cr50: add placeholder for FIPS module at fixed location

We compute sha256 for this block to check integrity, but don't use
position independent code, so placing block closer to start of code
with as much constant address as possible to prevent sudden relocations
from breaking self-integrity check.

BUG=b:138578318
TEST=make buildall -j

Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I81289fec8ed7fc73b34e2334c45c360cdabbcd88
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2988196
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Mary Ruthven <mruthven@chromium.org>

1 files changed, 23 insertions, 0 deletions

diff --git a/core/cortex-m/ec.lds.S b/core/cortex-m/ec.lds.S
index 3697a72516..4471287404 100644
--- a/core/cortex-m/ec.lds.S
+++ b/core/cortex-m/ec.lds.S
@@ -99,6 +99,24 @@ SECTIONS
 		. = ALIGN(4);
 		KEEP(*(.rodata.pstate))
 
+		/**
+		 * Reserve a space for FIPS crypto module.
+		 * We compute sha256 for this block to check integrity, but
+		 * don't use position independent code, so placing block
+		 * closer to start of code with as much constant address as
+		 * possible to prevent sudden relocations from breaking
+		 * integrity check.
+		 */
+		. = ALIGN(4);
+		__fips_module_start = .;
+		KEEP(*(.text.fips))
+		KEEP(*(.rodata.fips))
+		__fips_module_end = .;
+		. = ALIGN(4);
+		__fips_module_checksum_start = .;
+		KEEP(*(.rodata.fips.checksum))
+		__fips_module_checksum_end = .;
+
 		. = ALIGN(4);
 		STRINGIFY(OUTDIR/core/CORE/init.o) (.text)
 #if defined(CHIP_FAMILY_NPCX7) && !defined(CONFIG_HIBERNATE_PSL)
@@ -306,6 +324,11 @@ SECTIONS
 		 */
 		. = ALIGN(512);
 		__bss_start = .;
+		/**
+		 * Reserve a space for data used by FIPS crypto module.
+		 */
+		KEEP(*(.bss.fips))
+
 		*(.bss.big_align)
 		/* Stacks must be 64-bit aligned */
 		. = ALIGN(8);