[Buildroot] [PATCH 1/3] boot/arm-trusted-firmware: fix SSP support

[Buildroot] [PATCH 1/3] boot/arm-trusted-firmware: fix SSP support

[Baruch Siach via buildroot]

Commit ccac9a5bbbd ("boot/arm-trusted-firmware: don't force
ENABLE_STACK_PROTECTOR") fixed a build failure but also effectively
disabled SSP entirely for ATF. This is because ENABLE_STACK_PROTECTOR is
set to 0 unconditionally in make_helpers/defaults.mk, overwriting any
environment set value. So we must pass ENABLE_STACK_PROTECTOR in
MAKE_OPTS for it to be effective. But to avoid said build failure we
can't pass ENABLE_STACK_PROTECTOR=0.

Only pass ENABLE_STACK_PROTECTOR when
BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP is enabled. Drop SSP_LEVEL value for
the !BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP case which is now unused.

Cc: Dick Olsson <hi@senzilla.io>
Cc: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 boot/arm-trusted-firmware/Config.in               | 4 ----
 boot/arm-trusted-firmware/arm-trusted-firmware.mk | 8 ++++++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-firmware/Config.in
index aa571502b345..5070849d9b43 100644
--- a/boot/arm-trusted-firmware/Config.in
+++ b/boot/arm-trusted-firmware/Config.in
@@ -226,10 +226,6 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP
 
 config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_LEVEL
 	string
-	# While newer versions of TF-A support "none" as
-	# ENABLE_STACK_PROTECTOR value, older versions (e.g 2.0) only
-	# supported "0" to disable SSP.
-	default "0"    	  if !BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP
 	default "default" if BR2_SSP_REGULAR
 	default "strong"  if BR2_SSP_STRONG
 	default "all"     if BR2_SSP_ALL
diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index 246c0699bb4a..34d7d80243d4 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -64,10 +64,14 @@ ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
 	PLAT=$(ARM_TRUSTED_FIRMWARE_PLATFORM) \
 	TARGET_BOARD=$(ARM_TRUSTED_FIRMWARE_TARGET_BOARD)
 
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP),y)
+ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
+	ENABLE_STACK_PROTECTOR=$(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_LEVEL))
+endif
+
 ARM_TRUSTED_FIRMWARE_MAKE_ENV += \
 	$(TARGET_MAKE_ENV) \
-	$(if $(BR2_PIC_PIE),CFLAGS="-fno-PIE") \
-	ENABLE_STACK_PROTECTOR=$(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_LEVEL))
+	$(if $(BR2_PIC_PIE),CFLAGS="-fno-PIE")
 
 ifeq ($(BR2_ARM_CPU_ARMV7A),y)
 ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ARM_ARCH_MAJOR=7
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 2/3] configs/solidrun_{macchiatobin, clearfog_gt_8k}: disable SSP

[Baruch Siach via buildroot]

The Armada target does not provide platform level support for SSP.

Fixes link failure:

(.text.asm.update_stack_protector_canary+0x4): undefined reference to `plat_get_stack_protector_canary'

This error does not should up on CI jobs because SSP was effectively
always disabled until the previous commit.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 configs/solidrun_clearfog_gt_8k_defconfig | 1 +
 configs/solidrun_macchiatobin_defconfig   | 1 +
 2 files changed, 2 insertions(+)

diff --git a/configs/solidrun_clearfog_gt_8k_defconfig b/configs/solidrun_clearfog_gt_8k_defconfig
index bec4a7daccc6..30b1e17925d6 100644
--- a/configs/solidrun_clearfog_gt_8k_defconfig
+++ b/configs/solidrun_clearfog_gt_8k_defconfig
@@ -12,6 +12,7 @@ BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
 BR2_TARGET_ARM_TRUSTED_FIRMWARE_UBOOT_AS_BL33=y
 BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_TARGETS="mrvl_flash"
 BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES="USE_COHERENT_MEM=0"
+# BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP is not set
 BR2_TARGET_BINARIES_MARVELL=y
 BR2_TARGET_MV_DDR_MARVELL=y
 
diff --git a/configs/solidrun_macchiatobin_defconfig b/configs/solidrun_macchiatobin_defconfig
index 7d06313b03db..f388e37163aa 100644
--- a/configs/solidrun_macchiatobin_defconfig
+++ b/configs/solidrun_macchiatobin_defconfig
@@ -12,6 +12,7 @@ BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
 BR2_TARGET_ARM_TRUSTED_FIRMWARE_UBOOT_AS_BL33=y
 BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_TARGETS="mrvl_flash"
 BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES="USE_COHERENT_MEM=0"
+# BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP is not set
 BR2_TARGET_BINARIES_MARVELL=y
 BR2_TARGET_MV_DDR_MARVELL=y
 
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 3/3] boot/mv-ddr-marvell: disable SSP

[Baruch Siach via buildroot]

Add a patch to disable SSP. The toolchain enables SSP by default when
one of BR2_SSP_ options is enabled. But ATF code for the Marvell
platform does not provide the required low level routines. This leads to
link time failure.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/3101770000
https://gitlab.com/buildroot.org/buildroot/-/jobs/3134230006

