mirror of
https://github.com/ARM-software/arm-trusted-firmware.git
synced 2025-04-18 02:24:18 +00:00
85bebe18da
The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
97 lines
1.8 KiB
ArmAsm
97 lines
1.8 KiB
ArmAsm
/*
|
|
* Copyright (c) 2018-2020, ARM Limited and Contributors. All rights reserved.
|
|
*
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
|
*/
|
|
|
|
#include <arch.h>
|
|
#include <asm_macros.S>
|
|
#include <console_macros.S>
|
|
#include <assert_macros.S>
|
|
#include "imx_uart.h"
|
|
|
|
#define URXD 0x0 /* Receiver Register */
|
|
#define UTXD 0x40 /* Transmitter Register */
|
|
#define USR2 0x98 /* UART Status Register 2 */
|
|
#define UTS 0xb4 /* UART Test Register (mx31) */
|
|
#define URXD_RX_DATA (0xFF)
|
|
|
|
.globl console_imx_uart_register
|
|
.globl console_imx_uart_init
|
|
.globl console_imx_uart_putc
|
|
.globl console_imx_uart_getc
|
|
.globl console_imx_uart_flush
|
|
|
|
func console_imx_uart_register
|
|
mov x7, x30
|
|
mov x6, x3
|
|
cbz x6, register_fail
|
|
str x0, [x6, #CONSOLE_T_BASE]
|
|
|
|
bl console_imx_uart_init
|
|
cbz x0, register_fail
|
|
|
|
mov x0, x6
|
|
mov x30, x7
|
|
finish_console_register imx_uart putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
|
|
|
|
register_fail:
|
|
ret x7
|
|
endfunc console_imx_uart_register
|
|
|
|
func console_imx_uart_init
|
|
mov w0, #1
|
|
ret
|
|
endfunc console_imx_uart_init
|
|
|
|
func console_imx_uart_putc
|
|
ldr x1, [x1, #CONSOLE_T_BASE]
|
|
cbz x1, putc_error
|
|
|
|
/* Prepare '\r' to '\n' */
|
|
cmp w0, #0xA
|
|
b.ne 2f
|
|
1:
|
|
/* Check if the transmit FIFO is full */
|
|
ldr w2, [x1, #UTS]
|
|
tbnz w2, #4, 1b
|
|
mov w2, #0xD
|
|
str w2, [x1, #UTXD]
|
|
2:
|
|
/* Check if the transmit FIFO is full */
|
|
ldr w2, [x1, #UTS]
|
|
tbnz w2, #4, 2b
|
|
str w0, [x1, #UTXD]
|
|
ret
|
|
putc_error:
|
|
mov w0, #-1
|
|
ret
|
|
endfunc console_imx_uart_putc
|
|
|
|
func console_imx_uart_getc
|
|
ldr x0, [x0, #CONSOLE_T_BASE]
|
|
cbz x0, getc_error
|
|
1:
|
|
ldr w1, [x0, #UTS]
|
|
tbnz w1, #5, 1b
|
|
|
|
ldr w1, [x0, #URXD]
|
|
and w0, w1, #URXD_RX_DATA
|
|
|
|
ret
|
|
getc_error:
|
|
mov w0, #-1
|
|
ret
|
|
endfunc console_imx_uart_getc
|
|
|
|
func console_imx_uart_flush
|
|
ldr x0, [x0, #CONSOLE_T_BASE]
|
|
cbz x0, flush_exit
|
|
1:
|
|
/* Wait for the transmit complete bit */
|
|
ldr w1, [x0, #USR2]
|
|
tbz w1, #3, 1b
|
|
|
|
flush_exit:
|
|
ret
|
|
endfunc console_imx_uart_flush
|