TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / sandbox / pfalcon / trusted-firmware-m / d4bf34741f20d9282157c58fb6d3e0e67f278bb7^! / . / bl2 / ext / mcuboot / bl2_main.c
commitd4bf34741f20d9282157c58fb6d3e0e67f278bb7[log] [tgz]
authorTamas Ban <tamas.ban@arm.com>Fri Sep 06 12:59:56 2019 +0100
committerTamas Ban <tamas.ban@arm.com>Mon Sep 30 17:02:36 2019 +0200
tree0abe29fff9545875258aebb39947b0d62d57164e
parentaadc56fcad7585edaeeeaf0fb3c018b221cf730d [diff] [blame]
Boot: Clear RAM before starting secure firmware

Clearing RAM to not leak accidentally any sensitive
information to software components running after boot.
This change also addressing the conformance with
the R30_TBFU_EXEC rule in PSA-TBFU spec (version 1.0.beta.1).

Change-Id: I173ecee9f2c163d385d74c2f14887ed655df7cd5
Signed-off-by: Tamas Ban <tamas.ban@arm.com>

diff --git a/bl2/ext/mcuboot/bl2_main.c b/bl2/ext/mcuboot/bl2_main.c
index 7a8a451..f86c4c2 100644
--- a/bl2/ext/mcuboot/bl2_main.c
+++ b/bl2/ext/mcuboot/bl2_main.c

@@ -29,6 +29,7 @@
 #include "flash_map/flash_map.h"
 #include "bl2/include/boot_record.h"
 #include "security_cnt.h"
+#include "bl2/include/boot_hal.h"
 
 /* Avoids the semihosting issue */
 #if defined (__ARMCC_VERSION) && (__ARMCC_VERSION >= 6010050)
@@ -56,6 +57,41 @@
     uint32_t reset;
 };
 
+/*!
+ * \brief Chain-loading the next image in the boot sequence.
+ *
+ * This function calls the Reset_Handler of the next image in the boot sequence,
+ * usually it is the secure firmware. Before passing the execution to next image
+ * there is conditional rule to remove the secrets from the memory. This must be
+ * done if the following conditions are satisfied:
+ *  - Memory is shared between SW components at different stages of the trusted
+ *    boot process.
+ *  - There are secrets in the memory: KDF parameter, symmetric key,
+ *    manufacturer sensitive code/data, etc.
+ */
+__attribute__((naked)) void boot_jump_to_next_image(uint32_t reset_handler_addr)
+{
+    __ASM volatile(
+        ".syntax unified                 \n"
+        "mov     r7, r0                  \n"
+        "bl      boot_clear_bl2_ram_area \n" /* Clear RAM before jump */
+        "movs    r0, #0                  \n" /* Clear registers: R0-R12, */
+        "mov     r1, r0                  \n" /* except R7 */
+        "mov     r2, r0                  \n"
+        "mov     r3, r0                  \n"
+        "mov     r4, r0                  \n"
+        "mov     r5, r0                  \n"
+        "mov     r6, r0                  \n"
+        "mov     r8, r0                  \n"
+        "mov     r9, r0                  \n"
+        "mov     r10, r0                 \n"
+        "mov     r11, r0                 \n"
+        "mov     r12, r0                 \n"
+        "mov     lr,  r0                 \n"
+        "bx      r7                      \n" /* Jump to Reset_handler */
+    );
+}
+
 static void do_boot(struct boot_rsp *rsp)
 {
     /* Clang at O0, stores variables on the stack with SP relative addressing.
@@ -107,7 +143,7 @@
     __DSB();
     __ISB();
 
-    ((void (*)(void))vt->reset)();
+    boot_jump_to_next_image(vt->reset);
 }
 
 int main(void)