feat: manifest NS memory/device region attribute

This change permits providing the security state of a memory region for
S-EL0 partitions through Hafnium/VHE.
Note that the same mechanism will only be supported for S-EL1 partitions
in a later change, because there the NS bit is controlled by the Stage-1
translation regime. Hafnium must leverage VTTBR/VSTTBR page tables to
enforce this.

Change-Id: Ieb0256d3c5f499dc435d5a2f95934f338178c315
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
diff --git a/src/manifest.c b/src/manifest.c
index 14e2df1..0b8a824 100644
--- a/src/manifest.c
+++ b/src/manifest.c
@@ -393,15 +393,27 @@
 
 		TRY(read_uint32(mem_node, "attributes",
 				&mem_regions[i].attributes));
-		mem_regions[i].attributes &= MM_PERM_MASK;
 
-		if (mem_regions[i].attributes != (MM_MODE_R) &&
-		    mem_regions[i].attributes != (MM_MODE_R | MM_MODE_W) &&
-		    mem_regions[i].attributes != (MM_MODE_R | MM_MODE_X)) {
+		/*
+		 * Check RWX permission attributes.
+		 * Security attribute is checked at load phase.
+		 */
+		uint32_t permissions = mem_regions[i].attributes &
+				       (MANIFEST_REGION_ATTR_READ |
+					MANIFEST_REGION_ATTR_WRITE |
+					MANIFEST_REGION_ATTR_EXEC);
+		if (permissions != MANIFEST_REGION_ATTR_READ &&
+		    permissions != (MANIFEST_REGION_ATTR_READ |
+				    MANIFEST_REGION_ATTR_WRITE) &&
+		    permissions != (MANIFEST_REGION_ATTR_READ |
+				    MANIFEST_REGION_ATTR_EXEC)) {
 			return MANIFEST_ERROR_INVALID_MEM_PERM;
 		}
 
-		dlog_verbose("      Attributes:  %u\n",
+		/* Filter memory region attributes. */
+		mem_regions[i].attributes &= MANIFEST_REGION_ALL_ATTR_MASK;
+
+		dlog_verbose("      Attributes:  %#x\n",
 			     mem_regions[i].attributes);
 
 		if (rxtx->available) {
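Review bot: The new security attribute bit is stored without any validation at parse time, and bits outside `MANIFEST_REGION_ALL_ATTR_MASK` are silently dropped by the `&=` rather than rejected, so a malformed or mistyped manifest still parses cleanly. Since the commit message says the NS attribute is only honoured for S-EL0 partitions, the load-phase check the comment refers to (not visible in this diff) should be confirmed to reject or ignore the bit for S-EL1 partitions, where presumably it cannot yet be enforced. Consider failing early on unknown bits before the mask, e.g. `if (mem_regions[i].attributes & ~MANIFEST_REGION_ALL_ATTR_MASK) return MANIFEST_ERROR_INVALID_MEM_PERM;`, provided existing manifests do not rely on the lenient behaviour. I would also extend the comment to `/* Security attribute is checked at load phase; it is only honoured for S-EL0 partitions. */`. The enclosing loop starts and ends outside this hunk.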
@@ -468,16 +480,27 @@
 
 		TRY(read_uint32(dev_node, "attributes",
 				&dev_regions[i].attributes));
-		dev_regions[i].attributes =
-			(dev_regions[i].attributes & MM_PERM_MASK) | MM_MODE_D;
 
-		if (dev_regions[i].attributes != (MM_MODE_R | MM_MODE_D) &&
-		    dev_regions[i].attributes !=
-			    (MM_MODE_R | MM_MODE_W | MM_MODE_D)) {
+		/*
+		 * Check RWX permission attributes.
+		 * Security attribute is checked at load phase.
+		 */
+		uint32_t permissions = dev_regions[i].attributes &
+				       (MANIFEST_REGION_ATTR_READ |
+					MANIFEST_REGION_ATTR_WRITE |
+					MANIFEST_REGION_ATTR_EXEC);
+
+		if (permissions != MANIFEST_REGION_ATTR_READ &&
+		    permissions != (MANIFEST_REGION_ATTR_READ |
+				    MANIFEST_REGION_ATTR_WRITE)) {
 			return MANIFEST_ERROR_INVALID_MEM_PERM;
 		}
 
-		dlog_verbose("      Attributes:  %u\n",
+		/* Filer device region attributes. */
+		dev_regions[i].attributes = dev_regions[i].attributes &
+					    MANIFEST_REGION_ALL_ATTR_MASK;
+
+		dlog_verbose("      Attributes:  %#x\n",
 			     dev_regions[i].attributes);
 
 		TRY(read_optional_uint32list(dev_node, "interrupts", &list));
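Review bot: The removed lines forced `MM_MODE_D` into `dev_regions[i].attributes`, but the new code stores only the masked manifest bits, so the device-memory marker is no longer carried by this field. Whatever code maps device regions must now add the device mode itself; that code is outside this diff, and if it still uses the field as-is, MMIO ranges could end up mapped with normal-memory attributes. The same applies if the `MANIFEST_REGION_ATTR_*` values are not numerically identical to the `MM_MODE_*` ones, since consumers would then need an explicit translation. Two small fixes in the added lines: the comment has a typo and the assignment can match the memory-region hunk, `/* Filter device region attributes. */` and `dev_regions[i].attributes &= MANIFEST_REGION_ALL_ATTR_MASK;`. The enclosing loop starts and ends outside this hunk.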