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 ...01-Makefile-disable-stack-protection.patch | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 boot/mv-ddr-marvell/0001-Makefile-disable-stack-protection.patch

diff --git a/boot/mv-ddr-marvell/0001-Makefile-disable-stack-protection.patch b/boot/mv-ddr-marvell/0001-Makefile-disable-stack-protection.patch
new file mode 100644
index 000000000000..62b1000727f8
--- /dev/null
+++ b/boot/mv-ddr-marvell/0001-Makefile-disable-stack-protection.patch
@@ -0,0 +1,34 @@
+From 53e34e3bff26fcbb7cc14178fa9fc80e7a73d556 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Tue, 11 Oct 2022 16:34:44 +0300
+Subject: [PATCH] Makefile: disable stack protection
+
+The Buildroot toolchain might enable stack protection by default. That
+breaks linking because ATF does not provide the required __stack_chk
+routines.
+
+The mv-ddr-marvell Makefile provides no way to add custom CFLAGS. Patch
+Makefile to disable stack protection.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: not applicable; Buildroot specific
+---
+ Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile b/Makefile
+index 3f0dd89a7381..feae75cc16e4 100644
+--- a/Makefile
++++ b/Makefile
+@@ -331,6 +331,7 @@ OBJ_DIR ?= $(MV_DDR_ROOT)
+ CFLAGS = -DMV_DDR_ATF -DCONFIG_DDR4
+ CFLAGS += -Wall -Werror -Os -ffreestanding -mlittle-endian -g -gdwarf-2 -nostdinc
+ CFLAGS += -march=armv8-a -fpie
++CFLAGS += -fno-stack-protector
+ 
+ # PLATFORM is set in ble/ble.mk
+ ifneq ($(findstring a80x0,$(PLATFORM)),)
+-- 
+2.35.1
+
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/3] boot/arm-trusted-firmware: fix SSP support

[Peter Korsgaard]

>>>>> "Baruch" == Baruch Siach via buildroot <buildroot@buildroot.org> writes:

 > Commit ccac9a5bbbd ("boot/arm-trusted-firmware: don't force
 > ENABLE_STACK_PROTECTOR") fixed a build failure but also effectively
 > disabled SSP entirely for ATF. This is because ENABLE_STACK_PROTECTOR is
 > set to 0 unconditionally in make_helpers/defaults.mk, overwriting any
 > environment set value. So we must pass ENABLE_STACK_PROTECTOR in
 > MAKE_OPTS for it to be effective. But to avoid said build failure we
 > can't pass ENABLE_STACK_PROTECTOR=0.

 > Only pass ENABLE_STACK_PROTECTOR when
 > BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP is enabled. Drop SSP_LEVEL value for
 > the !BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP case which is now unused.

 > Cc: Dick Olsson <hi@senzilla.io>
 > Cc: Sergey Matyukevich <geomatsi@gmail.com>
 > Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Heh, I just spent some time investigating some ATF link failures for
avenger96_defconfig after we moved to glibc by default (which enables
SSP support) and got to the same conclusion ;)

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 2/3] configs/solidrun_{macchiatobin, clearfog_gt_8k}: disable SSP

[Peter Korsgaard]

>>>>> "Baruch" == Baruch Siach via buildroot <buildroot@buildroot.org> writes:

 > The Armada target does not provide platform level support for SSP.
 > Fixes link failure:

 > (.text.asm.update_stack_protector_canary+0x4): undefined reference to `plat_get_stack_protector_canary'

 > This error does not should up on CI jobs because SSP was effectively
 > always disabled until the previous commit.

 > Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 3/3] boot/mv-ddr-marvell: disable SSP

[Peter Korsgaard]

>>>>> "Baruch" == Baruch Siach via buildroot <buildroot@buildroot.org> writes:

 > Add a patch to disable SSP. The toolchain enables SSP by default when
 > one of BR2_SSP_ options is enabled. But ATF code for the Marvell
 > platform does not provide the required low level routines. This leads to
 > link time failure.

 > Fixes:
 > https://gitlab.com/buildroot.org/buildroot/-/jobs/3101770000
 > https://gitlab.com/buildroot.org/buildroot/-/jobs/3134230006

 > Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/3] boot/arm-trusted-firmware: fix SSP support

[Peter Korsgaard]

>>>>> "Baruch" == Baruch Siach via buildroot <buildroot@buildroot.org> writes:

 > Commit ccac9a5bbbd ("boot/arm-trusted-firmware: don't force
 > ENABLE_STACK_PROTECTOR") fixed a build failure but also effectively
 > disabled SSP entirely for ATF. This is because ENABLE_STACK_PROTECTOR is
 > set to 0 unconditionally in make_helpers/defaults.mk, overwriting any
 > environment set value. So we must pass ENABLE_STACK_PROTECTOR in
 > MAKE_OPTS for it to be effective. But to avoid said build failure we
 > can't pass ENABLE_STACK_PROTECTOR=0.

 > Only pass ENABLE_STACK_PROTECTOR when
 > BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP is enabled. Drop SSP_LEVEL value for
 > the !BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP case which is now unused.

 > Cc: Dick Olsson <hi@senzilla.io>
 > Cc: Sergey Matyukevich <geomatsi@gmail.com>
 > Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Committed to 2022.08.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 3/3] boot/mv-ddr-marvell: disable SSP

[Peter Korsgaard]

>>>>> "Baruch" == Baruch Siach via buildroot <buildroot@buildroot.org> writes:

 > Add a patch to disable SSP. The toolchain enables SSP by default when
 > one of BR2_SSP_ options is enabled. But ATF code for the Marvell
 > platform does not provide the required low level routines. This leads to
 > link time failure.

 > Fixes:
 > https://gitlab.com/buildroot.org/buildroot/-/jobs/3101770000
 > https://gitlab.com/buildroot.org/buildroot/-/jobs/3134230006

 > Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Committed to 2022.08.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot