| /optee_os/core/include/kernel/ |
| H A D | thread.h | b89b3da240a6829de49134a1398534c91cf5ee9d Fri Apr 21 07:45:38 UTC 2023 Vincent Chuang <Vincent.Chuang@mediatek.com> core: thread: Add support for canary value randomization
Currently hardcoded magic number is used as thread stack canary,
an attacker with full control over the overflow can embed the
hardcoded canary value on the right location to bypass the overflow
detection.
To add extra layer of security, redefine the canary value as variable,
such that the canary can be initialized during runtime.
The canaries are initialized with static values from thread_init_canaries()
during the early boot stage. The plat_get_random_stack_canaries() is
refactored to support arbitrary-length random numbers, and a new function
called thread_update_canaries() is created to fetch the random values and
update the thread canaries. For CFG_NS_VIRTUALIZATION=y, the updated
function is disabled.
Signed-off-by: Vincent Chuang <Vincent.Chuang@mediatek.com>
Signed-off-by: Randy Hsu <Randy-CY.Hsu@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| H A D | boot.h | b89b3da240a6829de49134a1398534c91cf5ee9d Fri Apr 21 07:45:38 UTC 2023 Vincent Chuang <Vincent.Chuang@mediatek.com> core: thread: Add support for canary value randomization
Currently hardcoded magic number is used as thread stack canary,
an attacker with full control over the overflow can embed the
hardcoded canary value on the right location to bypass the overflow
detection.
To add extra layer of security, redefine the canary value as variable,
such that the canary can be initialized during runtime.
The canaries are initialized with static values from thread_init_canaries()
during the early boot stage. The plat_get_random_stack_canaries() is
refactored to support arbitrary-length random numbers, and a new function
called thread_update_canaries() is created to fetch the random values and
update the thread canaries. For CFG_NS_VIRTUALIZATION=y, the updated
function is disabled.
Signed-off-by: Vincent Chuang <Vincent.Chuang@mediatek.com>
Signed-off-by: Randy Hsu <Randy-CY.Hsu@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| /optee_os/core/kernel/ |
| H A D | thread.c | b89b3da240a6829de49134a1398534c91cf5ee9d Fri Apr 21 07:45:38 UTC 2023 Vincent Chuang <Vincent.Chuang@mediatek.com> core: thread: Add support for canary value randomization
Currently hardcoded magic number is used as thread stack canary,
an attacker with full control over the overflow can embed the
hardcoded canary value on the right location to bypass the overflow
detection.
To add extra layer of security, redefine the canary value as variable,
such that the canary can be initialized during runtime.
The canaries are initialized with static values from thread_init_canaries()
during the early boot stage. The plat_get_random_stack_canaries() is
refactored to support arbitrary-length random numbers, and a new function
called thread_update_canaries() is created to fetch the random values and
update the thread canaries. For CFG_NS_VIRTUALIZATION=y, the updated
function is disabled.
Signed-off-by: Vincent Chuang <Vincent.Chuang@mediatek.com>
Signed-off-by: Randy Hsu <Randy-CY.Hsu@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| /optee_os/core/arch/arm/kernel/ |
| H A D | entry_a32.S | b89b3da240a6829de49134a1398534c91cf5ee9d Fri Apr 21 07:45:38 UTC 2023 Vincent Chuang <Vincent.Chuang@mediatek.com> core: thread: Add support for canary value randomization
Currently hardcoded magic number is used as thread stack canary,
an attacker with full control over the overflow can embed the
hardcoded canary value on the right location to bypass the overflow
detection.
To add extra layer of security, redefine the canary value as variable,
such that the canary can be initialized during runtime.
The canaries are initialized with static values from thread_init_canaries()
during the early boot stage. The plat_get_random_stack_canaries() is
refactored to support arbitrary-length random numbers, and a new function
called thread_update_canaries() is created to fetch the random values and
update the thread canaries. For CFG_NS_VIRTUALIZATION=y, the updated
function is disabled.
Signed-off-by: Vincent Chuang <Vincent.Chuang@mediatek.com>
Signed-off-by: Randy Hsu <Randy-CY.Hsu@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| H A D | entry_a64.S | b89b3da240a6829de49134a1398534c91cf5ee9d Fri Apr 21 07:45:38 UTC 2023 Vincent Chuang <Vincent.Chuang@mediatek.com> core: thread: Add support for canary value randomization
Currently hardcoded magic number is used as thread stack canary,
an attacker with full control over the overflow can embed the
hardcoded canary value on the right location to bypass the overflow
detection.
To add extra layer of security, redefine the canary value as variable,
such that the canary can be initialized during runtime.
The canaries are initialized with static values from thread_init_canaries()
during the early boot stage. The plat_get_random_stack_canaries() is
refactored to support arbitrary-length random numbers, and a new function
called thread_update_canaries() is created to fetch the random values and
update the thread canaries. For CFG_NS_VIRTUALIZATION=y, the updated
function is disabled.
Signed-off-by: Vincent Chuang <Vincent.Chuang@mediatek.com>
Signed-off-by: Randy Hsu <Randy-CY.Hsu@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| H A D | boot.c | b89b3da240a6829de49134a1398534c91cf5ee9d Fri Apr 21 07:45:38 UTC 2023 Vincent Chuang <Vincent.Chuang@mediatek.com> core: thread: Add support for canary value randomization
Currently hardcoded magic number is used as thread stack canary,
an attacker with full control over the overflow can embed the
hardcoded canary value on the right location to bypass the overflow
detection.
To add extra layer of security, redefine the canary value as variable,
such that the canary can be initialized during runtime.
The canaries are initialized with static values from thread_init_canaries()
during the early boot stage. The plat_get_random_stack_canaries() is
refactored to support arbitrary-length random numbers, and a new function
called thread_update_canaries() is created to fetch the random values and
update the thread canaries. For CFG_NS_VIRTUALIZATION=y, the updated
function is disabled.
Signed-off-by: Vincent Chuang <Vincent.Chuang@mediatek.com>
Signed-off-by: Randy Hsu <Randy-CY.Hsu@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|