1Secure Development Guidelines
2=============================
3
4This page contains guidance on what to check for additional security measures,
5including build options that can be modified to improve security or catch issues
6early in development.
7
8Security considerations
9-----------------------
10
11Part of the security of a platform is handling errors correctly, as described in
12the previous section. There are several other security considerations covered in
13this section.
14
15Do not leak secrets to the normal world
16^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
17
18The secure world **must not** leak secrets to the normal world, for example in
19response to an SMC.
20
21Handling Denial of Service attacks
22^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
23
24The secure world **should never** crash or become unusable due to receiving too
25many normal world requests (a *Denial of Service* or *DoS* attack). It should
26have a mechanism for throttling or ignoring normal world requests.
27
28Preventing Secure-world timing information leakage via PMU counters
29^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
30
31The Secure world needs to implement some defenses to prevent the Non-secure
32world from making it leak timing information. In general, higher privilege
33levels must defend from those below when the PMU is treated as an attack
34vector.
35
36Refer to the :ref:`Performance Monitoring Unit` guide for detailed information
37on the PMU registers.
38
39Timing leakage attacks from the Non-secure world
40~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
41
42Since the Non-secure world has access to the ``PMCR`` register, it can
43configure the PMU to increment counters at any exception level and in both
44Secure and Non-secure state. Thus, it attempts to leak timing information from
45the Secure world.
46
47Shown below is an example of such a configuration:
48
49-  ``PMEVTYPER0_EL0`` and ``PMCCFILTR_EL0``:
50
51   -  Set ``P`` to ``0``.
52   -  Set ``NSK`` to ``1``.
53   -  Set ``M`` to ``0``.
54   -  Set ``NSH`` to ``0``.
55   -  Set ``SH`` to ``1``.
56
57-  ``PMCNTENSET_EL0``:
58
59   -  Set ``P[0]`` to ``1``.
60   -  Set ``C`` to ``1``.
61
62-  ``PMCR_EL0``:
63
64   -  Set ``DP`` to ``0``.
65   -  Set ``E`` to ``1``.
66
67This configuration instructs ``PMEVCNTR0_EL0`` and ``PMCCNTR_EL0`` to increment
68at Secure EL1, Secure EL2 (if implemented) and EL3.
69
70Since the Non-secure world has fine-grained control over where (at which
71exception levels) it instructs counters to increment, obtaining event counts
72would allow it to carry out side-channel timing attacks against the Secure
73world. Examples include Spectre, Meltdown, as well as extracting secrets from
74cryptographic algorithms with data-dependent variations in their execution
75time.
76
77Secure world mitigation strategies
78~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
79
80The ``MDCR_EL3`` register allows EL3 to configure the PMU (among other things).
81The `Arm ARM`_ details all of the bit fields in this register, but for the PMU
82there are two bits which determine the permissions of the counters:
83
84-  ``SPME`` for the programmable counters.
85-  ``SCCD`` for the cycle counter.
86
87Depending on the implemented features, the Secure world can prohibit counting
88in AArch64 state via the following:
89
90-  ARMv8.2-Debug not implemented:
91
92   -  Prohibit general event counters and the cycle counter:
93      ``MDCR_EL3.SPME == 0 && PMCR_EL0.DP == 1 && !ExternalSecureNoninvasiveDebugEnabled()``.
94
95      -  ``MDCR_EL3.SPME`` resets to ``0``, so by default general events should
96         not be counted in the Secure world.
97      -  The ``PMCR_EL0.DP`` bit therefore needs to be set to ``1`` when EL3 is
98         entered and ``PMCR_EL0`` needs to be saved and restored in EL3.
99      -  ``ExternalSecureNoninvasiveDebugEnabled()`` is an authentication
100         interface which is implementation-defined unless ARMv8.4-Debug is
101         implemented. The `Arm ARM`_ has detailed information on this topic.
102
103   -  The only other way is to disable the ``PMCR_EL0.E`` bit upon entering
104      EL3, which disables counting altogether.
105
106-  ARMv8.2-Debug implemented:
107
108   -  Prohibit general event counters: ``MDCR_EL3.SPME == 0``.
109   -  Prohibit cycle counter: ``MDCR_EL3.SPME == 0 && PMCR_EL0.DP == 1``.
110      ``PMCR_EL0`` therefore needs to be saved and restored in EL3.
111
112-  ARMv8.5-PMU implemented:
113
114   -  Prohibit general event counters: as in ARMv8.2-Debug.
115   -  Prohibit cycle counter: ``MDCR_EL3.SCCD == 1``
116
117In Aarch32 execution state the ``MDCR_EL3`` alias is the ``SDCR`` register,
118which has some of the bit fields of ``MDCR_EL3``, most importantly the ``SPME``
119and ``SCCD`` bits.
120
121Build options
122-------------
123
124Several build options can be used to check for security issues. Refer to the
125:ref:`Build Options` for detailed information on these.
126
127- The ``BRANCH_PROTECTION`` build flag can be used to enable Pointer
128  Authentication and Branch Target Identification.
129
130- The ``ENABLE_STACK_PROTECTOR`` build flag can be used to identify buffer
131  overflows.
132
133- The ``W`` build flag can be used to enable a number of compiler warning
134  options to detect potentially incorrect code.
135
136  - W=0 (default value)
137
138    The ``Wunused`` with ``Wno-unused-parameter``, ``Wdisabled-optimization``
139    and ``Wvla`` flags are enabled.
140
141    The ``Wunused-but-set-variable``, ``Wmaybe-uninitialized`` and
142    ``Wpacked-bitfield-compat`` are GCC specific flags that are also enabled.
143
144  - W=1
145
146    Adds ``Wextra``, ``Wmissing-format-attribute``, ``Wmissing-prototypes``,
147    ``Wold-style-definition`` and ``Wunused-const-variable``.
148
149  - W=2
150
151    Adds ``Waggregate-return``, ``Wcast-align``, ``Wnested-externs``,
152    ``Wshadow``, ``Wlogical-op``.
153
154  - W=3
155
156    Adds ``Wbad-function-cast``, ``Wcast-qual``, ``Wconversion``, ``Wpacked``,
157    ``Wpointer-arith``, ``Wredundant-decls`` and
158    ``Wswitch-default``.
159
160  Refer to the GCC or Clang documentation for more information on the individual
161  options: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html and
162  https://clang.llvm.org/docs/DiagnosticsReference.html.
163
164  NB: The ``Werror`` flag is enabled by default in TF-A and can be disabled by
165  setting the ``E`` build flag to 0.
166
167.. rubric:: References
168
169-  `Arm ARM`_
170
171--------------
172
173*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*
174
175.. _Arm ARM: https://developer.arm.com/docs/ddi0487/latest
176