Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / b71a9e694d38f5aab9dd541ce74e6d49a95d15f8 / . / docs / process / security-hardening.rst
blob: 43a5721251dc14c3dc4e6b30612c30e53456a44c [file] [log] [blame]
Paul Beesley07f0a312019-05-16 13:33:18 +0100[diff] [blame]1Secure Development Guidelines
2=============================
Ambroise Vincentcc28b212019-06-05 15:40:29 +0100[diff] [blame]3
4This page contains guidance on what to check for additional security measures,
5including build options that can be modified to improve security or catch issues
6early in development.
7
Paul Beesley07f0a312019-05-16 13:33:18 +0100[diff] [blame]8Security considerations
9-----------------------
10
11Part of the security of a platform is handling errors correctly, as described in
12the previous section. There are several other security considerations covered in
13this section.
14
15Do not leak secrets to the normal world
16^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
17
18The secure world **must not** leak secrets to the normal world, for example in
19response to an SMC.
20
21Handling Denial of Service attacks
22^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
23
24The secure world **should never** crash or become unusable due to receiving too
25many normal world requests (a *Denial of Service* or *DoS* attack). It should
26have a mechanism for throttling or ignoring normal world requests.
27
Ambroise Vincentcc28b212019-06-05 15:40:29 +0100[diff] [blame]28Build options
29-------------
30
31Several build options can be used to check for security issues. Refer to the
Paul Beesleyd2fcc4e2019-05-29 13:59:40 +0100[diff] [blame]32:ref:`Build Options` for detailed information on these.
Ambroise Vincentcc28b212019-06-05 15:40:29 +0100[diff] [blame]33
34- The ``BRANCH_PROTECTION`` build flag can be used to enable Pointer
35 Authentication and Branch Target Identification.
36
37- The ``ENABLE_STACK_PROTECTOR`` build flag can be used to identify buffer
38 overflows.
39
40- The ``W`` build flag can be used to enable a number of compiler warning
41 options to detect potentially incorrect code.
42
43 - W=0 (default value)
44
45 The ``Wunused`` with ``Wno-unused-parameter``, ``Wdisabled-optimization``
46 and ``Wvla`` flags are enabled.
47
48 The ``Wunused-but-set-variable``, ``Wmaybe-uninitialized`` and
49 ``Wpacked-bitfield-compat`` are GCC specific flags that are also enabled.
50
51 - W=1
52
Justin Chadwell0c4eb602019-09-18 14:47:19 +0100[diff] [blame]53 Adds ``Wextra``, ``Wmissing-format-attribute``, ``Wmissing-prototypes``,
54 ``Wold-style-definition`` and ``Wunused-const-variable``.
Ambroise Vincentcc28b212019-06-05 15:40:29 +0100[diff] [blame]55
56 - W=2
57
58 Adds ``Waggregate-return``, ``Wcast-align``, ``Wnested-externs``,
Justin Chadwell80e264b2019-07-31 11:44:42 +0100[diff] [blame]59 ``Wshadow``, ``Wlogical-op``.
Ambroise Vincentcc28b212019-06-05 15:40:29 +0100[diff] [blame]60
61 - W=3
62
63 Adds ``Wbad-function-cast``, ``Wcast-qual``, ``Wconversion``, ``Wpacked``,
Justin Chadwell0c4eb602019-09-18 14:47:19 +0100[diff] [blame]64 ``Wpointer-arith``, ``Wredundant-decls`` and
Ambroise Vincentcc28b212019-06-05 15:40:29 +0100[diff] [blame]65 ``Wswitch-default``.
66
67 Refer to the GCC or Clang documentation for more information on the individual
68 options: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html and
69 https://clang.llvm.org/docs/DiagnosticsReference.html.
70
71 NB: The ``Werror`` flag is enabled by default in TF-A and can be disabled by
72 setting the ``E`` build flag to 0.
73
Paul Beesleyf8640672019-04-12 14:19:42 +0100[diff] [blame]74--------------
Ambroise Vincentcc28b212019-06-05 15:40:29 +0100[diff] [blame]75
Paul Beesley07f0a312019-05-16 13:33:18 +0100[diff] [blame]76*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*