commit | f91f1449db94f8c3d1924776c6adfa4fd20e4ecc | [log] [tgz] |
---|---|---|
author | Sandrine Bailleux <sandrine.bailleux@arm.com> | Fri Jul 08 14:37:40 2016 +0100 |
committer | Sandrine Bailleux <sandrine.bailleux@arm.com> | Fri Jul 08 14:55:11 2016 +0100 |
tree | 26daaf26d64ef7698da3920c0dd654963f2a92a8 | |
parent | 66552da2aca9be6add883117d9edab7543c4ae71 [diff] |
Introduce SEPARATE_CODE_AND_RODATA build flag At the moment, all BL images share a similar memory layout: they start with their code section, followed by their read-only data section. The two sections are contiguous in memory. Therefore, the end of the code section and the beginning of the read-only data one might share a memory page. This forces both to be mapped with the same memory attributes. As the code needs to be executable, this means that the read-only data stored on the same memory page as the code are executable as well. This could potentially be exploited as part of a security attack. This patch introduces a new build flag called SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data on separate memory pages. This in turn allows independent control of the access permissions for the code and read-only data. This has an impact on memory footprint, as padding bytes need to be introduced between the code and read-only data to ensure the segragation of the two. To limit the memory cost, the memory layout of the read-only section has been changed in this case. - When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e. the read-only section still looks like this (padding omitted): | ... | +-------------------+ | Exception vectors | +-------------------+ | Read-only data | +-------------------+ | Code | +-------------------+ BLx_BASE In this case, the linker script provides the limits of the whole read-only section. - When SEPARATE_CODE_AND_RODATA=1, the exception vectors and read-only data are swapped, such that the code and exception vectors are contiguous, followed by the read-only data. This gives the following new layout (padding omitted): | ... | +-------------------+ | Read-only data | +-------------------+ | Exception vectors | +-------------------+ | Code | +-------------------+ BLx_BASE In this case, the linker script now exports 2 sets of addresses instead: the limits of the code and the limits of the read-only data. Refer to the Firmware Design guide for more details. This provides platform code with a finer-grained view of the image layout and allows it to map these 2 regions with the appropriate access permissions. Note that SEPARATE_CODE_AND_RODATA applies to all BL images. Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49
ARM Trusted Firmware provides a reference implementation of secure world software for ARMv8-A, including a [Secure Monitor] TEE-SMC executing at Exception Level 3 (EL3). It implements various ARM interface standards, such as the Power State Coordination Interface (PSCI), Trusted Board Boot Requirements (TBBR, ARM DEN0006C-1) and SMC Calling Convention. As far as possible the code is designed for reuse or porting to other ARMv8-A model and hardware platforms.
ARM will continue development in collaboration with interested parties to provide a full reference implementation of PSCI, TBBR and Secure Monitor code to the benefit of all developers working with ARMv8-A TrustZone technology.
The software is provided under a BSD 3-Clause license. Certain source files are derived from FreeBSD code: the original license is included in these source files.
This release provides a suitable starting point for productization of secure world boot and runtime firmware. Future versions will contain new features, optimizations and quality improvements.
Users are encouraged to do their own security validation, including penetration testing, on any secure world code derived from ARM Trusted Firmware.
Initialization of the secure world (for example, exception vectors, control registers, interrupt controller and interrupts for the platform), before transitioning into the normal world at the Exception Level and Register Width specified by the platform.
Library support for CPU specific reset and power down sequences. This includes support for errata workarounds.
Drivers for both the version 2.0 and version 3.0 ARM Generic Interrupt Controller specifications (GICv2 and GICv3). The latter also enables GICv3 hardware systems that do not contain legacy GICv2 support.
Drivers to enable standard initialization of ARM System IP, for example Cache Coherent Interconnect (CCI), Cache Coherent Network (CCN), Network Interconnect (NIC) and TrustZone Controller (TZC).
SMC (Secure Monitor Call) handling, conforming to the SMC Calling Convention using an EL3 runtime services framework.
SMC handling relating to PSCI for the Secondary CPU Boot, CPU Hotplug, CPU Idle and System Shutdown/Reset/Suspend use-cases.
Secure Monitor library code such as world switching, EL1 context management and interrupt routing. This must be integrated with a Secure-EL1 Payload Dispatcher (SPD) component to customize the interaction with a Secure-EL1 Payload (SP), for example a Secure OS.
A Test Secure-EL1 Payload and Dispatcher to demonstrate Secure Monitor functionality and Secure-EL1 interaction with PSCI.
SPDs for the OP-TEE Secure OS and [NVidia Trusted Little Kernel] NVidia TLK.
A Trusted Board Boot implementation, conforming to all mandatory TBBR requirements. This includes image authentication using certificates, a Firmware Update (or recovery mode) boot flow, and packaging of the various firmware images into a Firmware Image Package (FIP) to be loaded from non-volatile storage.
Support for alternative boot flows. Some platforms have their own boot firmware and only require the ARM Trusted Firmware Secure Monitor functionality. Other platforms require minimal initialization before booting into an arbitrary EL3 payload.
For a full description of functionality and implementation details, please see the Firmware Design and supporting documentation. The Change Log provides details of changes made since the last release.
This release of the Trusted Firmware has been tested on variants r0 and r1 of the [Juno ARM Development Platform] Juno with [Linaro Release 15.10] Linaro Release Notes.
The Trusted Firmware has also been tested on the 64-bit Linux versions of the following ARM FVPs:
Foundation_Platform
(Version 9.4, Build 9.4.59)FVP_Base_AEMv8A-AEMv8A
(Version 7.0, Build 0.8.7004)FVP_Base_Cortex-A57x4-A53x4
(Version 7.0, Build 0.8.7004)FVP_Base_Cortex-A57x1-A53x1
(Version 7.0, Build 0.8.7004)FVP_Base_Cortex-A57x2-A53x4
(Version 7.0, Build 0.8.7004)The Foundation FVP can be downloaded free of charge. The Base FVPs can be licensed from ARM: see [www.arm.com/fvp] FVP.
This release also contains the following platform support:
Complete implementation of the PSCI v1.0 specification.
Support for new CPUs and System IP.
More platform support.
Optimization and quality improvements.
For a full list of detailed issues in the current code, please see the Change Log and the GitHub issue tracker.
Get the Trusted Firmware source code from GitHub.
See the User Guide for instructions on how to install, build and use the Trusted Firmware with the ARM FVPs.
See the Firmware Design for information on how the ARM Trusted Firmware works.
See the Porting Guide as well for information about how to use this software on another ARMv8-A platform.
See the Contributing Guidelines for information on how to contribute to this project and the Acknowledgments file for a list of contributors to the project.
ARM welcomes any feedback on the Trusted Firmware. Please send feedback using the GitHub issue tracker.
ARM licensees may contact ARM directly via their partner managers.
Copyright (c) 2013-2015, ARM Limited and Contributors. All rights reserved.