authorSandrine Bailleux <sandrine.bailleux@arm.com>2016-06-14 17:01:00 +0100
committerSandrine Bailleux <sandrine.bailleux@arm.com>2016-07-08 14:55:11 +0100
commit91fad6551ee3e5529f9b442cd4a084251cdebe1d (patch)
tree1efb697c92c26e93b662216809a2af1f28c0a724
parent84aaf559618f7323e4e053215ab558bb540beffc (diff)
ARM CSS platforms: Map flash as execute-never by default
On ARM CSS platforms, the whole flash used to be mapped as executable. This is not required, given that the flash is used to store the BL1 and FIP images and: - The FIP is not executed in place, its images are copied to RAM and executed from there. - BL1 is executed in place from flash but only its code needs to be mapped as executable and platform code takes care of re-mapping BL1's read-only section as executable. Therefore, this patch now maps the flash as non-executable by default on these platforms. This increases security by restricting the executable region to what is strictly needed. This patch also adds some comments to clarify the memory mapping attributes on these platforms. Change-Id: I4db3c145508bea1f43fbe0f6dcd551e1aec1ecd3
-rw-r--r--include/plat/arm/board/common/v2m_def.h17
-rw-r--r--plat/arm/board/fvp/fvp_common.c3
2 files changed, 18 insertions, 2 deletions
diff --git a/include/plat/arm/board/common/v2m_def.h b/include/plat/arm/board/common/v2m_def.h
index 888792ed..7cee4e8f 100644
--- a/include/plat/arm/board/common/v2m_def.h
+++ b/include/plat/arm/board/common/v2m_def.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2016, ARM Limited and Contributors. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -119,13 +119,26 @@
#define V2M_SP810_CTRL_TIM2_SEL (1 << 19)
#define V2M_SP810_CTRL_TIM3_SEL (1 << 21)
+/*
+ * The flash can be mapped either as read-only or read-write.
+ *
+ * If it is read-write then it should also be mapped as device memory because
+ * NOR flash programming involves sending a fixed, ordered sequence of commands.
+ *
+ * If it is read-only then it should also be mapped as:
+ * - Normal memory, because reading from NOR flash is transparent, it is like
+ * reading from RAM.
+ * - Non-executable by default. If some parts of the flash need to be executable
+ * then platform code is responsible for re-mapping the appropriate portion
+ * of it as executable.
+ */
#define V2M_MAP_FLASH0_RW MAP_REGION_FLAT(V2M_FLASH0_BASE,\
V2M_FLASH0_SIZE, \
MT_DEVICE | MT_RW | MT_SECURE)
#define V2M_MAP_FLASH0_RO MAP_REGION_FLAT(V2M_FLASH0_BASE,\
V2M_FLASH0_SIZE, \
- MT_MEMORY | MT_RO | MT_SECURE)
+ MT_RO_DATA | MT_SECURE)
#define V2M_MAP_IOFPGA MAP_REGION_FLAT(V2M_IOFPGA_BASE,\
V2M_IOFPGA_SIZE, \
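Review bot: Changing `V2M_MAP_FLASH0_RO` to `MT_RO_DATA | MT_SECURE` removes execute permission for every memory map built from this macro, and none of those users are visible in this commit; the only other file touched receives a comment. Each platform table that includes `V2M_MAP_FLASH0_RO` should be checked to confirm either that nothing executes in place from flash or that BL1's read-only section is re-mapped as executable, since a missed case would presumably surface as an instruction abort at boot rather than a build error. The new block comment also leaves the executability of `V2M_MAP_FLASH0_RW` unstated; if the translation-table code always treats `MT_DEVICE` regions as execute-never, one extra line such as `* Device memory is never executable, so the read-write mapping is execute-never as well.` would close that gap. The `V2M_MAP_IOFPGA` definition continues past the end of the hunk.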
diff --git a/plat/arm/board/fvp/fvp_common.c b/plat/arm/board/fvp/fvp_common.c
index affd0b82..002cff67 100644
--- a/plat/arm/board/fvp/fvp_common.c
+++ b/plat/arm/board/fvp/fvp_common.c
@@ -69,6 +69,9 @@ arm_config_t arm_config;
* Table of memory regions for various BL stages to map using the MMU.
* This doesn't include Trusted SRAM as arm_setup_page_tables() already
* takes care of mapping it.
+ *
+ * The flash needs to be mapped as writable in order to erase the FIP's Table of
+ * Contents in case of unrecoverable error (see plat_error_handler()).
*/
#if IMAGE_BL1
const mmap_region_t plat_arm_mmap[] = {
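Review bot: The added comment justifies a writable flash mapping solely by the error path in plat_error_handler(), which would leave the whole flash, including BL1's own image and the FIP, writable during a normal boot for the sake of a rare failure case. If the table that follows uses `V2M_MAP_FLASH0_RW` (its entries are outside this hunk), consider mapping flash read-only there and having the error handler switch to a writable mapping only when it has to erase the Table of Contents. At minimum the comment should name the stage it applies to, e.g. `* In BL1, the flash needs to be mapped as writable in order to erase ...`, because it sits in a header comment that covers all BL stages, above the `#if IMAGE_BL1` branch.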