Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / b24c637678fd8a2766e59bc744f212901f1e2d0f^! / . / plat / arm / board / fvp / platform.mk
commitb24c637678fd8a2766e59bc744f212901f1e2d0f[log] [tgz]
authorManish V Badarkhe <Manish.Badarkhe@arm.com>Sun Jan 24 03:26:50 2021 +0000
committerManish V Badarkhe <Manish.Badarkhe@arm.com>Tue Feb 09 15:55:26 2021 +0000
treed4b21fc0041c15af7f0e5b4d4db34c27c6a3b006
parent2f4c044ca131ac33e34bc84b8304e4252d2a1e58 [diff] [blame]
plat/arm: fvp: Protect GICR frames for fused/unused cores

Currently, BLs are mapping the GIC memory region as read-write
for all cores on boot-up.

This opens up the security hole where the active core can write
the GICR frame of fused/inactive core. To avoid this issue, disable
the GICR frame of all inactive cores as below:

1. After primary CPU boots up, map GICR region of all cores as
   read-only.
2. After primary CPU boots up, map its GICR region as read-write
   and initialize its redistributor interface.
3. After secondary CPU boots up, map its GICR region as read-write
   and initialize its redistributor interface.
4. All unused/fused core's redistributor regions remain read-only and
   write attempt to such protected regions results in an exception.

As mentioned above, this patch offers only the GICR memory-mapped
region protection considering there is no facility at the GIC IP
level to avoid writing the redistributor area.

These changes are currently done in BL31 of Arm FVP and guarded under
the flag 'FVP_GICR_REGION_PROTECTION'.

As of now, this patch is tested manually as below:
1. Disable the FVP cores (core 1, 2, 3) with core 0 as an active core.
2. Verify data abort triggered by manually updating the ‘GICR_CTLR’
   register of core 1’s(fused) redistributor from core 0(active).

Change-Id: I86c99c7b41bae137b2011cf2ac17fad0a26e776d
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

diff --git a/plat/arm/board/fvp/platform.mk b/plat/arm/board/fvp/platform.mk
index 0a6fa56..6c09d72 100644
--- a/plat/arm/board/fvp/platform.mk
+++ b/plat/arm/board/fvp/platform.mk

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -16,6 +16,10 @@
 # Default number of threads per CPU on FVP
 FVP_MAX_PE_PER_CPU	:= 1
 
+# Disable redistributor frame of inactive/fused CPU cores by marking it as read
+# only; enable redistributor frames of all CPU cores by default.
+FVP_GICR_REGION_PROTECTION		:= 0
+
 FVP_DT_PREFIX		:= fvp-base-gicv3-psci
 
 # The FVP platform depends on this macro to build with correct GIC driver.
@@ -30,6 +34,9 @@
 # Pass FVP_MAX_PE_PER_CPU to the build system.
 $(eval $(call add_define,FVP_MAX_PE_PER_CPU))
 
+# Pass FVP_GICR_REGION_PROTECTION to the build system.
+$(eval $(call add_define,FVP_GICR_REGION_PROTECTION))
+
 # Sanity check the cluster count and if FVP_CLUSTER_COUNT <= 2,
 # choose the CCI driver , else the CCN driver
 ifeq ($(FVP_CLUSTER_COUNT), 0)