diff --git a/Makefile b/Makefile index 81143e4d0..a10778560 100644 --- a/Makefile +++ b/Makefile @@ -308,6 +308,10 @@ WARNINGS += -Wunused-but-set-variable -Wmaybe-uninitialized \ # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105523 TF_CFLAGS += $(call cc_option, --param=min-pagesize=0) +ifeq ($(HARDEN_SLS), 1) + TF_CFLAGS_aarch64 += $(call cc_option, -mharden-sls=all) +endif + else # using clang WARNINGS += -Wshift-overflow -Wshift-sign-overflow \ @@ -1185,6 +1189,7 @@ $(eval $(call assert_booleans,\ GENERATE_COT \ GICV2_G0_FOR_EL3 \ HANDLE_EA_EL3_FIRST_NS \ + HARDEN_SLS \ HW_ASSISTED_COHERENCY \ MEASURED_BOOT \ DRTM_SUPPORT \ diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst index 599aed90b..7ca030079 100644 --- a/docs/getting_started/build-options.rst +++ b/docs/getting_started/build-options.rst @@ -671,6 +671,19 @@ Common build options MARCH_DIRECTIVE := -march=armv8.5-a +- ``HARDEN_SLS``: used to pass -mharden-sls=all from the TF-A build + options to the compiler currently supporting only of the options. + GCC documentation: + https://gcc.gnu.org/onlinedocs/gcc/AArch64-Options.html#index-mharden-sls + + An example usage: + + .. code:: make + + HARDEN_SLS := 1 + + This option defaults to 0. + - ``NON_TRUSTED_WORLD_KEY``: This option is used when ``GENERATE_COT=1``. It specifies a file that contains the Non-Trusted World private key in PEM format or a PKCS11 URI. If ``SAVE_KEYS=1``, only a file is accepted and it diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index 3ff0aaf1d..8829fcb0e 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -150,6 +150,10 @@ HANDLE_EA_EL3_FIRST_NS := 0 # Enable Handoff protocol using transfer lists TRANSFER_LIST := 0 +# Enables support for the gcc compiler option "-mharden-sls=all". +# By default, disables all SLS hardening. +HARDEN_SLS := 0 + # Secure hash algorithm flag, accepts 3 values: sha256, sha384 and sha512. # The default value is sha256. HASH_ALG := sha256