diff options
34 files changed, 686 insertions, 74 deletions
@@ -246,6 +246,12 @@ endif # over the sources. endif +################################################################################ +# Include libraries' Makefile that are used in all BL +################################################################################ + +include lib/stack_protector/stack_protector.mk + ################################################################################ # Include the platform specific Makefile after the SPD Makefile (the platform @@ -374,6 +380,55 @@ CRTTOOL ?= ${CRTTOOLPATH}/cert_create${BIN_EXT} FIPTOOLPATH ?= tools/fiptool FIPTOOL ?= ${FIPTOOLPATH}/fiptool${BIN_EXT} +################################################################################ +# Include BL specific makefiles +################################################################################ +ifdef BL1_SOURCES +NEED_BL1 := yes +include bl1/bl1.mk +endif + +ifdef BL2_SOURCES +NEED_BL2 := yes +include bl2/bl2.mk +endif + +# For AArch32, BL31 is not applicable, and BL2U is not supported at present. +ifneq (${ARCH},aarch32) +ifdef BL2U_SOURCES +NEED_BL2U := yes +include bl2u/bl2u.mk +endif + +ifdef BL31_SOURCES +# When booting an EL3 payload, there is no need to compile the BL31 image nor +# put it in the FIP. +ifndef EL3_PAYLOAD_BASE +NEED_BL31 := yes +include bl31/bl31.mk +endif +endif +endif + +ifeq (${ARCH},aarch32) +NEED_BL32 := yes + +################################################################################ +# Build `AARCH32_SP` as BL32 image for AArch32 +################################################################################ +ifneq (${AARCH32_SP},none) +# We expect to locate an sp.mk under the specified AARCH32_SP directory +AARCH32_SP_MAKE := $(wildcard bl32/${AARCH32_SP}/${AARCH32_SP}.mk) + +ifeq (${AARCH32_SP_MAKE},) + $(error Error: No bl32/${AARCH32_SP}/${AARCH32_SP}.mk located) +endif + +$(info Including ${AARCH32_SP_MAKE}) +include ${AARCH32_SP_MAKE} +endif + +endif ################################################################################ # Build options checks @@ -460,56 +515,6 @@ else endif ################################################################################ -# Include BL specific makefiles -################################################################################ -ifdef BL1_SOURCES -NEED_BL1 := yes -include bl1/bl1.mk -endif - -ifdef BL2_SOURCES -NEED_BL2 := yes -include bl2/bl2.mk -endif - -# For AArch32, BL31 is not applicable, and BL2U is not supported at present. -ifneq (${ARCH},aarch32) -ifdef BL2U_SOURCES -NEED_BL2U := yes -include bl2u/bl2u.mk -endif - -ifdef BL31_SOURCES -# When booting an EL3 payload, there is no need to compile the BL31 image nor -# put it in the FIP. -ifndef EL3_PAYLOAD_BASE -NEED_BL31 := yes -include bl31/bl31.mk -endif -endif -endif - -ifeq (${ARCH},aarch32) -NEED_BL32 := yes - -################################################################################ -# Build `AARCH32_SP` as BL32 image for AArch32 -################################################################################ -ifneq (${AARCH32_SP},none) -# We expect to locate an sp.mk under the specified AARCH32_SP directory -AARCH32_SP_MAKE := $(wildcard bl32/${AARCH32_SP}/${AARCH32_SP}.mk) - -ifeq (${AARCH32_SP_MAKE},) - $(error Error: No bl32/${AARCH32_SP}/${AARCH32_SP}.mk located) -endif - -$(info Including ${AARCH32_SP_MAKE}) -include ${AARCH32_SP_MAKE} -endif - -endif - -################################################################################ # Build targets ################################################################################ diff --git a/bl1/bl1.ld.S b/bl1/bl1.ld.S index b69065ee..2cfb24c1 100644 --- a/bl1/bl1.ld.S +++ b/bl1/bl1.ld.S @@ -111,14 +111,20 @@ SECTIONS ASSERT(__CPU_OPS_END__ > __CPU_OPS_START__, "cpu_ops not defined for this