281 lines
8.7 KiB
Diff
281 lines
8.7 KiB
Diff
From 7ed0f8d04d56320b034f2e15ef7867c5724947e0 Mon Sep 17 00:00:00 2001
|
|
From: Bill Roberts <bill.roberts@arm.com>
|
|
Date: Thu, 18 Jul 2024 10:13:07 -0500
|
|
Subject: [PATCH 2/2] aarch64: support PAC and BTI
|
|
|
|
Enable Pointer Authentication Codes (PAC) and Branch Target
|
|
Identification (BTI) support for ARM 64 targets.
|
|
|
|
PAC works by signing the LR with either an A key or B key and verifying
|
|
the return address. There are quite a few instructions capable of doing
|
|
this, however, the Linux ARM ABI is to use hint compatible instructions
|
|
that can be safely NOP'd on older hardware and can be assembled and
|
|
linked with older binutils. This limits the instruction set to paciasp,
|
|
pacibsp, autiasp and autibsp. Instructions prefixed with pac are for
|
|
signing and instructions prefixed with aut are for signing. Both
|
|
instructions are then followed with an a or b to indicate which signing
|
|
key they are using. The keys can be controlled using
|
|
-mbranch-protection=pac-ret for the A key and
|
|
-mbranch-protection=pac-ret+b-key for the B key.
|
|
|
|
BTI works by marking all call and jump positions with bti c and bti
|
|
j instructions. If execution control transfers to an instruction other
|
|
than a BTI instruction, the execution is killed via SIGILL. Note that
|
|
to remove one instruction, the aforementioned pac instructions will
|
|
also work as a BTI landing pad for bti c usages.
|
|
|
|
For BTI to work, all object files linked for a unit of execution,
|
|
whether an executable or a library must have the GNU Notes section of
|
|
the ELF file marked to indicate BTI support. This is so loader/linkers
|
|
can apply the proper permission bits (PROT_BRI) on the memory region.
|
|
|
|
PAC can also be annotated in the GNU ELF notes section, but it's not
|
|
required for enablement, as interleaved PAC and non-pac code works as
|
|
expected since it's the callee that performs all the checking. The
|
|
linker follows the same rules as BTI for discarding the PAC flag from
|
|
the GNU Notes section.
|
|
|
|
Testing was done under the following CFLAGS and CXXFLAGS for all
|
|
combinations:
|
|
1. -mbranch-protection=none
|
|
2. -mbranch-protection=standard
|
|
3. -mbranch-protection=pac-ret
|
|
4. -mbranch-protection=pac-ret+b-key
|
|
5. -mbranch-protection=bti
|
|
|
|
Signed-off-by: Bill Roberts <bill.roberts@arm.com>
|
|
---
|
|
pixman/pixman-arm-asm.h | 43 ++++++++++++++++++++++++
|
|
pixman/pixman-arma64-neon-asm-bilinear.S | 1 +
|
|
pixman/pixman-arma64-neon-asm.S | 1 +
|
|
pixman/pixman-arma64-neon-asm.h | 32 +++++++++++++-----
|
|
4 files changed, 69 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/pixman/pixman-arm-asm.h b/pixman/pixman-arm-asm.h
|
|
index 1fe40b3..c13837c 100644
|
|
--- a/pixman/pixman-arm-asm.h
|
|
+++ b/pixman/pixman-arm-asm.h
|
|
@@ -30,6 +30,48 @@
|
|
|
|
#include "pixman-config.h"
|
|
|
|
+/*
|
|
+ * References:
|
|
+ * - https://developer.arm.com/documentation/101028/0012/5--Feature-test-macros
|
|
+ * - https://github.com/ARM-software/abi-aa/blob/main/aaelf64/aaelf64.rst
