diff mbox series

[v2,01/28] boot/arm-trusted-firmware: option to disable stack protection

Message ID 20210609200003.2866122-2-geomatsi@gmail.com
State New
Headers show
Series sunxi: use mainline arm-trusted-firmware | expand

Commit Message

Sergey Matyukevich June 9, 2021, 7:59 p.m. UTC
Default value for ATF build flag  ENABLE_STACK_PROTECTOR is "none".
Buildroot sets appropriate ENABLE_STACK_PROTECTOR build flag value
based on the enabled BR2_SSP_* options. For any values other than
"none", ATF platform specific hook 'plat_get_stack_protector_canary'
should be implemented. However this hook is not implemented by all
the platforms supported by ATF. For instance, allwinner does not
provide such a hook.

Add new option BR2_TARGET_ARM_TRUSTED_FIRMWARE_DISABLE_SSP to disable
GCC stack protecton when selected ATF platform does not provide
support for this feature.

Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
---
 boot/arm-trusted-firmware/Config.in               | 7 +++++++
 boot/arm-trusted-firmware/arm-trusted-firmware.mk | 4 ++++
 2 files changed, 11 insertions(+)

Comments

Thomas Petazzoni June 9, 2021, 9:40 p.m. UTC | #1
On Wed,  9 Jun 2021 22:59:36 +0300
Sergey Matyukevich <geomatsi@gmail.com> wrote:

> +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_DISABLE_SSP
> +	bool "Disable stack protection"
> +	help
> +	  Select this option to explicitly disable stack protection checks in GCC.
> +	  Such checks need to be disabled if ATF platform port does not implement
> +	  plat_get_stack_protector_canary() hook.

It's a bit annoying that we have to tell TF-A about this. If TF-A
doesn't implement plat_get_stack_protector_canary() for a certain
platform, why does it try to enable SSP ? It feels like something that
should be fixed in TF-A.

Thomas
Sergey Matyukevich June 9, 2021, 10:03 p.m. UTC | #2
Hello Thomas,

> > +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_DISABLE_SSP
> > +	bool "Disable stack protection"
> > +	help
> > +	  Select this option to explicitly disable stack protection checks in GCC.
> > +	  Such checks need to be disabled if ATF platform port does not implement
> > +	  plat_get_stack_protector_canary() hook.
> 
> It's a bit annoying that we have to tell TF-A about this. If TF-A
> doesn't implement plat_get_stack_protector_canary() for a certain
> platform, why does it try to enable SSP ? It feels like something that
> should be fixed in TF-A.

TF-A does not attempt to enable those protection checks. This is
controlled by its ENABLE_STACK_PROTECTOR build flag, which default
value is 'none'. This is Buildroot who tries to enable TF-A stack
protection checks depending on BR2_SSP_* toolchain features only:
see arm-trusted-firmware.mk.

Regards,
Sergey
Heiko Thiery June 10, 2021, 6:36 a.m. UTC | #3
Hi Thomas, Hi Sergey,

Am Do., 10. Juni 2021 um 00:03 Uhr schrieb Sergey Matyukevich
<geomatsi@gmail.com>:
>
> Hello Thomas,
>
> > > +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_DISABLE_SSP
> > > +   bool "Disable stack protection"
> > > +   help
> > > +     Select this option to explicitly disable stack protection checks in GCC.
> > > +     Such checks need to be disabled if ATF platform port does not implement
> > > +     plat_get_stack_protector_canary() hook.
> >
> > It's a bit annoying that we have to tell TF-A about this. If TF-A
> > doesn't implement plat_get_stack_protector_canary() for a certain
> > platform, why does it try to enable SSP ? It feels like something that
> > should be fixed in TF-A.
>
> TF-A does not attempt to enable those protection checks. This is
> controlled by its ENABLE_STACK_PROTECTOR build flag, which default
> value is 'none'. This is Buildroot who tries to enable TF-A stack
> protection checks depending on BR2_SSP_* toolchain features only:
> see arm-trusted-firmware.mk.

with commit 810ba387 we enabled SSP by default. And in the ATF
makefile we map that setting to atf ENABLE_STACK_PROTECTOR setting. As
this we force to use SSP in atf. But you're right this should be
handled in the TF-A stack. I tried to get some feedback from the TF-A
guys [1] but there is no helpful answer. So for now I think it is a
quick solution to make it possible to disable SSP for ATF like that.

On the other hand, does it make any sense at all to automatically take
over the SSP setting from the compiler options?

