test: normal world can't share root memory
In [1] the invalid access test was removed from the respective
tests xml file, as it was leveraging a security vulnerability in
our SPM implementation.
As part of the same patchstack, we have harnessed and limited the
memory that an SP can use via manifest, or memory sharing operations.
This patch reestablishes the invalid access that was discarded,
this time however only validating that the memory sharing of root
memory fails, which should be indicative that the SP can't access it.
Also add the missing dependency on the source file spm_test_helpers.c
to the make file tests-invalid-access.mk.
Future patches will include tests to the GPC.
[1] https://review.trustedfirmware.org/q/topic:%22ja%252Fmem_region_fix%22+(status:open%20OR%20status:merged)
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I6ee21586a2e94810fb4656054b26b2a51c97a544
diff --git a/tftf/tests/misc_tests/test_invalid_access.c b/tftf/tests/misc_tests/test_invalid_access.c
index 5c173c5..343a553 100644
--- a/tftf/tests/misc_tests/test_invalid_access.c
+++ b/tftf/tests/misc_tests/test_invalid_access.c
@@ -271,13 +271,13 @@
/**
* @Test_Aim@ Check a root region cannot be accessed from a secure partition.
*
- * This change adds TFTF and cactus test to permit checking a root region
- * cannot be accessed from secure world.
* A hardcoded address marked Root in the GPT is shared to a secure
- * partition. The SP retrieves the region from the SPM, maps it and
- * attempts a read access to the region. It is expected to trigger a GPF
- * data abort on the PE caught by a custom exception handler.
- *
+ * partition. The operation fails given the memory shared needs to be
+ * preconfigured in the memory ranges described in the SPMC manifest. The ranges
+ * related with S/NS memory that the SP can access shall never contain
+ * realm/root memory as this incurs into a configuration error.
+ * This test validates the SP can't get access to root memory via FF-A memory
+ * sharing interfaces.
*/
test_result_t rt_memory_cannot_be_accessed_in_s(void)
{
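Review bot: The rewritten doc comment no longer states what the test actually checks at the FF-A level, and the sentence "as this incurs into a configuration error" is awkward. Suggest replacing the last three lines of the comment with `* realm/root memory; such a range would be a configuration error.` followed by `* This test only validates that FFA_MEM_SHARE of a root region to the SP is` and `* rejected by the SPMC; it does not exercise a data access from the SP.`, so a reader does not assume the SP-side access path from the old version is still covered. The body of rt_memory_cannot_be_accessed_in_s continues outside this hunk.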
@@ -297,8 +297,6 @@
return TEST_RESULT_SKIPPED;
}
- SKIP_TEST_IF_FFA_VERSION_LESS_THAN(1,1);
-
CHECK_SPMC_TESTING_SETUP(1, 1, expected_sp_uuids);
GET_TFTF_MAILBOX(mb);
@@ -309,32 +307,10 @@
FFA_MEM_SHARE_SMC32, &ret);
if (handle == FFA_MEMORY_HANDLE_INVALID) {
- return TEST_RESULT_FAIL;
+ return TEST_RESULT_SUCCESS;
}
- VERBOSE("TFTF - Handle: %llx Address: %p\n",
- handle, constituents[0].address);
-
- /* Retrieve the shared page and attempt accessing it. */
- ret = cactus_mem_send_cmd(SENDER, RECEIVER, FFA_MEM_SHARE_SMC32,
- handle, 0, true, 1);
-
- if (is_ffa_call_error(ffa_mem_reclaim(handle, 0))) {
- ERROR("Memory reclaim failed!\n");
- return TEST_RESULT_FAIL;
- }
-
- /*
- * Expect success response with value 1 hinting an exception
- * triggered while the SP accessed the region.
- */
- if (!(cactus_get_response(ret) == CACTUS_SUCCESS &&
- cactus_error_code(ret) == 1)) {
- ERROR("Exceptions test failed!\n");
- return TEST_RESULT_FAIL;
- }
-
- return TEST_RESULT_SUCCESS;
+ return TEST_RESULT_FAIL;
}
test_result_t s_memory_cannot_be_accessed_in_rl(void)
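Review bot: On the new failure path (share unexpectedly succeeds, L76) the handle returned by the FFA_MEM_SHARE call is never reclaimed, because the `ffa_mem_reclaim(handle, 0)` call was removed together with the SP access sequence; a root region left shared with the SP would persist into later tests in the same suite. The success path is also weaker than the description implies: any reason for `handle == FFA_MEMORY_HANDLE_INVALID` counts as a pass, so a malformed descriptor or an unsupported operation would mask a regression — if the helper is available, check the error in `ret` as well (e.g. expect `ffa_error_code(ret)` to be the SPMC's denial code — confirm the exact value against the SPMC). The function begins outside this hunk.
```c
	if (handle == FFA_MEMORY_HANDLE_INVALID) {
		/* Expected: the SPMC must refuse to share a root region. */
		return TEST_RESULT_SUCCESS;
	}

	ERROR("Root region was shared to the SP (handle %llx)!\n", handle);

	/* Do not leave the root region shared for the remaining tests. */
	if (is_ffa_call_error(ffa_mem_reclaim(handle, 0))) {
		ERROR("Memory reclaim failed!\n");
	}

	return TEST_RESULT_FAIL;
}
```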
diff --git a/tftf/tests/tests-invalid-access.mk b/tftf/tests/tests-invalid-access.mk
index 3b05349..346ba9d 100644
--- a/tftf/tests/tests-invalid-access.mk
+++ b/tftf/tests/tests-invalid-access.mk
@@ -25,4 +25,5 @@
ffa_helpers.c \
spm_common.c \
test_ffa_setup_and_discovery.c \
+ spm_test_helpers.c \
)
diff --git a/tftf/tests/tests-invalid-access.xml b/tftf/tests/tests-invalid-access.xml
index 0cd8234..33b85c5 100644
--- a/tftf/tests/tests-invalid-access.xml
+++ b/tftf/tests/tests-invalid-access.xml
@@ -22,5 +22,7 @@
function="s_memory_cannot_be_accessed_in_rl" />
<testcase name="Access Root memory from Realm world"
function="rt_memory_cannot_be_accessed_in_rl" />
+ <testcase name="Share memory to an SP from a Root region"
+ function="rt_memory_cannot_be_accessed_in_s" />
</testsuite>
</testsuites>