mirror of
https://github.com/ARM-software/arm-trusted-firmware.git
synced 2025-04-13 16:14:20 +00:00
85bebe18da
The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
94 lines
2.3 KiB
C
94 lines
2.3 KiB
C
/*
|
|
* Copyright (c) 2019-2020, Socionext Inc. All rights reserved.
|
|
*
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
|
*/
|
|
|
|
#include <assert.h>
|
|
|
|
#include <drivers/console.h>
|
|
#include <errno.h>
|
|
#include <lib/mmio.h>
|
|
#include <plat/common/platform.h>
|
|
|
|
#include "uniphier.h"
|
|
#include "uniphier_console.h"
|
|
|
|
#define UNIPHIER_UART_OFFSET 0x100
|
|
#define UNIPHIER_UART_NR_PORTS 4
|
|
|
|
/* These callbacks are implemented in assembly to use crash_console_helpers.S */
|
|
int uniphier_console_putc(int character, struct console *console);
|
|
int uniphier_console_getc(struct console *console);
|
|
void uniphier_console_flush(struct console *console);
|
|
|
|
static console_t uniphier_console = {
|
|
.flags = CONSOLE_FLAG_BOOT |
|
|
#if DEBUG
|
|
CONSOLE_FLAG_RUNTIME |
|
|
#endif
|
|
CONSOLE_FLAG_CRASH |
|
|
CONSOLE_FLAG_TRANSLATE_CRLF,
|
|
.putc = uniphier_console_putc,
|
|
#if ENABLE_CONSOLE_GETC
|
|
.getc = uniphier_console_getc,
|
|
#endif
|
|
.flush = uniphier_console_flush,
|
|
};
|
|
|
|
static const uintptr_t uniphier_uart_base[] = {
|
|
[UNIPHIER_SOC_LD11] = 0x54006800,
|
|
[UNIPHIER_SOC_LD20] = 0x54006800,
|
|
[UNIPHIER_SOC_PXS3] = 0x54006800,
|
|
};
|
|
|
|
/*
|
|
* There are 4 UART ports available on this platform. By default, we want to
|
|
* use the same one as used in the previous firmware stage.
|
|
*/
|
|
static uintptr_t uniphier_console_get_base(unsigned int soc)
|
|
{
|
|
uintptr_t base, end;
|
|
uint32_t div;
|
|
|
|
assert(soc < ARRAY_SIZE(uniphier_uart_base));
|
|
base = uniphier_uart_base[soc];
|
|
end = base + UNIPHIER_UART_OFFSET * UNIPHIER_UART_NR_PORTS;
|
|
|
|
while (base < end) {
|
|
div = mmio_read_32(base + UNIPHIER_UART_DLR);
|
|
if (div)
|
|
return base;
|
|
base += UNIPHIER_UART_OFFSET;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void uniphier_console_init(uintptr_t base)
|
|
{
|
|
mmio_write_32(base + UNIPHIER_UART_FCR, UNIPHIER_UART_FCR_ENABLE_FIFO);
|
|
mmio_write_32(base + UNIPHIER_UART_LCR_MCR,
|
|
UNIPHIER_UART_LCR_WLEN8 << 8);
|
|
}
|
|
|
|
void uniphier_console_setup(unsigned int soc)
|
|
{
|
|
uintptr_t base;
|
|
|
|
base = uniphier_console_get_base(soc);
|
|
if (!base)
|
|
plat_error_handler(-EINVAL);
|
|
|
|
uniphier_console.base = base;
|
|
console_register(&uniphier_console);
|
|
|
|
/*
|
|
* The hardware might be still printing characters queued up in the
|
|
* previous firmware stage. Make sure the transmitter is empty before
|
|
* any initialization. Otherwise, the console might get corrupted.
|
|
*/
|
|
console_flush();
|
|
|
|
uniphier_console_init(base);
|
|
}
|