platform.") + . = BL1_RW_BASE; + ASSERT(BL1_RW_BASE == ALIGN(4096), + "BL1_RW_BASE address is not aligned on a page boundary.") + /* * The .data section gets copied from ROM to RAM at runtime. - * Its LMA must be 16-byte aligned. + * Its LMA should be 16-byte aligned to allow efficient copying of 16-bytes + * aligned regions in it. * Its VMA must be page-aligned as it marks the first read/write page. + * + * It must be placed at a lower address than the stacks if the stack + * protector is enabled. Alternatively, the .data.stack_protector_canary + * section can be placed independently of the main .data section. */ - . = BL1_RW_BASE; - ASSERT(. == ALIGN(4096), - "BL1_RW_BASE address is not aligned on a page boundary.") .data . : ALIGN(16) { __DATA_RAM_START__ = .; *(.data*) diff --git a/bl2/aarch32/bl2_entrypoint.S b/bl2/aarch32/bl2_entrypoint.S index bb0b7f31..c82456f2 100644 --- a/bl2/aarch32/bl2_entrypoint.S +++ b/bl2/aarch32/bl2_entrypoint.S @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2016-2017, ARM Limited and Contributors. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -122,6 +122,15 @@ func bl2_entrypoint bl plat_set_my_stack /* --------------------------------------------- + * Initialize the stack protector canary before + * any C code is called. + * --------------------------------------------- + */ +#if STACK_PROTECTOR_ENABLED + bl update_stack_protector_canary +#endif + + /* --------------------------------------------- * Perform early platform setup & platform * specific early arch. setup e.g. mmu setup * --------------------------------------------- diff --git a/bl2/aarch64/bl2_entrypoint.S b/bl2/aarch64/bl2_entrypoint.S index 31f77879..15a217d0 100644 --- a/bl2/aarch64/bl2_entrypoint.S +++ b/bl2/aarch64/bl2_entrypoint.S @@ -113,6 +113,15 @@ func bl2_entrypoint bl plat_set_my_stack /* --------------------------------------------- + * Initialize the stack protector canary before + * any C code is called. + * --------------------------------------------- + */ +#if STACK_PROTECTOR_ENABLED + bl update_stack_protector_canary +#endif + + /* --------------------------------------------- * Perform early platform setup & platform * specific early arch. setup e.g. mmu setup * --------------------------------------------- diff --git a/bl2/bl2.ld.S b/bl2/bl2.ld.S index b9275f34..07e0bccd 100644 --- a/bl2/bl2.ld.S +++ b/bl2/bl2.ld.S @@ -99,6 +99,11 @@ SECTIONS */ __RW_START__ = . ; + /* + * .data must be placed at a lower address than the stacks if the stack + * protector is enabled. Alternatively, the .data.stack_protector_canary + * section can be placed independently of the main .data section. + */ .data . : { __DATA_START__ = .; *(.data*) diff --git a/bl2u/aarch64/bl2u_entrypoint.S b/bl2u/aarch64/bl2u_entrypoint.S index 9fa84bf4..81aabc77 100644 --- a/bl2u/aarch64/bl2u_entrypoint.S +++ b/bl2u/aarch64/bl2u_entrypoint.S @@ -107,6 +107,15 @@ func bl2u_entrypoint bl plat_set_my_stack /* --------------------------------------------- + * Initialize the stack protector canary before + * any C code is called. + * --------------------------------------------- + */ +#if STACK_PROTECTOR_ENABLED + bl update_stack_protector_canary +#endif + + /* --------------------------------------------- * Perform early platform setup & platform * specific early arch. setup e.g. mmu setup * --------------------------------------------- diff --git a/bl2u/bl2u.ld.S b/bl2u/bl2u.ld.S index 91e8556e..aebf84f4 100644 --- a/bl2u/bl2u.ld.S +++ b/bl2u/bl2u.ld.S @@ -86,6 +86,11 @@ SECTIONS */ __RW_START__ = . ; + /* + * .data must be placed at a lower address than the stacks if the stack + * protector is enabled. Alternatively, the .data.stack_protector_canary + * section can be placed independently of the main .data section. + */ .data . : { __DATA_START__ = .; *(.data*) diff --git a/bl31/bl31.ld.S b/bl31/bl31.ld.S index