首页
社区
课程
招聘
[原创]ATF-FUZZ
发表于: 2024-5-4 13:01 9146

[原创]ATF-FUZZ

2024-5-4 13:01
9146

https://developer.arm.com/Tools%20and%20Software/Fixed%20Virtual%20Platforms

image-20240422164011956

推荐直接下载:

Armv-A Base RevC AEM FVP (x86 Linux)

Armv-A Base RevC AEM FVP (AArch64 Linux, beta)

下载完成后解压的到Base_RevC_AEMvA_pkg

image-20240422165953399

注意对应的binary文件在AEMv8R_base_pkg/models/Linux64_GCC-9.3目录下

image-20240422174544894

FVP的快捷的两种启动方法:1. ARM Develop Studio可视化启动 2.command line启动。本教程主要使用command line方式启动。

BL33作为None-security world镜像,一般情况下为uboot,当然也可以直接跳转到kernel。

image-20240422181720100

image-20240422175940401

使用FVP_Base_RevC-2xAEMv8A运行

运行命令:

image-20240422190557018

image-20240422192642093

重编译ATF,指定bl33.bin为tftf.bin

image-20240422192823075

重新使用FVP运行,成功引导进入tftf中

image-20240422193006244

运行完成后会输出测试结果并提示退出

image-20240422193154845

推荐阅读:https://www.trustedfirmware.org/docs/Directed_Radomized_SMC_Presentation.pdf

注意这里的SMC_FUZZ_DTS是可以自定义的,这里使用了官方提供的top.dts

image-20240423103107010

重编译ATF,并替换tftf.bin

image-20240423102154343

再次运行

image-20240423153625590

先来通过目录结构确定需要扩展的文件1. Dts 2. fuzz helper

image-20240423162629887

创建对应的test.dts ,主要定义了两个功能test_add和test_mov,并且对应的函数均为test_funcid。

将run_test_fuzz添加到runtestfunction_helpers.c

image-20240423163625289

tftf/tests/tests-smcfuzzing.mk 中的编译依赖中添加test_fuzz_helper.c

image-20240423163901129

调整运行的次数和并发数,tftf/tests/tests-smcfuzzing.mk

image-20240423163940075

编译仅包含smcfuzz的tftf

image-20240423164346413

对BL1、BL2、BL31、BL32阶段的代码实现功能测试。此阶段代码多数为厂商定制。

待补充

image-20240428094155981

本教程主要提供了ATF官方的FUZZ教程。BL1 demo-fuzz目前没有想到更好的解决方式,希望能一起讨论分析。

sudo apt install xterm
tar -xzvf FVP_Base_RevC-2xAEMvA_11.25_15_Linux64.tgz
# Base_RevC_AEMvA_pkg
sudo apt install xterm
tar -xzvf FVP_Base_RevC-2xAEMvA_11.25_15_Linux64.tgz
# Base_RevC_AEMvA_pkg
export CROSS_COMPILE=/data/toolchains/SYS_PUBLIC_TOOLS/.toolchain/gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu-linux-5.10/bin/aarch64-none-linux-gnu-
git clone https://github.com/u-boot/u-boot.git
cd u-boot
make vexpress_aemv8a_semi_defconfig
make -j 9
export CROSS_COMPILE=/data/toolchains/SYS_PUBLIC_TOOLS/.toolchain/gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu-linux-5.10/bin/aarch64-none-linux-gnu-
git clone https://github.com/u-boot/u-boot.git
cd u-boot
make vexpress_aemv8a_semi_defconfig
make -j 9
cd /data/Project/arm-trusted-firmware-lts-v2.8.4/
export CROSS_COMPILE=/data/toolchains/SYS_PUBLIC_TOOLS/.toolchain/gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu-linux-5.10/bin/aarch64-none-linux-gnu-
 
