feat(VHE): Fix RWX mappings for S-EL0 partitions

For (S-)EL1 partitions, hafnium marks its entire memory range as RWX in
its stage-2 tables, since the expectation is that stage-1 tables inside
the partition will ensure appropriate permissions within the range. This
decision means that hafnium can simply load bin files (stripped elf
files) for the partitions without having to worry about different
segments of the ELF image, and no extra infrastructure is required to
load and run (S-)EL1 partitions. This does not work well for S-EL0
partitions. However, for simplicity, until this point, the entire range
of S-EL0 partition was marked as RWX (obvious security issue). This
patch fixes the issue by ensuring hafnium marks the entire EL0 partition
memory as RX. With FFA_MEM_PERM_* ABI support, EL0 partitions are
expected to do their own relocations, be aware of their layouts and call
these FF-A ABIs to change the permissions as required.
This keeps hafnium very simple for supporting EL0 partitions in
that we don't require ELF loaders/parsers or data in manifest files
related to layout, for hafnium to set up.

Change-Id: I3af34d3d5a5065039e8402cc4485d5bdad23f6fc
Signed-off-by: Raghu Krishnamurthy <raghu.ncstate@gmail.com>
diff --git a/src/load.c b/src/load.c
index e7f3085..0db27c5 100644
--- a/src/load.c
+++ b/src/load.c
@@ -465,15 +465,19 @@
 	vm_locked = vm_lock(vm);
 
 	/*
-	 * Grant the VM access to the memory. TODO: For S-EL0 partitions,
-	 * mapping all of its memory as RWX is bad from a security standpoint.
-	 * Should just skip this and expect this to be present in the memory
-	 * regions?
+	 * Grant the VM access to the memory. For VM's we mark all memory in
+	 * stage-2 tables as RWX and the VM can control permissions using
+	 * stage-1 translations. For S-EL0 partitions, hafnium maps the entire
+	 * region of memory for the partition as RX. The partition is then
+	 * expected to perform its owns relocations and call the FFA_MEM_PERM_*
+	 * API's to change permissions on its image layout.
 	 */
-	map_mode = MM_MODE_R | MM_MODE_W | MM_MODE_X;
 	if (vm->el0_partition) {
-		map_mode |= MM_MODE_USER | MM_MODE_NG;
+		map_mode = MM_MODE_R | MM_MODE_X | MM_MODE_USER | MM_MODE_NG;
+	} else {
+		map_mode = MM_MODE_R | MM_MODE_W | MM_MODE_X;
 	}
+
 	if (!vm_identity_map(vm_locked, mem_begin, mem_end, map_mode, ppool,
 			     &secondary_entry)) {
 		dlog_error("Unable to initialise memory.\n");
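Review bot: The new comment above the map_mode assignment should spell out what the RX-only mapping means for an S-EL0 partition at entry. With `map_mode = MM_MODE_R | MM_MODE_X | MM_MODE_USER | MM_MODE_NG;` the partition starts with no writable page in its image range, so its startup code cannot touch data, bss or a stack inside the image until it has called the FFA_MEM_PERM_* interface. The data pages also stay executable until the partition itself drops X on them. Stating both points here would make the contract explicit for partition authors and make it clear that W^X on the final layout depends on the partition, not on this mapping. Minor wording in the same comment: "its owns relocations" should be "its own relocations", and "VM's" / "API's" should be the plurals "VMs" / "APIs".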