Hi all

 

I have created a fix for this issue: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/21280

 

It is under review and is expected to be merged soon if there are no objections.

 

 

Regards,

Bohdan Hunko

 

Cypress Semiconductor Ukraine

Engineer

CSUKR CSS ICW SW FW

Mobile: +38099 50 19 714
Bohdan.Hunko@infineon.com

 

 

From: Sherry Zhang <Sherry.Zhang2@arm.com>
Sent: 30 May 2023 05:26
To: Hunko Bohdan (CSUKR CSS ICW SW FW 3) <Bohdan.Hunko@infineon.com>; tf-m@lists.trustedfirmware.org
Cc: nd <nd@arm.com>
Subject: RE: ARMCLANG protections bug


Hi Bohdan,

 

You are right. armclang does not support aligning the end of a section directly. That’s why an empty section is inserted. cfg_limit is a bit different from cfg_base, because the actual MPU region limit is cfg_limit[31:5]:0x1F. So cfg_limit can be unaligned or aligned as long as there is no overlap between this section and the next section as commented here. But the current implementation cannot guarantee no overlap if TFM_LINKER_UNPRIV_CODE_ALIGNMENT is greater than 4. So, I think this should be fixed and solution 2 is preferred.

 

Regards,

Sherry Zhang
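
The limit rounding described in the reply above (effective limit = cfg_limit[31:5]:0x1F), as an added example in C that is not part of the thread or of TF-M's code. The function names are hypothetical, the addresses are constructed, and cfg_limit is assumed to be the inclusive address of the last byte of the section.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bits [4:0] of the limit are not programmable: the MPU reads them as 0x1F. */
#define MPU_LIMIT_LOW_BITS 0x1FU

/* Last byte the MPU region really covers: cfg_limit[31:5]:0x1F. */
static uint32_t mpu_effective_limit(uint32_t cfg_limit)
{
    return cfg_limit | MPU_LIMIT_LOW_BITS;
}

/* Bytes beyond the requested (inclusive) limit that the region still covers. */
static uint32_t mpu_limit_slack(uint32_t cfg_limit)
{
    return mpu_effective_limit(cfg_limit) - cfg_limit;
}

/* True when the rounded-up region reaches into the section that follows. */
static bool mpu_overlaps_next(uint32_t cfg_limit, uint32_t next_base)
{
    return next_base <= mpu_effective_limit(cfg_limit);
}

int main(void)
{
    /* Constructed addresses, not taken from any TF-M build. */
    const uint32_t cfg_limit = 0x10001233U;   /* unaligned section limit */
    const uint32_t next_bases[] = {
        0x10001234U,  /* next section placed directly after the code */
        0x10001240U,  /* next section placed on the following 32-byte boundary */
    };

    printf("cfg_limit 0x%08lX -> effective limit 0x%08lX (+%lu bytes)\n",
           (unsigned long)cfg_limit,
           (unsigned long)mpu_effective_limit(cfg_limit),
           (unsigned long)mpu_limit_slack(cfg_limit));

    for (size_t i = 0; i < sizeof(next_bases) / sizeof(next_bases[0]); i++) {
        printf("next section at 0x%08lX: %s\n",
               (unsigned long)next_bases[i],
               mpu_overlaps_next(cfg_limit, next_bases[i])
                   ? "covered by the unprivileged code region"
                   : "no overlap");
    }
    return 0;
}
```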

 

From: Bohdan.Hunko--- via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Monday, May 29, 2023 9:46 PM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] ARMCLANG protections bug

 

Hi all,

 

In GCC linker scripts, ends of sections are aligned using the following syntax:

 

. = ALIGN(TFM_LINKER_XXX_ALIGNMENT);

 

 

But in ARMClang, TFM does not use a similar approach; instead it creates position tag sections like the following:

    TFM_APP_CODE_START +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT EMPTY 0x0 {
    }

    TFM_APP_ROT_LINKER +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT {
        *tfm_app_rot_partition* (+RO-CODE, +RO-DATA)
        *libplatform_s* (TFM_*_APP-ROT_ATTR_FN)
        *.o (TFM_*_APP-ROT_ATTR_FN)
    }

    /*
     * This empty, zero long execution region is here to mark the end address
     * of APP RoT code.
     */
    TFM_APP_CODE_END +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT EMPTY 0x0 {
    }

 

 

I believe this is done because clang does not have syntax for aligning the end of a section (please correct me if I am wrong).

 

This approach results in a bug in TFM_UNPRIV_CODE section protections, because TFM_UNPRIV_CODE Base and Limit are used directly and Limit is not aligned.

 

For now this problem has stayed undetected because present platforms do not validate region_limit when applying protections.

I have created this patch, which adds validation of region_limit, and ran CI on it, and I can see that CI failed in tests for Clang builds.

 

So I guess this is the problem that has to be fixed. I see the following possible solutions:

  1. Align the end of the TFM_UNPRIV_CODE section (but I guess clang does not support that)
  2. Add position tags for _START and END

 

Solution 1 will be simpler as it will not require changes in platform code, but I guess clang syntax is limiting us here.

 

So my question would be whether there is a plan to fix this issue?

 

Regards,

Bohdan Hunko
