base-fvp: enable branch protection in firmware

Introduce a new machine feature called "arm-branch-protection". When set
TF-A, optee and Trusted Services SPs will be configured to enable PAC
and BTI. In addition the fvp-is configured to emulate arm-v8.5 and
PAC+BTI.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>

meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc

@@ -46,6 +46,9 @@ BL32 = "${@oe.utils.conditional('SPMC_IS_OPTEE', '1',\
 EXTRA_OEMAKE += "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', \
                 ' BL32=${BL32}', '', d)}"
 
+# Enable memory safety in TF-A if machine supports it.
+EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-branch-protection', ' BRANCH_PROTECTION=1', '', d)}"
+
 # Generic configuration
 COMPATIBLE_MACHINE = "fvp-base"
 TFA_PLATFORM = "fvp"

meta-arm/recipes-security/optee/optee-os.inc

@@ -31,6 +31,9 @@ EXTRA_OEMAKE += " \
 EXTRA_OEMAKE += " HOST_PREFIX=${HOST_PREFIX}"
 EXTRA_OEMAKE += " CROSS_COMPILE64=${HOST_PREFIX}"
 
+# Enable BTI in optee
+EXTREA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-branch-protection', ' CFG_CORE_BTI=1 CFG_TA_BTI=1 CFG_CORE_PAUTH=y CFG_TA_PAUTH=y', '', d)}"
+
 LDFLAGS[unexport] = "1"
 CPPFLAGS[unexport] = "1"
 AS[unexport] = "1"

meta-arm/recipes-security/trusted-services/ts-sp-common.inc

@@ -41,3 +41,5 @@ OECMAKE_CXX_FLAGS:remove = "-D_FORTIFY_SOURCE=2"
 # will add a proper tooclhain option.
 OECMAKE_ARGS:remove = "-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"
 
+# Set BranchProtection to standard
+EXTRA_OECMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-branch-protection', ' -DBRANCH_PROTECTION=1', '', d)}"