Merge "refactor(console): disable getc() by default" into integration

author: Manish Pandey <manish.pandey2@arm.com> 2023-10-11 14:17:57 +0200
committer: TrustedFirmware Code Review <review@review.trustedfirmware.org> 2023-10-11 14:17:57 +0200
commit: 3312fe8387b9379f6aefe8e075baa28802108244 (patch)
tree: 09a6e05374bf55dbb93c070c8373f593981a7e26
parent: a05414bedc9b1cc35cf0795ce641b6b4db5bc97e (diff)
parent: 85bebe18dabea174d148f1478f5e16b36799175b (diff)
25 files changed, 75 insertions, 15 deletions
diff --git a/Makefile b/Makefile
index 464544f6c..94dfc3e16 100644
--- a/Makefile
+++ b/Makefile
@@ -1223,6 +1223,7 @@ $(eval $(call assert_booleans,\
 	CONDITIONAL_CMO \
 	RAS_FFH_SUPPORT \
 	PSA_CRYPTO	\
+	ENABLE_CONSOLE_GETC \
 )))
 
 # Numeric_Flags
@@ -1414,6 +1415,7 @@ $(eval $(call add_defines,\
 	SVE_VECTOR_LEN \
 	ENABLE_SPMD_LP \
 	PSA_CRYPTO	\
+	ENABLE_CONSOLE_GETC \
 )))
 
 ifeq (${SANITIZE_UB},trap)
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index 34d83f255..c045a6aa2 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -1191,6 +1191,12 @@ Common build options
   per the `PSA Crypto API specification`_. This feature is only supported if
   using MbedTLS 3.x version. By default it is disabled (``0``).
 
+- ``ENABLE_CONSOLE_GETC``: Boolean option to enable `getc()` feature in console
+  driver(s). By default it is disabled (``0``) because it constitutes an attack
+  vector into TF-A by potentially allowing an attacker to inject arbitrary data.
+  This option should only be enabled on a need basis if there is a use case for
+  reading characters from the console.
+
 GICv3 driver options
 --------------------
 
diff --git a/docs/process/security-hardening.rst b/docs/process/security-hardening.rst
index f9618db08..eace467d4 100644
--- a/docs/process/security-hardening.rst
+++ b/docs/process/security-hardening.rst
@@ -135,6 +135,16 @@ Several build options can be used to check for security issues. Refer to the
   it is recommended to develop against ``W=2`` (which will eventually become the
   default).
 
+Additional guidelines are provided below for some security-related build
+options:
+
+- The ``ENABLE_CONSOLE_GETC`` build flag should be set to 0 to disable the
+  `getc()` feature, which allows the firmware to read characters from the
+  console. Keeping this feature enabled is considered dangerous from a security
+  point of view because it potentially allows an attacker to inject arbitrary
+  data into the firmware. It should only be enabled on a need basis if there is
+  a use case for it, for example in a testing or factory environment.
+
 .. rubric:: References
 
 -  `Arm ARM`_
diff --git a/drivers/amlogic/console/aarch64/meson_console.S b/drivers/amlogic/console/aarch64/meson_console.S
index 6d0a2d62e..d955d83c5 100644
--- a/drivers/amlogic/console/aarch64/meson_console.S
+++ b/drivers/amlogic/console/aarch64/meson_console.S
@@ -69,7 +69,7 @@ func console_meson_register
 
 	mov	x0, x6
 	mov	x30, x7
-	finish_console_register meson putc=1, getc=1, flush=1
+	finish_console_register meson putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	ret	x7
diff --git a/drivers/arm/dcc/dcc_console.c b/drivers/arm/dcc/dcc_console.c
index 8d9f7936d..d8f9462ae 100644
--- a/drivers/arm/dcc/dcc_console.c
+++ b/drivers/arm/dcc/dcc_console.c
@@ -53,6 +53,7 @@ static inline uint32_t __dcc_getstatus(void)
 	return read_mdccsr_el0();
 }
 
