From 538516f5d3db6e2c30dfa9f0b82859389f529e78 Mon Sep 17 00:00:00 2001
From: Bipin Ravi <bipin.ravi@arm.com>
Date: Thu, 28 Sep 2023 13:17:24 -0500
Subject: [PATCH] feat(security): add support for SLS mitigation

This patch enables support for the gcc compiler option "-mharden-sls",
the default is not to use this option. Setting HARDEN_SLS=1 sets
"-mharden-sls=all" that enables all hardening against straight line
speculation.

Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I59f5963c22431571f5aebe7e0c5642b32362f4c9
---
 Makefile                               |  5 +++++
 docs/getting_started/build-options.rst | 13 +++++++++++++
 make_helpers/defaults.mk               |  4 ++++
 3 files changed, 22 insertions(+)

diff --git a/Makefile b/Makefile
index 907ae21d4..ef01fef6c 100644
--- a/Makefile
+++ b/Makefile
@@ -312,6 +312,10 @@ WARNINGS	+=		-Wunused-but-set-variable -Wmaybe-uninitialized	\
 # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105523
 TF_CFLAGS		+= 	$(call cc_option, --param=min-pagesize=0)
 
+ifeq ($(HARDEN_SLS), 1)
+        TF_CFLAGS_aarch64       +=      $(call cc_option, -mharden-sls=all)
+endif
+
 else
 # using clang
 WARNINGS	+=		-Wshift-overflow -Wshift-sign-overflow \
@@ -1179,6 +1183,7 @@ $(eval $(call assert_booleans,\
 	GENERATE_COT \
 	GICV2_G0_FOR_EL3 \
 	HANDLE_EA_EL3_FIRST_NS \
+	HARDEN_SLS \
 	HW_ASSISTED_COHERENCY \
 	MEASURED_BOOT \
 	DRTM_SUPPORT \
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index cd70a2275..f0f1cac30 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -748,6 +748,19 @@ Common build options
 
       MARCH_DIRECTIVE := -march=armv8.5-a
 
+-  ``HARDEN_SLS``: used to pass -mharden-sls=all from the TF-A build
+   options to the compiler currently supporting only of the options.
+   GCC documentation:
+   https://gcc.gnu.org/onlinedocs/gcc/AArch64-Options.html#index-mharden-sls
+
+   An example usage:
+
+   .. code:: make
+
+      HARDEN_SLS := 1
+
+   This option defaults to 0.
+
 -  ``NON_TRUSTED_WORLD_KEY``: This option is used when ``GENERATE_COT=1``. It
    specifies a file that contains the Non-Trusted World private key in PEM
    format or a PKCS11 URI. If ``SAVE_KEYS=1``, only a file is accepted and it
diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk
index ea22655ce..57529ee68 100644
--- a/make_helpers/defaults.mk
+++ b/make_helpers/defaults.mk
@@ -150,6 +150,10 @@ HANDLE_EA_EL3_FIRST_NS		:= 0
 # Enable Handoff protocol using transfer lists
 TRANSFER_LIST			:= 0
 
+# Enables support for the gcc compiler option "-mharden-sls=all".
+# By default, disables all SLS hardening.
+HARDEN_SLS			:= 0
+
 # Secure hash algorithm flag, accepts 3 values: sha256, sha384 and sha512.
 # The default value is sha256.
 HASH_ALG			:= sha256