feat(security): add support for SLS mitigation
This patch enables support for the gcc compiler option "-mharden-sls",
the default is not to use this option. Setting HARDEN_SLS=1 sets
"-mharden-sls=all" that enables all hardening against straight line
speculation.
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I59f5963c22431571f5aebe7e0c5642b32362f4c9
diff --git a/Makefile b/Makefile
index 907ae21..ef01fef 100644
--- a/Makefile
+++ b/Makefile
@@ -312,6 +312,10 @@
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105523
TF_CFLAGS += $(call cc_option, --param=min-pagesize=0)
+ifeq ($(HARDEN_SLS), 1)
+ TF_CFLAGS_aarch64 += $(call cc_option, -mharden-sls=all)
+endif
+
else
# using clang
WARNINGS += -Wshift-overflow -Wshift-sign-overflow \
@@ -1179,6 +1183,7 @@
GENERATE_COT \
GICV2_G0_FOR_EL3 \
HANDLE_EA_EL3_FIRST_NS \
+ HARDEN_SLS \
HW_ASSISTED_COHERENCY \
MEASURED_BOOT \
DRTM_SUPPORT \
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index cd70a22..f0f1cac 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -748,6 +748,19 @@
MARCH_DIRECTIVE := -march=armv8.5-a
+- ``HARDEN_SLS``: used to pass -mharden-sls=all from the TF-A build
+ options to the compiler currently supporting only of the options.
+ GCC documentation:
+ https://gcc.gnu.org/onlinedocs/gcc/AArch64-Options.html#index-mharden-sls
+
+ An example usage:
+
+ .. code:: make
+
+ HARDEN_SLS := 1
+
+ This option defaults to 0.
+
- ``NON_TRUSTED_WORLD_KEY``: This option is used when ``GENERATE_COT=1``. It
specifies a file that contains the Non-Trusted World private key in PEM
format or a PKCS11 URI. If ``SAVE_KEYS=1``, only a file is accepted and it
diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk
index ea22655..57529ee 100644
--- a/make_helpers/defaults.mk
+++ b/make_helpers/defaults.mk
@@ -150,6 +150,10 @@
# Enable Handoff protocol using transfer lists
TRANSFER_LIST := 0
+# Enables support for the gcc compiler option "-mharden-sls=all".
+# By default, disables all SLS hardening.
+HARDEN_SLS := 0
+
# Secure hash algorithm flag, accepts 3 values: sha256, sha384 and sha512.
# The default value is sha256.
HASH_ALG := sha256