Posted to commits@mynewt.apache.org by je...@apache.org on 2021/11/02 05:55:28 UTC

[mynewt-core] branch master updated: mcu/nrf5340: Clear RAM before switching to non-secure

This is an automated email from the ASF dual-hosted git repository.

jerzy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mynewt-core.git


The following commit(s) were added to refs/heads/master by this push:
     new a5f994c  mcu/nrf5340: Clear RAM before switching to non-secure
a5f994c is described below

commit a5f994ce192ef11c8cec877bcb44fa8b0498cb27
Author: Jerzy Kasenberg <je...@codecoup.pl>
AuthorDate: Thu Oct 28 15:48:01 2021 +0200

    mcu/nrf5340: Clear RAM before switching to non-secure
    
    To prevent information leak from ARM TrustZone secure to non-secure code,
    non-secure RAM (whole as of now) is cleared before switching to non-secure mode.
---
 hw/mcu/nordic/nrf5340/src/hal_system_start.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/hw/mcu/nordic/nrf5340/src/hal_system_start.c b/hw/mcu/nordic/nrf5340/src/hal_system_start.c
index fca96a4..4ab854e 100644
--- a/hw/mcu/nordic/nrf5340/src/hal_system_start.c
+++ b/hw/mcu/nordic/nrf5340/src/hal_system_start.c
@@ -21,6 +21,7 @@
 #include <inttypes.h>
 #include <mcu/cortex_m33.h>
 #include <mcu/nrf5340_hal.h>
+#include <bsp/bsp.h>
 
 #if MCUBOOT_MYNEWT
 #include <bootutil/bootutil.h>
@@ -66,6 +67,8 @@ hal_system_start(void *img_start)
     int bootloader_flash_regions;
     __attribute__((cmse_nonsecure_call, noreturn)) void (* app_reset)(void);
 
+    __disable_irq();
+
     /* Mark selected peripherals as unsecure */
     for (i = 0; i < ARRAY_SIZE(ns_peripheral_ids); ++i) {
         for (j = ns_peripheral_ids[i].first; j <= ns_peripheral_ids[i].last; ++j) {
@@ -103,6 +106,28 @@ hal_system_start(void *img_start)
     NRF_SPU->GPIOPORT[0].PERM = 0;
     NRF_SPU->GPIOPORT[1].PERM = 0;
 
+    /*
+     * For now whole RAM is marked as non-secure. To prevent data leak from secure to
+     * non-secure, whole RAM is cleared before starting application code.
+     * Interrupt VTOR for secure world that was previously put in RAM is moved to
+     * flash again.
+     */
+    SCB->VTOR = 0;
+    /*
+     * Normal loop here is inlined by GCC to call to memset hence asm version of
+     * memset that does not use stack (that just get erased).
+     */
+    asm volatile("    add     %1, %1, %0    \n"
+                 "    mov     r0, #0        \n"
+                 "1:  stmia   %0!, {r0}     \n"
+                 "    cmp     %0, %1        \n"
+                 "    blt     1b            \n"
+        :
+        : "r" (&_ram_start), "r" (RAM_SIZE)
+        : "r0");
+    /* Application startup code expects interrupts to be enabled */
+    __enable_irq();
+
     img_data = img_start;
     app_reset = (void *)(img_data[1]);
     __TZ_set_MSP_NS(img_data[0]);
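Review bot: The RAM-wipe asm block writes to both of its operands (`add %1, %1, %0` and `stmia %0!, {r0}`) although they are declared as plain `"r"` inputs, and it changes the condition flags and memory without listing `"cc"` or `"memory"` as clobbers. GCC is then entitled to assume those registers still hold `&_ram_start` and `RAM_SIZE` after the block, and to move memory accesses across the wipe. Passing two locals as read-write operands, `: "+r" (dst), "+r" (end)`, with the clobber list `: "r0", "cc", "memory"`, would state what the block actually does. Separately, `img_start` is read after the stack has been cleared, so in a build where it was spilled to the stack it would read back as zero; whether that happens depends on the compiler and optimisation level. hal_system_start begins and ends outside this hunk.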