Put Pointer Authentication key value in BSS section

Fork: 0

LuminaSensum / arm-trusted-firmware

Browse code Put Pointer Authentication key value in BSS section The dummy implementation of the plat_init_apiakey() platform API uses an internal 128-bit buffer to store the initial key value used for Pointer Authentication support. The intent - as stated in the file comments - was for this buffer to be write-protected by the MMU. Initialization of the buffer would be performed before enabling the MMU, thus bypassing write protection checks. However, the key buffer ended up into its own read-write section by mistake due to a typo on the section name ('rodata.apiakey' instead of '.rodata.apiakey', note the leading dot). As a result, the linker script was not pulling it into the .rodata output section. One way to address this issue could have been to fix the section name. However, this approach does not work well for BL1. Being the first image in the boot flow, it typically is sitting in real ROM so we don't have the capacity to update the key buffer at any time. The dummy implementation of plat_init_apiakey() provided at the moment is just there to demonstrate the Pointer Authentication feature in action. Proper key management and key generation would have to be a lot more careful on a production system. Therefore, the approach chosen here to leave the key buffer in writable memory but move it to the BSS section. This does mean that the key buffer could be maliciously updated for intalling unintended keys on the warm boot path but at the feature is only at an experimental stage right now, this is deemed acceptable. Change-Id: I121ccf35fe7bc86c73275a4586b32d4bc14698d6 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> WIP_v2.3-LS master v2.2-LS v2.4-LS v2.3-rc2 v2.3-rc1 v2.3-rc0 v2.3 v2.2-rc2 v2.2-rc1 v2.2-rc0 v2.2 v2.1-rc1 v2.1-rc0 v2.1
1 parent 3ca26be commit 47102b35d644a8c5a1343f9ec05c29b5d1e0e1b0 Sandrine Bailleux authored on 13 Mar 2019

Browse code

The dummy implementation of the plat_init_apiakey() platform API uses
an internal 128-bit buffer to store the initial key value used for
Pointer Authentication support.

The intent - as stated in the file comments - was for this buffer to
be write-protected by the MMU. Initialization of the buffer would be
performed before enabling the MMU, thus bypassing write protection
checks.

However, the key buffer ended up into its own read-write section by
mistake due to a typo on the section name ('rodata.apiakey' instead of
'.rodata.apiakey', note the leading dot). As a result, the linker
script was not pulling it into the .rodata output section.

One way to address this issue could have been to fix the section
name. However, this approach does not work well for BL1. Being the
first image in the boot flow, it typically is sitting in real ROM
so we don't have the capacity to update the key buffer at any time.

The dummy implementation of plat_init_apiakey() provided at the moment
is just there to demonstrate the Pointer Authentication feature in
action. Proper key management and key generation would have to be a
lot more careful on a production system.

Therefore, the approach chosen here to leave the key buffer in
writable memory but move it to the BSS section. This does mean that
the key buffer could be maliciously updated for intalling unintended
keys on the warm boot path but at the feature is only at an
experimental stage right now, this is deemed acceptable.

Change-Id: I121ccf35fe7bc86c73275a4586b32d4bc14698d6
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

WIP_v2.3-LS master v2.2-LS v2.4-LS v2.3-rc2 v2.3-rc1 v2.3-rc0 v2.3 v2.2-rc2 v2.2-rc1 v2.2-rc0 v2.2 v2.1-rc1 v2.1-rc0 v2.1

1 parent 3ca26be commit 47102b35d644a8c5a1343f9ec05c29b5d1e0e1b0

Sandrine Bailleux authored on 13 Mar 2019

Patch

Unified Split

Showing 1 changed file

Ignore Space Show notes View plat/arm/common/aarch64/arm_pauth.c

Show line notes below