+#if ENABLE_CONSOLE_GETC
 static inline char __dcc_getchar(void)
 {
 	char c;
@@ -61,6 +62,7 @@ static inline char __dcc_getchar(void)
 
 	return c;
 }
+#endif
 
 static inline void __dcc_putchar(char c)
 {
@@ -102,6 +104,7 @@ static int32_t dcc_console_putc(int32_t ch, struct console *console)
 	return ch;
 }
 
+#if ENABLE_CONSOLE_GETC
 static int32_t dcc_console_getc(struct console *console)
 {
 	unsigned int status;
@@ -113,6 +116,7 @@ static int32_t dcc_console_getc(struct console *console)
 
 	return __dcc_getchar();
 }
+#endif
 
 /**
  * dcc_console_flush() - Function to force a write of all buffered data
@@ -135,7 +139,9 @@ static struct dcc_console dcc_console = {
 		.flags = CONSOLE_FLAG_BOOT |
 			CONSOLE_FLAG_RUNTIME,
 		.putc = dcc_console_putc,
+#if ENABLE_CONSOLE_GETC
 		.getc = dcc_console_getc,
+#endif
 		.flush = dcc_console_flush,
 	},
 };
diff --git a/drivers/arm/pl011/aarch32/pl011_console.S b/drivers/arm/pl011/aarch32/pl011_console.S
index 9caeb0c69..b7d1747f5 100644
--- a/drivers/arm/pl011/aarch32/pl011_console.S
+++ b/drivers/arm/pl011/aarch32/pl011_console.S
@@ -116,7 +116,7 @@ func console_pl011_register
 
 	mov	r0, r4
 	pop	{r4, lr}
-	finish_console_register pl011 putc=1, getc=1, flush=1
+	finish_console_register pl011 putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	pop	{r4, pc}
diff --git a/drivers/arm/pl011/aarch64/pl011_console.S b/drivers/arm/pl011/aarch64/pl011_console.S
index 861d2ed22..8cb0122be 100644
--- a/drivers/arm/pl011/aarch64/pl011_console.S
+++ b/drivers/arm/pl011/aarch64/pl011_console.S
@@ -103,7 +103,7 @@ func console_pl011_register
 
 	mov	x0, x6
 	mov	x30, x7
-	finish_console_register pl011 putc=1, getc=1, flush=1
+	finish_console_register pl011 putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	ret	x7
diff --git a/drivers/cadence/uart/aarch64/cdns_console.S b/drivers/cadence/uart/aarch64/cdns_console.S
index 1bdaa4872..d2dd0a8e2 100644
--- a/drivers/cadence/uart/aarch64/cdns_console.S
+++ b/drivers/cadence/uart/aarch64/cdns_console.S
@@ -79,7 +79,7 @@ func console_cdns_register
 
 	mov	x0, x6
 	mov	x30, x7
-	finish_console_register cdns putc=1, getc=1, flush=1
+	finish_console_register cdns putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	ret	x7
diff --git a/drivers/console/aarch32/skeleton_console.S b/drivers/console/aarch32/skeleton_console.S
index a9e13ec44..05a598508 100644
--- a/drivers/console/aarch32/skeleton_console.S
+++ b/drivers/console/aarch32/skeleton_console.S
@@ -63,7 +63,7 @@ func console_xxx_register
 	 * If any of the argument is unspecified, then the corresponding
 	 * entry in console_t is set to 0.
 	 */
-	finish_console_register xxx putc=1, getc=1, flush=1
+	finish_console_register xxx putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 	/* Jump here if hardware init fails or parameters are invalid. */
 register_fail:
diff --git a/drivers/console/aarch64/skeleton_console.S b/drivers/console/aarch64/skeleton_console.S
index 7ea2eec9f..3310d2892 100644
--- a/drivers/console/aarch64/skeleton_console.S
+++ b/drivers/console/aarch64/skeleton_console.S
@@ -63,7 +63,7 @@ func console_xxx_register
 	 * If any of the argument is unspecified, then the corresponding
 	 * entry in console_t is set to 0.
 	 */
-	finish_console_register xxx putc=1, getc=1, flush=1
+	finish_console_register xxx putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 	/* Jump here if hardware init fails or parameters are invalid. */
 register_fail:
diff --git a/drivers/console/multi_console.c b/drivers/console/multi_console.c
index 93c38d849..e962fff37 100644
--- a/drivers/console/multi_console.c
+++ b/drivers/console/multi_console.c
@@ -108,6 +108,7 @@ int putchar(int c)
 		return EOF;
 }
 
