platform: nordic_nrf: rewrite SPU functions
Rewrite the SPU functions to make it more clear what the permissions
will be and thereby prevent accidental priviledge elevation.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Change-Id: I3c0db861b8db9981552b699e298b525918afff36
diff --git a/platform/ext/target/nordic_nrf/common/core/native_drivers/spu.c b/platform/ext/target/nordic_nrf/common/core/native_drivers/spu.c
index 2ca5758..8ba5b57 100644
--- a/platform/ext/target/nordic_nrf/common/core/native_drivers/spu.c
+++ b/platform/ext/target/nordic_nrf/common/core/native_drivers/spu.c
@@ -126,27 +126,28 @@
for (size_t i = 0; i < NUM_FLASH_SECURE_ATTRIBUTION_REGIONS ; i++) {
if (!spu_region_is_bootloader_region(NRF_SPU, i)) {
nrf_spu_flashregion_set(NRF_SPU, i,
- 1 /* Secure */,
+ SPU_SECURE_ATTR_SECURE,
NRF_SPU_MEM_PERM_READ
| NRF_SPU_MEM_PERM_WRITE
| NRF_SPU_MEM_PERM_EXECUTE,
- 0 /* No lock */);
+ SPU_LOCK_CONF_UNLOCKED);
}
}
for (size_t i = 0; i < NUM_SRAM_SECURE_ATTRIBUTION_REGIONS ; i++) {
if (!spu_region_is_pcd_region(NRF_SPU, i)) {
nrf_spu_ramregion_set(NRF_SPU, i,
- 1 /* Secure */,
+ SPU_SECURE_ATTR_SECURE,
NRF_SPU_MEM_PERM_READ
| NRF_SPU_MEM_PERM_WRITE
| NRF_SPU_MEM_PERM_EXECUTE,
- 0 /* No lock */);
+ SPU_LOCK_CONF_UNLOCKED);
}
}
}
-void spu_regions_flash_config_non_secure(uint32_t start_addr, uint32_t limit_addr)
+void spu_regions_flash_config(uint32_t start_addr, uint32_t limit_addr, bool secure_attr,
+ uint32_t permissions, bool lock_conf)
{
/* Determine start and last flash region number */
size_t start_id =
@@ -158,16 +159,12 @@
/* Configure all flash regions between start_id and last_id */
for (size_t i = start_id; i <= last_id; i++) {
- nrf_spu_flashregion_set(NRF_SPU, i,
- 0 /* Non-Secure */,
- NRF_SPU_MEM_PERM_READ
- | NRF_SPU_MEM_PERM_WRITE
- | NRF_SPU_MEM_PERM_EXECUTE,
- 1 /* Lock */);
+ nrf_spu_flashregion_set(NRF_SPU, i, secure_attr, permissions, lock_conf);
}
}
-void spu_regions_sram_config_non_secure(uint32_t start_addr, uint32_t limit_addr)
+void spu_regions_sram_config(uint32_t start_addr, uint32_t limit_addr, bool secure_attr,
+ uint32_t permissions, bool lock_conf)
{
/* Determine start and last ram region number */
size_t start_id =
@@ -179,12 +176,7 @@
/* Configure all ram regions between start_id and last_id */
for (size_t i = start_id; i <= last_id; i++) {
- nrf_spu_ramregion_set(NRF_SPU, i,
- 0 /* Non-Secure */,
- NRF_SPU_MEM_PERM_READ
- | NRF_SPU_MEM_PERM_WRITE
- | NRF_SPU_MEM_PERM_EXECUTE,
- 1 /* Lock */);
+ nrf_spu_ramregion_set(NRF_SPU, i, secure_attr, permissions, lock_conf);
}
}
@@ -211,7 +203,7 @@
nrf_spu_flashnsc_set(NRF_SPU, 0,
FLASH_NSC_SIZE_REG(nsc_size),
FLASH_NSC_REGION_FROM_ADDR(start_addr),
- 1 /* Lock */);
+ SPU_LOCK_CONF_LOCKED);
}
uint32_t spu_regions_flash_get_base_address_in_region(uint32_t region_id)
diff --git a/platform/ext/target/nordic_nrf/common/core/native_drivers/spu.h b/platform/ext/target/nordic_nrf/common/core/native_drivers/spu.h
index cc0fddb..5e1bd43 100644
--- a/platform/ext/target/nordic_nrf/common/core/native_drivers/spu.h
+++ b/platform/ext/target/nordic_nrf/common/core/native_drivers/spu.h
@@ -23,6 +23,10 @@
#include <hal/nrf_spu.h>
+#define SPU_LOCK_CONF_LOCKED true
+#define SPU_LOCK_CONF_UNLOCKED false
+#define SPU_SECURE_ATTR_SECURE true
+#define SPU_SECURE_ATTR_NONSECURE false
/**
* \brief SPU interrupt enabling
@@ -42,32 +46,25 @@
/**
* \brief Reset TF-M memory regions to being Secure.
