Protect inactive EC image from code execution

This change configures MPU to prevent instruction fetch from the flash image that is not running at the time system_disable_jump is called. Violating the protection causes instruction access violation, then the EC reboots. RO image protection is tested as follows: ... [6.255696 MPU type: 00000800] [6.255874 RAM locked. Exclusion 20005680-200056a0] [6.256168 RO image locked] ... > sysjump 0 Jumping to 0x00000000 === PROCESS EXCEPTION: 03 ====== xPSR: 60000000 === r0 :00000000 r1 :2000541c r2 :00001388 r3 :20007fe8 r4 :200032f0 r5 :00000000 r6 :20002b70 r7 :20002df4 r8 :0002d308 r9 :20002df4 r10:00000000 r11:00000000 r12:00000002 sp :20002358 lr :0002a1a7 pc :00000000 Instruction access violation, Forced hard fault mmfs = 1, shcsr = 70000, hfsr = 40000000, dfsr = 0 =========== Process Stack Contents =========== 200023c0: 00000098 00000000 00000000 0002a785 200023d0: 00000002 20002dfd 00000007 20002b70 200023e0: 00000002 00025777 00000000 20002dfd 200023f0: 20002df4 20002dfc 00000000 00000000 Rebooting... Memory management fault status register has bit0 set, indicating there was an instruction fetch volation. FYI, RAM protection is still working: > sysjump 0x20000000 Jumping to 0x20000000 === PROCESS EXCEPTION: 03 ====== xPSR: 60000000 === r0 :00000000 r1 :2000541c r2 :00001388 r3 :20007fe8 r4 :200032f0 r5 :20000000 r6 :20002b70 r7 :20002df4 r8 :0002d308 r9 :20002df4 r10:00000000 r11:00000000 r12:00000002 sp :20002358 lr :0002a1a7 pc :20000000 Instruction access violation, Forced hard fault mmfs = 1, shcsr = 70000, hfsr = 40000000, dfsr = 0 =========== Process Stack Contents =========== 200023c0: 00000098 00000000 20000000 0002a785 200023d0: 00000002 20002e06 00000007 20002b70 200023e0: 00000002 00025777 00000000 20002e06 200023f0: 20002df4 20002dfc 00000000 00000000 Rebooting... TEST=Booted Peppy. Tested lid close & open. Ran Flashrom from userspace to update main firmware then software-synched an EC image. BUG=chrome-os-partner:16904 BRANCH=none Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Change-Id: Id4f84d24325566a9f648194166bde0d94d1124dc Reviewed-on: https://chromium-review.googlesource.com/169050 Reviewed-by: Bill Richardson <wfrichar@chromium.org> Reviewed-by: Randall Spangler <rspangler@chromium.org> Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Tested-by: Daisuke Nojiri <dnojiri@google.com>
author: Daisuke Nojiri <dnojiri@google.com> 2013-12-11 11:39:55 -0800
committer: chrome-internal-fetch <chrome-internal-fetch@google.com> 2013-12-17 01:32:24 +0000
commit: 3ec36e016082186da7ee43fe99e6166582c2e3b2 (patch)
tree: 12fe2768ad4647f54a429b492e2817158409b13e /common
parent: 700adf4dea7f12fef6e8f12d34005d82ca58a3a2 (diff)
download: chrome-ec-3ec36e016082186da7ee43fe99e6166582c2e3b2.tar.gz
1 files changed, 37 insertions, 16 deletions
diff --git a/common/system.c b/common/system.c
index 5a3e9f9e03..346496c087 100644
--- a/common/system.c
+++ b/common/system.c
@@ -225,32 +225,53 @@ void system_disable_jump(void)
 	disable_jump = 1;
 
 #ifdef CONFIG_MPU
-	/*
-	 * Lock down memory to prevent code execution from data areas.
-	 *
-	 * TODO(crosbug.com/p/16904): Also lock down the image which isn't
-	 * running (RO if RW, or vice versa), so a bad or malicious jump can't
-	 * execute code from that image.
-	 */
 	if (system_is_locked()) {
+		int ret;
+		int enable_mpu = 0;
+		enum system_image_copy_t copy;
+
+		CPRINTF("[%T MPU type: %08x]\n", mpu_get_type());
 		/*
-		 * Protect memory from code execution
+		 * Protect RAM from code execution
 		 */
-		int mpu_error = mpu_protect_ram();
-		if (mpu_error == EC_SUCCESS) {
-			mpu_enable();
+		ret = mpu_protect_ram();
+		if (ret == EC_SUCCESS) {
+			enable_mpu = 1;
 			CPRINTF("[%T RAM locked. Exclusion %08x-%08x]\n",
 				&__iram_text_start, &__iram_text_end);
 		} else {
-			CPRINTF("[%T Failed to lock RAM (%d). mpu_type:%08x]\n",
-				mpu_error, mpu_get_type());
+			CPRINTF("[%T Failed to lock RAM (%d)]\n", ret);
 		}
+
 		/*
-		 * Protect the other image from code execution
-		 * TODO: https://chromium-review.googlesource.com/#/c/169050/
+		 * Protect inactive image (ie. RO if running RW, vice versa)
+		 * from code execution.
 		 */
+		switch (system_get_image_copy()) {
+		case SYSTEM_IMAGE_RO:
+			ret =  mpu_lock_rw_flash();
+			copy = SYSTEM_IMAGE_RW;
+			break;
+		case SYSTEM_IMAGE_RW:
+			ret =  mpu_lock_ro_flash();
+			copy = SYSTEM_IMAGE_RO;
+			break;
+		default:
+			copy = SYSTEM_IMAGE_UNKNOWN;
+			ret = !EC_SUCCESS;
+		}
+		if (ret == EC_SUCCESS) {
+			enable_mpu = 1;
+			CPRINTF("[%T %s image locked]\n", image_names[copy]);
+		} else {
+			CPRINTF("[%T Failed to lock %s image (%d)]\n",
+				image_names[copy], ret);
+		}
+
+		if (enable_mpu)
+			mpu_enable();
 	} else {
-		CPRINTF("[%T RAM not locked]\n");
+		CPRINTF("[%T System is unlocked. Skip MPU configuration\n");
 	}
 #endif
 }
author	Daisuke Nojiri <dnojiri@google.com>	2013-12-11 11:39:55 -0800
committer	chrome-internal-fetch <chrome-internal-fetch@google.com>	2013-12-17 01:32:24 +0000
commit	3ec36e016082186da7ee43fe99e6166582c2e3b2 (patch)
tree	12fe2768ad4647f54a429b492e2817158409b13e /common
parent	700adf4dea7f12fef6e8f12d34005d82ca58a3a2 (diff)
download	chrome-ec-3ec36e016082186da7ee43fe99e6166582c2e3b2.tar.gz