|
|
+ */
|
|
+#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
|
|
+ #define BTI_C hint 34 /* bti c: for calls, IE bl instructions */
|
|
+ #define GNU_PROPERTY_AARCH64_BTI 1 /* bit 0 GNU Notes is for BTI support */
|
|
+#else
|
|
+ #define BTI_C
|
|
+ #define GNU_PROPERTY_AARCH64_BTI 0
|
|
+#endif
|
|
+
|
|
+#if defined(__ARM_FEATURE_PAC_DEFAULT)
|
|
+ #if __ARM_FEATURE_PAC_DEFAULT & 1
|
|
+ #define SIGN_LR hint 25 /* paciasp: sign with the A key */
|
|
+ #define VERIFY_LR hint 29 /* autiasp: verify with the b key */
|
|
+ #elif __ARM_FEATURE_PAC_DEFAULT & 2
|
|
+ #define SIGN_LR hint 27 /* pacibsp: sign with the b key */
|
|
+ #define VERIFY_LR hint 31 /* autibsp: verify with the b key */
|
|
+ #endif
|
|
+ #define GNU_PROPERTY_AARCH64_POINTER_AUTH 2 /* bit 1 GNU Notes is for PAC support */
|
|
+#else
|
|
+ #define SIGN_LR BTI_C
|
|
+ #define VERIFY_LR
|
|
+ #define GNU_PROPERTY_AARCH64_POINTER_AUTH 0
|
|
+#endif
|
|
+
|
|
+/* Add the BTI support to GNU Notes section for ASM files */
|
|
+#if GNU_PROPERTY_AARCH64_BTI != 0 || GNU_PROPERTY_AARCH64_POINTER_AUTH != 0
|
|
+ .pushsection .note.gnu.property, "a"; /* Start a new allocatable section */
|
|
+ .balign 8; /* align it on a byte boundry */
|
|
+ .long 4; /* size of "GNU\0" */
|
|
+ .long 0x10; /* size of descriptor */
|
|
+ .long 0x5; /* NT_GNU_PROPERTY_TYPE_0 */
|
|
+ .asciz "GNU";
|
|
+ .long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */
|
|
+ .long 4; /* Four bytes of data */
|
|
+ .long (GNU_PROPERTY_AARCH64_BTI|GNU_PROPERTY_AARCH64_POINTER_AUTH); /* BTI or PAC is enabled */
|
|
+ .long 0; /* padding for 8 byte alignment */
|
|
+ .popsection; /* end the section */
|
|
+#endif
|
|
|
|
/* Supplementary macro for setting function attributes */
|
|
.macro pixman_asm_function_impl fname
|
|
@@ -42,6 +84,7 @@
|
|
.type \fname, %function
|
|
#endif
|
|
\fname:
|
|
+ SIGN_LR
|
|
.endm
|
|
|
|
.macro pixman_asm_function fname
|
|
diff --git a/pixman/pixman-arma64-neon-asm-bilinear.S b/pixman/pixman-arma64-neon-asm-bilinear.S
|
|
index 7303bdc..f11f8c8 100644
|
|
--- a/pixman/pixman-arma64-neon-asm-bilinear.S
|
|
+++ b/pixman/pixman-arma64-neon-asm-bilinear.S
|
|
@@ -812,6 +812,7 @@ pixman_asm_function \fname
|
|
mov sp, x29
|
|
ldp x29, x30, [sp], 16
|
|
.endif
|
|
+ VERIFY_LR
|
|
ret
|
|
|
|
.unreq OUT
|
|
diff --git a/pixman/pixman-arma64-neon-asm.S b/pixman/pixman-arma64-neon-asm.S
|
|
index 107c133..7329d4b 100644
|
|
--- a/pixman/pixman-arma64-neon-asm.S
|
|
+++ b/pixman/pixman-arma64-neon-asm.S
|
|
@@ -3541,6 +3541,7 @@ pixman_asm_function \fname
|
|
ldp x12, x13, [x29, -104]
|
|
mov sp, x29
|
|
ldp x29, x30, [sp], 16
|
|
+ VERIFY_LR
|
|
ret
|
|
|
|
.unreq OUT
|
|
diff --git a/pixman/pixman-arma64-neon-asm.h b/pixman/pixman-arma64-neon-asm.h
|
|
index 6aa6838..ec3d76f 100644
|
|
--- a/pixman/pixman-arma64-neon-asm.h
|
|
+++ b/pixman/pixman-arma64-neon-asm.h
|
|
@@ -47,6 +47,8 @@
|
|
* - maybe add an option to do reverse scanline processing
|
|
*/
|
|
|
|
+#include "pixman-arm-asm.h"
|
|
+
|
|
/*
|
|
* Bit flags for 'generate_composite_function' macro which are used
|
|
* to tune generated functions behavior.
