mirror of
https://github.com/ARM-software/arm-trusted-firmware.git
synced 2025-04-16 17:44:19 +00:00
85bebe18da
The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
158 lines
3.8 KiB
C
158 lines
3.8 KiB
C
/*
|
|
* Copyright (c) 2015-2021, Xilinx Inc.
|
|
* Written by Michal Simek.
|
|
*
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are met:
|
|
*
|
|
* Redistributions of source code must retain the above copyright notice, this
|
|
* list of conditions and the following disclaimer.
|
|
*
|
|
* Redistributions in binary form must reproduce the above copyright notice,
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
* and/or other materials provided with the distribution.
|
|
*
|
|
* Neither the name of ARM nor the names of its contributors may be used
|
|
* to endorse or promote products derived from this software without specific
|
|
* prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <errno.h>
|
|
#include <stddef.h>
|
|
#include <arch_helpers.h>
|
|
#include <drivers/arm/dcc.h>
|
|
#include <drivers/console.h>
|
|
#include <drivers/delay_timer.h>
|
|
#include <lib/mmio.h>
|
|
|
|
/* DCC Status Bits */
|
|
#define DCC_STATUS_RX BIT(30)
|
|
#define DCC_STATUS_TX BIT(29)
|
|
#define TIMEOUT_COUNT_US U(0x10624)
|
|
|
|
struct dcc_console {
|
|
struct console console;
|
|
};
|
|
|
|
static inline uint32_t __dcc_getstatus(void)
|
|
{
|
|
return read_mdccsr_el0();
|
|
}
|
|
|
|
#if ENABLE_CONSOLE_GETC
|
|
static inline char __dcc_getchar(void)
|
|
{
|
|
char c;
|
|
|
|
c = read_dbgdtrrx_el0();
|
|
|
|
return c;
|
|
}
|
|
#endif
|
|
|
|
static inline void __dcc_putchar(char c)
|
|
{
|
|
/*
|
|
* The typecast is to make absolutely certain that 'c' is
|
|
* zero-extended.
|
|
*/
|
|
write_dbgdtrtx_el0((unsigned char)c);
|
|
}
|
|
|
|
static int32_t dcc_status_timeout(uint32_t mask)
|
|
{
|
|
const unsigned int timeout_count = TIMEOUT_COUNT_US;
|
|
uint64_t timeout;
|
|
unsigned int status;
|
|
|
|
timeout = timeout_init_us(timeout_count);
|
|
|
|
do {
|
|
status = (__dcc_getstatus() & mask);
|
|
if (timeout_elapsed(timeout)) {
|
|
return -ETIMEDOUT;
|
|
}
|
|
} while ((status != 0U));
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int32_t dcc_console_putc(int32_t ch, struct console *console)
|
|
{
|
|
unsigned int status;
|
|
|
|
status = dcc_status_timeout(DCC_STATUS_TX);
|
|
if (status != 0U) {
|
|
return status;
|
|
}
|
|
__dcc_putchar(ch);
|
|
|
|
return ch;
|
|
}
|
|
|
|
#if ENABLE_CONSOLE_GETC
|
|
static int32_t dcc_console_getc(struct console *console)
|
|
{
|
|
unsigned int status;
|
|
|
|
status = dcc_status_timeout(DCC_STATUS_RX);
|
|
if (status != 0U) {
|
|
return status;
|
|
}
|
|
|
|
return __dcc_getchar();
|
|
}
|
|
#endif
|
|
|
|
/**
|
|
* dcc_console_flush() - Function to force a write of all buffered data
|
|
* that hasn't been output.
|
|
* @console Console struct
|
|
*
|
|
*/
|
|
static void dcc_console_flush(struct console *console)
|
|
{
|
|
unsigned int status;
|
|
|
|
status = dcc_status_timeout(DCC_STATUS_TX);
|
|
if (status != 0U) {
|
|
return;
|
|
}
|
|
}
|
|
|
|
static struct dcc_console dcc_console = {
|
|
.console = {
|
|
.flags = CONSOLE_FLAG_BOOT |
|
|
CONSOLE_FLAG_RUNTIME,
|
|
.putc = dcc_console_putc,
|
|
#if ENABLE_CONSOLE_GETC
|
|
.getc = dcc_console_getc,
|
|
#endif
|
|
.flush = dcc_console_flush,
|
|
},
|
|
};
|
|
|
|
int console_dcc_register(void)
|
|
{
|
|
return console_register(&dcc_console.console);
|
|
}
|
|
|
|
void console_dcc_unregister(void)
|
|
{
|
|
dcc_console_flush(&dcc_console.console);
|
|
(void)console_unregister(&dcc_console.console);
|
|
}
|