author | Sandrine Bailleux <sandrine.bailleux@arm.com> | 2023-10-11 08:38:00 +0200 |
---|---|---|
committer | Sandrine Bailleux <sandrine.bailleux@arm.com> | 2023-10-11 08:40:14 +0200 |
commit | 85bebe18dabea174d148f1478f5e16b36799175b (patch) | |
tree | 09a6e05374bf55dbb93c070c8373f593981a7e26 /plat | |
parent | a05414bedc9b1cc35cf0795ce641b6b4db5bc97e (diff) |
refactor(console): disable getc() by default
The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables the getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Diffstat (limited to 'plat')
-rw-r--r-- | plat/imx/common/aarch32/imx_uart_console.S | 2 | ||||
-rw-r--r-- | plat/imx/common/imx_uart_console.S | 2 | ||||
-rw-r--r-- | plat/imx/common/lpuart_console.S | 2 | ||||
-rw-r--r-- | plat/nvidia/tegra/drivers/spe/shared_console.S | 2 | ||||
-rw-r--r-- | plat/socionext/uniphier/uniphier_console_setup.c | 2 |
5 files changed, 6 insertions, 4 deletions
diff --git a/plat/imx/common/aarch32/imx_uart_console.S b/plat/imx/common/aarch32/imx_uart_console.S
index 1a1229aab..2a35b5edf 100644
--- a/plat/imx/common/aarch32/imx_uart_console.S
+++ b/plat/imx/common/aarch32/imx_uart_console.S
@@ -28,7 +28,7 @@ func console_imx_uart_register
 mov r0, r4
 pop {r4, lr}
- finish_console_register imx_uart putc=1, getc=1, flush=1
+ finish_console_register imx_uart putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 register_fail:
 pop {r4, pc}
diff --git a/plat/imx/common/imx_uart_console.S b/plat/imx/common/imx_uart_console.S
index 4d17288a1..560db15b5 100644
--- a/plat/imx/common/imx_uart_console.S
+++ b/plat/imx/common/imx_uart_console.S
@@ -33,7 +33,7 @@ func console_imx_uart_register
 mov x0, x6
 mov x30, x7
- finish_console_register imx_uart putc=1, getc=1, flush=1
+ finish_console_register imx_uart putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 register_fail:
 ret x7
diff --git a/plat/imx/common/lpuart_console.S b/plat/imx/common/lpuart_console.S
index ff01e3551..7acf77384 100644
--- a/plat/imx/common/lpuart_console.S
+++ b/plat/imx/common/lpuart_console.S
@@ -27,7 +27,7 @@ func console_lpuart_register
 mov x0, x6
 mov x30, x7
- finish_console_register lpuart putc=1, getc=1, flush=1
+ finish_console_register lpuart putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 register_fail:
 ret x7
diff --git a/plat/nvidia/tegra/drivers/spe/shared_console.S b/plat/nvidia/tegra/drivers/spe/shared_console.S
index d1b18dd44..5ad4eb8ab 100644
--- a/plat/nvidia/tegra/drivers/spe/shared_console.S
+++ b/plat/nvidia/tegra/drivers/spe/shared_console.S
@@ -71,7 +71,7 @@ func console_spe_register
 cbz x3, register_fail
 str x0, [x3, #CONSOLE_T_BASE]
 mov x0, x3
- finish_console_register spe putc=1, getc=1, flush=1
+ finish_console_register spe putc=1, getc=ENABLE_CONSOLE_GETC, flush=1
 register_fail:
 mov w0, wzr
diff --git a/plat/socionext/uniphier/uniphier_console_setup.c b/plat/socionext/uniphier/uniphier_console_setup.c
index 9fda26e93..9268f5d5a 100644
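Review bot: Passing `getc=ENABLE_CONSOLE_GETC` to `finish_console_register` in the AArch32 `console_imx_uart_register` only stops the callback from being registered; the driver's getc routine is defined outside this hunk and nothing visible here compiles it out. The commit message asks that no dead getc() code remains in the binary, so unless the linker is known to discard the unreferenced routine, its definition should be wrapped in `#if ENABLE_CONSOLE_GETC` … `#endif`. The same applies to the AArch64 imx_uart, lpuart and Tegra SPE hunks, and to `uniphier_console_getc` behind the new guard in uniphier_console_setup.c. Checking the linked image's symbol table for getc symbols with the option off would confirm the result.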
--- a/plat/socionext/uniphier/uniphier_console_setup.c
+++ b/plat/socionext/uniphier/uniphier_console_setup.c
@@ -30,7 +30,9 @@ static console_t uniphier_console = {
 CONSOLE_FLAG_CRASH |
 CONSOLE_FLAG_TRANSLATE_CRLF,
 .putc = uniphier_console_putc,
+#if ENABLE_CONSOLE_GETC
 .getc = uniphier_console_getc,
+#endif
 .flush = uniphier_console_flush,
 };
|
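Review bot: The new `#if ENABLE_CONSOLE_GETC` around `.getc` in the `uniphier_console` initializer carries no comment saying why the field is conditional, so a later reader may remove the guard as clutter. I would add above it `/* console_t has no getc member unless ENABLE_CONSOLE_GETC=1; console input is off by default to reduce attack surface */`. The initializer starts before this hunk, so the comment should be checked against the surrounding style there.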