|
|
@@ -232,14 +234,16 @@
|
|
asr TMP1, VX, #16
|
|
adds VX, VX, UNIT_X
|
|
bmi 55f
|
|
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
+5:
|
|
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
bpl 5b
|
|
55:
|
|
add TMP1, \mem_operand, TMP1, lsl #1
|
|
asr TMP2, VX, #16
|
|
adds VX, VX, UNIT_X
|
|
bmi 55f
|
|
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
+5:
|
|
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
bpl 5b
|
|
55:
|
|
add TMP2, \mem_operand, TMP2, lsl #1
|
|
@@ -247,7 +251,8 @@
|
|
asr TMP1, VX, #16
|
|
adds VX, VX, UNIT_X
|
|
bmi 55f
|
|
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
+5:
|
|
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
bpl 5b
|
|
55:
|
|
add TMP1, \mem_operand, TMP1, lsl #1
|
|
@@ -255,7 +260,8 @@
|
|
asr TMP2, VX, #16
|
|
adds VX, VX, UNIT_X
|
|
bmi 55f
|
|
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
+5:
|
|
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
bpl 5b
|
|
55:
|
|
add TMP2, \mem_operand, TMP2, lsl #1
|
|
@@ -265,14 +271,16 @@
|
|
asr TMP1, VX, #16
|
|
adds VX, VX, UNIT_X
|
|
bmi 55f
|
|
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
+5:
|
|
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
bpl 5b
|
|
55:
|
|
add TMP1, \mem_operand, TMP1, lsl #2
|
|
asr TMP2, VX, #16
|
|
adds VX, VX, UNIT_X
|
|
bmi 55f
|
|
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
+5:
|
|
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
bpl 5b
|
|
55:
|
|
add TMP2, \mem_operand, TMP2, lsl #2
|
|
@@ -312,7 +320,8 @@
|
|
asr TMP1, VX, #16
|
|
adds VX, VX, UNIT_X
|
|
bmi 55f
|
|
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
+5:
|
|
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
bpl 5b
|
|
55:
|
|
add TMP1, \mem_operand, TMP1, lsl #1
|
|
@@ -322,7 +331,8 @@
|
|
mov TMP1, DUMMY
|
|
adds VX, VX, UNIT_X
|
|
bmi 55f
|
|
-5: subs VX, VX, SRC_WIDTH_FIXED
|
|
+5:
|
|
+ subs VX, VX, SRC_WIDTH_FIXED
|
|
bpl 5b
|
|
55:
|
|
add TMP1, \mem_operand, TMP1, lsl #2
|
|
@@ -917,6 +927,7 @@
|
|
ldr x28, [x29, -232]
|
|
mov sp, x29
|
|
ldp x29, x30, [sp], 16
|
|
+ VERIFY_LR
|
|
ret /* exit */
|
|
/*
|
|
* This is the start of the loop, designed to process images with small width
|
|
@@ -974,6 +985,7 @@
|
|
ldr x28, [x29, -232]
|
|
mov sp, x29
|
|
ldp x29, x30, [sp], 16
|
|
+ VERIFY_LR
|
|
ret /* exit */
|
|
|
|
.purgem fetch_src_pixblock
|
|
@@ -1155,6 +1167,7 @@
|
|
ldr x10, [x29, -96]
|
|
mov sp, x29
|
|
ldp x29, x30, [sp], 16
|
|
+ VERIFY_LR
|
|
ret /* exit */
|
|
.else
|
|
sub x29, x29, 64
|
|
@@ -1162,6 +1175,7 @@
|
|
ld1 {v12.8b, v13.8b, v14.8b, v15.8b}, [x29], 32
|
|
mov sp, x29
|
|
ldp x29, x30, [sp], 16
|
|
+ VERIFY_LR
|
|
ret /* exit */
|
|
.endif
|
|
800:
|
|
@@ -1180,6 +1194,7 @@
|
|
ldr x10, [x29, -88]
|
|
mov sp, x29
|
|
ldp x29, x30, [sp], 16
|
|
+ VERIFY_LR
|
|
ret /* exit */
|
|
|
|
.unreq DUMMY
|
|
@@ -1200,6 +1215,7 @@
|
|
ld1 {v12.8b, v13.8b, v14.8b, v15.8b}, [x29], 32
|
|
mov sp, x29
|
|
ldp x29, x30, [sp], 16
|
|
+ VERIFY_LR
|
|
ret /* exit */
|
|
|
|
.unreq DUMMY
|
|
--
|
|
2.46.0
|
|
|