[1/5][AArch64] Return address protection on AArch64

Jiong Wang jiong.wang@foss.arm.com
Fri Jan 6 11:47:00 GMT 2017


On 11/11/16 18:22, Jiong Wang wrote:
> As described in the cover letter, this patch implements return address signing
> for AArch64; it's controlled by the new option:
>
>    -msign-return-address=[none | non-leaf | all]
>
> "none" means don't do return address signing at all on any function.  "non-leaf"
> means only sign non-leaf functions.  "all" means sign all functions.  Return
> address signing is currently disabled on ILP32.  I haven't tested it.
>
> The instructions added in the architecture are of 2 kinds.
>
> * In the NOP instruction space, which allows binaries to run without any traps
> on older versions of the architecture. This doesn't give any additional
> protection on older hardware but allows for the same binary to be used on
> earlier versions of the architecture and newer versions of the architecture.
>
> * New instructions that are only valid for v8.3 and will trap if used on earlier
> versions of the architecture.
>
> By default, once return address signing is enabled, it will only generate NOP
> instructions.
>
> If -march=armv8.3-a is specified, GCC will try to use the most efficient
> pointer authentication instructions it can.
>
> The architecture has 2 user invisible system keys for signing and creating
> signed addresses as part of these instructions. For some use cases, the user
> might want to use a different key for different functions.  The new option
> "-msign-return-address-key=key_name" lets GCC select the key used for return
> address signing.  Permissible values are "a_key" for A key and "b_key" for B
> key.  This option is supported by the function target attribute, and LTO will
> hopefully just work.
>
>
>
> gcc/
> 2016-11-09  Jiong Wang  <jiong.wang@arm.com>
>
>          * config/aarch64/aarch64-opts.h (aarch64_pauth_key_index): New enum.
>          (aarch64_function_type): New enum.
>          * config/aarch64/aarch64-protos.h (aarch64_output_sign_auth_reg): New
>          declaration.
>          * config/aarch64/aarch64.c (aarch64_expand_prologue): Sign return
>          address before it's pushed onto stack.
>          (aarch64_expand_epilogue): Authenticate return address fetched from
>          stack.
>          (aarch64_output_sign_auth_reg): New function.
>          (aarch64_override_options): Sanity check for ILP32 and ISA level.
>          (aarch64_attributes): New function attributes for "sign-return-address",
>          "pauth-key".
>          * config/aarch64/aarch64.md (UNSPEC_AUTH_REG, UNSPEC_AUTH_REG1716,
>          UNSPEC_SIGN_REG, UNSPEC_SIGN_REG1716, UNSPEC_STRIP_REG_SIGN,
>          UNSPEC_STRIP_X30_SIGN): New unspecs.
>          ("*do_return"): Generate combined instructions according to key index.
>          ("sign_reg", "sign_reg1716", "auth_reg", "auth_reg1716",
>          "strip_reg_sign", "strip_lr_sign"): New.
>          * config/aarch64/aarch64.opt (msign-return-address, mpauth-key): New.
>          * config/aarch64/predicates.md (aarch64_const0_const1): New predicate.
>          * doc/extend.texi (AArch64 Function Attributes): Documents
>          "sign-return-address=", "pauth-key".
>          * doc/invoke.texi (AArch64 Options): Documents "-msign-return-address=",
>          "-pauth-key".
>
> gcc/testsuite/
> 2016-11-09  Jiong Wang  <jiong.wang@arm.com>
>
>          * gcc.target/aarch64/return_address_sign_1.c: New testcase.
>          * gcc.target/aarch64/return_address_sign_scope_1.c: New testcase.

Update the patchset according to the new DWARF proposal described at

   https://gcc.gnu.org/ml/gcc-patches/2016-11/msg03010.html

While A key support for return address signing using DW_CFA_GNU_window_save only
needs simple modifications on code and associated DWARF generation, B key
support is more complex: it needs multiple CIE support in GCC and Binutils, so
currently we fall back to DWARF value expressions, which fully work although they
require longer encodings. Value expressions also require a few changes on the
AArch64 prologue and epilogue hooks, so code review will not be easy.

Therefore I have removed all B key support code in the initial support patchset,
and will organize it into a separate follow-up patchset so that we can do A key
code review first.

This patch is an update on the return address signing code generation.

gcc/
2017-01-06  Jiong Wang  <jiong.wang@arm.com>

         * config/aarch64/aarch64-opts.h (aarch64_function_type): New enum.
         * config/aarch64/aarch64-protos.h
         (aarch64_return_address_signing_enabled): New declaration.
         * config/aarch64/aarch64.c (aarch64_return_address_signing_enabled):
         New function.
         (aarch64_expand_prologue): Sign return address before it's pushed onto
         stack.
         (aarch64_expand_epilogue): Authenticate return address fetched from
         stack.
         (aarch64_override_options): Sanity check for ILP32 and ISA level.
         (aarch64_attributes): New function attributes for "sign-return-address".
         * config/aarch64/aarch64.md (UNSPEC_AUTI1716, UNSPEC_AUTISP,
         UNSPEC_PACI1716, UNSPEC_PACISP, UNSPEC_XPACLRI): New unspecs.
         ("*do_return"): Generate combined instructions according to key index.
         ("<pauth_mnem_prefix>sp", "<pauth_mnem_prefix>1716", "xpaclri"): New.
         * config/aarch64/iterators.md (PAUTH_LR_SP, PAUTH_17_16): New integer
         iterators.
         (pauth_mnem_prefix, pauth_hint_num_a): New integer attributes.
         * config/aarch64/aarch64.opt (msign-return-address=): New.
         * doc/extend.texi (AArch64 Function Attributes): Documents
         "sign-return-address=".
         * doc/invoke.texi (AArch64 Options): Documents "-msign-return-address=".

gcc/testsuite/
2017-01-06  Jiong Wang  <jiong.wang@arm.com>

         * gcc.target/aarch64/return_address_sign_1.c: New testcase.
         * gcc.target/aarch64/return_address_sign_scope_1.c: New testcase.


Attachment: 1.patch (text/x-diff, 13645 bytes)
URL: <http://gcc.gnu.org/pipermail/gcc-patches/attachments/20170106/a84e250c/attachment.bin>
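A toy model of the sign/authenticate/strip sequence the patch emits (a PACISP-style sign of LR with SP as modifier in the prologue, an AUTISP-style authenticate in the epilogue, and an XPACLRI-style strip), added here as an illustration and not part of the patch or of GCC. The MAC, the key struct, the 48-bit address split and the function names are constructed stand-ins for the architectural PAC computation, not the real algorithm.

```c
/* Toy model of AArch64 return-address signing as -msign-return-address
 * arranges it: sign LR in the prologue, authenticate in the epilogue.
 * The MAC below is a constructed mixing function, NOT the architectural
 * PAC algorithm; key layout and function names are hypothetical. */
#include <stdint.h>
#include <stdbool.h>

#define VA_BITS 48u                        /* assumed virtual address width */
#define VA_MASK ((1ull << VA_BITS) - 1)    /* PAC is stored in the bits above */
#define PAC_MASK (~VA_MASK)

typedef struct { uint64_t hi, lo; } pauth_key;   /* stands in for the A key */

/* Constructed MAC over (address, modifier, key), returned in the PAC bits. */
static uint64_t toy_pac(uint64_t addr, uint64_t modifier, pauth_key key) {
    uint64_t x = (addr & VA_MASK) ^ key.lo;
    x ^= modifier * 0x9E3779B97F4A7C15ull;
    x = (x ^ (x >> 29)) * 0xBF58476D1CE4E5B9ull;
    x ^= key.hi;
    x = (x ^ (x >> 32)) * 0x94D049BB133111EBull;
    return x & PAC_MASK;
}

/* PACISP-style: sign a canonical LR (upper 16 bits zero) using SP as modifier. */
uint64_t pac_sign(uint64_t lr, uint64_t sp, pauth_key key) {
    return (lr & VA_MASK) | toy_pac(lr, sp, key);
}

/* AUTISP-style: on failure real hardware returns a non-canonical pointer so
 * the following RET faults; modelled here by setting bit 63 and *ok = false. */
uint64_t pac_auth(uint64_t signed_lr, uint64_t sp, pauth_key key, bool *ok) {
    uint64_t addr = signed_lr & VA_MASK;
    *ok = (signed_lr & PAC_MASK) == toy_pac(addr, sp, key);
    return *ok ? addr : (addr | (1ull << 63));
}

/* XPACLRI-style: strip the PAC without authenticating (what an unwinder does). */
uint64_t pac_strip(uint64_t signed_lr) { return signed_lr & VA_MASK; }

/* Prologue store + epilogue load of the return address.  With overwritten set,
 * the saved target is changed while its PAC is kept, as a stack overwrite of
 * the return slot would do; authentication must then reject it. */
bool return_roundtrip_ok(uint64_t lr, uint64_t sp, pauth_key key, bool overwritten) {
    uint64_t saved = pac_sign(lr, sp, key);                 /* pushed to stack */
    if (overwritten)
        saved = (saved & PAC_MASK) | ((lr + 0x10) & VA_MASK);
    bool ok;
    uint64_t got = pac_auth(saved, sp, key, &ok);          /* popped and checked */
    return ok && got == lr;
}
```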

