Implement secure stack sealing as per ARM's recommendation
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
diff --git a/portable/ARMv8M/secure/context/secure_context.c b/portable/ARMv8M/secure/context/secure_context.c
index a51d1c1..b1d5503 100644
--- a/portable/ARMv8M/secure/context/secure_context.c
+++ b/portable/ARMv8M/secure/context/secure_context.c
@@ -52,6 +52,16 @@
#define securecontextCONTROL_VALUE_UNPRIVILEGED 0x03
/**
+ * @brief Size of stack seal values in bytes.
+ */
+#define securecontextSTACK_SEAL_SIZE 8
+
+/**
+ * @brief Stack seal value as recommended by ARM.
+ */
+#define securecontextSTACK_SEAL_VALUE 0xFEF5EDA5
+
+/**
* @brief Maximum number of secure contexts.
*/
#ifndef secureconfigMAX_SECURE_CONTEXTS
@@ -204,18 +214,22 @@
if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
{
/* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize );
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
if( pucStackMemory != NULL )
{
/* Since stack grows down, the starting point will be the last
* location. Note that this location is next to the last
- * allocated byte because the hardware decrements the stack
- * pointer before writing i.e. if stack pointer is 0x2, a push
- * operation will decrement the stack pointer to 0x1 and then
- * write at 0x1. */
+ * allocated byte for stack (excluding the space for seal values)
+ * because the hardware decrements the stack pointer before
+ * writing i.e. if stack pointer is 0x2, a push operation will
+ * decrement the stack pointer to 0x1 and then write at 0x1. */
xSecureContexts[ ulSecureContextIndex ].pucStackStart = pucStackMemory + ulSecureStackSize;
+ /* Seal the created secure process stack. */
+ *( uint32_t * )( pucStackMemory + ulSecureStackSize ) = securecontextSTACK_SEAL_VALUE;
+ *( uint32_t * )( pucStackMemory + ulSecureStackSize + 4 ) = securecontextSTACK_SEAL_VALUE;
+
/* The stack cannot go beyond this location. This value is
* programmed in the PSPLIM register on context switch.*/
xSecureContexts[ ulSecureContextIndex ].pucStackLimit = pucStackMemory;
diff --git a/portable/GCC/ARM_CM23/secure/secure_context.c b/portable/GCC/ARM_CM23/secure/secure_context.c
index a51d1c1..b1d5503 100644
--- a/portable/GCC/ARM_CM23/secure/secure_context.c
+++ b/portable/GCC/ARM_CM23/secure/secure_context.c
@@ -52,6 +52,16 @@
#define securecontextCONTROL_VALUE_UNPRIVILEGED 0x03
/**
+ * @brief Size of stack seal values in bytes.
+ */
+#define securecontextSTACK_SEAL_SIZE 8
+
+/**
+ * @brief Stack seal value as recommended by ARM.
+ */
+#define securecontextSTACK_SEAL_VALUE 0xFEF5EDA5
+
+/**
* @brief Maximum number of secure contexts.
*/
#ifndef secureconfigMAX_SECURE_CONTEXTS
@@ -204,18 +214,22 @@
if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
{
/* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize );
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
if( pucStackMemory != NULL )
{
/* Since stack grows down, the starting point will be the last
* location. Note that this location is next to the last
- * allocated byte because the hardware decrements the stack
- * pointer before writing i.e. if stack pointer is 0x2, a push
- * operation will decrement the stack pointer to 0x1 and then
- * write at 0x1. */
+ * allocated byte for stack (excluding the space for seal values)
+ * because the hardware decrements the stack pointer before
+ * writing i.e. if stack pointer is 0x2, a push operation will
+ * decrement the stack pointer to 0x1 and then write at 0x1. */
xSecureContexts[ ulSecureContextIndex ].pucStackStart = pucStackMemory + ulSecureStackSize;
+ /* Seal the created secure process stack. */
+ *( uint32_t * )( pucStackMemory + ulSecureStackSize ) = securecontextSTACK_SEAL_VALUE;
+ *( uint32_t * )( pucStackMemory + ulSecureStackSize + 4 ) = securecontextSTACK_SEAL_VALUE;
+
/* The stack cannot go beyond this location. This value is
* programmed in the PSPLIM register on context switch.*/
xSecureContexts[ ulSecureContextIndex ].pucStackLimit = pucStackMemory;
diff --git a/portable/GCC/ARM_CM33/secure/secure_context.c b/portable/GCC/ARM_CM33/secure/secure_context.c
index a51d1c1..b1d5503 100644
--- a/portable/GCC/ARM_CM33/secure/secure_context.c
+++ b/portable/GCC/ARM_CM33/secure/secure_context.c
@@ -52,6 +52,16 @@
#define securecontextCONTROL_VALUE_UNPRIVILEGED 0x03
/**
+ * @brief Size of stack seal values in bytes.
+ */
+#define securecontextSTACK_SEAL_SIZE 8
+
+/**
+ * @brief Stack seal value as recommended by ARM.
+ */
+#define securecontextSTACK_SEAL_VALUE 0xFEF5EDA5
+
+/**
* @brief Maximum number of secure contexts.