e5d6232e..3a3fbd9a 100644 --- a/bl31/bl31.ld.S +++ b/bl31/bl31.ld.S @@ -140,7 +140,12 @@ SECTIONS */ __RW_START__ = . ; - .data . : { + /* + * .data must be placed at a lower address than the stacks if the stack + * protector is enabled. Alternatively, the .data.stack_protector_canary + * section can be placed independently of the main .data section. + */ + .data . : { __DATA_START__ = .; *(.data*) __DATA_END__ = .; diff --git a/bl32/tsp/aarch64/tsp_entrypoint.S b/bl32/tsp/aarch64/tsp_entrypoint.S index 182f3148..3f281394 100644 --- a/bl32/tsp/aarch64/tsp_entrypoint.S +++ b/bl32/tsp/aarch64/tsp_entrypoint.S @@ -139,6 +139,15 @@ func tsp_entrypoint bl plat_set_my_stack /* --------------------------------------------- + * Initialize the stack protector canary before + * any C code is called. + * --------------------------------------------- + */ +#if STACK_PROTECTOR_ENABLED + bl update_stack_protector_canary +#endif + + /* --------------------------------------------- * Perform early platform setup & platform * specific early arch. setup e.g. mmu setup * --------------------------------------------- diff --git a/docs/porting-guide.md b/docs/porting-guide.md index 65518ffb..690f307a 100644 --- a/docs/porting-guide.md +++ b/docs/porting-guide.md @@ -920,6 +920,20 @@ kept aside to pass trusted firmware related information that next BL image needs. This function is currently invoked in BL2 to pass this information to the next BL image, when LOAD_IMAGE_V2 is enabled. +### Function : plat_get_stack_protector_canary() + Argument : void + Return : u_register_t + +This function returns a random value that is used to initialize the canary used +when the stack protector is enabled with ENABLE_STACK_PROTECTOR. A predictable +value will weaken the protection as the attacker could easily write the right +value as part of the attack most of the time. Therefore, it should return a +true random number. + +Note: For the protection to be effective, the global data need to be placed at +a lower address than the stack bases. Failure to do so would allow an attacker +to overwrite the canary as part of the stack buffer overflow attack. + ### Function : plat_flush_next_bl_params() Argument : void diff --git a/docs/user-guide.md b/docs/user-guide.md index 2770b2cd..a1df9652 100644 --- a/docs/user-guide.md +++ b/docs/user-guide.md @@ -301,6 +301,14 @@ performed. Currently, only PSCI is instrumented. Enabling this option enables the `ENABLE_PMF` build option as well. Default is 0. +* `ENABLE_STACK_PROTECTOR`: String option to enable the stack protection + checks in GCC. Allowed values are "all", "strong" and "0" (default). + "strong" is the recommended stack protection level if this feature is + desired. 0 disables the stack protection. For all values other than 0, the + `plat_get_stack_protector_canary()` platform hook needs to be implemented. + The value is passed as the last component of the option + `-fstack-protector-$ENABLE_STACK_PROTECTOR`. + * `ERROR_DEPRECATED`: This option decides whether to treat the usage of deprecated platform APIs, helper functions or drivers within Trusted Firmware as error. It can take the value 1 (flag the use of deprecated @@ -799,7 +807,7 @@ images with support for these features: modules by checking out a recent version of the [mbed TLS Repository]. It is important to use a version that is compatible with TF and fixes any known security vulnerabilities. See [mbed TLS Security Center] for more - information. This version of TF is tested with tag `mbedtls-2.2.1`. + information. The latest version of TF is tested with tag `mbedtls-2.4.2`. The `drivers/auth/mbedtls/mbedtls_*.mk` files contain the list of mbed TLS source files the modules depend upon. diff --git a/include/common/aarch32/el3_common_macros.S b/include/common/aarch32/el3_common_macros.S index f6b7527e..d7e0b3f5 100644 --- a/include/common/aarch32/el3_common_macros.S +++ b/include/common/aarch32/el3_common_macros.S @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2016-2017, ARM Limited and Contributors. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -278,6 +278,12 @@ * --------------------------------------------------------------------- */ bl plat_set_my_stack + +#if STACK_PROTECTOR_ENABLED + .if \_init_c_runtime + bl update_stack_protector_canary + .endif /* _init_c_runtime */ +#endif .endm #endif /* __EL3_COMMON_MACROS_S__ */ diff --git a/include/common/aarch64/el3_common_macros.S b/include/common/aarch64/el3_common_macros.S index e085f9f1..5c6aa069 100644 --- a/include/common/aarch64/el3_common_macros.S +++ b/include/common/aarch64/el3_common_macros.S @@ -283,6 +283,12 @@ * --------------------------------------------------------------------- */ bl plat_set_my_stack + +#if STACK_PROTECTOR_ENABLED + .if \_init_c_runtime + bl update_stack_protector_canary + .endif /* _init_c_runtime */ +#endif .endm #endif /* __EL3_COMMON_MACROS_S__ */ diff --git a/include/common/debug.h b/include/common/debug.h index 41c8df0c..c6f211f3 100644 --- a/include/common/debug.h +++ b/include/common/debug.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2016, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -84,6 +84,9 @@ void __dead2 do_panic(void); #define panic() do_panic() +/* Function called when stack protection check code detects a corrupted stack */ +void __dead2 __stack_chk_fail(void); + void tf_printf(const char *fmt, ...) __printflike(1, 2); #endif /* __ASSEMBLY__ */ diff --git a/include/lib/utils.h b/include/lib/utils.h index 69bbb430..279c9135 100644 --- a/include/lib/utils.h +++ b/include/lib/utils.h @@ -42,6 +42,20 @@ #define BIT(nr) (1UL << (nr)) +#define MIN(x, y) __extension__ ({ \ + __typeof__(x) _x = (x); \ + __typeof__(y) _y = (y); \ + (void)(&_x == &_y); \ + _x < _y ? _x : _y; \ +}) + +#define MAX(x, y) __extension__ ({ \ + __typeof__(x) _x = (x); \ + __typeof__(y) _y = (y); \ + (void)(&_x == &_y); \ + _x > _y ? _x : _y; \ +}) + /* * The round_up() macro rounds up a value to the given boundary in a * type-agnostic yet type-safe manner. The boundary must be a power of two. diff --git a/include/plat/arm/board/common/board_css_def.h b/include/plat/arm/board/common/board_css_def.h index 65e3d32d..4b5e84dd 100644 --- a/include/plat/arm/board/common/board_css_def.h +++ b/include/plat/arm/board/common/board_css_def.h @@ -33,6 +33,7 @@ #include <common_def.h> #include <soc_css_def.h> +#include <utils.h> #include <v2m_def.h> /* diff --git a/include/plat/arm/common/arm_def.h b/include/plat/arm/common/arm_def.h index 8ce718af..43e0eb89 100644 --- a/include/plat/arm/common/arm_def.h +++ b/include/plat/arm/common/arm_def.h @@ -34,6 +34,7 @@ #include <common_def.h> #include <platform_def.h> #include <tbbr_img_def.h> +#include <utils.h> #include <xlat_tables_defs.h> diff --git a/include/plat/arm/soc/common/soc_css_def.h b/include/plat/arm/soc/common/soc_css_def.h index e83144ec..3b4cc79f 100644 --- a/include/plat/arm/soc/common/soc_css_def.h +++ b/include/plat/arm/soc/common/soc_css_def.h @@ -32,6 +32,7 @@ #define __SOC_CSS_DEF_H__ #include <common_def.h> +#include <utils.h> /* diff --git a/include/plat/common/platform.h b/include/plat/common/platform.h index 73bb6431..f13b30d8 100644 --- a/include/plat/common/platform.h +++ b/include/plat/common/platform.h @@ -72,6 +72,16 @@ uintptr_t plat_get_ns_image_entrypoint(void); unsigned int plat_my_core_pos(void); int plat_core_pos_by_mpidr(u_register_t mpidr); +#if STACK_PROTECTOR_ENABLED +/* + * Return a new value to be used for the stack protection's canary. + * + * Ideally, this value is a random number that is impossible to predict by an + * attacker. + */ +u_register_t plat_get_stack_protector_canary(void); +#endif /* STACK_PROTECTOR_ENABLED */ + /******************************************************************************* * Mandatory interrupt management functions ******************************************************************************/ @@ -326,7 +336,7 @@ int platform_setup_pm(const plat_pm_ops_t **); unsigned int plat_get_aff_count(unsigned int, unsigned long); unsigned int plat_get_aff_state(unsigned int, unsigned long); -#else +#else /* __ENABLE_PLAT_COMPAT__ */ /* * The below function enable Trusted Firmware components like SPDs which * haven't migrated to the new platform API to compile on platforms which @@ -335,4 +345,6 @@ unsigned int plat_get_aff_state(unsigned int, unsigned long); unsigned int platform_get_core_pos(unsigned long mpidr) __deprecated; #endif /* __ENABLE_PLAT_COMPAT__ */ + #endif /* __PLATFORM_H__ */ + diff --git a/lib/stack_protector/aarch32/asm_stack_protector.S b/lib/stack_protector/aarch32/asm_stack_protector.S new file mode 100644 index 00000000..9d2d77dc --- /dev/null +++ b/lib/stack_protector/aarch32/asm_stack_protector.S @@ -0,0 +1,58 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of ARM nor the names of its contributors may be used + * to endorse or promote products derived from this software without specific + * prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include <arch.h> +#include <asm_macros.S> +#include <assert_macros.S> + + .globl update_stack_protector_canary + +/* ----------------------------------------------------------------------- + * void update_stack_protector_canary(void) + * + * Change the value of the canary used for stack smashing attacks protection. + * Note: This must be called when it is safe to call C code, but this cannot be + * called by C code. Doing this will make the check fail when the calling + * function returns. + * ----------------------------------------------------------------------- + */ + +func update_stack_protector_canary + /* Use r4 as it is callee-saved */ + mov r4, lr + bl plat_get_stack_protector_canary + + /* Update the canary with the returned value */ + ldr r1, =__stack_chk_guard + str r0, [r1] + bx r4 +endfunc update_stack_protector_canary + + diff --git a/lib/stack_protector/aarch64/asm_stack_protector.S b/lib/stack_protector/aarch64/asm_stack_protector.S new file mode 100644 index 00000000..36f8f068 --- /dev/null +++ b/lib/stack_protector/aarch64/asm_stack_protector.S @@ -0,0 +1,58 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of ARM nor the names of its contributors may be used + * to endorse or promote products derived from this software without specific + * prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include <arch.h> +#include <asm_macros.S> +#include <assert_macros.S> + + .globl update_stack_protector_canary + +/* ----------------------------------------------------------------------- + * void update_stack_protector_canary(void) + * + * Change the value of the canary used for stack smashing attacks protection. + * Note: This must be called when it is safe to call C code, but this cannot be + * called by C code. Doing this will make the check fail when the calling + * function returns. + * ----------------------------------------------------------------------- + */ + +func update_stack_protector_canary + /* Use x19 as it is callee-saved */ + mov x19, x30 + bl plat_get_stack_protector_canary + + /* Update the canary with the returned value */ + adrp x1, __stack_chk_guard + str x0, [x1, #:lo12:__stack_chk_guard] + ret x19 +endfunc update_stack_protector_canary + + diff --git a/lib/stack_protector/stack_protector.c b/lib/stack_protector/stack_protector.c new file mode 100644 index 00000000..ccf2af48 --- /dev/null +++ b/lib/stack_protector/stack_protector.c @@ -0,0 +1,54 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of ARM nor the names of its contributors may be used + * to endorse or promote products derived from this software without