+#if ENABLE_CONSOLE_GETC
 int console_getc(void)
 {
 	int err = ERROR_NO_VALID_CONSOLE;
@@ -127,6 +128,7 @@ int console_getc(void)
 
 	return err;
 }
+#endif
 
 void console_flush(void)
 {
diff --git a/drivers/marvell/uart/a3700_console.S b/drivers/marvell/uart/a3700_console.S
index c7eb165e6..a1eacbc43 100644
--- a/drivers/marvell/uart/a3700_console.S
+++ b/drivers/marvell/uart/a3700_console.S
@@ -140,7 +140,7 @@ func console_a3700_register
 
 	mov	x0, x6
 	mov	x30, x7
-	finish_console_register a3700, putc=1, getc=1, flush=1
+	finish_console_register a3700, putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	ret	x7
diff --git a/drivers/nxp/console/16550_console.S b/drivers/nxp/console/16550_console.S
index 044d3d074..b5617a3e8 100644
--- a/drivers/nxp/console/16550_console.S
+++ b/drivers/nxp/console/16550_console.S
@@ -167,7 +167,7 @@ func nxp_console_16550_register
 register_16550:
 	mov	x0, x6
 	mov	x30, x7
-	finish_console_register 16550 putc=1, getc=1, flush=1
+	finish_console_register 16550 putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	ret	x7
diff --git a/drivers/ti/uart/aarch32/16550_console.S b/drivers/ti/uart/aarch32/16550_console.S
index 0429f8702..898a68d8c 100644
--- a/drivers/ti/uart/aarch32/16550_console.S
+++ b/drivers/ti/uart/aarch32/16550_console.S
@@ -124,7 +124,7 @@ func console_16550_register
 register_16550:
 	mov	r0, r4
 	pop	{r4, lr}
-	finish_console_register 16550 putc=1, getc=1, flush=1
+	finish_console_register 16550 putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	pop	{r4, pc}
diff --git a/drivers/ti/uart/aarch64/16550_console.S b/drivers/ti/uart/aarch64/16550_console.S
index cb2151253..2b1b5a9d7 100644
--- a/drivers/ti/uart/aarch64/16550_console.S
+++ b/drivers/ti/uart/aarch64/16550_console.S
@@ -118,7 +118,7 @@ func console_16550_register
 register_16550:
 	mov	x0, x6
 	mov	x30, x7
-	finish_console_register 16550 putc=1, getc=1, flush=1
+	finish_console_register 16550 putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	ret	x7
diff --git a/include/arch/aarch32/console_macros.S b/include/arch/aarch32/console_macros.S
index 996cb327f..726b28186 100644
--- a/include/arch/aarch32/console_macros.S
+++ b/include/arch/aarch32/console_macros.S
@@ -29,12 +29,20 @@
 	.endif
 	str	r1, [r0, #CONSOLE_T_PUTC]
 
+	/*
+	 * If ENABLE_CONSOLE_GETC support is disabled, but a getc callback is
+	 * specified nonetheless, the assembler will abort on encountering the
+	 * CONSOLE_T_GETC macro, which is undefined.
+	 */
 	.ifne \getc
 	  ldr	r1, =console_\_driver\()_getc
+	  str	r1, [r0, #CONSOLE_T_GETC]
 	.else
+#if ENABLE_CONSOLE_GETC
 	  mov	r1, #0
+	  str	r1, [r0, #CONSOLE_T_GETC]
+#endif
 	.endif
-	str	r1, [r0, #CONSOLE_T_GETC]
 
 	.ifne \flush
 	  ldr	r1, =console_\_driver\()_flush
diff --git a/include/arch/aarch64/console_macros.S b/include/arch/aarch64/console_macros.S
index 3285d855a..8adb9cdb1 100644
--- a/include/arch/aarch64/console_macros.S
+++ b/include/arch/aarch64/console_macros.S
@@ -30,12 +30,19 @@
 	  str	xzr, [x0, #CONSOLE_T_PUTC]
 	.endif
 
+	/*
+	 * If ENABLE_CONSOLE_GETC support is disabled, but a getc callback is
+	 * specified nonetheless, the assembler will abort on encountering the
+	 * CONSOLE_T_GETC macro, which is undefined.
+	 */
 	.ifne \getc
 	  adrp	x1, console_\_driver\()_getc
 	  add	x1, x1, :lo12:console_\_driver\()_getc
 	  str	x1, [x0, #CONSOLE_T_GETC]
 	.else
+#if ENABLE_CONSOLE_GETC
 	  str	xzr, [x0, #CONSOLE_T_GETC]
+#endif
 	.endif
 
 	.ifne \flush
diff --git a/include/drivers/console.h b/include/drivers/console.h
index f499571f7..fa4eb9462 100644
--- a/include/drivers/console.h
+++ b/include/drivers/console.h
@@ -12,10 +12,16 @@
 #define CONSOLE_T_NEXT			(U(0) * REGSZ)
 #define CONSOLE_T_FLAGS			(U(1) * REGSZ)
 #define CONSOLE_T_PUTC			(U(2) * REGSZ)
+#if ENABLE_CONSOLE_GETC
 #define CONSOLE_T_GETC			(U(3) * REGSZ)
 #define CONSOLE_T_FLUSH			(U(4) * REGSZ)
 #define CONSOLE_T_BASE			(U(5) * REGSZ)
 #define CONSOLE_T_DRVDATA		(U(6) * REGSZ)
+#else
+#define CONSOLE_T_FLUSH			(U(3) * REGSZ)
+#define CONSOLE_T_BASE			(U(4) * REGSZ)
+#define CONSOLE_T_DRVDATA		(U(5) * REGSZ)
+#endif
 
 #define CONSOLE_FLAG_BOOT		(U(1) << 0)
 #define CONSOLE_FLAG_RUNTIME		(U(1) << 1)
@@ -42,7 +48,9 @@ typedef struct console {
 	 */
 	u_register_t flags;
 	int (*const putc)(int character, struct console *console);
+#if ENABLE_CONSOLE_GETC
 	int (*const getc)(struct console *console);
+#endif
 	void (*const flush)(struct console *console);
 	uintptr_t base;
 	/* Additional private driver data may follow here. */
@@ -75,8 +83,10 @@ void console_set_scope(console_t *console, unsigned int scope);
 void console_switch_state(unsigned int new_state);
 /* Output a character on all consoles registered for the current state. */
 int console_putc(int c);
+#if ENABLE_CONSOLE_GETC
 /* Read a character (blocking) from any console registered for current state. */
 int console_getc(void);
+#endif
 /* Flush all consoles registered for the current state. */
 void console_flush(void);
 
diff --git a/include/drivers/console_assertions.h b/include/drivers/console_assertions.h
index 00caa3141..9f0657326 100644
--- a/include/drivers/console_assertions.h
+++ b/include/drivers/console_assertions.h
@@ -19,8 +19,10 @@ CASSERT(CONSOLE_T_FLAGS == __builtin_offsetof(console_t, flags),
 	assert_console_t_flags_offset_mismatch);
 CASSERT(CONSOLE_T_PUTC == __builtin_offsetof(console_t, putc),
 	assert_console_t_putc_offset_mismatch);
+#if ENABLE_CONSOLE_GETC
 CASSERT(CONSOLE_T_GETC == __builtin_offsetof(console_t, getc),
 	assert_console_t_getc_offset_mismatch);
+#endif
 CASSERT(CONSOLE_T_FLUSH == __builtin_offsetof(console_t, flush),
 	assert_console_t_flush_offset_mismatch);
 CASSERT(CONSOLE_T_DRVDATA == sizeof(console_t),
diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk
index 321ae9fd1..f31365a1f 100644
--- a/make_helpers/defaults.mk
+++ b/make_helpers/defaults.mk
@@ -362,3 +362,8 @@ ENABLE_SPMD_LP			:= 0
 
