andrius
/
arm-trusted-firmware
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
arm-trusted-firmware/lib/xlat_tables_v2/ro_xlat_tables.mk

42 lines
1.5 KiB
Makefile
Raw Permalink Normal View History

Read-only xlat tables for BL31 memory This patch introduces a build flag which allows the xlat tables to be mapped in a read-only region within BL31 memory. It makes it much harder for someone who has acquired the ability to write to arbitrary secure memory addresses to gain control of the translation tables. The memory attributes of the descriptors describing the tables themselves are changed to read-only secure data. This change happens at the end of BL31 runtime setup. Until this point, the tables have read-write permissions. This gives a window of opportunity for changes to be made to the tables with the MMU on (e.g. reclaiming init code). No changes can be made to the tables with the MMU turned on from this point onwards. This change is also enabled for sp_min and tspd. To make all this possible, the base table was moved to .rodata. The penalty we pay is that now .rodata must be aligned to the size of the base table (512B alignment). Still, this is better than putting the base table with the higher level tables in the xlat_table section, as that would cost us a full 4KB page. Changing the tables from read-write to read-only cannot be done with the MMU on, as the break-before-make sequence would invalidate the descriptor which resolves the level 3 page table where that very descriptor is located. This would make the translation required for writing the changes impossible, generating an MMU fault. The caches are also flushed. Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com> Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
2019-11-07 15:18:03 +00:00
#
feat(spmc): prevent read only xlat tables with the EL3 SPMC If using the EL3 SPMC ensure that we don't mark the translation tables as read only. The SPMC requires the ability to map and unmap a partitions RX/TX buffers at runtime. Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com> Signed-off-by: Marc Bonnici <marc.bonnici@arm.com> Change-Id: Ibb78a6a2e3847ce4ec74ce81a9bb61ce34fec24c
2021-03-06 06:13:06 +00:00
# Copyright (c) 2020-2022, ARM Limited. All rights reserved.
Read-only xlat tables for BL31 memory This patch introduces a build flag which allows the xlat tables to be mapped in a read-only region within BL31 memory. It makes it much harder for someone who has acquired the ability to write to arbitrary secure memory addresses to gain control of the translation tables. The memory attributes of the descriptors describing the tables themselves are changed to read-only secure data. This change happens at the end of BL31 runtime setup. Until this point, the tables have read-write permissions. This gives a window of opportunity for changes to be made to the tables with the MMU on (e.g. reclaiming init code). No changes can be made to the tables with the MMU turned on from this point onwards. This change is also enabled for sp_min and tspd. To make all this possible, the base table was moved to .rodata. The penalty we pay is that now .rodata must be aligned to the size of the base table (512B alignment). Still, this is better than putting the base table with the higher level tables in the xlat_table section, as that would cost us a full 4KB page. Changing the tables from read-write to read-only cannot be done with the MMU on, as the break-before-make sequence would invalidate the descriptor which resolves the level 3 page table where that very descriptor is located. This would make the translation required for writing the changes impossible, generating an MMU fault. The caches are also flushed. Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com> Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
2019-11-07 15:18:03 +00:00
#
# SPDX-License-Identifier: BSD-3-Clause
#
ifeq (${USE_DEBUGFS}, 1)
$(error "Debugfs requires functionality from the dynamic translation \
library and is incompatible with ALLOW_RO_XLAT_TABLES.")
endif
ifeq (${ARCH},aarch32)
ifeq (${RESET_TO_SP_MIN},1)
$(error "RESET_TO_SP_MIN requires functionality from the dynamic \
translation library and is incompatible with \
ALLOW_RO_XLAT_TABLES.")
endif
else # if AArch64
ifeq (${PLAT},tegra)
$(error "Tegra requires functionality from the dynamic translation \
library and is incompatible with ALLOW_RO_XLAT_TABLES.")
endif
ifeq (${RESET_TO_BL31},1)
$(error "RESET_TO_BL31 requires functionality from the dynamic \
translation library and is incompatible with \
ALLOW_RO_XLAT_TABLES.")
endif
ifeq (${SPD},trusty)
$(error "Trusty requires functionality from the dynamic translation \
library and is incompatible with ALLOW_RO_XLAT_TABLES.")
endif
ifeq (${SPM_MM},1)
$(error "SPM_MM requires functionality to change memory region \
attributes, which is not possible once the translation tables \
have been made read-only.")
endif
feat(spmc): prevent read only xlat tables with the EL3 SPMC If using the EL3 SPMC ensure that we don't mark the translation tables as read only. The SPMC requires the ability to map and unmap a partitions RX/TX buffers at runtime. Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com> Signed-off-by: Marc Bonnici <marc.bonnici@arm.com> Change-Id: Ibb78a6a2e3847ce4ec74ce81a9bb61ce34fec24c
2021-03-06 06:13:06 +00:00
ifeq (${SPMC_AT_EL3},1)
$(error "EL3 SPMC requires functionality from the dynamic translation \
library and is incompatible with ALLOW_RO_XLAT_TABLES.")
endif
Read-only xlat tables for BL31 memory This patch introduces a build flag which allows the xlat tables to be mapped in a read-only region within BL31 memory. It makes it much harder for someone who has acquired the ability to write to arbitrary secure memory addresses to gain control of the translation tables. The memory attributes of the descriptors describing the tables themselves are changed to read-only secure data. This change happens at the end of BL31 runtime setup. Until this point, the tables have read-write permissions. This gives a window of opportunity for changes to be made to the tables with the MMU on (e.g. reclaiming init code). No changes can be made to the tables with the MMU turned on from this point onwards. This change is also enabled for sp_min and tspd. To make all this possible, the base table was moved to .rodata. The penalty we pay is that now .rodata must be aligned to the size of the base table (512B alignment). Still, this is better than putting the base table with the higher level tables in the xlat_table section, as that would cost us a full 4KB page. Changing the tables from read-write to read-only cannot be done with the MMU on, as the break-before-make sequence would invalidate the descriptor which resolves the level 3 page table where that very descriptor is located. This would make the translation required for writing the changes impossible, generating an MMU fault. The caches are also flushed. Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com> Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
2019-11-07 15:18:03 +00:00
endif