
[5/9] base-fvp: enable branch protection in firmware

Message ID 20250520172748.3439803-5-gyorgy.szing@arm.com

Commit Message

Gyorgy Szing May 20, 2025, 5:27 p.m. UTC
Introduce a new machine feature called "arm-branch-protection". When it is set,
TF-A, OP-TEE and the Trusted Services SPs are configured to enable PAC
and BTI. In addition, the FVP is configured to emulate Armv8.5 with
PAC+BTI.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
---
 .../trusted-firmware-a/trusted-firmware-a-fvp-base.inc         | 3 +++
 meta-arm/recipes-security/optee/optee-os.inc                   | 3 +++
 meta-arm/recipes-security/trusted-services/ts-sp-common.inc    | 2 ++
 3 files changed, 8 insertions(+)


diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc
index 4f0d34ea..bdf51f64 100644
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc
@@ -46,6 +46,9 @@  BL32 = "${@oe.utils.conditional('SPMC_IS_OPTEE', '1',\
 EXTRA_OEMAKE += "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', \
                 ' BL32=${BL32}', '', d)}"
 
+# Enable memory safety in TF-A if machine supports it.
+EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-branch-protection', ' BRANCH_PROTECTION=1', '', d)}"
+
 # Generic configuration
 COMPATIBLE_MACHINE = "fvp-base"
 TFA_PLATFORM = "fvp"
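Review bot: The comment on the new EXTRA_OEMAKE line calls this "memory safety", but PAC/BTI branch protection is a control-flow integrity mitigation (return-address signing and landing pads), not memory safety, and the comment will mislead the next reader who expects bounds or use-after-free protection. Suggest `# Enable branch protection (PAC-RET + BTI; TF-A BRANCH_PROTECTION=1 is the "standard" level) when the machine advertises it.`, checking the value-to-level mapping against the TF-A build documentation for the pinned version. Note also that TF-A will fail to build with BRANCH_PROTECTION set if the toolchain lacks -mbranch-protection support, which is worth a sentence in the comment. The commit message describes the FVP being configured for Armv8.5 and PAC+BTI, but none of the three files in the diffstat touch the fvp-base machine configuration, so either that lands in another patch of the series or the feature is never set for this machine; if the former, say so in the commit message.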
diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
index 5a89e5ba..7f515cb4 100644
--- a/meta-arm/recipes-security/optee/optee-os.inc
+++ b/meta-arm/recipes-security/optee/optee-os.inc
@@ -31,6 +31,9 @@  EXTRA_OEMAKE += " \
 EXTRA_OEMAKE += " HOST_PREFIX=${HOST_PREFIX}"
 EXTRA_OEMAKE += " CROSS_COMPILE64=${HOST_PREFIX}"
 
+# Enable BTI in optee
+EXTREA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-branch-protection', ' CFG_CORE_BTI=1 CFG_TA_BTI=1 CFG_CORE_PAUTH=y CFG_TA_PAUTH=y', '', d)}"
+
 LDFLAGS[unexport] = "1"
 CPPFLAGS[unexport] = "1"
 AS[unexport] = "1"
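Review bot: The new line assigns to `EXTREA_OEMAKE`, a misspelling of `EXTRA_OEMAKE` (see the two correctly spelled assignments just above it), so the BTI/PAUTH options are appended to a variable nothing reads and OP-TEE is silently built without branch protection even when the machine feature is set. The fix is `EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-branch-protection', ' CFG_CORE_BTI=y CFG_TA_BTI=y CFG_CORE_PAUTH=y CFG_TA_PAUTH=y', '', d)}"`. The same line mixes `=1` for the BTI options with `=y` for the PAUTH ones; OP-TEE's CFG_ switches are conventionally tested against `y`, so the `=1` form likely leaves BTI disabled too — please confirm against the pinned optee-os mk/config.mk and use `y` throughout. The comment "Enable BTI in optee" should also mention PAUTH, since the line enables both.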
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
index 65065880..eb89127b 100644
--- a/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
@@ -41,3 +41,5 @@  OECMAKE_CXX_FLAGS:remove = "-D_FORTIFY_SOURCE=2"
 # will add a proper tooclhain option.
 OECMAKE_ARGS:remove = "-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"
 
+# Set BranchProtection to standard
+EXTRA_OECMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-branch-protection', ' -DBRANCH_PROTECTION=1', '', d)}"
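Review bot: The comment says "Set BranchProtection to standard" while the option passed is the bare numeric `-DBRANCH_PROTECTION=1`, so a reader cannot tell from this file which protection level 1 selects or whether it matches the level chosen for TF-A in the same series. Suggest `# BRANCH_PROTECTION=1 selects the "standard" level (PAC-RET + BTI) in the Trusted Services CMake build; keep in step with TF-A's BRANCH_PROTECTION setting.`, after verifying the numeric mapping in the trusted-services toolchain CMake for the version this series updates to. Since this include is shared by every SP recipe, a short note that the flag is applied to all SPs whenever the machine feature is present would also help.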