core: enable write-implies-execute-never when applicable

HW may or may not support STCLR "WXN" configuration field.
CFG_HWSUPP_MEM_PERM_WXN reflects this state. AArch64 is assumed to
always support this field.

Enable the "WXN" (and UWXN) bits in STCLR upon configuration directive
CFG_CORE_RWDATA_NOEXEC.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

14 files changed, 25 insertions, 0 deletions

diff --git a/core/arch/arm/include/arm64.h b/core/arch/arm/include/arm64.h
index f3790f8d..943509f1 100644
--- a/core/arch/arm/include/arm64.h
+++ b/core/arch/arm/include/arm64.h
@@ -36,6 +36,7 @@
 #define SCTLR_C		BIT32(2)
 #define SCTLR_SA	BIT32(3)
 #define SCTLR_I		BIT32(12)
+#define SCTLR_WXN	BIT32(19)
 
 #define TTBR_ASID_MASK		0xff
 #define TTBR_ASID_SHIFT		48
diff --git a/core/arch/arm/kernel/generic_entry_a32.S b/core/arch/arm/kernel/generic_entry_a32.S
index f9ae65e7..20333f87 100644
--- a/core/arch/arm/kernel/generic_entry_a32.S
+++ b/core/arch/arm/kernel/generic_entry_a32.S
@@ -190,6 +190,9 @@ UNWIND(	.cantunwind)
 	orr	r0, r0, #SCTLR_A
 	bic	r0, r0, #SCTLR_C
 	bic	r0, r0, #SCTLR_I
+#if defined(CFG_HWSUPP_MEM_PERM_WXN) && defined(CFG_CORE_RWDATA_NOEXEC)
+	orr	r0, r0, #(SCTLR_WXN | SCTLR_UWXN)
+#endif
 	write_sctlr r0
 	isb
 
@@ -447,6 +450,9 @@ UNWIND(	.cantunwind)
 	mov	r6, lr
 	read_sctlr r0
 	orr	r0, r0, #SCTLR_A
+#if defined(CFG_HWSUPP_MEM_PERM_WXN) && defined(CFG_CORE_RWDATA_NOEXEC)
+	orr	r0, r0, #(SCTLR_WXN | SCTLR_UWXN)
+#endif
 	write_sctlr r0
 
 	ldr	r0, =_start
diff --git a/core/arch/arm/kernel/generic_entry_a64.S b/core/arch/arm/kernel/generic_entry_a64.S
index 0d0fe785..712971d4 100644
--- a/core/arch/arm/kernel/generic_entry_a64.S
+++ b/core/arch/arm/kernel/generic_entry_a64.S
@@ -74,6 +74,9 @@ FUNC _start , :
 
 	mrs	x0, sctlr_el1
 	mov	x1, #(SCTLR_I | SCTLR_A | SCTLR_SA)
+#if defined(CFG_CORE_RWDATA_NOEXEC)
+	orr	x1, x1, #SCTLR_WXN
+#endif
 	orr	x0, x0, x1
 	msr	sctlr_el1, x0
 	isb
@@ -179,6 +182,9 @@ FUNC cpu_on_handler , :
 
 	mrs	x0, sctlr_el1
 	mov	x1, #(SCTLR_I | SCTLR_A | SCTLR_SA)
+#if defined(CFG_CORE_RWDATA_NOEXEC)
+	orr	x1, x1, #SCTLR_WXN
+#endif
 	orr	x0, x0, x1
 	msr	sctlr_el1, x0
 	isb
diff --git a/core/arch/arm/plat-d02/conf.mk b/core/arch/arm/plat-d02/conf.mk
index 06a573cd..e4ef0321 100644
--- a/core/arch/arm/plat-d02/conf.mk
+++ b/core/arch/arm/plat-d02/conf.mk
@@ -9,6 +9,7 @@ CFG_CORE_HEAP_SIZE ?= 98304
 