specific + * prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ +#include <debug.h> +#include <platform.h> +#include <stdint.h> + +/* + * Canary value used by the compiler runtime checks to detect stack corruption. + * + * Force the canary to be in .data to allow predictable memory layout relatively + * to the stacks. + */ +u_register_t __attribute__((section(".data.stack_protector_canary"))) + __stack_chk_guard = (u_register_t) 3288484550995823360ULL; + +/* + * Function called when the stack's canary check fails, which means the stack + * was corrupted. It must not return. + */ +void __dead2 __stack_chk_fail(void) +{ +#if DEBUG + ERROR("Stack corruption detected\n"); +#endif + panic(); +} + diff --git a/lib/stack_protector/stack_protector.mk b/lib/stack_protector/stack_protector.mk new file mode 100644 index 00000000..03d47c47 --- /dev/null +++ b/lib/stack_protector/stack_protector.mk @@ -0,0 +1,43 @@ +# +# Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# Neither the name of ARM nor the names of its contributors may be used +# to endorse or promote products derived from this software without specific +# prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE +# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +# Boolean macro to be used in C code +STACK_PROTECTOR_ENABLED := 0 + +ifneq (${ENABLE_STACK_PROTECTOR},0) +STACK_PROTECTOR_ENABLED := 1 +BL_COMMON_SOURCES += lib/stack_protector/stack_protector.c \ + lib/stack_protector/${ARCH}/asm_stack_protector.S + +TF_CFLAGS += -fstack-protector-${ENABLE_STACK_PROTECTOR} +endif + +$(eval $(call add_define,STACK_PROTECTOR_ENABLED)) + diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index de506be5..e66f5112 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -90,6 +90,9 @@ ENABLE_PSCI_STAT := 0 # Flag to enable runtime instrumentation using PMF ENABLE_RUNTIME_INSTRUMENTATION := 0 +# Flag to enable stack corruption protection +ENABLE_STACK_PROTECTOR := 0 + # Build flag to treat usage of deprecated platform and framework APIs as error. ERROR_DEPRECATED := 0 diff --git a/plat/arm/board/fvp/fvp_stack_protector.c b/plat/arm/board/fvp/fvp_stack_protector.c new file mode 100644 index 00000000..0375c1e2 --- /dev/null +++ b/plat/arm/board/fvp/fvp_stack_protector.c @@ -0,0 +1,47 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of ARM nor the names of its contributors may be used + * to endorse or promote products derived from this software without specific + * prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include <arch_helpers.h> +#include <platform.h> +#include <stdint.h> + +#define RANDOM_CANARY_VALUE ((u_register_t) 3288484550995823360ULL) + +u_register_t plat_get_stack_protector_canary(void) +{ + /* + * Ideally, a random number should be returned instead of the + * combination of a timer's value and a compile-time constant. As the + * FVP does not have any random number generator, this is better than + * nothing but not necessarily really secure. + */ + return RANDOM_CANARY_VALUE ^ read_cntpct_el0(); +} + diff --git a/plat/arm/board/fvp/include/platform_def.h b/plat/arm/board/fvp/include/platform_def.h index bf5e03b0..4088e986 100644 --- a/plat/arm/board/fvp/include/platform_def.h +++ b/plat/arm/board/fvp/include/platform_def.h @@ -35,6 +35,7 @@ #include <board_arm_def.h> #include <common_def.h> #include <tzc400.h> +#include <utils.h> #include <v2m_def.h> #include "../fvp_def.h" diff --git a/plat/arm/board/fvp/platform.mk b/plat/arm/board/fvp/platform.mk index 9b827a6b..8bac0be9 100644 --- a/plat/arm/board/fvp/platform.mk +++ b/plat/arm/board/fvp/platform.