From 51faada71a219a8b94cd8d8e423f0f22e9da4d8f Mon Sep 17 00:00:00 2001
From: Douglas Raillard <douglas.raillard@arm.com>
Date: Fri, 24 Feb 2017 18:14:15 +0000
Subject: Add support for GCC stack protection

Introduce new build option ENABLE_STACK_PROTECTOR. It enables
compilation of all BL images with one of the GCC -fstack-protector-*
options.

A new platform function plat_get_stack_protector_canary() is introduced.
It returns a value that is used to initialize the canary for stack
corruption detection. Returning a random value will prevent an attacker
from predicting the value and greatly increase the effectiveness of the
protection.

A message is printed at the ERROR level when a stack corruption is
detected.

To be effective, the global data must be stored at an address
lower than the base of the stacks. Failure to do so would allow an
attacker to overwrite the canary as part of an attack which would void
the protection.

FVP implementation of plat_get_stack_protector_canary is weak as
there is no real source of entropy on the FVP. It therefore relies on a
timer's value, which could be predictable.

Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
---
 bl1/bl1.ld.S | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

(limited to 'bl1')

diff --git a/bl1/bl1.ld.S b/bl1/bl1.ld.S
index b69065ee..2cfb24c1 100644
--- a/bl1/bl1.ld.S
+++ b/bl1/bl1.ld.S
@@ -111,14 +111,20 @@ SECTIONS
     ASSERT(__CPU_OPS_END__ > __CPU_OPS_START__,
            "cpu_ops not defined for this platform.")
 
+    . = BL1_RW_BASE;
+    ASSERT(BL1_RW_BASE == ALIGN(4096),
+           "BL1_RW_BASE address is not aligned on a page boundary.")
+
     /*
      * The .data section gets copied from ROM to RAM at runtime.
-     * Its LMA must be 16-byte aligned.
+     * Its LMA should be 16-byte aligned to allow efficient copying of 16-bytes
+     * aligned regions in it.
      * Its VMA must be page-aligned as it marks the first read/write page.
+     *
+     * It must be placed at a lower address than the stacks if the stack
+     * protector is enabled. Alternatively, the .data.stack_protector_canary
+     * section can be placed independently of the main .data section.
      */
-    . = BL1_RW_BASE;
-    ASSERT(. == ALIGN(4096),
-           "BL1_RW_BASE address is not aligned on a page boundary.")
     .data . : ALIGN(16) {
         __DATA_RAM_START__ = .;
         *(.data*)
-- 
cgit v1.2.3