// 调试编译
make PLAT=fvp BL33=/data/Project/u-boot/u-boot.bin DEBUG=1 all fip
// 正常编译
make PLAT=fvp BL33=/data/Project/u-boot/u-boot.bin all fip
cd /data/Project/arm-trusted-firmware-lts-v2.8.4/
export CROSS_COMPILE=/data/toolchains/SYS_PUBLIC_TOOLS/.toolchain/gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu-linux-5.10/bin/aarch64-none-linux-gnu-
 
// 调试编译
make PLAT=fvp BL33=/data/Project/u-boot/u-boot.bin DEBUG=1 all fip
// 正常编译
make PLAT=fvp BL33=/data/Project/u-boot/u-boot.bin all fip
cd /data/Project/arm-trusted-firmware-lts-v2.8.4/build/fvp/debug/
export DISPLAY=:0
cd /data/Project/arm-trusted-firmware-lts-v2.8.4/build/fvp/debug/
export DISPLAY=:0
/data/Project/Base_RevC_AEMvA_pkg/models/Linux64_GCC-9.3/FVP_Base_RevC-2xAEMvA \
-C pctl.startup=0.0.0.0                                     \
-C bp.secure_memory=1                                       \
-C bp.tzc_400.diagnostics=1                                 \
-C cluster0.NUM_CORES=4                                     \
-C cluster1.NUM_CORES=4                                     \
-C cache_state_modelled=1                                   \
-C bp.secureflashloader.fname="./bl1.bin"      \
-C bp.flashloader0.fname="./fip.bin"
 
# 如果需要运行到rootfs请添加下方参数,
--data cluster0.cpu0="<path-to>/<kernel-binary>"@0x80080000 \
--data cluster0.cpu0="<path-to>/<ramdisk>"@0x84000000
/data/Project/Base_RevC_AEMvA_pkg/models/Linux64_GCC-9.3/FVP_Base_RevC-2xAEMvA \
-C pctl.startup=0.0.0.0                                     \
-C bp.secure_memory=1                                       \
-C bp.tzc_400.diagnostics=1                                 \
-C cluster0.NUM_CORES=4                                     \
-C cluster1.NUM_CORES=4                                     \
-C cache_state_modelled=1                                   \
-C bp.secureflashloader.fname="./bl1.bin"      \
-C bp.flashloader0.fname="./fip.bin"
 
# 如果需要运行到rootfs请添加下方参数,
--data cluster0.cpu0="<path-to>/<kernel-binary>"@0x80080000 \
--data cluster0.cpu0="<path-to>/<ramdisk>"@0x84000000
export CROSS_COMPILE=/data/toolchains/SYS_PUBLIC_TOOLS/.toolchain/gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu-linux-5.10/bin/aarch64-none-linux-gnu-
git clone https://review.trustedfirmware.orgTF-A/tf-a-tests.git
cd tf-a-tests
make PLAT=fvp tftf
export CROSS_COMPILE=/data/toolchains/SYS_PUBLIC_TOOLS/.toolchain/gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu-linux-5.10/bin/aarch64-none-linux-gnu-
git clone https://review.trustedfirmware.orgTF-A/tf-a-tests.git
cd tf-a-tests
make PLAT=fvp tftf
cd /data/Project/arm-trusted-firmware-lts-v2.8.4/
export CROSS_COMPILE=/data/toolchains/SYS_PUBLIC_TOOLS/.toolchain/gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu-linux-5.10/bin/aarch64-none-linux-gnu-
make PLAT=fvp BL33=/data/Project/tf-a-tests/build/fvp/release/tftf.bin all fip
cd /data/Project/arm-trusted-firmware-lts-v2.8.4/
export CROSS_COMPILE=/data/toolchains/SYS_PUBLIC_TOOLS/.toolchain/gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu-linux-5.10/bin/aarch64-none-linux-gnu-
make PLAT=fvp BL33=/data/Project/tf-a-tests/build/fvp/release/tftf.bin all fip
export CROSS_COMPILE=/data/toolchains/SYS_PUBLIC_TOOLS/.toolchain/gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu-linux-5.10/bin/aarch64-none-linux-gnu-
make PLAT=fvp SMC_FUZZING=1 SMC_FUZZ_DTS=/data/Project/tf-a-tests/smc_fuzz/dts/top.dts TESTS=smcfuzzing tftf
export CROSS_COMPILE=/data/toolchains/SYS_PUBLIC_TOOLS/.toolchain/gcc-arm-10.3-2021.07-x86_64-aarch64-none-linux-gnu-linux-5.10/bin/aarch64-none-linux-gnu-
make PLAT=fvp SMC_FUZZING=1 SMC_FUZZ_DTS=/data/Project/tf-a-tests/smc_fuzz/dts/top.dts TESTS=smcfuzzing tftf
/*
 * Copyright (c) 2023, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
 
