The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables the getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
/*
* Copyright (c) 2013-2023, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#ifndef CONSOLE_H
#define CONSOLE_H
#include <lib/utils_def.h>
/*
 * Byte offsets of the console_t members, one REGSZ-sized slot per member.
 * They are defined outside the __ASSEMBLER__ guard so that assembly console
 * drivers can use them, and they must list the members in the same order as
 * struct console.
 *
 * CONSOLE_T_GETC exists only when ENABLE_CONSOLE_GETC is non-zero. With the
 * option off there is no getc slot, FLUSH/BASE/DRVDATA each move up by one
 * slot, and assembly that still references CONSOLE_T_GETC fails to build
 * rather than registering an input callback.
 */
#define CONSOLE_T_NEXT (U(0) * REGSZ)
#define CONSOLE_T_FLAGS (U(1) * REGSZ)
#define CONSOLE_T_PUTC (U(2) * REGSZ)
#if ENABLE_CONSOLE_GETC
/* Layout with console input compiled in: getc occupies slot 3. */
#define CONSOLE_T_GETC (U(3) * REGSZ)
#define CONSOLE_T_FLUSH (U(4) * REGSZ)
#define CONSOLE_T_BASE (U(5) * REGSZ)
/* First slot after base, where driver-private data may follow. */
#define CONSOLE_T_DRVDATA (U(6) * REGSZ)
#else
/* Layout without console input: CONSOLE_T_GETC is deliberately undefined. */
#define CONSOLE_T_FLUSH (U(3) * REGSZ)
#define CONSOLE_T_BASE (U(4) * REGSZ)
/* First slot after base, where driver-private data may follow. */
#define CONSOLE_T_DRVDATA (U(5) * REGSZ)
#endif
/*
 * Console flag bits. The scope flags name the console states in which a
 * console is active; see console_set_scope() and console_switch_state().
 */
#define CONSOLE_FLAG_BOOT (U(1) << 0)
#define CONSOLE_FLAG_RUNTIME (U(1) << 1)
#define CONSOLE_FLAG_CRASH (U(1) << 2)
/* Bits 3 to 7 reserved for additional scopes in future expansion. */
/* Mask selecting every scope bit (bits 0 to 7). */
#define CONSOLE_FLAG_SCOPE_MASK ((U(1) << 8) - 1)
/* Bits 8 to 31 for non-scope use. */
#define CONSOLE_FLAG_TRANSLATE_CRLF (U(1) << 8)
/*
 * Negative status codes of the console API. Both stay defined whether or
 * not ENABLE_CONSOLE_GETC is set.
 */
/* Returned by getc callbacks when receive FIFO is empty. */
#define ERROR_NO_PENDING_CHAR (-1)
/* Returned by console_xxx() if no registered console implements xxx. */
#define ERROR_NO_VALID_CONSOLE (-128)
#ifndef __ASSEMBLER__
#include <stdint.h>
/*
 * One console instance. The member order is mirrored by the CONSOLE_T_*
 * offset macros defined earlier in this header, so a member must not be
 * added, removed or moved without updating them as well.
 */
typedef struct console {
	/* Link to another console_t in the console list. */
	struct console *next;
	/*
	 * Only the low 32 bits are used. The type is u_register_t to align the
	 * fields of the struct to 64 bits in AArch64 and 32 bits in AArch32
	 */
	u_register_t flags;
	/* Output callback; const-qualified, so it is fixed when the object is initialized. */
	int (*const putc)(int character, struct console *console);
#if ENABLE_CONSOLE_GETC
	/*
	 * Input callback. The member exists only when ENABLE_CONSOLE_GETC is
	 * non-zero, so a driver that populates .getc in a build without it
	 * gets a compile error ("no member named 'getc'") instead of an
	 * input path into the firmware.
	 */
	int (*const getc)(struct console *console);
#endif
	/* Flush callback; const-qualified like putc. */
	void (*const flush)(struct console *console);
	/* NOTE(review): presumably the device base address; confirm in the drivers. */
	uintptr_t base;
	/* Additional private driver data may follow here. */
} console_t;
/*
 * NOTE(review): presumably the head of the list that console_register()
 * adds to; confirm in the console implementation.
 */
extern console_t *console_list;

/* offset macro assertions for console_t; kept after the struct definition */
#include <drivers/console_assertions.h>
/*
 * Add a console_t instance to the console list. This should only be called by
 * console drivers after they have initialized all fields in the console
 * structure. Platforms seeking to register a new console need to call the
 * respective console_<driver>_register() function instead.
 *
 * When ENABLE_CONSOLE_GETC is 0, console_t has no getc member, so a console
 * registered this way can only provide the putc and flush callbacks.
 * NOTE(review): the return value is not described in this header; check the
 * implementation.
 */
int console_register(console_t *console);
/*
 * Remove a single console_t instance from the console list. Return a pointer to
 * the console that was removed if it was found, or NULL if not.
 */
console_t *console_unregister(console_t *console);
/* Returns 1 if this console is already registered, 0 if not */
int console_is_registered(console_t *console);
/*
 * Set scope mask of a console that determines in what states it is active.
 * By default they are registered with (CONSOLE_FLAG_BOOT|CONSOLE_FLAG_CRASH).
 * The scope bits are CONSOLE_FLAG_BOOT, CONSOLE_FLAG_RUNTIME and
 * CONSOLE_FLAG_CRASH.
 */
void console_set_scope(console_t *console, unsigned int scope);
/* Switch to a new global console state (CONSOLE_FLAG_BOOT/RUNTIME/CRASH). */
void console_switch_state(unsigned int new_state);
/*
 * Output a character on all consoles registered for the current state.
 * ERROR_NO_VALID_CONSOLE is the code this header documents for the case where
 * no registered console implements the operation.
 */
int console_putc(int c);
#if ENABLE_CONSOLE_GETC
/*
 * Read a character (blocking) from any console registered for current state.
 *
 * Declared only when ENABLE_CONSOLE_GETC is non-zero; builds without the
 * option have no console_getc() at all. Whatever this returns originates
 * outside the firmware, so callers must treat it as untrusted input and
 * validate it before use.
 */
int console_getc(void);
#endif
/* Flush all consoles registered for the current state. */
void console_flush(void);
#endif /* __ASSEMBLER__ */
#endif /* CONSOLE_H */