[1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-May/001152.html

>
> Regards,
> Sergey
Thomas Petazzoni June 10, 2021, 2:10 p.m. UTC | #4
Hello,

On Thu, 10 Jun 2021 01:03:56 +0300
Sergey Matyukevich <geomatsi@gmail.com> wrote:

> > It's a bit annoying that we have to tell TF-A about this. If TF-A
> > doesn't implement plat_get_stack_protector_canary() for a certain
> > platform, why does it try to enable SSP ? It feels like something that
> > should be fixed in TF-A.  
> 
> TF-A does not attempt to enable those protection checks. This is
> controlled by its ENABLE_STACK_PROTECTOR build flag, which default
> value is 'none'. This is Buildroot who tries to enable TF-A stack
> protection checks depending on BR2_SSP_* toolchain features only:
> see arm-trusted-firmware.mk.

I think:

ifeq ($(BR2_SSP_REGULAR),y)
ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=default
else ifeq ($(BR2_SSP_STRONG),y)
ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=strong
else ifeq ($(BR2_SSP_ALL),y)
ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=all
endif

is probably not great. BR2_SSP_* should really only affect user-space
code, IMO. For bare-metal/bootloader code, handling SSP really requires
special support, so we should probably not force it.

That being said, it's a bit weird for TF-A to provide that
ENABLE_STACK_PROTECTOR option in a way that doesn't build/work on all
platforms.

Thomas
Sergey Matyukevich June 10, 2021, 7:26 p.m. UTC | #5
Hello Thomas, Heiko

> > > > +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_DISABLE_SSP
> > > > +   bool "Disable stack protection"
> > > > +   help
> > > > +     Select this option to explicitly disable stack protection checks in GCC.
> > > > +     Such checks need to be disabled if ATF platform port does not implement
> > > > +     plat_get_stack_protector_canary() hook.
> > >
> > > It's a bit annoying that we have to tell TF-A about this. If TF-A
> > > doesn't implement plat_get_stack_protector_canary() for a certain
> > > platform, why does it try to enable SSP ? It feels like something that
> > > should be fixed in TF-A.
> >
> > TF-A does not attempt to enable those protection checks. This is
> > controlled by its ENABLE_STACK_PROTECTOR build flag, which default
> > value is 'none'. This is Buildroot who tries to enable TF-A stack
> > protection checks depending on BR2_SSP_* toolchain features only:
> > see arm-trusted-firmware.mk.
> 
> with commit 810ba387 we enabled SSP by default. And in the ATF
> makefile we map that setting to atf ENABLE_STACK_PROTECTOR setting. As
> this we force to use SSP in atf. But you're right this should be
> handled in the TF-A stack. I tried to get some feedback from the TF-A
> guys [1] but there is no helpful answer. So for now I think it is a
> quick solution to make it possible to disable SSP for ATF like that.
> 
> On the other hand, does it make any sense at all to automatically take
> over the SSP setting from the compiler options?
> 
> [1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-May/001152.html

I would also agree that it might not be always convenient to automatically
infer TF-A SSP settings from the compiler options. Imagine the case when
secure memory constraints become an issue and all the extra features
need to be tuned or disabled in order to shrink TF-A firmware image.

So what if we leave the right to choose to the user ? I mean something
like the following menu in TF-A Config.in:

choice
        prompt "TF-A GCC stack protection"
        help
          Select TF-A GCC stack protection. Note that for all values
	  other than 'none' the plat_get_stack_protector_canary()
	  platform hook needs to be implemented.

config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_NONE
        bool "none"

config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_DEFAULT
        bool "default"
        depends on BR2_SSP_REGULAR

config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_STRONG
        bool "strong"
        depends on BR2_SSP_STRONG

config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_ALL
        bool "all"
        depends on BR2_SSP_ALL

endchoice

Regards,
Sergey
diff mbox series

Patch

diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-firmware/Config.in
index a5a8c5bfc3..ba371986d8 100644
--- a/boot/arm-trusted-firmware/Config.in
+++ b/boot/arm-trusted-firmware/Config.in
@@ -188,4 +188,11 @@  config BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_ARM32_TOOLCHAIN
 	  Select this option if your ATF board configuration requires
 	  an ARM32 bare metal toolchain to be available.
 
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_DISABLE_SSP
+	bool "Disable stack protection"
+	help
+	  Select this option to explicitly disable stack protection checks in GCC.
+	  Such checks need to be disabled if ATF platform port does not implement
+	  plat_get_stack_protector_canary() hook.
+
 endif
diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index 279658712b..00d20aac94 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -109,6 +109,9 @@  ARM_TRUSTED_FIRMWARE_MAKE_OPTS += MV_DDR_PATH=$(MV_DDR_MARVELL_DIR)
 ARM_TRUSTED_FIRMWARE_DEPENDENCIES += mv-ddr-marvell
 endif
 
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_DISABLE_SSP),y)
+ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=none
+else
 ifeq ($(BR2_SSP_REGULAR),y)
 ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=default
 else ifeq ($(BR2_SSP_STRONG),y)
@@ -116,6 +119,7 @@  ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=strong
 else ifeq ($(BR2_SSP_ALL),y)
 ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=all
 endif
+endif
 
 ARM_TRUSTED_FIRMWARE_MAKE_TARGETS = all