Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ARMv8.1-M: Add task dedicated PAC key support #1195

Merged
merged 5 commits into from
Jan 14, 2025
Merged

ARMv8.1-M: Add task dedicated PAC key support #1195

merged 5 commits into from
Jan 14, 2025

Conversation

AhmedIsmail02
Copy link
Contributor

@AhmedIsmail02 AhmedIsmail02 commented Nov 19, 2024
edited
Loading

Description

To harden the security, each task is assigned with a dedicated PAC key, so that attackers needs to get the all the PAC keys right to exploit the system using Return Oriented Programming. The kernel is updated to support the following:

  • A PAC key set with a user defined random number generator is generated and is pushed onto the task's stack when a task is created.
  • As part of scheduling, the task's PAC key is stacked/unstacked to/from the task's stack when a task is unscheduled/scheduled from/to run.

This commit is an improvement for MR!1216 to support MPU port variants stack overflow check.

Test Steps

Checklist:

  • I have tested my changes. No regression in existing tests.
  • I have modified and/or added unit-tests to cover the code changes in this Pull Request.

Related Issue

Blocks FreeRTOS/FreeRTOS-Partner-Supported-Demos#19

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@AhmedIsmail02 AhmedIsmail02 requested a review from a team as a code owner November 19, 2024 14:15
@AhmedIsmail02 AhmedIsmail02 force-pushed the add-task-dedicated-pac-key-support branch from d7e9592 to 05a1578 Compare November 19, 2024 16:39
urutva
urutva previously approved these changes Nov 19, 2024
View reviewed changes
@urutva urutva mentioned this pull request Nov 21, 2024
Merged
@aggarg
Copy link
Member

aggarg commented Dec 18, 2024
edited
Loading

Thank you for your contribution @AhmedIsmail02! I have reviewed the code and I have the following suggestions -

  1. We should make the RandomKeyGeneration a mandatory function for the application to provide. It has the following benefits:
    a. The application writer need to make an explicit choice if they want to use cryptographically weak random generator (like srand) rather than accidentally defaulting to one.
    b. It is consistent with heap protector - https://github.com/FreeRTOS/FreeRTOS-Kernel/blob/main/portable/MemMang/heap_4.c#L117.
    c. We do not need to take a dependency on time.h in the port files.
  2. I am not sure if we really need all those __ICCARM__ guards. I removed all those and I am still able to build and run on the code on Cortex-M33 using IAR.
  3. One code path missed saving and restoring PAC keys in the Cortex-M33 PendSV Handler.

All of my suggestions are in the following patch - 0001-Code-review-suggestions.patch. Please take a look and let me know what you think.

@AhmedIsmail02 AhmedIsmail02 force-pushed the add-task-dedicated-pac-key-support branch from d690416 to 506969c Compare January 8, 2025 15:47
@AhmedIsmail02
Copy link
Contributor Author

@aggarg Thank you for the valuable review.
I do agree with all your review comments and have fixed them in the latest version, can you please rer-eview the PR?
Thanks!

@AhmedIsmail02 AhmedIsmail02 force-pushed the add-task-dedicated-pac-key-support branch 2 times, most recently from 906aef5 to 5fc248c Compare January 9, 2025 12:49
urutva
urutva previously approved these changes Jan 10, 2025
View reviewed changes
@aggarg
Copy link
Member

aggarg commented Jan 12, 2025

Thanks you, @AhmedIsmail02! I have the following 2 suggestions:

  1. Minor formatting updates which uncrustify does not seem to get right - 0001-Formatting-suggestions.patch.
  2. We do not want to add platform specific code in common files. What do you think about this alternative way of addressing the issue with stack overflow checking when MPU wrapper v2 is used - 0002-Update-implementation-of-taskCHECK_FOR_STACK_OVERFLO.patch?

Note that I have not tested the second patch yet.

@AhmedIsmail02
armv8-m: Modify ARMv8-M registers stacking procedure
c84fc72 
ARMv8-M TrustZone variant registers stacking
procedure is modified to be consistent with the NTZ port
variant where one `stmdb` instruction is used instead of
using 'subs' instruction along with `stmia` instruction, also,
this result in more efficient context switching
handling (lower latency).

Signed-off-by: Ahmed Ismail <[email protected]>
@AhmedIsmail02
armv8.1-m: Add task dedicated PAC key
029545f 
To harden the security, each task is assigned
a dedicated PAC key, so that attackers needs
to guess the all the tasks' PAC keys right to
exploit the system using Return Oriented Programming.

The kernel is now updated to support the following:
* A PAC key set with a random number generated and
is pushed onto the task's stack when a task is created.

* As part of scheduling, the task's PAC key is stacked/unstacked
to/from the task's stack when a task is unscheduled/scheduled
from/to run.

Signed-off-by: Ahmed Ismail <[email protected]>
@AhmedIsmail02 AhmedIsmail02 force-pushed the add-task-dedicated-pac-key-support branch from 5fc248c to 5720e85 Compare January 13, 2025 16:08
@AhmedIsmail02
stack-overflow-check: Introduce portGET_CURRENT_TOP_OF_STACK macro
3f23eab 
When MPU wrapper v2 is used, the task's context is stored in TCB and
`pxTopOfStack`` member of TCB points to the context location in TCB. We,
therefore, need to read PSP to find the task's current top of stack.

Signed-off-by: Ahmed Ismail <[email protected]>
Signed-off-by: Gaurav Aggarwal <[email protected]>
@AhmedIsmail02
formatting: Fix uncrustify findings
326cbe1 
Signed-off-by: Ahmed Ismail <[email protected]>
Signed-off-by: Gaurav Aggarwal <[email protected]>
@AhmedIsmail02 AhmedIsmail02 force-pushed the add-task-dedicated-pac-key-support branch from 5720e85 to 326cbe1 Compare January 13, 2025 16:18
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@aggarg aggarg merged commit 78e0cc7 into FreeRTOS:main Jan 14, 2025
17 checks passed
@aggarg aggarg mentioned this pull request Jan 23, 2025
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@urutva urutva urutva approved these changes

@aggarg aggarg aggarg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@AhmedIsmail02 @aggarg @urutva