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2013-2016, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: @@ -157,5 +157,9 @@ BL31_SOURCES += plat/arm/board/fvp/fvp_bl31_setup.c \ # Disable the PSCI platform compatibility layer ENABLE_PLAT_COMPAT := 0 +ifneq (${ENABLE_STACK_PROTECTOR},0) +PLAT_BL_COMMON_SOURCES += plat/arm/board/fvp/fvp_stack_protector.c +endif + include plat/arm/board/common/board_common.mk include plat/arm/common/arm_common.mk diff --git a/plat/arm/board/juno/juno_decl.h b/plat/arm/board/juno/juno_decl.h new file mode 100644 index 00000000..75ed5b03 --- /dev/null +++ b/plat/arm/board/juno/juno_decl.h @@ -0,0 +1,36 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of ARM nor the names of its contributors may be used + * to endorse or promote products derived from this software without specific + * prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef __JUNO_DECL_H__ +#define __JUNO_DECL_H__ + +int juno_getentropy(void *buf, size_t len); + +#endif /* __JUNO_DECL_H__ */ diff --git a/plat/arm/board/juno/juno_def.h b/plat/arm/board/juno/juno_def.h index f27bbb22..a8e9872b 100644 --- a/plat/arm/board/juno/juno_def.h +++ b/plat/arm/board/juno/juno_def.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014-2016, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2014-2017, ARM Limited and Contributors. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -75,6 +75,17 @@ #define TZC400_NSAID_CORESIGHT 12 /******************************************************************************* + * TRNG related constants + ******************************************************************************/ +#define TRNG_BASE 0x7FE60000ULL +#define TRNG_NOUTPUTS 4 +#define TRNG_STATUS 0x10 +#define TRNG_INTMASK 0x14 +#define TRNG_CONFIG 0x18 +#define TRNG_CONTROL 0x1C +#define TRNG_NBYTES 16 /* Number of bytes generated per round. */ + +/******************************************************************************* * MMU-401 related constants ******************************************************************************/ #define MMU401_SSD_OFFSET 0x4000 diff --git a/plat/arm/board/juno/juno_stack_protector.c b/plat/arm/board/juno/juno_stack_protector.c new file mode 100644 index 00000000..720a522e --- /dev/null +++ b/plat/arm/board/juno/juno_stack_protector.c @@ -0,0 +1,55 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of ARM nor the names of its contributors may be used + * to endorse or promote products derived from this software without specific + * prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include <arch_helpers.h> +#include <debug.h> +#include <utils.h> +#include "juno_decl.h" +#include "juno_def.h" + +u_register_t plat_get_stack_protector_canary(void) +{ + u_register_t c[TRNG_NBYTES / sizeof(u_register_t)]; + u_register_t ret = 0; + size_t i; + + if (juno_getentropy(c, sizeof(c)) != 0) { + ERROR("Not enough entropy to initialize canary value\n"); + panic(); + } + + /* + * On Juno we get 128-bits of entropy in one round. + * Fuse the values together to form the canary. + */ + for (i = 0; i < ARRAY_SIZE(c); i++) + ret ^= c[i]; + return ret; +} diff --git a/plat/arm/board/juno/juno_trng.c b/plat/arm/board/juno/juno_trng.c new file mode 100644 index 00000000..2fcddcdb --- /dev/null +++ b/plat/arm/board/juno/juno_trng.c @@ -0,0 +1,104 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of ARM nor the names of its contributors may be used + * to endorse or promote products derived from this software without specific + * prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include <assert.h> +#include <mmio.h> +#include <string.h> +#include <utils.h> +#include "juno_def.h" + +#define NSAMPLE_CLOCKS 1 /* min 1 cycle, max 231 cycles */ +#define NRETRIES 5 + +static inline int output_valid(void) +{ + int i; + + for (i = 0; i < NRETRIES; i++) { + uint32_t val; + + val = mmio_read_32(TRNG_BASE + TRNG_STATUS); + if (val & 1U) + break; + } + if (i >= NRETRIES) + return 0; /* No output data available. */ + return 1; +} + +/* + * This function fills `buf` with `len` bytes of entropy. + * It uses the Trusted Entropy Source peripheral on