Secure Development Guidelines
=============================

This page contains guidance on what to check for additional security measures,
including build options that can be modified to improve security or catch issues
early in development.

Security considerations
-----------------------

Part of the security of a platform is handling errors correctly, as described in
the previous section. There are several other security considerations covered in
this section.

Do not leak secrets to the normal world
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The secure world **must not** leak secrets to the normal world, for example in
response to an SMC.

Handling Denial of Service attacks
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The secure world **should never** crash or become unusable due to receiving too
many normal world requests (a *Denial of Service* or *DoS* attack). It should
have a mechanism for throttling or ignoring normal world requests.

Build options
-------------

Several build options can be used to check for security issues. Refer to the
:ref:`Build Options` for detailed information on these.
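The two runtime guidelines above (no secret leakage, and resilience to a flood of
normal world requests) combined in one added C illustration. This is example
code written for this page, not TF-A's own SMC dispatch: the function IDs,
return codes, window sizes, the secret and the ``struct`` layouts are all
assumptions made for the illustration. It follows the SMCCC register convention
(function ID in x0, arguments in x1..x7, results in x0..x7) and shows three
habits: start every response from zeroed registers so nothing stale reaches the
caller, compare credentials in constant time and report only success or failure,
and reject calls once a per-window budget is exhausted.

```c
/* Added illustration, not TF-A code. All identifiers and constants below are
 * assumptions for this example only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FID_GET_VERSION   0x82000001u   /* hypothetical SiP-range function IDs */
#define FID_UNLOCK        0x82000002u

#define SMC_OK            0u
#define SMC_UNK           ((uint64_t)-1) /* assumed "not supported" code */
#define SMC_BUSY          ((uint64_t)-2) /* assumed "throttled" code */
#define SMC_DENIED        ((uint64_t)-3) /* assumed "bad credential" code */

#define MAX_CALLS_PER_WINDOW 8u          /* assumed budget per window */
#define WINDOW_TICKS         1000u       /* assumed window length in timer ticks */
#define SECRET_LEN           16

/* x0..x7 as handed back to the normal world. */
struct smc_ret { uint64_t x[8]; };

/* Fixed-window request counter; in real firmware this would be per CPU or
 * per client and fed from the generic timer. */
struct throttle { uint64_t window_start; unsigned calls; };

/* Constructed secret held by the secure world; it must never leave it. */
static const uint8_t unlock_secret[SECRET_LEN] = {
    0x7a, 0x11, 0xc3, 0x5e, 0x09, 0xd8, 0x42, 0xaf,
    0x63, 0x90, 0x1b, 0xee, 0x27, 0x84, 0xf5, 0x3c };

static const uint64_t fw_version = 0x00010203u;  /* constructed value */

/* Returns true if the call fits in the current window's budget. */
bool throttle_allow(struct throttle *t, uint64_t now)
{
    if (now - t->window_start >= WINDOW_TICKS) {
        t->window_start = now;
        t->calls = 0;
    }
    if (t->calls >= MAX_CALLS_PER_WINDOW)
        return false;
    t->calls++;
    return true;
}

/* Constant-time compare: runtime does not depend on where the first mismatch is,
 * so the normal world cannot recover the secret byte by byte through timing. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* fid arrives in x0, args[0..6] are x1..x7. */
void smc_dispatch(struct throttle *t, uint64_t now, uint32_t fid,
                  const uint64_t args[7], struct smc_ret *ret)
{
    /* Start from all-zero registers: unused result registers must not carry
     * leftovers from earlier secure-world work. */
    memset(ret, 0, sizeof(*ret));

    if (!throttle_allow(t, now)) {
        ret->x[0] = SMC_BUSY;            /* cheap rejection, no further work */
        return;
    }

    switch (fid) {
    case FID_GET_VERSION:
        ret->x[0] = SMC_OK;
        ret->x[1] = fw_version;          /* non-secret data only */
        break;
    case FID_UNLOCK: {
        uint8_t cand[SECRET_LEN];
        memcpy(cand, &args[0], 8);       /* x1 and x2 carry the 16-byte credential */
        memcpy(cand + 8, &args[1], 8);
        ret->x[0] = ct_equal(cand, unlock_secret, SECRET_LEN) ? SMC_OK : SMC_DENIED;
        /* Deliberately nothing about which byte mismatched, and never the secret. */
        break;
    }
    default:
        ret->x[0] = SMC_UNK;
        break;
    }
}

int main(void)
{
    struct throttle t = { 0, 0 };
    struct smc_ret r;
    uint64_t args[7] = { 0 };
    unsigned i;

    for (i = 0; i < MAX_CALLS_PER_WINDOW; i++)
        smc_dispatch(&t, i, FID_GET_VERSION, args, &r);
    smc_dispatch(&t, MAX_CALLS_PER_WINDOW, FID_GET_VERSION, args, &r);
    return r.x[0] == SMC_BUSY ? 0 : 1;   /* the ninth call in the window is refused */
}
```

The throttle check runs before any argument parsing, so a flood of malformed
calls costs the secure world only a counter update. The budget and window here
are placeholders; a real platform would size them from the generic timer and
the cost of its most expensive service.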

- The ``BRANCH_PROTECTION`` build flag can be used to enable Pointer
  Authentication and Branch Target Identification.

- The ``ENABLE_STACK_PROTECTOR`` build flag can be used to detect stack buffer
  overflows at run time (stack canaries).

- The ``W`` build flag can be used to enable a number of compiler warning
  options to detect potentially incorrect code. Each level adds to the previous
  one.

  - W=0 (default value)

    ``Wunused`` (with ``Wno-unused-parameter``), ``Wdisabled-optimization``
    and ``Wvla`` are enabled.

    ``Wunused-but-set-variable``, ``Wmaybe-uninitialized`` and
    ``Wpacked-bitfield-compat`` are GCC specific flags that are also enabled.

  - W=1

    Adds ``Wextra``, ``Wmissing-format-attribute``, ``Wmissing-prototypes``,
    ``Wold-style-definition`` and ``Wunused-const-variable``.

  - W=2

    Adds ``Waggregate-return``, ``Wcast-align``, ``Wnested-externs``,
    ``Wshadow`` and ``Wlogical-op``.

  - W=3

    Adds ``Wbad-function-cast``, ``Wcast-qual``, ``Wconversion``, ``Wpacked``,
    ``Wpointer-arith``, ``Wredundant-decls`` and ``Wswitch-default``.

  Refer to the GCC or Clang documentation for more information on the individual
  options: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html and
  https://clang.llvm.org/docs/DiagnosticsReference.html.

  NB: The ``Werror`` flag is enabled by default in TF-A and can be disabled by
  setting the ``E`` build flag to 0.

--------------

*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*