From 1ea63d77a186a7aff8fb25b9f0a09e22501c8cb0 Mon Sep 17 00:00:00 2001
From: Soby Mathew
Date: Tue, 13 Jun 2017 18:00:53 +0100
Subject: [PATCH] CSS: Prevent SCP_BL2/2U from overwriting BL1 RW data

On ARM CSS platforms, the SCP_BL2/2U image is loaded below BL1 read-write data. This same memory is used to load BL31 later on. But sufficient checks were not done to ensure that the SCP_BL2 would not overwrite BL1 rw data. This patch adds the required CASSERT checks to prevent overwrite into BL1 or BL2 memory by load of SCP_BL2/2U. Also the size of BL31 is increased and SCP_BL2/2U size is decreased to accomodate it within the allocated region.

Change-Id: I23b28b5e1589e91150852a06452bd52b273216ee
Signed-off-by: Soby Mathew
---
 include/plat/arm/css/common/css_def.h | 18 ++++++++++++------
 plat/arm/css/drivers/scp/css_bom_bootloader.c | 13 +++++++++++++
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/include/plat/arm/css/common/css_def.h b/include/plat/arm/css/common/css_def.h
index 0b74cede..9d025f66 100644
--- a/include/plat/arm/css/common/css_def.h
+++ b/include/plat/arm/css/common/css_def.h
@@ -128,16 +128,22 @@
 * an SCP_BL2/SCP_BL2U image.
 */
 #if CSS_LOAD_SCP_IMAGES
+
+#if ARM_BL31_IN_DRAM
+#error "SCP_BL2 is not expected to be loaded by BL2 for ARM_BL31_IN_DRAM config"
+#endif
+
 /*
 * Load address of SCP_BL2 in CSS platform ports
- * SCP_BL2 is loaded to the same place as BL31. Once SCP_BL2 is transferred to the
- * SCP, it is discarded and BL31 is loaded over the top.
+ * SCP_BL2 is loaded to the same place as BL31 but it shouldn't overwrite BL1
+ * rw data. Once SCP_BL2 is transferred to the SCP, it is discarded and BL31
+ * is loaded over the top.
 */
-#define SCP_BL2_BASE BL31_BASE
-#define SCP_BL2_LIMIT (SCP_BL2_BASE + PLAT_CSS_MAX_SCP_BL2_SIZE)
+#define SCP_BL2_BASE (BL1_RW_BASE - PLAT_CSS_MAX_SCP_BL2_SIZE)
+#define SCP_BL2_LIMIT BL1_RW_BASE
 
-#define SCP_BL2U_BASE BL31_BASE
-#define SCP_BL2U_LIMIT (SCP_BL2U_BASE + PLAT_CSS_MAX_SCP_BL2U_SIZE)
+#define SCP_BL2U_BASE (BL1_RW_BASE - PLAT_CSS_MAX_SCP_BL2U_SIZE)
+#define SCP_BL2U_LIMIT BL1_RW_BASE
 #endif /* CSS_LOAD_SCP_IMAGES */
 
 /* Load address of Non-Secure Image for CSS platform ports */
diff --git a/plat/arm/css/drivers/scp/css_bom_bootloader.c b/plat/arm/css/drivers/scp/css_bom_bootloader.c
index e4a44fe6..047e0696 100644
--- a/plat/arm/css/drivers/scp/css_bom_bootloader.c
+++ b/plat/arm/css/drivers/scp/css_bom_bootloader.c
@@ -6,6 +6,7 @@
 
 #include
 #include
+#include
 #include
 #include
 #include
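Review bot: `SCP_BL2_BASE` and `SCP_BL2U_BASE` are now computed by subtraction, and nothing in this header checks that `PLAT_CSS_MAX_SCP_BL2_SIZE` / `PLAT_CSS_MAX_SCP_BL2U_SIZE` is smaller than `BL1_RW_BASE`. If those constants are unsigned (their definitions are outside this diff), an oversized value would wrap to a high address, and the `SCP_BL2_BASE >= BL2_LIMIT` assertion added in css_bom_bootloader.c would then pass instead of failing the build. A companion check such as `CASSERT(SCP_BL2_BASE < SCP_BL2_LIMIT, assert_scp_bl2_base_wrap);`, with the same for SCP_BL2U, placed next to the other assertions would close that gap. The block comment still says the image is loaded "to the same place as BL31"; it would be more accurate to say the image now ends at BL1_RW_BASE and that its base depends on the configured maximum size.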
@@ -44,6 +45,18 @@ typedef struct {
 uint32_t block_size;
 } cmd_data_payload_t;
 
+/*
+ * All CSS platforms load SCP_BL2/SCP_BL2U just below BL rw-data and above
+ * BL2/BL2U (this is where BL31 usually resides except when ARM_BL31_IN_DRAM is
+ * set. Ensure that SCP_BL2/SCP_BL2U do not overflow into BL1 rw-data nor
+ * BL2/BL2U.
+ */
+CASSERT(SCP_BL2_LIMIT <= BL1_RW_BASE, assert_scp_bl2_overwrite_bl1);
+CASSERT(SCP_BL2U_LIMIT <= BL1_RW_BASE, assert_scp_bl2u_overwrite_bl1);
+
+CASSERT(SCP_BL2_BASE >= BL2_LIMIT, assert_scp_bl2_overwrite_bl2);
+CASSERT(SCP_BL2U_BASE >= BL2U_LIMIT, assert_scp_bl2u_overwrite_bl2u);
+
 static void scp_boot_message_start(void)
 {
 mhu_secure_message_start(BOM_MHU_SLOT_ID);
-- 
2.30.2
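Review bot: The comment added above the CASSERTs has an unclosed parenthesis and says "BL rw-data" where the assertions name BL1_RW_BASE; I would write `just below BL1 rw-data and above BL2/BL2U (this is where BL31 usually resides, except when ARM_BL31_IN_DRAM is set).` The two `*_LIMIT <= BL1_RW_BASE` assertions are true by construction with the css_def.h definitions in this patch, so they only guard against a later redefinition, and the comment should say so. The checks that actually constrain the layout are the `>= BL2_LIMIT` and `>= BL2U_LIMIT` lines. These bound the configured maximum sizes at build time, not the size of the image that is loaded at run time; that check presumably sits in the image loader, outside this hunk, and is worth confirming.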