commit c0dc40e224c89595113d35dade50640e17a20603
author Jit Loon Lim <jit.loon.lim@intel.com> Fri Nov 17 10:36:30 2023 +0800
committer Sieu Mun Tang <sieu.mun.tang@intel.com> Fri Dec 15 01:48:04 2023 +0800
tree d51e2ab737bdb39990d2ae26ebd4e2d1dc1194cf
parent bb653a35a679202c4d2f37e7ca201e259e63a0eb

fix(intel): update fcs functions to check ddr range

The src addr and dest addr of fcs functions are not checked against
their valid ddr range. Thus adding the ddr range checking to avoid
overlap/overwritten ddr address.

Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I9b4d4155dd16d9d5d36e0c91e4a2600c17867daf

plat/intel/soc/common/sip/socfpga_sip_fcs.c

diff --git a/plat/intel/soc/common/sip/socfpga_sip_fcs.c b/plat/intel/soc/common/sip/socfpga_sip_fcs.c
index beaa720..843ec69 100644
--- a/plat/intel/soc/common/sip/socfpga_sip_fcs.c
+++ b/plat/intel/soc/common/sip/socfpga_sip_fcs.c
@@ -247,14 +247,6 @@
 	int status;
 	uint32_t load_size;
 
-	fcs_encrypt_payload payload = {
-		FCS_ENCRYPTION_DATA_0,
-		src_addr,
-		src_size,
-		dst_addr,
-		dst_size };
-	load_size = sizeof(payload) / MBOX_WORD_BYTE;
-
 	if (!is_address_in_ddr_range(src_addr, src_size) ||
 		!is_address_in_ddr_range(dst_addr, dst_size)) {
 		return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -264,6 +256,14 @@
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+	fcs_encrypt_payload payload = {
+		FCS_ENCRYPTION_DATA_0,
+		src_addr,
+		src_size,
+		dst_addr,
+		dst_size };
+	load_size = sizeof(payload) / MBOX_WORD_BYTE;
+
 	status = mailbox_send_cmd_async(send_id, MBOX_FCS_ENCRYPT_REQ,
 				(uint32_t *) &payload, load_size,
 				CMD_INDIRECT);
@@ -283,6 +283,15 @@
 	uint32_t load_size;
 	uintptr_t id_offset;
 
+	if (!is_address_in_ddr_range(src_addr, src_size) ||
+		!is_address_in_ddr_range(dst_addr, dst_size)) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
+	if (!is_size_4_bytes_aligned(src_size)) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	inv_dcache_range(src_addr, src_size); /* flush cache before mmio read to avoid reading old values */
 	id_offset = src_addr + FCS_OWNER_ID_OFFSET;
 	fcs_decrypt_payload payload = {
@@ -295,15 +304,6 @@
 		dst_size };
 	load_size = sizeof(payload) / MBOX_WORD_BYTE;
 
-	if (!is_address_in_ddr_range(src_addr, src_size) ||
-		!is_address_in_ddr_range(dst_addr, dst_size)) {
-		return INTEL_SIP_SMC_STATUS_REJECTED;
-	}
-
-	if (!is_size_4_bytes_aligned(src_size)) {
-		return INTEL_SIP_SMC_STATUS_REJECTED;
-	}
-
 	status = mailbox_send_cmd_async(send_id, MBOX_FCS_DECRYPT_REQ,
 				(uint32_t *) &payload, load_size,
 				CMD_INDIRECT);
@@ -2023,6 +2023,10 @@
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}
 
+	if (!is_address_in_ddr_range(dst_addr, *dst_size)) {
+		return INTEL_SIP_SMC_STATUS_REJECTED;
+	}
+
 	if (fcs_ecdsa_get_pubkey_param.session_id != session_id ||
 		fcs_ecdsa_get_pubkey_param.context_id != context_id) {
 		return INTEL_SIP_SMC_STATUS_REJECTED;
@@ -2234,7 +2238,8 @@
 	}
 
 	if ((!is_8_bytes_aligned(dst_addr)) ||
-		(!is_32_bytes_aligned(dst_size))) {
+		(!is_32_bytes_aligned(dst_size)) ||
+		(!is_address_in_ddr_range(dst_addr, dst_size))) {
 		return INTEL_SIP_SMC_STATUS_REJECTED;
 	}