 $(call force,CFG_GENERIC_BOOT,y)
 $(call force,CFG_HWSUPP_MEM_PERM_PXN,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,y)
 $(call force,CFG_HI16XX_UART,y)
 $(call force,CFG_PM_STUBS,y)
 $(call force,CFG_SECURE_TIME_SOURCE_CNTPCT,y)
diff --git a/core/arch/arm/plat-hikey/conf.mk b/core/arch/arm/plat-hikey/conf.mk
index 2b2c9869..200cb540 100644
--- a/core/arch/arm/plat-hikey/conf.mk
+++ b/core/arch/arm/plat-hikey/conf.mk
@@ -6,6 +6,7 @@ core_arm32-platform-aflags	+= -mfpu=neon
 
 $(call force,CFG_GENERIC_BOOT,y)
 $(call force,CFG_HWSUPP_MEM_PERM_PXN,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,y)
 $(call force,CFG_PL011,y)
 $(call force,CFG_PM_STUBS,y)
 $(call force,CFG_SECURE_TIME_SOURCE_CNTPCT,y)
diff --git a/core/arch/arm/plat-imx/conf.mk b/core/arch/arm/plat-imx/conf.mk
index 788807f2..85023d5b 100644
--- a/core/arch/arm/plat-imx/conf.mk
+++ b/core/arch/arm/plat-imx/conf.mk
@@ -43,6 +43,7 @@ ifeq ($(CFG_MX6UL),y)
 arm32-platform-cpuarch		:= cortex-a7
 
 $(call force,CFG_SECURE_TIME_SOURCE_CNTPCT,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,y)
 endif
 
 
@@ -53,6 +54,7 @@ arm32-platform-cpuarch		:= cortex-a9
 $(call force,CFG_PL310,y)
 $(call force,CFG_PL310_LOCKED,y)
 $(call force,CFG_SECURE_TIME_SOURCE_REE,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,n)
 
 CFG_BOOT_SYNC_CPU ?= y
 CFG_BOOT_SECONDARY_REQUEST ?= y
diff --git a/core/arch/arm/plat-ls/conf.mk b/core/arch/arm/plat-ls/conf.mk
index e7385fdb..39b269eb 100644
--- a/core/arch/arm/plat-ls/conf.mk
+++ b/core/arch/arm/plat-ls/conf.mk
@@ -11,6 +11,7 @@ $(call force,CFG_SECURE_TIME_SOURCE_CNTPCT,y)
 $(call force,CFG_GIC,y)
 $(call force,CFG_16550_UART,y)
 $(call force,CFG_PM_STUBS,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,y)
 
 ta-targets = ta_arm32
 
diff --git a/core/arch/arm/plat-mediatek/conf.mk b/core/arch/arm/plat-mediatek/conf.mk
index 81642b62..6989264b 100644
--- a/core/arch/arm/plat-mediatek/conf.mk
+++ b/core/arch/arm/plat-mediatek/conf.mk
@@ -9,6 +9,7 @@ arm32-platform-aflags	+= -mfpu=neon
 $(call force,CFG_8250_UART,y)
 $(call force,CFG_GENERIC_BOOT,y)
 $(call force,CFG_HWSUPP_MEM_PERM_PXN,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,y)
 $(call force,CFG_PM_STUBS,y)
 $(call force,CFG_SECURE_TIME_SOURCE_CNTPCT,y)
 $(call force,CFG_WITH_ARM_TRUSTED_FW,y)
diff --git a/core/arch/arm/plat-rcar/conf.mk b/core/arch/arm/plat-rcar/conf.mk
index caf26c81..8d3badd0 100644
--- a/core/arch/arm/plat-rcar/conf.mk
+++ b/core/arch/arm/plat-rcar/conf.mk
@@ -8,6 +8,7 @@ arm32-platform-aflags	+= -mfpu=neon
 