*
- * Reset all (Flash or SRAM, but excluding the regions owned by the bootloader(s)) memory region permissions
- to be Secure and have default (i.e. Read-Write-Execute allow) access policy.
+ * Reset all (Flash or SRAM, but excluding the regions owned by the
+ * bootloader(s)) memory region permissions to be Secure and have the
+ * default (Read-Write-Execute allow) access policy.
*
* \note region lock is not applied to allow modifying the configuration.
*/
void spu_regions_reset_unlocked_secure(void);
/**
- * \brief Configure Flash memory regions as Non-Secure
- *
- * Configure a range of Flash memory regions as Non-Secure
- *
- * \note region lock is applied to prevent further modification during
- * the current reset cycle.
+ * \brief Configure the SPU Flash memory region
*/
-void spu_regions_flash_config_non_secure(uint32_t start_addr, uint32_t limit_addr);
+void spu_regions_flash_config(uint32_t start_addr, uint32_t limit_addr, bool secure_attr,
+ uint32_t permissions, bool lock_conf);
/**
- * \brief Configure SRAM memory regions as Non-Secure
- *
- * Configure a range of SRAM memory regions as Non-Secure
- *
- * \note region lock is applied to prevent further modification during
- * the current reset cycle.
+ * \brief Configure SPU SRAM memory regions
*/
-void spu_regions_sram_config_non_secure(uint32_t start_addr, uint32_t limit_addr);
+void spu_regions_sram_config(uint32_t start_addr, uint32_t limit_addr, bool secure_attr,
+ uint32_t permissions, bool lock_conf);
/**
* \brief Configure Non-Secure Callable area
@@ -119,13 +116,13 @@
* Configure DPPI channels to be accessible from Non-Secure domain.
*
* \param channels_mask Bitmask with channels configuration.
- * \param dppi_lock Variable indicating whether to lock DPPI channel security
+ * \param lock_conf Variable indicating whether to lock DPPI channel security
*
* \note all channels are configured as Non-Secure
*/
-static inline void spu_dppi_config_non_secure(uint32_t channels_mask, bool dppi_lock)
+static inline void spu_dppi_config_non_secure(uint32_t channels_mask, bool lock_conf)
{
- nrf_spu_dppi_config_set(NRF_SPU, 0, channels_mask, dppi_lock);
+ nrf_spu_dppi_config_set(NRF_SPU, 0, channels_mask, lock_conf);
}
/**
@@ -133,14 +130,14 @@
*
* \param port_number GPIO Port number
* \param gpio_mask Bitmask with gpio configuration.