 # By default, disable PSA crypto (use MbedTLS legacy crypto API).
 PSA_CRYPTO			:= 0
+
+# getc() support from the console(s).
+# Disabled by default because it constitutes an attack vector into TF-A. It
+# should only be enabled if there is a use case for it.
+ENABLE_CONSOLE_GETC		:= 0
diff --git a/plat/imx/common/aarch32/imx_uart_console.S b/plat/imx/common/aarch32/imx_uart_console.S
index 1a1229aab..2a35b5edf 100644
--- a/plat/imx/common/aarch32/imx_uart_console.S
+++ b/plat/imx/common/aarch32/imx_uart_console.S
@@ -28,7 +28,7 @@ func console_imx_uart_register
 
 	mov	r0, r4
 	pop	{r4, lr}
-	finish_console_register imx_uart putc=1, getc=1, flush=1
+	finish_console_register imx_uart putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	pop	{r4, pc}
diff --git a/plat/imx/common/imx_uart_console.S b/plat/imx/common/imx_uart_console.S
index 4d17288a1..560db15b5 100644
--- a/plat/imx/common/imx_uart_console.S
+++ b/plat/imx/common/imx_uart_console.S
@@ -33,7 +33,7 @@ func console_imx_uart_register
 
 	mov	x0, x6
 	mov	x30, x7
-	finish_console_register imx_uart putc=1, getc=1, flush=1
+	finish_console_register imx_uart putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	ret	x7
diff --git a/plat/imx/common/lpuart_console.S b/plat/imx/common/lpuart_console.S
index ff01e3551..7acf77384 100644
--- a/plat/imx/common/lpuart_console.S
+++ b/plat/imx/common/lpuart_console.S
@@ -27,7 +27,7 @@ func console_lpuart_register
 
 	mov	x0, x6
 	mov	x30, x7
-	finish_console_register lpuart putc=1, getc=1, flush=1
+	finish_console_register lpuart putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	ret	x7
diff --git a/plat/nvidia/tegra/drivers/spe/shared_console.S b/plat/nvidia/tegra/drivers/spe/shared_console.S
index d1b18dd44..5ad4eb8ab 100644
--- a/plat/nvidia/tegra/drivers/spe/shared_console.S
+++ b/plat/nvidia/tegra/drivers/spe/shared_console.S
@@ -71,7 +71,7 @@ func console_spe_register
 	cbz	x3, register_fail
 	str	x0, [x3, #CONSOLE_T_BASE]
 	mov	x0, x3
-	finish_console_register spe putc=1, getc=1, flush=1
+	finish_console_register spe putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 
 register_fail:
 	mov	w0, wzr
diff --git a/plat/socionext/uniphier/uniphier_console_setup.c b/plat/socionext/uniphier/uniphier_console_setup.c
index 9fda26e93..9268f5d5a 100644
--- a/plat/socionext/uniphier/uniphier_console_setup.c
+++ b/plat/socionext/uniphier/uniphier_console_setup.c
@@ -30,7 +30,9 @@ static console_t uniphier_console = {
 		 CONSOLE_FLAG_CRASH |
 		 CONSOLE_FLAG_TRANSLATE_CRLF,
 	.putc = uniphier_console_putc,
+#if ENABLE_CONSOLE_GETC
 	.getc = uniphier_console_getc,
+#endif
 	.flush = uniphier_console_flush,
 };
author	Manish Pandey <manish.pandey2@arm.com>	2023-10-11 14:17:57 +0200
committer	TrustedFirmware Code Review <review@review.trustedfirmware.org>	2023-10-11 14:17:57 +0200
commit	3312fe8387b9379f6aefe8e075baa28802108244 (patch)
tree	09a6e05374bf55dbb93c070c8373f593981a7e26
parent	a05414bedc9b1cc35cf0795ce641b6b4db5bc97e (diff)
parent	85bebe18dabea174d148f1478f5e16b36799175b (diff)