*/
#ifndef secureconfigMAX_SECURE_CONTEXTS
@@ -204,18 +214,22 @@
if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
{
/* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize );
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
if( pucStackMemory != NULL )
{
/* Since stack grows down, the starting point will be the last
* location. Note that this location is next to the last
- * allocated byte because the hardware decrements the stack
- * pointer before writing i.e. if stack pointer is 0x2, a push
- * operation will decrement the stack pointer to 0x1 and then
- * write at 0x1. */
+ * allocated byte for stack (excluding the space for seal values)
+ * because the hardware decrements the stack pointer before
+ * writing i.e. if stack pointer is 0x2, a push operation will
+ * decrement the stack pointer to 0x1 and then write at 0x1. */
xSecureContexts[ ulSecureContextIndex ].pucStackStart = pucStackMemory + ulSecureStackSize;
+ /* Seal the created secure process stack. */
+ *( uint32_t * )( pucStackMemory + ulSecureStackSize ) = securecontextSTACK_SEAL_VALUE;
+ *( uint32_t * )( pucStackMemory + ulSecureStackSize + 4 ) = securecontextSTACK_SEAL_VALUE;
+
/* The stack cannot go beyond this location. This value is
* programmed in the PSPLIM register on context switch.*/
xSecureContexts[ ulSecureContextIndex ].pucStackLimit = pucStackMemory;
diff --git a/portable/IAR/ARM_CM23/secure/secure_context.c b/portable/IAR/ARM_CM23/secure/secure_context.c
index a51d1c1..b1d5503 100644
--- a/portable/IAR/ARM_CM23/secure/secure_context.c
+++ b/portable/IAR/ARM_CM23/secure/secure_context.c
@@ -52,6 +52,16 @@
#define securecontextCONTROL_VALUE_UNPRIVILEGED 0x03
/**
+ * @brief Size of stack seal values in bytes.
+ */
+#define securecontextSTACK_SEAL_SIZE 8
+
+/**
+ * @brief Stack seal value as recommended by ARM.
+ */
+#define securecontextSTACK_SEAL_VALUE 0xFEF5EDA5
+
+/**
* @brief Maximum number of secure contexts.
*/
#ifndef secureconfigMAX_SECURE_CONTEXTS
@@ -204,18 +214,22 @@
if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
{
/* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize );
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
if( pucStackMemory != NULL )
{
/* Since stack grows down, the starting point will be the last
* location. Note that this location is next to the last
- * allocated byte because the hardware decrements the stack
- * pointer before writing i.e. if stack pointer is 0x2, a push
- * operation will decrement the stack pointer to 0x1 and then
- * write at 0x1. */
+ * allocated byte for stack (excluding the space for seal values)
+ * because the hardware decrements the stack pointer before
+ * writing i.e. if stack pointer is 0x2, a push operation will
+ * decrement the stack pointer to 0x1 and then write at 0x1. */
xSecureContexts[ ulSecureContextIndex ].pucStackStart = pucStackMemory + ulSecureStackSize;
+ /* Seal the created secure process stack. */
+ *( uint32_t * )( pucStackMemory + ulSecureStackSize ) = securecontextSTACK_SEAL_VALUE;
+ *( uint32_t * )( pucStackMemory + ulSecureStackSize + 4 ) = securecontextSTACK_SEAL_VALUE;
+
/* The stack cannot go beyond this location. This value is
* programmed in the PSPLIM register on context switch.*/
xSecureContexts[ ulSecureContextIndex ].pucStackLimit = pucStackMemory;
diff --git a/portable/IAR/ARM_CM33/secure/secure_context.c b/portable/IAR/ARM_CM33/secure/secure_context.c
index a51d1c1..b1d5503 100644
--- a/portable/IAR/ARM_CM33/secure/secure_context.c
+++ b/portable/IAR/ARM_CM33/secure/secure_context.c
@@ -52,6 +52,16 @@
#define securecontextCONTROL_VALUE_UNPRIVILEGED 0x03
/**
+ * @brief Size of stack seal values in bytes.
+ */
+#define securecontextSTACK_SEAL_SIZE 8
+
+/**
+ * @brief Stack seal value as recommended by ARM.
+ */
+#define securecontextSTACK_SEAL_VALUE 0xFEF5EDA5
+
+/**
* @brief Maximum number of secure contexts.
*/
#ifndef secureconfigMAX_SECURE_CONTEXTS
@@ -204,18 +214,22 @@
if( ulSecureContextIndex < secureconfigMAX_SECURE_CONTEXTS )
{
/* Allocate the stack space. */
- pucStackMemory = pvPortMalloc( ulSecureStackSize );
+ pucStackMemory = pvPortMalloc( ulSecureStackSize + securecontextSTACK_SEAL_SIZE );
if( pucStackMemory != NULL )
{
/* Since stack grows down, the starting point will be the last
* location. Note that this location is next to the last
- * allocated byte because the hardware decrements the stack
- * pointer before writing i.e. if stack pointer is 0x2, a push
- * operation will decrement the stack pointer to 0x1 and then
- * write at 0x1. */
+ * allocated byte for stack (excluding the space for seal values)
+ * because the hardware decrements the stack pointer before
+ * writing i.e. if stack pointer is 0x2, a push operation will
+ * decrement the stack pointer to 0x1 and then write at 0x1. */
xSecureContexts[ ulSecureContextIndex ].pucStackStart = pucStackMemory + ulSecureStackSize;
+ /* Seal the created secure process stack. */
+ *( uint32_t * )( pucStackMemory + ulSecureStackSize ) = securecontextSTACK_SEAL_VALUE;
+ *( uint32_t * )( pucStackMemory + ulSecureStackSize + 4 ) = securecontextSTACK_SEAL_VALUE;
+
/* The stack cannot go beyond this location. This value is
* programmed in the PSPLIM register on context switch.*/
xSecureContexts[ ulSecureContextIndex ].pucStackLimit = pucStackMemory;