From patchwork Fri Jun 25 19:33:14 2021
X-Patchwork-Submitter: Sergey Matyukevich
X-Patchwork-Id: 1497428
From: Sergey Matyukevich
To: buildroot@buildroot.org
Cc: Heiko Thiery, "Yann E . MORIN", Sergey Matyukevich, Christoph Müllner
Date: Fri, 25 Jun 2021 22:33:14 +0300
Message-Id: <20210625193318.635449-2-geomatsi@gmail.com>
In-Reply-To: <20210625193318.635449-1-geomatsi@gmail.com>
References: <20210625193318.635449-1-geomatsi@gmail.com>
Subject: [Buildroot] [PATCH v3 1/5] boot/arm-trusted-firmware: enable stack protection level selection

Buildroot sets appropriate ENABLE_STACK_PROTECTOR build flag value
based on the toolchain BR2_SSP_* option. However it might not be
always convenient to automatically infer TF-A stack protection from
the toolchain features. For instance, secure memory constraints may
become an issue and all the extra TF-A features need to be tuned or
disabled in order to shrink TF-A firmware image.

Besides, for any values other than "none", TF-A platform specific hook
'plat_get_stack_protector_canary' should be implemented. However this
hook is not implemented by all the platforms supported by TF-A. For
instance, allwinner currently does not provide such a hook.

Add choice menu to TF-A Config.in to enable selection of the
appropriate stack protection level.

Signed-off-by: Sergey Matyukevich --- boot/arm-trusted-firmware/Config.in | 26 +++++++++++++++++++ .../arm-trusted-firmware.mk | 8 +++--- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-firmware/Config.in index a5a8c5bfc3..5cdb0c37fd 100644 --- a/boot/arm-trusted-firmware/Config.in +++ b/boot/arm-trusted-firmware/Config.in @@ -188,4 +188,30 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_ARM32_TOOLCHAIN Select this option if your ATF board configuration requires an ARM32 bare metal toolchain to be available. +choice + prompt "TF-A GCC stack protection" + help + Select TF-A GCC stack protection. This feature requires + support from both toolchain and TF-A platform specific + layer. Namely, for all values other than 'none' the + plat_get_stack_protector_canary() platform hook needs + to be implemented. + +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_NONE + bool "none" + +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_DEFAULT + bool "default" + depends on BR2_SSP_REGULAR + +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_STRONG + bool "strong" + depends on BR2_SSP_STRONG + +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_ALL + bool "all" + depends on BR2_SSP_ALL + +endchoice + endif diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk index 279658712b..9b00672aa6 100644 --- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk +++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk 
@@ -109,11 +109,13 @@ ARM_TRUSTED_FIRMWARE_MAKE_OPTS += MV_DDR_PATH=$(MV_DDR_MARVELL_DIR) ARM_TRUSTED_FIRMWARE_DEPENDENCIES += mv-ddr-marvell endif -ifeq ($(BR2_SSP_REGULAR),y) +ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_NONE),y) +ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=none +else ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_DEFAULT),y) ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=default -else ifeq ($(BR2_SSP_STRONG),y) +else ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_STRONG),y) ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=strong -else ifeq ($(BR2_SSP_ALL),y) +else ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_ALL),y) ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=all endif
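
Review bot: the new choice in boot/arm-trusted-firmware/Config.in has no "default" line, so Kconfig falls back to the first visible entry, BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_NONE, even when the toolchain has BR2_SSP_REGULAR, BR2_SSP_STRONG or BR2_SSP_ALL set. An existing configuration that got ENABLE_STACK_PROTECTOR=default/strong/all from the toolchain option before this patch will therefore build TF-A with the protector off after it, with nothing in the build pointing that out. Consider adding defaults that follow the toolchain, for example "default BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_STRONG if BR2_SSP_STRONG" (and likewise for the other two levels), keeping "none" as the fallback. If "none" is the intended new default, say so in the help text and the commit message.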
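
Review bot: in the arm-trusted-firmware.mk hunk, the first branch now passes ENABLE_STACK_PROTECTOR=none explicitly, whereas the removed chain passed no ENABLE_STACK_PROTECTOR value at all when no BR2_SSP_* level was set; the commit message does not mention this behaviour change. Please note it there and confirm that every TF-A version selectable in Buildroot accepts "none" as a value. The alternative is to keep the old behaviour by leaving the variable unset in the SSP_NONE case and only emitting it for default, strong and all.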