refactor(console): disable getc() by default
The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
diff --git a/Makefile b/Makefile
index 464544f..94dfc3e 100644
--- a/Makefile
+++ b/Makefile
@@ -1223,6 +1223,7 @@
CONDITIONAL_CMO \
RAS_FFH_SUPPORT \
PSA_CRYPTO \
+ ENABLE_CONSOLE_GETC \
)))
# Numeric_Flags
@@ -1414,6 +1415,7 @@
SVE_VECTOR_LEN \
ENABLE_SPMD_LP \
PSA_CRYPTO \
+ ENABLE_CONSOLE_GETC \
)))
ifeq (${SANITIZE_UB},trap)
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index 34d83f2..c045a6a 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -1191,6 +1191,12 @@
per the `PSA Crypto API specification`_. This feature is only supported if
using MbedTLS 3.x version. By default it is disabled (``0``).
+- ``ENABLE_CONSOLE_GETC``: Boolean option to enable `getc()` feature in console
+ driver(s). By default it is disabled (``0``) because it constitutes an attack
+ vector into TF-A by potentially allowing an attacker to inject arbitrary data.
+ This option should only be enabled on a need basis if there is a use case for
+ reading characters from the console.
+
GICv3 driver options
--------------------
diff --git a/docs/process/security-hardening.rst b/docs/process/security-hardening.rst
index f9618db..eace467 100644
--- a/docs/process/security-hardening.rst
+++ b/docs/process/security-hardening.rst
@@ -135,6 +135,16 @@
it is recommended to develop against ``W=2`` (which will eventually become the
default).
+Additional guidelines are provided below for some security-related build
+options:
+
+- The ``ENABLE_CONSOLE_GETC`` build flag should be set to 0 to disable the
+ `getc()` feature, which allows the firmware to read characters from the
+ console. Keeping this feature enabled is considered dangerous from a security
+ point of view because it potentially allows an attacker to inject arbitrary
+ data into the firmware. It should only be enabled on a need basis if there is
+ a use case for it, for example in a testing or factory environment.
+
.. rubric:: References
- `Arm ARM`_
diff --git a/drivers/amlogic/console/aarch64/meson_console.S b/drivers/amlogic/console/aarch64/meson_console.S
index 6d0a2d6..d955d83 100644
--- a/drivers/amlogic/console/aarch64/meson_console.S
+++ b/drivers/amlogic/console/aarch64/meson_console.S
@@ -69,7 +69,7 @@
mov x0, x6
mov x30, x7
- finish_console_register meson putc=1, getc=1, flush=1
+ finish_console_register meson putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
ret x7
diff --git a/drivers/arm/dcc/dcc_console.c b/drivers/arm/dcc/dcc_console.c
index 8d9f793..d8f9462 100644
--- a/drivers/arm/dcc/dcc_console.c
+++ b/drivers/arm/dcc/dcc_console.c
@@ -53,6 +53,7 @@
return read_mdccsr_el0();
}
+#if ENABLE_CONSOLE_GETC
static inline char __dcc_getchar(void)
{
char c;
@@ -61,6 +62,7 @@
return c;
}
+#endif
static inline void __dcc_putchar(char c)
{
@@ -102,6 +104,7 @@
return ch;
}
+#if ENABLE_CONSOLE_GETC
static int32_t dcc_console_getc(struct console *console)
{
unsigned int status;
@@ -113,6 +116,7 @@
return __dcc_getchar();
}
+#endif
/**
* dcc_console_flush() - Function to force a write of all buffered data
@@ -135,7 +139,9 @@
.flags = CONSOLE_FLAG_BOOT |
CONSOLE_FLAG_RUNTIME,
.putc = dcc_console_putc,
+#if ENABLE_CONSOLE_GETC
.getc = dcc_console_getc,
+#endif
.flush = dcc_console_flush,
},
};
diff --git a/drivers/arm/pl011/aarch32/pl011_console.S b/drivers/arm/pl011/aarch32/pl011_console.S
index 9caeb0c..b7d1747 100644
--- a/drivers/arm/pl011/aarch32/pl011_console.S
+++ b/drivers/arm/pl011/aarch32/pl011_console.S
@@ -116,7 +116,7 @@
mov r0, r4
pop {r4, lr}
- finish_console_register pl011 putc=1, getc=1, flush=1
+ finish_console_register pl011 putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
pop {r4, pc}
diff --git a/drivers/arm/pl011/aarch64/pl011_console.S b/drivers/arm/pl011/aarch64/pl011_console.S
index 861d2ed..8cb0122 100644
--- a/drivers/arm/pl011/aarch64/pl011_console.S
+++ b/drivers/arm/pl011/aarch64/pl011_console.S
@@ -103,7 +103,7 @@
mov x0, x6
mov x30, x7
- finish_console_register pl011 putc=1, getc=1, flush=1
+ finish_console_register pl011 putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