Juno. + * Returns 0 when the buffer has been filled with entropy + * successfully and -1 otherwise. + */ +int juno_getentropy(void *buf, size_t len) +{ + uint8_t *bp = buf; + + assert(buf); + assert(len); + assert(!check_uptr_overflow((uintptr_t)bp, len)); + + /* Disable interrupt mode. */ + mmio_write_32(TRNG_BASE + TRNG_INTMASK, 0); + /* Program TRNG to sample for `NSAMPLE_CLOCKS`. */ + mmio_write_32(TRNG_BASE + TRNG_CONFIG, NSAMPLE_CLOCKS); + + while (len > 0) { + int i; + + /* Start TRNG. */ + mmio_write_32(TRNG_BASE + TRNG_CONTROL, 1); + + /* Check if output is valid. */ + if (!output_valid()) + return -1; + + /* Fill entropy buffer. */ + for (i = 0; i < TRNG_NOUTPUTS; i++) { + size_t n; + uint32_t val; + + val = mmio_read_32(TRNG_BASE + i * sizeof(uint32_t)); + n = MIN(len, sizeof(uint32_t)); + memcpy(bp, &val, n); + bp += n; + len -= n; + if (len == 0) + break; + } + + /* Reset TRNG outputs. */ + mmio_write_32(TRNG_BASE + TRNG_STATUS, 1); + } + + return 0; +} diff --git a/plat/arm/board/juno/platform.mk b/plat/arm/board/juno/platform.mk index 7571582b..39977240 100644 --- a/plat/arm/board/juno/platform.mk +++ b/plat/arm/board/juno/platform.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2013-2016, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: @@ -39,8 +39,12 @@ JUNO_INTERCONNECT_SOURCES := drivers/arm/cci/cci.c \ JUNO_SECURITY_SOURCES := drivers/arm/tzc/tzc400.c \ plat/arm/board/juno/juno_security.c \ + plat/arm/board/juno/juno_trng.c \ plat/arm/common/arm_tzc400.c +ifneq (${ENABLE_STACK_PROTECTOR}, 0) +JUNO_SECURITY_SOURCES += plat/arm/board/juno/juno_stack_protector.c +endif PLAT_INCLUDES := -Iplat/arm/board/juno/include @@ -51,7 +55,8 @@ BL1_SOURCES += lib/cpus/aarch64/cortex_a53.S \ lib/cpus/aarch64/cortex_a72.S \ plat/arm/board/juno/juno_bl1_setup.c \ plat/arm/board/juno/juno_err.c \ - ${JUNO_INTERCONNECT_SOURCES} + ${JUNO_INTERCONNECT_SOURCES} \ + ${JUNO_SECURITY_SOURCES} BL2_SOURCES += plat/arm/board/juno/juno_err.c \ ${JUNO_SECURITY_SOURCES} @@ -67,11 +72,20 @@ BL31_SOURCES += lib/cpus/aarch64/cortex_a53.S \ ${JUNO_INTERCONNECT_SOURCES} \ ${JUNO_SECURITY_SOURCES} -# Enable workarounds for selected Cortex-A53 and A57 erratas. +# Enable workarounds for selected Cortex-A53 and A57 errata. ERRATA_A53_855873 := 1 ERRATA_A57_806969 := 0 ERRATA_A57_813419 := 1 ERRATA_A57_813420 := 1 +ERRATA_A57_826974 := 1 +ERRATA_A57_826977 := 1 +ERRATA_A57_828024 := 1 +ERRATA_A57_829520 := 1 +ERRATA_A57_833471 := 1 + +# Enable workarounds for selected Cortex-A53 errata. +ERRATA_A53_826319 := 1 +ERRATA_A53_836870 := 1 # Enable option to skip L1 data cache flush during the Cortex-A57 cluster # power down sequence diff --git a/plat/mediatek/mt6795/bl31.ld.S b/plat/mediatek/mt6795/bl31.ld.S index 472cd2e0..73d5fdf9 100644 --- a/plat/mediatek/mt6795/bl31.ld.S +++ b/plat/mediatek/mt6795/bl31.ld.S @@ -95,6 +95,11 @@ SECTIONS */ __RW_START__ = . ; + /* + * .data must be placed at a lower address than the stacks if the stack + * protector is enabled. Alternatively, the .data.stack_protector_canary + * section can be placed independently of the main .data section. + */ .data . : { __DATA_START__ = .; *(.data*) diff --git a/plat/rockchip/common/plat_pm.c b/plat/rockchip/common/plat_pm.c index 09c5397c..2d4dc99a 100644 --- a/plat/rockchip/common/plat_pm.c +++ b/plat/rockchip/common/plat_pm.c @@ -391,15 +391,6 @@ static void __dead2 rockchip_system_poweroff(void) rockchip_soc_system_off(); } -static void __dead2 rockchip_pd_pwr_down_wfi( - const psci_power_state_t *target_state) -{ - if (RK_SYSTEM_PWR_STATE(target_state) == PLAT_MAX_OFF_STATE) - rockchip_soc_sys_pd_pwr_dn_wfi(); - else - rockchip_soc_cores_pd_pwr_dn_wfi(target_state); -} - /******************************************************************************* * Export the platform handlers via plat_rockchip_psci_pm_ops. The rockchip * standard |