Secure Development Guidelines
=============================

This page contains guidance on what to check for additional security measures,
including build options that can be modified to improve security or catch issues
early in development.

Security considerations
-----------------------

Part of the security of a platform is handling errors correctly, as described in
the previous section. There are several other security considerations covered in
this section.

Do not leak secrets to the normal world
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The secure world **must not** leak secrets to the normal world, for example in
response to an SMC.

Handling Denial of Service attacks
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The secure world **should never** crash or become unusable due to receiving too
many normal world requests (a *Denial of Service* or *DoS* attack). It should
have a mechanism for throttling or ignoring normal world requests.

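One way to provide such a throttling mechanism is a token bucket in front of the SMC dispatcher, shown here as an added example that is not TF-A code; the type and function names, the capacity and refill constants and the ``SMC_BUSY`` return code are assumptions for illustration, and the caller is assumed to pass the current secure timer tick.

```c
/* Added example, not TF-A code: token-bucket throttling of normal world SMC
 * requests, one way to provide the DoS mitigation described above. Names,
 * constants and return codes are assumptions for illustration. */
#include <stdint.h>

#define SMC_OK          0
#define SMC_BUSY        (-1)  /* assumed return code: request dropped */
#define BUCKET_CAPACITY 8U    /* largest burst admitted without a refill */
#define REFILL_PER_TICK 1U    /* tokens restored per secure timer tick */

struct smc_throttle {
	uint32_t tokens;     /* requests that may still be admitted */
	uint64_t last_tick;  /* tick at which tokens was last refilled */
	uint64_t dropped;    /* rejected requests, worth exposing for detection */
};

void throttle_init(struct smc_throttle *t, uint64_t now)
{
	t->tokens = BUCKET_CAPACITY;
	t->last_tick = now;
	t->dropped = 0;
}

/* Refill for elapsed ticks; elapsed is capped so a long idle period cannot buy
 * an unbounded burst later and the multiplication cannot overflow. */
static void throttle_refill(struct smc_throttle *t, uint64_t now)
{
	uint64_t elapsed = (now > t->last_tick) ? (now - t->last_tick) : 0;

	if (elapsed > BUCKET_CAPACITY)
		elapsed = BUCKET_CAPACITY;
	uint64_t total = t->tokens + elapsed * REFILL_PER_TICK;
	t->tokens = (total > BUCKET_CAPACITY) ? BUCKET_CAPACITY : (uint32_t)total;
	t->last_tick = now;
}

/* Front end of the SMC dispatcher: a rejected request costs the secure world
 * only this check and receives a cheap error; handler lookup and any work on
 * the normal world's behalf happen only after the request is admitted. */
int32_t smc_dispatch(struct smc_throttle *t, uint64_t now, uint32_t fid)
{
	throttle_refill(t, now);
	if (t->tokens == 0) {
		t->dropped++;
		return SMC_BUSY;
	}
	t->tokens--;
	(void)fid;  /* real handler lookup and call would follow here */
	return SMC_OK;
}
```

The ``dropped`` counter is the value a platform would want to surface to its monitoring, since a sustained rise in rejected requests is the observable signature of a normal world flooding the secure world.
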
Build options
-------------

Several build options can be used to check for security issues. Refer to the
:ref:`Build Options` for detailed information on these.

- The ``BRANCH_PROTECTION`` build flag can be used to enable Pointer
  Authentication and Branch Target Identification.

- The ``ENABLE_STACK_PROTECTOR`` build flag can be used to identify buffer
  overflows.

- The ``W`` build flag can be used to enable a number of compiler warning
  options to detect potentially incorrect code.

  - W=0 (default value)

    The ``Wunused`` with ``Wno-unused-parameter``, ``Wdisabled-optimization``
    and ``Wvla`` flags are enabled.

    The ``Wunused-but-set-variable``, ``Wmaybe-uninitialized`` and
    ``Wpacked-bitfield-compat`` are GCC-specific flags that are also enabled.

  - W=1

    Adds ``Wextra``, ``Wmissing-format-attribute``, ``Wmissing-prototypes``,
    ``Wold-style-definition`` and ``Wunused-const-variable``.

  - W=2

    Adds ``Waggregate-return``, ``Wcast-align``, ``Wnested-externs``,
    ``Wshadow`` and ``Wlogical-op``.

  - W=3

    Adds ``Wbad-function-cast``, ``Wcast-qual``, ``Wconversion``, ``Wpacked``,
    ``Wpointer-arith``, ``Wredundant-decls`` and
    ``Wswitch-default``.

  Refer to the GCC or Clang documentation for more information on the individual
  options: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html and
  https://clang.llvm.org/docs/DiagnosticsReference.html.

  NB: The ``Werror`` flag is enabled by default in TF-A and can be disabled by
  setting the ``E`` build flag to 0.

--------------

*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*