
The ability to read a character from the console constitutes an attack vector into TF-A, as it gives attackers a means to inject arbitrary data into TF-A. It is dangerous to keep that feature enabled if not strictly necessary, especially in production firmware builds.

Thus, we need a way to disable this feature. Moreover, when it is disabled, all related code should be eliminated from the firmware binaries, such that no remnant/dead getc() code remains in memory, which could otherwise be used as a gadget as part of a bigger security attack.

This patch disables the getc() feature by default. For legitimate getc() use cases [1], it can be explicitly enabled by building TF-A with ENABLE_CONSOLE_GETC=1.

The following changes are introduced when getc() is disabled:

- The multi-console framework no longer provides the console_getc() function.

- If the console driver selected by the platform attempts to register a getc() callback into the multi-console framework then TF-A will now fail to build.

  If registered through the assembly function finish_console_register():
  - On AArch64, you'll get:
      Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
  - On AArch32, you'll get:
      Error: internal_relocation (type: OFFSET_IMM) not fixed up

  If registered through the C function console_register(), this requires populating a struct console with a getc field, which will trigger:
      error: 'console_t' {aka 'struct console'} has no member named 'getc'

- All console drivers which previously registered a getc() callback have been modified to do so only when ENABLE_CONSOLE_GETC=1.

[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here: https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/ Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Acked-by: Baruch Siach <baruch@tkos.co.il>
/*
* Copyright (c) 2018-2019, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#ifndef CONSOLE_MACROS_S
#define CONSOLE_MACROS_S
#include <drivers/console.h>
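/*
 * This macro encapsulates the common setup that has to be done at the end of
 * a console driver's register function. It registers all of the driver's
 * callbacks in the console_t structure and initializes the flags field (by
 * default consoles are enabled for the "boot" and "crash" states; this can be
 * changed after registration with the console_set_scope() function). It ends
 * with a tail call (a plain branch to console_register) that will include the
 * return to the caller.
 *
 * Arguments:
 *   _driver  - driver name; the callbacks are referenced as
 *              console_<_driver>_putc, console_<_driver>_getc and
 *              console_<_driver>_flush.
 *   putc, getc, flush
 *            - non-zero to register the corresponding callback, 0 (the
 *              default) to store a null entry instead.
 *
 * REQUIRES console_t pointer in r0 and a valid return address in lr.
 * Clobbers r1.
 */
	.macro finish_console_register _driver, putc=0, getc=0, flush=0
	/*
	 * If any of the callbacks is not specified or is set to 0, then the
	 * corresponding callback entry in console_t is set to 0.
	 */
	.ifne \putc
	  ldr	r1, =console_\_driver\()_putc
	.else
	  mov	r1, #0
	.endif
	str	r1, [r0, #CONSOLE_T_PUTC]

	/*
	 * Reading from the console is an input path into the firmware, so a
	 * getc callback may only be registered when the build sets
	 * ENABLE_CONSOLE_GETC. Requesting one in any other build stops the
	 * assembly with an explicit diagnostic, rather than depending on
	 * CONSOLE_T_GETC being undefined in that configuration (which only
	 * produces an indirect relocation/undefined-symbol error and would
	 * stop guarding anything if the offset ever became defined).
	 * When no getc callback is requested, the getc entry is cleared only
	 * if ENABLE_CONSOLE_GETC is set; otherwise nothing is stored.
	 */
	.ifne \getc
#if ENABLE_CONSOLE_GETC
	  ldr	r1, =console_\_driver\()_getc
	  str	r1, [r0, #CONSOLE_T_GETC]
#else
	  .error "getc callback registered but ENABLE_CONSOLE_GETC is not set"
#endif
	.else
#if ENABLE_CONSOLE_GETC
	  mov	r1, #0
	  str	r1, [r0, #CONSOLE_T_GETC]
#endif
	.endif

	.ifne \flush
	  ldr	r1, =console_\_driver\()_flush
	.else
	  mov	r1, #0
	.endif
	str	r1, [r0, #CONSOLE_T_FLUSH]

	/* Default scope: console is active in the "boot" and "crash" states. */
	mov	r1, #(CONSOLE_FLAG_BOOT | CONSOLE_FLAG_CRASH)
	str	r1, [r0, #CONSOLE_T_FLAGS]
	/* Tail call: branch without link, so lr still holds the caller's return address. */
	b	console_register
	.endm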
#endif /* CONSOLE_MACROS_S */