Merge changes from topic "sls-lts-v2.8" into lts-v2.8
* changes:
feat(security): add support for SLS mitigation
fix(build): allow lower address access with gcc-12
diff --git a/Makefile b/Makefile
index c7ee8a3..0ffdc27 100644
--- a/Makefile
+++ b/Makefile
@@ -382,6 +382,14 @@
WARNINGS += -Wunused-but-set-variable -Wmaybe-uninitialized \
-Wpacked-bitfield-compat -Wshift-overflow=2 \
-Wlogical-op
+
+# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105523
+TF_CFLAGS += $(call cc_option, --param=min-pagesize=0)
+
+ifeq ($(HARDEN_SLS), 1)
+ TF_CFLAGS_aarch64 += $(call cc_option, -mharden-sls=all)
+endif
+
else
# using clang
WARNINGS += -Wshift-overflow -Wshift-sign-overflow \
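Review bot: With `HARDEN_SLS=1`, the `ifeq` block adds nothing when `cc_option` finds that the compiler rejects `-mharden-sls=all`, so a build that asked for the straight-line-speculation mitigation can finish without it and without any diagnostic. Because the user requested this hardening explicitly, the build should fail in that case, for example with `$(if $(strip $(call cc_option, -mharden-sls=all)),,$(error HARDEN_SLS=1 but $(CC) does not support -mharden-sls=all))` placed before the append. The block also sits in the GCC arm of a conditional that starts outside the hunk, with the `else` / `# using clang` arm following it, so the option appears to have no effect on clang builds. That case should be handled or rejected with an error as well.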
@@ -1045,6 +1053,7 @@
GENERATE_COT \
GICV2_G0_FOR_EL3 \
HANDLE_EA_EL3_FIRST_NS \
+ HARDEN_SLS \
HW_ASSISTED_COHERENCY \
INVERTED_MEMMAP \
MEASURED_BOOT \
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index 3ebdbcc..d80a97f 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -671,6 +671,19 @@
This option defaults to 0.
+- ``HARDEN_SLS``: used to pass -mharden-sls=all from the TF-A build
+ options to the compiler currently supporting only of the options.
+ GCC documentation:
+ https://gcc.gnu.org/onlinedocs/gcc/AArch64-Options.html#index-mharden-sls
+
+ An example usage:
+
+ .. code:: make
+
+ HARDEN_SLS := 1
+
+ This option defaults to 0.
+
- ``NON_TRUSTED_WORLD_KEY``: This option is used when ``GENERATE_COT=1``. It
specifies the file that contains the Non-Trusted World private key in PEM
format. If ``SAVE_KEYS=1``, this file name will be used to save the key.
diff --git a/make_helpers/build_macros.mk b/make_helpers/build_macros.mk
index a2a94ef..840714d 100644
--- a/make_helpers/build_macros.mk
+++ b/make_helpers/build_macros.mk
@@ -103,6 +103,12 @@
$(shell if $(LD) $(1) -v >/dev/null 2>&1; then echo $(1); fi )
endef
+# Convenience function to check for a given compiler option. A call to
+# $(call cc_option, --no-XYZ) will return --no-XYZ if supported by the compiler
+define cc_option
+ $(shell if $(CC) $(1) -c -x c /dev/null -o /dev/null >/dev/null 2>&1; then echo $(1); fi )
+endef
+
# CREATE_SEQ is a recursive function to create sequence of numbers from 1 to
# $(2) and assign the sequence to $(1)
define CREATE_SEQ
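Review bot: `cc_option` treats every failure of the probe as "option not supported", because stderr is discarded and only the exit status is checked. An unset or missing `$(CC)` at parse time therefore gives the same empty result as a real rejection of the flag. The header comment should state that contract, for example `# Returns the empty string on any probe failure (including $(CC) not being runnable); callers that need the option must check for an empty result themselves.` If the result is appended to a recursively expanded variable, which the hunk does not show, the `$(shell ...)` probe would run again on every expansion. Capturing the result once with `:=` at the call site would avoid that.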
diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk
index 61e9dd6..d9c6483 100644
--- a/make_helpers/defaults.mk
+++ b/make_helpers/defaults.mk
@@ -220,6 +220,10 @@
# by lower ELs.
HANDLE_EA_EL3_FIRST_NS := 0
+# Enables support for the gcc compiler option "-mharden-sls=all".
+# By default, disables all SLS hardening.
+HARDEN_SLS := 0
+
# Secure hash algorithm flag, accepts 3 values: sha256, sha384 and sha512.
# The default value is sha256.
HASH_ALG := sha256