ret x7
diff --git a/drivers/cadence/uart/aarch64/cdns_console.S b/drivers/cadence/uart/aarch64/cdns_console.S
index 1bdaa48..d2dd0a8 100644
--- a/drivers/cadence/uart/aarch64/cdns_console.S
+++ b/drivers/cadence/uart/aarch64/cdns_console.S
@@ -79,7 +79,7 @@
mov x0, x6
mov x30, x7
- finish_console_register cdns putc=1, getc=1, flush=1
+ finish_console_register cdns putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
ret x7
diff --git a/drivers/console/aarch32/skeleton_console.S b/drivers/console/aarch32/skeleton_console.S
index a9e13ec..05a5985 100644
--- a/drivers/console/aarch32/skeleton_console.S
+++ b/drivers/console/aarch32/skeleton_console.S
@@ -63,7 +63,7 @@
* If any of the argument is unspecified, then the corresponding
* entry in console_t is set to 0.
*/
- finish_console_register xxx putc=1, getc=1, flush=1
+ finish_console_register xxx putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
/* Jump here if hardware init fails or parameters are invalid. */
register_fail:
diff --git a/drivers/console/aarch64/skeleton_console.S b/drivers/console/aarch64/skeleton_console.S
index 7ea2eec..3310d28 100644
--- a/drivers/console/aarch64/skeleton_console.S
+++ b/drivers/console/aarch64/skeleton_console.S
@@ -63,7 +63,7 @@
* If any of the argument is unspecified, then the corresponding
* entry in console_t is set to 0.
*/
- finish_console_register xxx putc=1, getc=1, flush=1
+ finish_console_register xxx putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
/* Jump here if hardware init fails or parameters are invalid. */
register_fail:
diff --git a/drivers/console/multi_console.c b/drivers/console/multi_console.c
index 93c38d8..e962fff 100644
--- a/drivers/console/multi_console.c
+++ b/drivers/console/multi_console.c
@@ -108,6 +108,7 @@
return EOF;
}
+#if ENABLE_CONSOLE_GETC
int console_getc(void)
{
int err = ERROR_NO_VALID_CONSOLE;
@@ -127,6 +128,7 @@
return err;
}
+#endif
void console_flush(void)
{
diff --git a/drivers/marvell/uart/a3700_console.S b/drivers/marvell/uart/a3700_console.S
index c7eb165..a1eacbc 100644
--- a/drivers/marvell/uart/a3700_console.S
+++ b/drivers/marvell/uart/a3700_console.S
@@ -140,7 +140,7 @@
mov x0, x6
mov x30, x7
- finish_console_register a3700, putc=1, getc=1, flush=1
+ finish_console_register a3700, putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
ret x7
diff --git a/drivers/nxp/console/16550_console.S b/drivers/nxp/console/16550_console.S
index 044d3d0..b5617a3 100644
--- a/drivers/nxp/console/16550_console.S
+++ b/drivers/nxp/console/16550_console.S
@@ -167,7 +167,7 @@
register_16550:
mov x0, x6
mov x30, x7
- finish_console_register 16550 putc=1, getc=1, flush=1
+ finish_console_register 16550 putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
ret x7
diff --git a/drivers/ti/uart/aarch32/16550_console.S b/drivers/ti/uart/aarch32/16550_console.S
index 0429f87..898a68d 100644
--- a/drivers/ti/uart/aarch32/16550_console.S
+++ b/drivers/ti/uart/aarch32/16550_console.S
@@ -124,7 +124,7 @@
register_16550:
mov r0, r4
pop {r4, lr}
- finish_console_register 16550 putc=1, getc=1, flush=1
+ finish_console_register 16550 putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
pop {r4, pc}
diff --git a/drivers/ti/uart/aarch64/16550_console.S b/drivers/ti/uart/aarch64/16550_console.S
index cb21512..2b1b5a9 100644
--- a/drivers/ti/uart/aarch64/16550_console.S
+++ b/drivers/ti/uart/aarch64/16550_console.S
@@ -118,7 +118,7 @@
register_16550:
mov x0, x6
mov x30, x7
- finish_console_register 16550 putc=1, getc=1, flush=1
+ finish_console_register 16550 putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
ret x7
diff --git a/include/arch/aarch32/console_macros.S b/include/arch/aarch32/console_macros.S
index 996cb32..726b281 100644
--- a/include/arch/aarch32/console_macros.S
+++ b/include/arch/aarch32/console_macros.S
@@ -29,12 +29,20 @@
.endif
str r1, [r0, #CONSOLE_T_PUTC]
+ /*
+ * If ENABLE_CONSOLE_GETC support is disabled, but a getc callback is
+ * specified nonetheless, the assembler will abort on encountering the
+ * CONSOLE_T_GETC macro, which is undefined.
