| author | Antonio Nino Diaz <antonio.ninodiaz@arm.com> | 2018-07-13 15:26:49 +0100 |
|---|---|---|
| committer | Antonio Nino Diaz <antonio.ninodiaz@arm.com> | 2018-07-16 15:56:42 +0100 |
| commit | 1aad932ce684ec0586bd272f6080b0ef970a2d61 (patch) | |
| tree | 4ca42a666bad7a3c4f34b1396e384bce7557dc03 | |
| parent | 4ad2696d888400a9990f8c7a0fa57af743f01515 (diff) | |
rpi3: Add support for the stack protector
It uses the hardware RNG in a similar way as Juno (it gets 128 bits of
entropy and does xor on them).
It is disabled by default.
Change-Id: I8b3adb61f5a5623716e0e8b6799404c68dd94c60
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
| -rw-r--r-- | docs/plat/rpi3.rst | 3 | ||||
| -rw-r--r-- | plat/rpi3/platform.mk | 8 | ||||
| -rw-r--r-- | plat/rpi3/rpi3_stack_protector.c | 27 |
3 files changed, 38 insertions, 0 deletions
diff --git a/docs/plat/rpi3.rst b/docs/plat/rpi3.rst index 902da944..80515ba2 100644 --- a/docs/plat/rpi3.rst +++ b/docs/plat/rpi3.rst @@ -212,6 +212,9 @@ instructions in `Setup SD card`_. The following build options are supported: +- ``ENABLE_STACK_PROTECTOR``: Disabled by default. It uses the hardware RNG of + the board. + - ``PRELOADED_BL33_BASE``: Specially useful because the file ``kernel8.img`` can be loaded anywhere by modifying the file ``config.txt``. It doesn't have to contain a kernel, it could have any arbitrary payload. diff --git a/plat/rpi3/platform.mk b/plat/rpi3/platform.mk index 3ad7114c..2f18af6a 100644 --- a/plat/rpi3/platform.mk +++ b/plat/rpi3/platform.mk @@ -90,6 +90,9 @@ WORKAROUND_CVE_2017_5715 := 0 # Disable the PSCI platform compatibility layer by default ENABLE_PLAT_COMPAT := 0 +# Disable stack protector by default +ENABLE_STACK_PROTECTOR := 0 + # Reset to BL31 isn't supported RESET_TO_BL31 := 0 @@ -146,6 +149,11 @@ ifeq (${ARCH},aarch32) $(error Error: AArch32 not supported on rpi3) endif +ifneq ($(ENABLE_STACK_PROTECTOR), 0) +PLAT_BL_COMMON_SOURCES += plat/rpi3/rpi3_rng.c \ + plat/rpi3/rpi3_stack_protector.c +endif + ifeq (${SPD},opteed) BL2_SOURCES += \ lib/optee/optee_utils.c diff --git a/plat/rpi3/rpi3_stack_protector.c b/plat/rpi3/rpi3_stack_protector.c new file mode 100644 index 00000000..d939cd39 --- /dev/null +++ b/plat/rpi3/rpi3_stack_protector.c 
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <sys/types.h>
+#include <utils.h>
+
+#include "rpi3_private.h"
+
+/* Get 128 bits of entropy and fuse the values together to form the canary. */
+#define TRNG_NBYTES 16U
+
+u_register_t plat_get_stack_protector_canary(void)
+{
+ size_t i;
+ u_register_t buf[TRNG_NBYTES / sizeof(u_register_t)];
+ u_register_t ret = 0U;
+
+ rpi3_rng_read(buf, sizeof(buf));
+
+ for (i = 0U; i < ARRAY_SIZE(buf); i++)
+ ret ^= buf[i];
+
+ return ret;
+} |
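Review bot: `buf` is declared without an initialiser and the outcome of `rpi3_rng_read(buf, sizeof(buf))` is not checked, so the canary is only as strong as that call's guarantee to fill all 16 bytes; `rpi3_rng.c` is not part of this diff, so that guarantee cannot be confirmed from here. If the read can return early, or the RNG is not yet producing data when this runs during early boot, the XOR fold would mix stale stack contents into the canary and the value could be predictable. I would state the contract in a comment above the call, for example `/* rpi3_rng_read() blocks until all sizeof(buf) bytes come from the hardware RNG */`, or have the read return a status and stop the boot when it fails. The words left in `buf` XOR to the canary, so it is also worth clearing them before `return ret;`, for instance with `zeromem(buf, sizeof(buf));` if the `utils.h` included here provides it.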
