[1/5][AArch64] Return address protection on AArch64

Andrew Pinski pinskia@gmail.com
Fri Jan 20 04:15:00 GMT 2017


On Fri, Jan 6, 2017 at 3:47 AM, Jiong Wang <jiong.wang@foss.arm.com> wrote:
> On 11/11/16 18:22, Jiong Wang wrote:
>>
>> As described in the cover letter, this patch implements return address
>> signing for AArch64. It's controlled by the new option:
>>
>>    -msign-return-address=[none | non-leaf | all]
>>
>> "none" means don't do return address signing at all on any function.
>> "non-leaf" means only sign non-leaf functions.  "all" means sign all
>> functions.  Return address signing is currently disabled on ILP32.  I
>> haven't tested it.
>>
>> The instructions added in the architecture are of 2 kinds.
>>
>> * In the NOP instruction space, which allows binaries to run without any
>> traps on older versions of the architecture. This doesn't give any
>> additional protection on older hardware but allows for the same binary to
>> be used on earlier versions of the architecture and newer versions of the
>> architecture.
>>
>> * New instructions that are only valid for v8.3 and will trap if used on
>> earlier versions of the architecture.
>>
>> By default, once return address signing is enabled, it will only generate
>> NOP instructions.
>>
>> If -march=armv8.3-a is specified, GCC will try to use the most efficient
>> pointer authentication instructions it can.
>>
>> The architecture has 2 user invisible system keys for signing and creating
>> signed addresses as part of these instructions. For some use cases, the
>> user might want to use a different key for different functions.  The new
>> option "-msign-return-address-key=key_name" lets GCC select the key used
>> for return address signing.  Permissible values are "a_key" for A key and
>> "b_key" for B key, and this option is supported by the function target
>> attribute and LTO will hopefully just work.
>>
>>
>>
>> gcc/
>> 2016-11-09  Jiong Wang<jiong.wang@arm.com>
>>
>>          * config/aarch64/aarch64-opts.h (aarch64_pauth_key_index): New
>> enum.
>>          (aarch64_function_type): New enum.
>>          * config/aarch64/aarch64-protos.h (aarch64_output_sign_auth_reg):
>> New
>>          declaration.
>>          * config/aarch64/aarch64.c (aarch64_expand_prologue): Sign return
>>          address before it's pushed onto stack.
>>          (aarch64_expand_epilogue): Authenticate return address fetched
>> from
>>          stack.
>>          (aarch64_output_sign_auth_reg): New function.
>>          (aarch64_override_options): Sanity check for ILP32 and ISA level.
>>          (aarch64_attributes): New function attributes for
>> "sign-return-address",
>>          "pauth-key".
>>          * config/aarch64/aarch64.md (UNSPEC_AUTH_REG,
>> UNSPEC_AUTH_REG1716,
>>          UNSPEC_SIGN_REG, UNSPEC_SIGN_REG1716, UNSPEC_STRIP_REG_SIGN,
>>          UNSPEC_STRIP_X30_SIGN): New unspecs.
>>          ("*do_return"): Generate combined instructions according to key
>> index.
>>          ("sign_reg", "sign_reg1716", "auth_reg", "auth_reg1716",
>>          "strip_reg_sign", "strip_lr_sign"): New.
>>          * config/aarch64/aarch64.opt (msign-return-address, mpauth-key):
>> New.
>>          * config/aarch64/predicates.md (aarch64_const0_const1): New
>> predicate.
>>          * doc/extend.texi (AArch64 Function Attributes): Documents
>>          "sign-return-address=", "pauth-key".
>>          * doc/invoke.texi (AArch64 Options): Documents
>> "-msign-return-address=",
>>          "-pauth-key".
>>
>> gcc/testsuite/
>> 2016-11-09  Jiong Wang<jiong.wang@arm.com>
>>
>>          * gcc.target/aarch64/return_address_sign_1.c: New testcase.
>>          * gcc.target/aarch64/return_address_sign_scope_1.c: New testcase.
>
>
> Update the patchset according to new DWARF proposal described at
>
>   https://gcc.gnu.org/ml/gcc-patches/2016-11/msg03010.html

One of the patches in this patch set breaks ILP32 building for
aarch64-elf and most likely also aarch64-linux-gnu.

/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/libgcc/unwind-dw2.c:
In function ‘uw_init_context_1’:
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/libgcc/unwind-dw2.c:1567:6:
internal compiler error: in emit_move_insn, at expr.c:3698
   ra = MD_POST_EXTRACT_ROOT_ADDR (ra);
0x8270cf emit_move_insn(rtx_def*, rtx_def*)
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/expr.c:3697
0x80867b force_reg(machine_mode, rtx_def*)
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/explow.c:648
0xe9143f aarch64_expand_builtin(tree_node*, rtx_def*, rtx_def*,
machine_mode, int)
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/config/aarch64/aarch64-builtins.c:1336
0x6fae09 expand_builtin(tree_node*, rtx_def*, rtx_def*, machine_mode, int)
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/builtins.c:6359
0x8227bb expand_expr_real_1(tree_node*, rtx_def*, machine_mode,
expand_modifier, rtx_def**, bool)
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/expr.c:10782
0x82de70 expand_expr
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/expr.h:276
0x82de70 store_expr_with_bounds(tree_node*, rtx_def*, int, bool, bool,
tree_node*)
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/expr.c:5459
0x82f3b8 expand_assignment(tree_node*, tree_node*, bool)
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/expr.c:5321
0x71e8da expand_call_stmt
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/cfgexpand.c:2656
0x71e8da expand_gimple_stmt_1
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/cfgexpand.c:3571
0x71e8da expand_gimple_stmt
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/cfgexpand.c:3737
0x72085f expand_gimple_basic_block
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/cfgexpand.c:5744
0x726826 execute
/home/jenkins/workspace/BuildToolchainAARCH64_thunder_elf_upstream/toolchain/scripts/../src/gcc/cfgexpand.c:6357
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <http://www.cavium.com/support.html> for instructions.


Thanks,
Andrew




>
> While A key support for return address signing using DW_CFA_GNU_window_save
> only needs simple modifications on code and associated DWARF generation, B key
> support is more complex: it needs multiple CIE support in GCC and Binutils, so
> currently we fall back to DWARF value expression which fully works although
> requires longer encodings. Value expression also requires a few changes on
> AArch64 prologue and epilogue hooks that code review will not be easy.
>
> Therefore I have removed all B key support code in the initial support patch
> set, and will organize them into a separate follow up patchset so that we can
> do A key code review first.
>
> This patch is an update on the return address signing code generation.
>
> gcc/
> 2017-01-06  Jiong Wang  <jiong.wang@arm.com>
>
>         * config/aarch64/aarch64-opts.h (aarch64_function_type): New enum.
>         * config/aarch64/aarch64-protos.h
>         (aarch64_return_address_signing_enabled): New declaration.
>         * config/aarch64/aarch64.c (aarch64_return_address_signing_enabled):
>         New function.
>         (aarch64_expand_prologue): Sign return address before it's pushed
> onto
>         stack.
>         (aarch64_expand_epilogue): Authenticate return address fetched from
>         stack.
>         (aarch64_override_options): Sanity check for ILP32 and ISA level.
>         (aarch64_attributes): New function attributes for
> "sign-return-address".
>         * config/aarch64/aarch64.md (UNSPEC_AUTI1716, UNSPEC_AUTISP,
>         UNSPEC_PACI1716, UNSPEC_PACISP, UNSPEC_XPACLRI): New unspecs.
>         ("*do_return"): Generate combined instructions according to key
> index.
>         ("<pauth_mnem_prefix>sp", "<pauth_mnem_prefix1716", "xpaclri"): New.
>         * config/aarch64/iterators.md (PAUTH_LR_SP, PAUTH_17_16): New
> integer
>         iterators.
>         (pauth_mnem_prefix, pauth_hint_num_a): New integer attributes.
>         * config/aarch64/aarch64.opt (msign-return-address=): New.
>         * doc/extend.texi (AArch64 Function Attributes): Documents
>         "sign-return-address=".
>         * doc/invoke.texi (AArch64 Options): Documents
> "-msign-return-address=".
>
> gcc/testsuite/
> 2017-01-06  Jiong Wang  <jiong.wang@arm.com>
>
>
>         * gcc.target/aarch64/return_address_sign_1.c: New testcase.
>         * gcc.target/aarch64/return_address_sign_scope_1.c: New testcase.
>
>
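
An added example, not part of the original message or of the patch: a small C classifier for the two kinds of instruction the patch description distinguishes, the A-key ones in the HINT (NOP) space that older cores ignore and the combined return that exists only from ARMv8.3-A. The encodings are the architectural ones; the function names and the two instruction sequences are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What one 32-bit AArch64 instruction word does for return address signing. */
enum pauth_kind { PAUTH_NONE, PAUTH_SIGN, PAUTH_AUTH, PAUTH_STRIP, PAUTH_RETAA };
/* Per-function summary: signs/auths seen, and whether any instruction
   lies outside the HINT (NOP) space and so traps before ARMv8.3-A. */
struct pauth_scan { int signs, auths, needs_v83; };

enum pauth_kind classify_insn(uint32_t insn)
{
    if (insn == 0xD65F0BFFu) return PAUTH_RETAA;   /* retaa: ARMv8.3-A only */
    /* HINT #imm7 is 0xD503201F | (imm7 << 5); pre-8.3 cores run it as NOP. */
    if ((insn & 0xFFFFF01Fu) != 0xD503201Fu)
        return PAUTH_NONE;
    switch ((insn >> 5) & 0x7Fu) {
    case 25: case 8:  return PAUTH_SIGN;      /* paciasp, pacia1716 */
    case 29: case 12: return PAUTH_AUTH;      /* autiasp, autia1716 */
    case 7:           return PAUTH_STRIP;     /* xpaclri */
    default:          return PAUTH_NONE;      /* nop and unrelated hints */
    }
}

struct pauth_scan scan_function(const uint32_t *code, size_t n)
{
    struct pauth_scan r = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        enum pauth_kind k = classify_insn(code[i]);
        if (k == PAUTH_SIGN) r.signs++;
        if (k == PAUTH_AUTH || k == PAUTH_RETAA) r.auths++;
        if (k == PAUTH_RETAA) r.needs_v83 = 1;
    }
    return r;
}

/* Constructed sample: non-leaf function using only HINT-space instructions. */
const uint32_t SAMPLE_DEFAULT[] = {
    0xD503233F, 0xA9BF7BFD, 0x94000000,       /* paciasp; stp x29,x30; bl */
    0xA8C17BFD, 0xD50323BF, 0xD65F03C0 };     /* ldp x29,x30; autiasp; ret */
/* Constructed sample: same function ending in the combined v8.3 return. */
const uint32_t SAMPLE_V83[] = {
    0xD503233F, 0xA9BF7BFD, 0x94000000, 0xA8C17BFD, 0xD65F0BFF }; /* ...; retaa */

int main(void)
{
    struct pauth_scan a = scan_function(SAMPLE_DEFAULT, 6), b = scan_function(SAMPLE_V83, 5);
    printf("default: signs=%d auths=%d v8.3-only=%d\n", a.signs, a.auths, a.needs_v83);
    printf("v8.3:    signs=%d auths=%d v8.3-only=%d\n", b.signs, b.auths, b.needs_v83);
    return 0;
}
```

A function whose scan shows a sign without a matching authenticate, or none at all in a build that was meant to use -msign-return-address, is worth a closer look in disassembly.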