+ */
.ifne \getc
ldr r1, =console_\_driver\()_getc
+ str r1, [r0, #CONSOLE_T_GETC]
.else
+#if ENABLE_CONSOLE_GETC
mov r1, #0
+ str r1, [r0, #CONSOLE_T_GETC]
+#endif
.endif
- str r1, [r0, #CONSOLE_T_GETC]
.ifne \flush
ldr r1, =console_\_driver\()_flush
diff --git a/include/arch/aarch64/console_macros.S b/include/arch/aarch64/console_macros.S
index 3285d85..8adb9cd 100644
--- a/include/arch/aarch64/console_macros.S
+++ b/include/arch/aarch64/console_macros.S
@@ -30,12 +30,19 @@
str xzr, [x0, #CONSOLE_T_PUTC]
.endif
+ /*
+ * If ENABLE_CONSOLE_GETC support is disabled, but a getc callback is
+ * specified nonetheless, the assembler will abort on encountering the
+ * CONSOLE_T_GETC macro, which is undefined.
+ */
.ifne \getc
adrp x1, console_\_driver\()_getc
add x1, x1, :lo12:console_\_driver\()_getc
str x1, [x0, #CONSOLE_T_GETC]
.else
+#if ENABLE_CONSOLE_GETC
str xzr, [x0, #CONSOLE_T_GETC]
+#endif
.endif
.ifne \flush
diff --git a/include/drivers/console.h b/include/drivers/console.h
index f499571..fa4eb94 100644
--- a/include/drivers/console.h
+++ b/include/drivers/console.h
@@ -12,10 +12,16 @@
#define CONSOLE_T_NEXT (U(0) * REGSZ)
#define CONSOLE_T_FLAGS (U(1) * REGSZ)
#define CONSOLE_T_PUTC (U(2) * REGSZ)
+#if ENABLE_CONSOLE_GETC
#define CONSOLE_T_GETC (U(3) * REGSZ)
#define CONSOLE_T_FLUSH (U(4) * REGSZ)
#define CONSOLE_T_BASE (U(5) * REGSZ)
#define CONSOLE_T_DRVDATA (U(6) * REGSZ)
+#else
+#define CONSOLE_T_FLUSH (U(3) * REGSZ)
+#define CONSOLE_T_BASE (U(4) * REGSZ)
+#define CONSOLE_T_DRVDATA (U(5) * REGSZ)
+#endif
#define CONSOLE_FLAG_BOOT (U(1) << 0)
#define CONSOLE_FLAG_RUNTIME (U(1) << 1)
@@ -42,7 +48,9 @@
*/
u_register_t flags;
int (*const putc)(int character, struct console *console);
+#if ENABLE_CONSOLE_GETC
int (*const getc)(struct console *console);
+#endif
void (*const flush)(struct console *console);
uintptr_t base;
/* Additional private driver data may follow here. */
@@ -75,8 +83,10 @@
void console_switch_state(unsigned int new_state);
/* Output a character on all consoles registered for the current state. */
int console_putc(int c);
+#if ENABLE_CONSOLE_GETC
/* Read a character (blocking) from any console registered for current state. */
int console_getc(void);
+#endif
/* Flush all consoles registered for the current state. */
void console_flush(void);
diff --git a/include/drivers/console_assertions.h b/include/drivers/console_assertions.h
index 00caa31..9f06573 100644
--- a/include/drivers/console_assertions.h
+++ b/include/drivers/console_assertions.h
@@ -19,8 +19,10 @@
assert_console_t_flags_offset_mismatch);
CASSERT(CONSOLE_T_PUTC == __builtin_offsetof(console_t, putc),
assert_console_t_putc_offset_mismatch);
+#if ENABLE_CONSOLE_GETC
CASSERT(CONSOLE_T_GETC == __builtin_offsetof(console_t, getc),
assert_console_t_getc_offset_mismatch);
