From 274a69e7ca7769065efbc1b72fe16e1723269f54 Mon Sep 17 00:00:00 2001
From: Chris Kay
Date: Thu, 29 Sep 2022 16:21:24 +0100
Subject: [PATCH] build: forbid `ENABLE_RME=1` when `SEPARATE_CODE_AND_RODATA=0`

This change mitigates against read-only data being used for malicious execution on platforms utilizing the RME/CCA.

Change-Id: I0068535aeaa5d2515c7c54ee0dc19200c7a86ba5
Signed-off-by: Chris Kay
---
 Makefile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Makefile b/Makefile
index 6d15e27c2..65955b2a5 100644
--- a/Makefile
+++ b/Makefile
@@ -842,6 +842,12 @@ ifeq ($(DRTM_SUPPORT),1)
 $(info DRTM_SUPPORT is an experimental feature)
 endif
 
+ifeq (${ENABLE_RME},1)
+ ifneq (${SEPARATE_CODE_AND_RODATA},1)
+ $(error `ENABLE_RME=1` requires `SEPARATE_CODE_AND_RODATA=1`)
+ endif
+endif
+
 ################################################################################
 # Process platform overrideable behaviour
 ################################################################################
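Review bot: The rationale for the new `ifeq (${ENABLE_RME},1)` guard lives only in the commit message; in the Makefile a maintainer sees a bare `$(error …)` with no indication of why the combination is refused, which is exactly the kind of check that gets relaxed later "to make the build pass". A one-line comment above the block, `# RME/CCA: code and read-only data must be in separate sections so rodata is never mapped executable.`, keeps the reason next to the check. Evaluating this as a parse-time `$(error)` is the right place for it, provided nothing included after this point redefines `SEPARATE_CODE_AND_RODATA` — the section immediately following is headed "Process platform overrideable behaviour", so that ordering is worth confirming. Minor style: the neighbouring `DRTM_SUPPORT` check uses `$(…)` while the new block uses `${…}`; both work, but the section would read more consistently with one form.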