diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc index 4f0d34ea..bdf51f64 100644 --- a/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc +++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc @@ -46,6 +46,9 @@ BL32 = "${@oe.utils.conditional('SPMC_IS_OPTEE', '1',\ EXTRA_OEMAKE += "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', \ ' BL32=${BL32}', '', d)}" +# Enable memory safety in TF-A if machine supports it. +EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-branch-protection', ' BRANCH_PROTECTION=1', '', d)}" + # Generic configuration COMPATIBLE_MACHINE = "fvp-base" TFA_PLATFORM = "fvp" diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc index 5a89e5ba..7f515cb4 100644 --- a/meta-arm/recipes-security/optee/optee-os.inc +++ b/meta-arm/recipes-security/optee/optee-os.inc @@ -31,6 +31,9 @@ EXTRA_OEMAKE += " \ EXTRA_OEMAKE += " HOST_PREFIX=${HOST_PREFIX}" EXTRA_OEMAKE += " CROSS_COMPILE64=${HOST_PREFIX}" +# Enable BTI in optee +EXTREA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-branch-protection', ' CFG_CORE_BTI=1 CFG_TA_BTI=1 CFG_CORE_PAUTH=y CFG_TA_PAUTH=y', '', d)}" + LDFLAGS[unexport] = "1" CPPFLAGS[unexport] = "1" AS[unexport] = "1" diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc index 65065880..eb89127b 100644 --- a/meta-arm/recipes-security/trusted-services/ts-sp-common.inc +++ b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc @@ -41,3 +41,5 @@ OECMAKE_CXX_FLAGS:remove = "-D_FORTIFY_SOURCE=2" # will add a proper tooclhain option. OECMAKE_ARGS:remove = "-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake" +# Set BranchProtection to standard +EXTRA_OECMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-branch-protection', ' -DBRANCH_PROTECTION=1', '', d)}"