 $(call force,CFG_GENERIC_BOOT,y)
 $(call force,CFG_HWSUPP_MEM_PERM_PXN,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,y)
 $(call force,CFG_PM_STUBS,y)
 $(call force,CFG_SECURE_TIME_SOURCE_CNTPCT,y)
 $(call force,CFG_WITH_ARM_TRUSTED_FW,y)
diff --git a/core/arch/arm/plat-rpi3/conf.mk b/core/arch/arm/plat-rpi3/conf.mk
index 49fa817e..ee965ba8 100644
--- a/core/arch/arm/plat-rpi3/conf.mk
+++ b/core/arch/arm/plat-rpi3/conf.mk
@@ -7,6 +7,7 @@ core_arm32-platform-aflags	+= -mfpu=neon
 $(call force,CFG_8250_UART,y)
 $(call force,CFG_GENERIC_BOOT,y)
 $(call force,CFG_HWSUPP_MEM_PERM_PXN,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,y)
 $(call force,CFG_PM_STUBS,y)
 $(call force,CFG_SECURE_TIME_SOURCE_CNTPCT,y)
 $(call force,CFG_WITH_ARM_TRUSTED_FW,y)
diff --git a/core/arch/arm/plat-sprd/conf.mk b/core/arch/arm/plat-sprd/conf.mk
index 137214f9..a2df2da4 100644
--- a/core/arch/arm/plat-sprd/conf.mk
+++ b/core/arch/arm/plat-sprd/conf.mk
@@ -22,6 +22,7 @@ $(call force,CFG_GIC,y)
 $(call force,CFG_SPRD_UART,y)
 $(call force,CFG_PM_STUBS,y)
 $(call force,CFG_SECURE_TIME_SOURCE_CNTPCT,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,y)
 
 CFG_WITH_STACK_CANARIES ?= y
 # Overrides default in mk/config.mk with 128 kB
diff --git a/core/arch/arm/plat-ti/conf.mk b/core/arch/arm/plat-ti/conf.mk
index 3de900ba..c168ff71 100644
--- a/core/arch/arm/plat-ti/conf.mk
+++ b/core/arch/arm/plat-ti/conf.mk
@@ -17,6 +17,7 @@ arm32-platform-cpuarch		:= cortex-a9
 else
 CFG_OTP_SUPPORT ?= y
 $(call force,CFG_HWSUPP_MEM_PERM_PXN,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,y)
 $(call force,CFG_SECURE_TIME_SOURCE_CNTPCT,y)
 arm32-platform-cpuarch		:= cortex-a15
 endif
diff --git a/core/arch/arm/plat-vexpress/conf.mk b/core/arch/arm/plat-vexpress/conf.mk
index 5ba0840f..33b66a4c 100644
--- a/core/arch/arm/plat-vexpress/conf.mk
+++ b/core/arch/arm/plat-vexpress/conf.mk
@@ -33,6 +33,7 @@ endif
 $(call force,CFG_GENERIC_BOOT,y)
 $(call force,CFG_GIC,y)
 $(call force,CFG_HWSUPP_MEM_PERM_PXN,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,y)
 $(call force,CFG_PL011,y)
 $(call force,CFG_PM_STUBS,y)
 $(call force,CFG_SECURE_TIME_SOURCE_CNTPCT,y)
diff --git a/core/arch/arm/plat-zynqmp/conf.mk b/core/arch/arm/plat-zynqmp/conf.mk
index 5aea3a8a..bea1b741 100644
--- a/core/arch/arm/plat-zynqmp/conf.mk
+++ b/core/arch/arm/plat-zynqmp/conf.mk
@@ -10,6 +10,7 @@ $(call force,CFG_CDNS_UART,y)
 $(call force,CFG_GENERIC_BOOT,y)
 $(call force,CFG_GIC,y)
 $(call force,CFG_HWSUPP_MEM_PERM_PXN,y)
+$(call force,CFG_HWSUPP_MEM_PERM_WXN,y)
 $(call force,CFG_PM_STUBS,y)
 $(call force,CFG_SECURE_TIME_SOURCE_CNTPCT,y)
 $(call force,CFG_WITH_ARM_TRUSTED_FW,y)