SPM: Add fault injection protection support in Library model
Create a reference implementation of fault injection protection in
Library model SPM initialization.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Co-authorized-by: David Hu <david.hu@arm.com>
Change-Id: Ifa4a83bfb9a43de785cee27a13a783a52cf47c7c
diff --git a/secure_fw/spm/cmsis_func/main.c b/secure_fw/spm/cmsis_func/main.c
index 5695279..2a809dd 100644
--- a/secure_fw/spm/cmsis_func/main.c
+++ b/secure_fw/spm/cmsis_func/main.c
@@ -6,6 +6,7 @@
*/
#include "arch.h"
+#include "fih.h"
#include "ffm/tfm_boot_data.h"
#include "region.h"
#include "spm_func.h"
@@ -34,44 +35,61 @@
REGION_DECLARE(Image$$, ARM_LIB_STACK_MSP, $$ZI$$Base);
-static int32_t tfm_core_init(void)
+static fih_int tfm_core_init(void)
{
size_t i;
enum tfm_hal_status_t hal_status = TFM_HAL_ERROR_GENERIC;
enum tfm_plat_err_t plat_err = TFM_PLAT_ERR_SYSTEM_ERR;
enum irq_target_state_t irq_target_state = TFM_IRQ_TARGET_STATE_SECURE;
+#ifdef TFM_FIH_PROFILE_ON
+ fih_int fih_rc = FIH_FAILURE;
+#endif
/* Enables fault handlers */
plat_err = tfm_spm_hal_enable_fault_handlers();
if (plat_err != TFM_PLAT_ERR_SUCCESS) {
- return TFM_ERROR_GENERIC;
+ FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
}
/* Configures the system reset request properties */
plat_err = tfm_spm_hal_system_reset_cfg();
if (plat_err != TFM_PLAT_ERR_SUCCESS) {
- return TFM_ERROR_GENERIC;
+ FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
}
/* Configures debug authentication */
+#ifdef TFM_FIH_PROFILE_ON
+ FIH_CALL(tfm_spm_hal_init_debug, fih_rc);
+ if (fih_not_eq(fih_rc, fih_int_encode(TFM_PLAT_ERR_SUCCESS))) {
+ FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
+ }
+#else /* TFM_FIH_PROFILE_ON */
plat_err = tfm_spm_hal_init_debug();
if (plat_err != TFM_PLAT_ERR_SUCCESS) {
return TFM_ERROR_GENERIC;
}
+#endif /* TFM_FIH_PROFILE_ON */
/*
* Access to any peripheral should be performed after programming
* the necessary security components such as PPC/SAU.
*/
+#ifdef TFM_FIH_PROFILE_ON
+ FIH_CALL(tfm_hal_set_up_static_boundaries, fih_rc);
+ if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) {
+ FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
+ }
+#else /* TFM_FIH_PROFILE_ON */
hal_status = tfm_hal_set_up_static_boundaries();
if (hal_status != TFM_HAL_SUCCESS) {
return TFM_ERROR_GENERIC;
}
+#endif /* TFM_FIH_PROFILE_ON */
/* Performs platform specific initialization */
hal_status = tfm_hal_platform_init();
if (hal_status != TFM_HAL_SUCCESS) {
- return TFM_ERROR_GENERIC;
+ FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
}
/* Configures architecture */
@@ -90,7 +108,7 @@
*/
plat_err = tfm_spm_hal_nvic_interrupt_target_state_cfg();
if (plat_err != TFM_PLAT_ERR_SUCCESS) {
- return TFM_ERROR_GENERIC;
+ FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
}
for (i = 0; i < tfm_core_irq_signals_count; ++i) {
@@ -98,27 +116,30 @@
tfm_core_irq_signals[i].irq_line,
tfm_core_irq_signals[i].irq_priority);
if (plat_err != TFM_PLAT_ERR_SUCCESS) {
- return TFM_ERROR_GENERIC;
+ FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
}
irq_target_state = tfm_spm_hal_set_irq_target_state(
tfm_core_irq_signals[i].irq_line,
TFM_IRQ_TARGET_STATE_SECURE);
if (irq_target_state != TFM_IRQ_TARGET_STATE_SECURE) {
- return TFM_ERROR_GENERIC;
+ FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
}
}
/* Enable secure peripherals interrupts */
plat_err = tfm_spm_hal_nvic_interrupt_enable();
if (plat_err != TFM_PLAT_ERR_SUCCESS) {
- return TFM_ERROR_GENERIC;
+ FIH_RET(fih_int_encode(TFM_ERROR_GENERIC));
}
- return TFM_SUCCESS;
+ FIH_RET(fih_int_encode(TFM_SUCCESS));
}
int main(void)
{
+ enum spm_err_t spm_err = SPM_ERR_GENERIC_ERR;
+ fih_int fih_rc = FIH_FAILURE;
+
/* set Main Stack Pointer limit */
tfm_arch_init_secure_msp((uint32_t)®ION_NAME(Image$$,
ARM_LIB_STACK_MSP,
@@ -127,13 +148,18 @@
/* Seal the PSP stacks viz ARM_LIB_STACK and TFM_SECURE_STACK */
tfm_spm_seal_psp_stacks();
- if (tfm_core_init() != TFM_SUCCESS) {
+ fih_delay_init();
+
+ FIH_CALL(tfm_core_init, fih_rc);
+ if (fih_not_eq(fih_rc, fih_int_encode(TFM_SUCCESS))) {
tfm_core_panic();
}
+
/* Print the TF-M version */
SPMLOG_INFMSG("\033[1;34mBooting TFM v"VERSION_FULLSTR"\033[0m\r\n");
- if (tfm_spm_db_init() != SPM_ERR_OK) {
+ spm_err = tfm_spm_db_init();
+ if (spm_err != SPM_ERR_OK) {
tfm_core_panic();
}
@@ -145,7 +171,8 @@
tfm_arch_set_psplim(psp_stack_bottom);
- if (tfm_spm_partition_init() != SPM_ERR_OK) {
+ FIH_CALL(tfm_spm_partition_init, fih_rc);
+ if (fih_not_eq(fih_rc, fih_int_encode(SPM_ERR_OK))) {
/* Certain systems might refuse to boot altogether if partitions fail
* to initialize. This is a placeholder for such an error handler
*/
@@ -164,6 +191,13 @@
tfm_spm_partition_set_state(TFM_SP_NON_SECURE_ID,
SPM_PARTITION_STATE_RUNNING);
+#ifdef TFM_FIH_PROFILE_ON
+ FIH_CALL(tfm_spm_hal_verify_isolation_hw, fih_rc);
+ if (fih_not_eq(fih_rc, fih_int_encode(TFM_PLAT_ERR_SUCCESS))) {
+ tfm_core_panic();
+ }
+#endif
+
#ifdef TFM_CORE_DEBUG
/* Jumps to non-secure code */
SPMLOG_DBGMSG("\033[1;34mJumping to non-secure code...\033[0m\r\n");