Hello,
Solving it with sizeof(__func__) is a reasonable option. It solves the described fault injection.
Best Regards
Michel
-----Original Message-----
From: Raef Coles Raef.Coles@arm.com
Sent: Friday 30 April 2021 16:15
To: tf-m@lists.trustedfirmware.org; Michel JAOUEN michel.jaouen@st.com
Subject: Re: [FIH lib] : fih question on a specific fault injection
I think at the moment that wouldn't get caught by the flow control countermeasures. However, we did have an idea for an improvement (which didn't get implemented), that should resolve it.
At the moment, calling a function with FIH_CALL increases the flow control counter by 1. The alternative we considered was to instead increase the counter by a value that was generated based on the function that was called.
Exactly how to generate this number is tricky, since we can't really implement a proper hash function in the preprocessor. The compromise we came to was that we could increase it by sizeof(__func__) (the length of the function name). This is accessible to both the call and the ret, and should be reasonably easily implementable. This wouldn't solve your issue immediately, but one function could then be renamed to be of a different length.
Another alternative is that you could manually increment and check the flow-control counter, though having to do that manually isn't ideal.
Do either of these options seem reasonable?
Raef
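To make the two schemes concrete, here is a small C model of the counter check, run against a simulated glitch that lands in the wrong function. This is an added example, not code from TF-M's fih.h; the names fc_ctr, MODEL_RET and simulate_call are made up, and the real macros are FIH_CALL and FIH_RET.

```c
/* Hypothetical model of the FIH control-flow-integrity counter (added
 * example, not TF-M's fih.h): fc_ctr stands in for the real counter,
 * MODEL_RET for FIH_RET and simulate_call for the FIH_CALL pre/post blocks. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t (*step_fn)(const char *name);

/* Current scheme: every call and return moves the counter by exactly 1. */
static uint32_t step_const(const char *name) { (void)name; return 1u; }
/* Proposed scheme: move it by sizeof(__func__) == strlen(name) + 1. */
static uint32_t step_namelen(const char *name) { return (uint32_t)strlen(name) + 1u; }

static step_fn g_step;      /* scheme under test */
static uint32_t fc_ctr;     /* stands in for the library's CFI counter */

/* Callee side of FIH_RET: decrement by this function's own step. */
#define MODEL_RET(val) do { fc_ctr -= g_step(__func__); return (val); } while (0)

static int test_1(void)   { MODEL_RET(0); }
static int test_2(void)   { MODEL_RET(0); }   /* same name length as test_1 */
static int test_two(void) { MODEL_RET(0); }   /* renamed: different length */

/* Caller side of FIH_CALL. `intended` is the callee name the macro sees as
 * #f; `actual` is the function the (simulated) glitch really lands in.
 * Returns 1 if the post-call check would panic, i.e. the fault is detected. */
static int simulate_call(step_fn step, const char *intended, int (*actual)(void))
{
    g_step = step;
    fc_ctr = 0x1000u;                   /* arbitrary starting value */
    uint32_t saved = fc_ctr;            /* pre-call block saves the counter... */
    fc_ctr += step(intended);           /* ...and increments for the callee */
    (void)actual();                     /* callee's MODEL_RET decrements */
    return fc_ctr != saved;             /* post-call block validates */
}

int main(void)
{
    printf("const step, normal call detected: %d\n",
           simulate_call(step_const, "test_1", test_1));      /* 0 */
    printf("const step, test_1->test_2 glitch detected: %d\n",
           simulate_call(step_const, "test_1", test_2));      /* 0 */
    printf("namelen step, test_1->test_2 glitch detected: %d\n",
           simulate_call(step_namelen, "test_1", test_2));    /* 0: equal lengths */
    printf("namelen step, test_1->test_two glitch detected: %d\n",
           simulate_call(step_namelen, "test_1", test_two));  /* 1 */
    return 0;
}
```

The third case shows why renaming one function is needed: with equal-length names the per-name step is identical and the glitch is still missed.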
________________________________________
From: TF-M tf-m-bounces@lists.trustedfirmware.org on behalf of Michel JAOUEN via TF-M tf-m@lists.trustedfirmware.org
Sent: 30 April 2021 13:55
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] [FIH lib] : fih question on a specific fault injection
Hello,
I started using the FIH library and I doubt that it can solve the following fault injection:
Here are 2 test functions placed by the linker very close to each other, making it possible to jump from the test_1 start address to the test_2 start address with a fault injection.

    fih_int test_1(void)
    {
        fih_int fih_rc = FIH_FAILURE;
        fih_rc = fih_int_encode(TFM_PLAT_ERR_SUCCESS);
        FIH_RET(fih_rc);
    }

    fih_int test_2(void)
    {
        fih_int fih_rc = FIH_FAILURE;
        fih_rc = fih_int_encode(TFM_PLAT_ERR_SUCCESS);
        FIH_RET(fih_rc);
    }

Is the following able to detect that code returned from test_2 instead of test_1 after such a fault?

    fih_int fih_rc = FIH_FAILURE;
    /* FIH_CALL takes the callee and the variable that receives its return value */
    FIH_CALL(test_1, fih_rc);
    if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) {
        tfm_core_panic();
    }

Best regards
Michel