Hi Bohdan,
You are right. armclang does not support aligning the end of a section directly. That’s why an empty section is inserted. cfg_limit is a bit different from cfg_base, because the actual mpu region limit is cfg_limit[31:5]:0x1F. So cfg_limit
can be unaligned or aligned as long as there is no overlap between this section and the next section as commented
here. But the current implementation cannot guarantee no overlap if TFM_LINKER_UNPRIV_CODE_ALIGNMENT is greater than 4. So, I think this should be fixed and solution 2 is preferred.
Regards,
Sherry Zhang
From: Bohdan.Hunko--- via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Monday, May 29, 2023 9:46 PM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] ARMCLANG protections bug
Hi all,
In GCC linker scripts ands of sections are aligned using following syntax:
.
=
ALIGN(TFM_LINKER_XXX_ALIGNMENT);
But in ARMClang TFM does not use similar approach, instead it creates Position tags sections like following:
TFM_APP_CODE_START +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT EMPTY 0x0 {
}
TFM_APP_ROT_LINKER +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT {
*tfm_app_rot_partition* (+RO-CODE, +RO-DATA)
*libplatform_s* (TFM_*_APP-ROT_ATTR_FN)
*.o (TFM_*_APP-ROT_ATTR_FN)
}
/*
* This empty, zero long execution region is here to mark the end address
* of APP RoT code.
*/
TFM_APP_CODE_END +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT EMPTY 0x0 {
}
I believe this is done because clang does not have syntaxes for aligning end of the section (please correct me if I am wrong).
This approach results in bug in TFM_UNPRIV_CODE section protections, because TFM_UNPRIV_CODE Base and Limit are used directly and Limit is not aligned.
For now this problem stayed undetected because present platforms does not validate
region_limit when applying protections.
I have created
this patch , which adds validation of region_limit and ran Ci on it and I can see that CI failed in tests for Clang builds
So I guess this is the problem that have to be fixed. I see following possible solutions:
Solution 1 will simpler as it will not require changed in platform code, but I guess clang syntaxes is limiting us here.
So my question would be whether there is a plan to fix this issue ?
Regards,
Bohdan Hunko
Cypress Semiconductor Ukraine
Engineer
CSUKR CSS ICW SW FW
Mobile: +38099 50 19 714
Bohdan.Hunko@infineon.com