 
/*
 * Top level device tree file to bias the SMC calls.  T
 * he biases are arbitrary and can be any value.
 * They are only significant when weighted against the
 * other biases.  30 was chosen arbitrarily.
 */
 
/dts-v1/;
 
/ {
 
    sdei {
        bias = <30>;
        sdei_version {
            bias = <30>;
            functionname = "sdei_version_funcid";
        };
        sdei_pe_unmask {
            bias = <30>;
            functionname = "sdei_pe_unmask_funcid";
        };
        sdei_pe_mask {
            bias = <30>;
            functionname = "sdei_pe_mask_funcid";
        };
        sdei_event_status {
            bias = <30>;
            functionname = "sdei_event_status_funcid";
        };
        sdei_event_signal {
            bias = <30>;
            functionname = "sdei_event_signal_funcid";
        };
        sdei_private_reset {
            bias = <30>;
            functionname = "sdei_private_reset_funcid";
        };
        sdei_shared_reset {
            bias = <30>;
            functionname = "sdei_shared_reset_funcid";
        };
    };
    tsp {
        bias = <30>;
        tsp_add_op {
            bias = <30>;
            functionname = "tsp_add_op_funcid";
        };
        tsp_sub_op {
            bias = <30>;
            functionname = "tsp_sub_op_funcid";
        };
        tsp_mul_op {
            bias = <30>;
            functionname = "tsp_mul_op_funcid";
        };
        tsp_div_op {
            bias = <30>;
            functionname = "tsp_div_op_funcid";
        };
    };
};
/*
 * Copyright (c) 2023, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
 
 
/*
 * Top level device tree file to bias the SMC calls.  T
 * he biases are arbitrary and can be any value.
 * They are only significant when weighted against the
 * other biases.  30 was chosen arbitrarily.
 */
 
/dts-v1/;
 
/ {
 
    sdei {
        bias = <30>;
        sdei_version {
            bias = <30>;
            functionname = "sdei_version_funcid";
        };
        sdei_pe_unmask {
            bias = <30>;
            functionname = "sdei_pe_unmask_funcid";
        };
        sdei_pe_mask {
            bias = <30>;
            functionname = "sdei_pe_mask_funcid";
        };
        sdei_event_status {
            bias = <30>;
            functionname = "sdei_event_status_funcid";
        };
        sdei_event_signal {
            bias = <30>;
            functionname = "sdei_event_signal_funcid";
        };
        sdei_private_reset {
            bias = <30>;
            functionname = "sdei_private_reset_funcid";
        };
        sdei_shared_reset {
            bias = <30>;
            functionname = "sdei_shared_reset_funcid";
        };
    };
    tsp {
        bias = <30>;
        tsp_add_op {
            bias = <30>;
            functionname = "tsp_add_op_funcid";

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 1
支持
分享
最新回复 (1)
雪    币: 2937
活跃值: (30841)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
感谢分享
2024-5-4 14:11
1
游客
登录 | 注册 方可回帖
返回
//