core: make pager aliased paged not always writable
This change lowers the attack surface of executable memory in
the pager by allowing write access to aliased virtual pages
related to read-only content (including executable content)
only when the pager needs to update page content.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (qemu_virt)
Tested-by: Etienne Carriere <etienne.carriere@st.com> (b2260)
etienne-lms committed May 30, 2017
1 parent 48a91f1 commit da033e6
Showing 1 changed file with 22 additions and 1 deletion.
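--- a/core/arch/arm/mm/tee_pager.c
+++ b/core/arch/arm/mm/tee_pager.c
@@ -258,9 +258,10 @@ static void *pager_add_alias_page(paddr_t pa)
 {
 unsigned idx;
 struct core_mmu_table_info *ti = &pager_alias_tbl_info;
+/* Alias pages mapped without write permission: runtime will care */
 uint32_t attr = TEE_MATTR_VALID_BLOCK | TEE_MATTR_GLOBAL |
 (TEE_MATTR_CACHE_CACHED << TEE_MATTR_CACHE_SHIFT) |
-TEE_MATTR_SECURE | TEE_MATTR_PRW;
+TEE_MATTR_SECURE | TEE_MATTR_PR;
 
 DMSG("0x%" PRIxPA, pa);
 
@@ -484,6 +485,21 @@ static void tee_pager_load_page(struct tee_pager_area *area, vaddr_t page_va,
 {
 size_t idx = (page_va - area->base) >> SMALL_PAGE_SHIFT;
 const void *stored_page = area->store + idx * SMALL_PAGE_SIZE;
+struct core_mmu_table_info *ti;
+uint32_t attr_alias;
+paddr_t pa_alias;
+unsigned int idx_alias;
+
+/* Insure we are allowed to write to aliased virtual page */
+ti = &pager_alias_tbl_info;
+idx_alias = core_mmu_va2idx(ti, (vaddr_t)va_alias);
+core_mmu_get_entry(ti, idx_alias, &pa_alias, &attr_alias);
+if (!(attr_alias & TEE_MATTR_PW)) {
+attr_alias |= TEE_MATTR_PW;
+core_mmu_set_entry(ti, idx_alias, pa_alias, attr_alias);
+/* TODO: flush TLB for target page only */
+core_tlb_maintenance(TLBINV_UNIFIEDTLB, 0);
+}
 
 switch (area->type) {
 case AREA_TYPE_RO:
@@ -500,6 +516,11 @@ static void tee_pager_load_page(struct tee_pager_area *area, vaddr_t page_va,
 panic();
 }
 }
+/* Forbid write to aliases for read-only (maybe exec) pages */
+attr_alias &= ~TEE_MATTR_PW;
+core_mmu_set_entry(ti, idx_alias, pa_alias, attr_alias);
+/* TODO: flush TLB for target page only */
+core_tlb_maintenance(TLBINV_UNIFIEDTLB, 0);
 break;
 case AREA_TYPE_RW:
 FMSG("Restore %p %#" PRIxVA " iv %#" PRIx64,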
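Review bot: In tee_pager_load_page() the alias entry is made writable ahead of the switch for every area type, but PW is cleared again only at the end of what appears to be the AREA_TYPE_RO case, so after an AREA_TYPE_RW load the alias stays writable until a later RO load through the same alias clears it. If that is the intent, state it where the permission is granted, e.g. `/* Alias stays writable for non-RO areas; the AREA_TYPE_RO case drops PW again before leaving */`, so the read-only guarantee does not depend on a reader pairing two blocks that sit a switch apart. The revocation also only holds once stale writable translations are gone, and whether `core_tlb_maintenance(TLBINV_UNIFIEDTLB, 0)` reaches the other cores is not visible here, so that is worth confirming for SMP targets. The rest of the function and of the switch lies outside the hunks.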