- * \param gpio_lock Variable indicating whether to lock GPIO port security
+ * \param lock_conf Variable indicating whether to lock GPIO port security
*
* \note all pins are configured as Non-Secure
*/
static inline void spu_gpio_config_non_secure(uint8_t port_number, uint32_t gpio_mask,
- bool gpio_lock)
+ bool lock_conf)
{
- nrf_spu_gpio_config_set(NRF_SPU, port_number, gpio_mask, gpio_lock);
+ nrf_spu_gpio_config_set(NRF_SPU, port_number, gpio_mask, lock_conf);
}
/**
diff --git a/platform/ext/target/nordic_nrf/common/core/target_cfg.c b/platform/ext/target/nordic_nrf/common/core/target_cfg.c
index b186d4c..2a2768c 100644
--- a/platform/ext/target/nordic_nrf/common/core/target_cfg.c
+++ b/platform/ext/target/nordic_nrf/common/core/target_cfg.c
@@ -698,29 +698,37 @@
*/
spu_regions_reset_unlocked_secure();
+ uint32_t perm;
+
/* Configures SPU Code and Data regions to be non-secure */
- spu_regions_flash_config_non_secure(
- memory_regions.non_secure_partition_base,
- memory_regions.non_secure_partition_limit);
- spu_regions_sram_config_non_secure(NS_DATA_START, NS_DATA_LIMIT);
+ perm = 0;
+ perm |= NRF_SPU_MEM_PERM_READ;
+ perm |= NRF_SPU_MEM_PERM_WRITE;
+ perm |= NRF_SPU_MEM_PERM_EXECUTE;
+
+ spu_regions_flash_config(memory_regions.non_secure_partition_base,
+ memory_regions.non_secure_partition_limit, SPU_SECURE_ATTR_NONSECURE,
+ perm, SPU_LOCK_CONF_LOCKED);
+
+ spu_regions_sram_config(NS_DATA_START, NS_DATA_LIMIT, SPU_SECURE_ATTR_NONSECURE, perm,
+ SPU_LOCK_CONF_LOCKED);
/* Configures veneers region to be non-secure callable */
- spu_regions_flash_config_non_secure_callable(
- memory_regions.veneer_base,
- memory_regions.veneer_limit - 1);
+ spu_regions_flash_config_non_secure_callable(memory_regions.veneer_base,
+ memory_regions.veneer_limit - 1);
#ifdef NRF_NS_SECONDARY
/* Secondary image partition */
- spu_regions_flash_config_non_secure(
- memory_regions.secondary_partition_base,
- memory_regions.secondary_partition_limit);
+ spu_regions_flash_config(memory_regions.secondary_partition_base,
+ memory_regions.secondary_partition_limit, SPU_SECURE_ATTR_NONSECURE,
+ perm, SPU_LOCK_CONF_LOCKED);
#endif /* NRF_NS_SECONDARY */
#ifdef NRF_NS_STORAGE_PARTITION_START
/* Configures storage partition to be non-secure */
- spu_regions_flash_config_non_secure(
- memory_regions.non_secure_storage_partition_base,
- memory_regions.non_secure_storage_partition_limit);
+ spu_regions_flash_config(memory_regions.non_secure_storage_partition_base,
+ memory_regions.non_secure_storage_partition_limit,
+ SPU_SECURE_ATTR_NONSECURE, perm, SPU_LOCK_CONF_LOCKED);
#endif /* NRF_NS_STORAGE_PARTITION_START */
return TFM_PLAT_ERR_SUCCESS;
@@ -840,12 +848,12 @@
spu_peripheral_config_non_secure((uint32_t)NRF_VMC, false);
/* DPPI channel configuration */
- spu_dppi_config_non_secure(TFM_PERIPHERAL_DPPI_CHANNEL_MASK_SECURE, true);
+ spu_dppi_config_non_secure(TFM_PERIPHERAL_DPPI_CHANNEL_MASK_SECURE, SPU_LOCK_CONF_LOCKED);
/* GPIO pin configuration */
- spu_gpio_config_non_secure(0, TFM_PERIPHERAL_GPIO0_PIN_MASK_SECURE, true);
+ spu_gpio_config_non_secure(0, TFM_PERIPHERAL_GPIO0_PIN_MASK_SECURE, SPU_LOCK_CONF_LOCKED);
#ifdef TFM_PERIPHERAL_GPIO1_PIN_MASK_SECURE
- spu_gpio_config_non_secure(1, TFM_PERIPHERAL_GPIO1_PIN_MASK_SECURE, true);
+ spu_gpio_config_non_secure(1, TFM_PERIPHERAL_GPIO1_PIN_MASK_SECURE, SPU_LOCK_CONF_LOCKED);
#endif
#ifdef NRF53_SERIES