
Tf-M: Core: tfm_memory_check should be called privileged=true in case of NS caller
Closed, Resolved, Public


tfm_memory_check uses the cmse_check_address_range function to check whether the current (S or NS) MPU settings allow the caller to access the memory region provided to the function.

In the current call sites the 'privileged' parameter of the function is calculated with the tfm_spm_partition_get_privileged_mode(...) function, which returns unprivileged for NS callers. When tfm_core_has_[read|write]_access_to_region is called with the 'privileged' value calculated earlier, that function adds CMSE_MPU_UNPRIV to the flags passed to cmse_check_address_range if 'privileged' is false.

cmse_check_address_range uses the TT instructions (TT, TTT, TTA, TTAT) to check access. If 'privileged' is set to false, the TTT and TTAT variants are used, which evaluate the MPU state from the viewpoint of unprivileged access.

This means that if privileged NS code calls a secure service and passes a privileged-only memory area in the iovecs, the memory check fails even though the caller itself is allowed to access that memory.

In tfm_core_has_[read|write]_access_to_region CMSE_MPU_UNPRIV flags should not be added if the caller is NS.
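The following is an added host-buildable illustration, not code from TF-M itself. It models the flag computation described in this task (the reported form that adds CMSE_MPU_UNPRIV whenever the partition mode is unprivileged, beside the corrected form that never adds it for an NS caller) and runs both against a small simulated MPU. The flag values, the region table and sim_check_address_range are constructed stand-ins for arm_cmse.h and the TT instructions, which only exist on an ARMv8-M target; the function names flags_as_reported, flags_fixed and ns_caller_can_read are invented for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Assumed stand-ins for the arm_cmse.h flag bits (the real values come from
 * the toolchain header and are not needed for the logic shown here). */
#define CMSE_MPU_UNPRIV    (1 << 0)  /* use TTT/TTAT: evaluate as unprivileged */
#define CMSE_NONSECURE     (1 << 1)  /* use TTA/TTAT: evaluate the NS MPU view */
#define CMSE_MPU_READ      (1 << 2)
#define CMSE_MPU_READWRITE (1 << 3)

/* Constructed MPU model: one entry per region, with the attributes the TT
 * family would report for it. */
struct sim_region {
    uintptr_t base, limit;
    bool nonsecure;   /* region belongs to the non-secure world */
    bool priv_only;   /* MPU grants access only to privileged code */
    bool readonly;
};

static const struct sim_region regions[] = {
    { 0x20000000u, 0x2000FFFFu, true,  false, false }, /* NS RAM, any privilege */
    { 0x20010000u, 0x2001FFFFu, true,  true,  false }, /* NS RAM, privileged only */
    { 0x30000000u, 0x3000FFFFu, false, true,  false }, /* secure RAM */
};

/* Simulated cmse_check_address_range: 1 if every byte of [p, p+s) lies in a
 * single region whose attributes satisfy the flags, otherwise 0. */
static int sim_check_address_range(uintptr_t p, size_t s, int flags)
{
    if (s == 0 || p + s - 1 < p) return 0;          /* empty or wrapping range */
    uintptr_t last = p + s - 1;
    bool want_ns    = (flags & CMSE_NONSECURE) != 0;
    bool as_unpriv  = (flags & CMSE_MPU_UNPRIV) != 0;
    bool want_write = (flags & CMSE_MPU_READWRITE) != 0;

    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const struct sim_region *r = &regions[i];
        if (p < r->base || last > r->limit) continue; /* not fully inside */
        if (r->nonsecure != want_ns) return 0;        /* wrong security world */
        if (as_unpriv && r->priv_only) return 0;      /* TTT/TTAT view denies it */
        if (want_write && r->readonly) return 0;
        return 1;
    }
    return 0;                                         /* no region covers it */
}

/* Flag computation as the task reports it: UNPRIV is added whenever the
 * partition mode is unprivileged, which is what the mode lookup returns for
 * every NS caller regardless of the NS code's real privilege level. */
int flags_as_reported(bool ns_caller, bool privileged)
{
    int flags = CMSE_MPU_READ;
    if (!privileged) flags |= CMSE_MPU_UNPRIV;
    if (ns_caller)   flags |= CMSE_NONSECURE;
    return flags;
}

/* Corrected computation per the task: the UNPRIV bit is only added for
 * secure (partition) callers; an NS caller is checked against the NS MPU
 * view without forcing the unprivileged perspective. */
int flags_fixed(bool ns_caller, bool privileged)
{
    int flags = CMSE_MPU_READ;
    if (!ns_caller && !privileged) flags |= CMSE_MPU_UNPRIV;
    if (ns_caller)                  flags |= CMSE_NONSECURE;
    return flags;
}

/* Outcome of the read check for an NS caller whose partition mode was
 * reported as unprivileged (the case in the task), under either computation. */
int ns_caller_can_read(uintptr_t p, size_t s, bool fixed)
{
    int flags = fixed ? flags_fixed(true, false) : flags_as_reported(true, false);
    return sim_check_address_range(p, s, flags);
}
```

With the reported computation, a buffer in the NS privileged-only region is rejected for every NS caller, which is the failure the task describes; with the corrected computation it is accepted, while secure memory supplied by an NS caller is still rejected in both cases because the CMSE_NONSECURE view does not cover it. One consequence worth noting when reviewing the fix: once no UNPRIV bit is added for NS callers, the check no longer distinguishes privileged from unprivileged NS code, so isolation between those two on the NS side is not something this particular check enforces.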

Event Timeline

matetothpal triaged this task as Normal priority. Oct 21 2019, 6:47 AM
matetothpal created this task.
matetothpal closed this task as Resolved. Jan 13 2020, 9:34 AM

The change for this issue has been merged.