Hi Sandrine,
On Wed, Sep 27 2023, Sandrine Bailleux via TF-A wrote:
> Following up on our previous discussion in this thread, I've posted a patch to disable getc() by default:
> https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/23549
>
> The aim is not only to disable getc() - as in, not being able to call it anymore - but also to remove all getc-related code from the firmware binaries so that there is no remnant getc code which could be used as a gadget as part of a bigger security attack.
>
> Let me explain the changes introduced by this patch and the design choices I have made - which are all up for discussion!
>
> Changes
>
> - By default, getc() is now compiled out at the multi-console framework level.
>
>   This means it is no longer possible to invoke any of the console drivers' getc() callbacks through the multi-console framework.
>
>   Note that TF-A libc does not provide getc(), so console_getc() is the highest-level API we've got in this area.
>
> - By default, if a console driver attempts to register a getc() callback into the multi-console framework, TF-A now fails to build.
>
>   For example, with the Arm PL011 console driver:
>
>     drivers/arm/pl011/aarch64/pl011_console.S: Assembler messages:
>     drivers/arm/pl011/aarch64/pl011_console.S:110: Error: getc() support is disabled. Do not register a getc() console callback.
>
> - By default, all console drivers which registered a getc() callback no longer do.
>
> All of these changes can be reverted by building TF-A with ENABLE_CONSOLE_GETC=1.
These changes are fine by me as they draw a good security/usability balance. For what it's worth:

Acked-by: Baruch Siach <baruch@tkos.co.il>

Thanks,
baruch
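As an added illustration of the design discussed above, and not the TF-A patch itself (the quoted pl011 error shows that TF-A performs its check in the assembler console macros), here is a small C model in which the getc member and console_getc() exist only when ENABLE_CONSOLE_GETC is set, so a driver that tries to register a getc callback cannot build and no getc code is left in the binary. The console_t, console_register, console_putc and demo_* names are hypothetical and not taken from TF-A.

```c
#include <stddef.h>
/* Build-time switch; assumed to default to off, as the patch does for TF-A. */
#ifndef ENABLE_CONSOLE_GETC
#define ENABLE_CONSOLE_GETC 0
#endif
/* Hypothetical console descriptor modelled on a multi-console framework. */
typedef struct console {
    int (*putc)(int c, struct console *con);
#if ENABLE_CONSOLE_GETC
    int (*getc)(struct console *con);   /* member exists only when enabled */
#endif
    struct console *next;
} console_t;
static console_t *console_list;

/* A driver initialiser naming .getc fails to compile when the flag is off
 * (no such member), so no getc callback or getc code reaches the binary. */
void console_register(console_t *con) {
    con->next = console_list;
    console_list = con;
}

/* Fan a character out to every registered console; returns how many took it. */
int console_putc(int c) {
    int n = 0;
    for (console_t *con = console_list; con != NULL; con = con->next)
        if (con->putc != NULL && con->putc(c, con) >= 0)
            n++;
    return n;
}
#if ENABLE_CONSOLE_GETC
/* Highest-level read API; absent from the build unless explicitly enabled. */
int console_getc(void) {
    for (console_t *con = console_list; con != NULL; con = con->next)
        if (con->getc != NULL)
            return con->getc(con);
    return -1;
}
#endif

/* Constructed demo driver: accepts every character (a stand-in for a UART). */
static int demo_putc(int c, console_t *con) { (void)con; return c; }
static console_t demo_console = { .putc = demo_putc };   /* no .getc: builds */
/* Registers the demo console once, writes "ok", returns accepted char count. */
int demo_run(void) {
    int accepted = 0;
    if (console_list == NULL) console_register(&demo_console);
    for (const char *p = "ok"; *p != '\0'; p++)
        accepted += console_putc(*p);
    return accepted;
}
```

Rebuilding with `-DENABLE_CONSOLE_GETC=1` brings the getc member and console_getc() back, mirroring the ENABLE_CONSOLE_GETC=1 escape hatch described in the thread.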