Hi Bohdan,
You are right. armclang does not support aligning the end of a section directly. That's why an empty section is inserted. cfg_limit is a bit different from cfg_base, because the actual mpu region limit is cfg_limit[31:5]:0x1F. So cfg_limit can be unaligned or aligned as long as there is no overlap between this section and the next section as commented herehttps://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/ext/target/arm/musca_b1/Native_Driver/mpu_armv8m_drv.c#n79. But the current implementation cannot guarantee no overlap if TFM_LINKER_UNPRIV_CODE_ALIGNMENT is greater than 4. So, I think this should be fixed and solution 2 is preferred.
Regards, Sherry Zhang
From: Bohdan.Hunko--- via TF-M tf-m@lists.trustedfirmware.org Sent: Monday, May 29, 2023 9:46 PM To: tf-m@lists.trustedfirmware.org Subject: [TF-M] ARMCLANG protections bug
Hi all,
In GCC linker scripts ands of sections are aligned using following syntax:
. = ALIGN(TFM_LINKER_XXX_ALIGNMENT);
But in ARMClang TFM does not use similar approach, instead it creates Position tags sections like following: TFM_APP_CODE_START +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT EMPTY 0x0 { }
TFM_APP_ROT_LINKER +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT { *tfm_app_rot_partition* (+RO-CODE, +RO-DATA) *libplatform_s* (TFM_*_APP-ROT_ATTR_FN) *.o (TFM_*_APP-ROT_ATTR_FN) }
/* * This empty, zero long execution region is here to mark the end address * of APP RoT code. */ TFM_APP_CODE_END +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT EMPTY 0x0 { }
I believe this is done because clang does not have syntaxes for aligning end of the section (please correct me if I am wrong).
This approach results in bug in TFM_UNPRIV_CODE section protections, because TFM_UNPRIV_CODE Base and Limit are used directly and Limit is not aligned.
For now this problem stayed undetected because present platforms does not validate region_limit when applying protections. I have created this patchhttps://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/21169 , which adds validation of region_limit and ran Ci on it and I can see that CI failed in tests for Clang builds
So I guess this is the problem that have to be fixed. I see following possible solutions:
1. Align and of TFM_UNPRIV_CODE section (but I guess clang does not support that) 2. Add position tags for _START and END
Solution 1 will simpler as it will not require changed in platform code, but I guess clang syntaxes is limiting us here.
So my question would be whether there is a plan to fix this issue ?
Regards, Bohdan Hunko
Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com