+#endif
CASSERT(CONSOLE_T_FLUSH == __builtin_offsetof(console_t, flush),
assert_console_t_flush_offset_mismatch);
CASSERT(CONSOLE_T_DRVDATA == sizeof(console_t),
diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk
index 321ae9f..f31365a 100644
--- a/make_helpers/defaults.mk
+++ b/make_helpers/defaults.mk
@@ -362,3 +362,8 @@
# By default, disable PSA crypto (use MbedTLS legacy crypto API).
PSA_CRYPTO := 0
+
+# getc() support from the console(s).
+# Disabled by default because it constitutes an attack vector into TF-A. It
+# should only be enabled if there is a use case for it.
+ENABLE_CONSOLE_GETC := 0
diff --git a/plat/imx/common/aarch32/imx_uart_console.S b/plat/imx/common/aarch32/imx_uart_console.S
index 1a1229a..2a35b5e 100644
--- a/plat/imx/common/aarch32/imx_uart_console.S
+++ b/plat/imx/common/aarch32/imx_uart_console.S
@@ -28,7 +28,7 @@
mov r0, r4
pop {r4, lr}
- finish_console_register imx_uart putc=1, getc=1, flush=1
+ finish_console_register imx_uart putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
pop {r4, pc}
diff --git a/plat/imx/common/imx_uart_console.S b/plat/imx/common/imx_uart_console.S
index 4d17288..560db15 100644
--- a/plat/imx/common/imx_uart_console.S
+++ b/plat/imx/common/imx_uart_console.S
@@ -33,7 +33,7 @@
mov x0, x6
mov x30, x7
- finish_console_register imx_uart putc=1, getc=1, flush=1
+ finish_console_register imx_uart putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
ret x7
diff --git a/plat/imx/common/lpuart_console.S b/plat/imx/common/lpuart_console.S
index ff01e35..7acf773 100644
--- a/plat/imx/common/lpuart_console.S
+++ b/plat/imx/common/lpuart_console.S
@@ -27,7 +27,7 @@
mov x0, x6
mov x30, x7
- finish_console_register lpuart putc=1, getc=1, flush=1
+ finish_console_register lpuart putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
ret x7
diff --git a/plat/nvidia/tegra/drivers/spe/shared_console.S b/plat/nvidia/tegra/drivers/spe/shared_console.S
index d1b18dd..5ad4eb8 100644
--- a/plat/nvidia/tegra/drivers/spe/shared_console.S
+++ b/plat/nvidia/tegra/drivers/spe/shared_console.S
@@ -71,7 +71,7 @@
cbz x3, register_fail
str x0, [x3, #CONSOLE_T_BASE]
mov x0, x3
- finish_console_register spe putc=1, getc=1, flush=1
+ finish_console_register spe putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
register_fail:
mov w0, wzr
diff --git a/plat/socionext/uniphier/uniphier_console_setup.c b/plat/socionext/uniphier/uniphier_console_setup.c
index 9fda26e..9268f5d 100644
--- a/plat/socionext/uniphier/uniphier_console_setup.c
+++ b/plat/socionext/uniphier/uniphier_console_setup.c
@@ -30,7 +30,9 @@
CONSOLE_FLAG_CRASH |
CONSOLE_FLAG_TRANSLATE_CRLF,
.putc = uniphier_console_putc,
+#if ENABLE_CONSOLE_GETC
.getc = uniphier_console_getc,
+#endif
.flush = uniphier_console_flush,
};