[v3,11/13] aarch64: Add pac-ret support to assembly files

Message ID 55c2f030bcb0c66c855e823b60bbd624d7d5bff9.1589552055.git.szabolcs.nagy@arm.com
State Superseded
Series
  • aarch64: branch protection support

Commit Message

Szabolcs Nagy May 15, 2020, 2:40 p.m.
Use return address signing in assembly files for functions that save
LR when pac-ret is enabled in the compiler.

The GNU property note for PAC-RET is not meaningful to the dynamic
linker so it is not strictly required, but it may be used to track
the security property of binaries. (The PAC-RET property is only set
if BTI is set too because BTI implies working GNU property support.)
---
 sysdeps/aarch64/crti.S          |  8 ++++++++
 sysdeps/aarch64/crtn.S          |  6 ++++++
 sysdeps/aarch64/dl-tlsdesc.S    |  8 ++++++++
 sysdeps/aarch64/dl-trampoline.S | 18 ++++++++++++++++++
 sysdeps/aarch64/sysdep.h        |  8 +++++++-
 5 files changed, 47 insertions(+), 1 deletion(-)

-- 
2.17.1

Comments

Jakub Jelinek via Libc-alpha May 26, 2020, 11:26 a.m. | #1
On 15/05/2020 11:40, Szabolcs Nagy wrote:
> Use return address signing in assembly files for functions that save

> LR when pac-ret is enabled in the compiler.

> 

> The GNU property note for PAC-RET is not meaningful to the dynamic

> linker so it is not strictly required, but it may be used to track

> the security property of binaries. (The PAC-RET property is only set

> if BTI is set too because BTI implies working GNU property support.)


With the suggestion from the previous HAVE_AARCH64_PAC_RET patch,
these tests could be written as #if HAVE_AARCH64_PAC_RET.

Besides that, LGTM.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>


> ---

>  sysdeps/aarch64/crti.S          |  8 ++++++++

>  sysdeps/aarch64/crtn.S          |  6 ++++++

>  sysdeps/aarch64/dl-tlsdesc.S    |  8 ++++++++

>  sysdeps/aarch64/dl-trampoline.S | 18 ++++++++++++++++++

>  sysdeps/aarch64/sysdep.h        |  8 +++++++-

>  5 files changed, 47 insertions(+), 1 deletion(-)

> 

> diff --git a/sysdeps/aarch64/crti.S b/sysdeps/aarch64/crti.S

> index c346bcad72..02ec7d015e 100644

> --- a/sysdeps/aarch64/crti.S

> +++ b/sysdeps/aarch64/crti.S

> @@ -75,7 +75,11 @@ call_weak_fn:

>  	.hidden	_init

>  	.type	_init, %function

>  _init:

> +#ifdef HAVE_AARCH64_PAC_RET

> +	PACIASP

> +#else

>  	BTI_C

> +#endif

>  	stp	x29, x30, [sp, -16]!

>  	mov	x29, sp

>  #if PREINIT_FUNCTION_WEAK

> @@ -90,6 +94,10 @@ _init:

>  	.hidden	_fini

>  	.type	_fini, %function

>  _fini:

> +#ifdef HAVE_AARCH64_PAC_RET

> +	PACIASP

> +#else

>  	BTI_C

> +#endif

>  	stp	x29, x30, [sp, -16]!

>  	mov	x29, sp


Ok.

> diff --git a/sysdeps/aarch64/crtn.S b/sysdeps/aarch64/crtn.S

> index 0c1ef112c2..4b93b90411 100644

> --- a/sysdeps/aarch64/crtn.S

> +++ b/sysdeps/aarch64/crtn.S

> @@ -41,8 +41,14 @@

>  

>  	.section .init,"ax",%progbits

>  	ldp	x29, x30, [sp], 16

> +#ifdef HAVE_AARCH64_PAC_RET

> +	AUTIASP

> +#endif

>  	RET

>  

>  	.section .fini,"ax",%progbits

>  	ldp	x29, x30, [sp], 16

> +#ifdef HAVE_AARCH64_PAC_RET

> +	AUTIASP

> +#endif

>  	RET


Ok.

> diff --git a/sysdeps/aarch64/dl-tlsdesc.S b/sysdeps/aarch64/dl-tlsdesc.S

> index 9d96c8632a..3746dbec17 100644

> --- a/sysdeps/aarch64/dl-tlsdesc.S

> +++ b/sysdeps/aarch64/dl-tlsdesc.S

> @@ -183,6 +183,10 @@ _dl_tlsdesc_dynamic:

>  	   callee will trash.  */

>  

>  	/* Save the remaining registers that we must treat as caller save.  */

> +# ifdef HAVE_AARCH64_PAC_RET

> +	PACIASP

> +	cfi_window_save

> +# endif

>  # define NSAVEXREGPAIRS 8

>  	stp	x29, x30, [sp,#-16*NSAVEXREGPAIRS]!

>  	cfi_adjust_cfa_offset (16*NSAVEXREGPAIRS)

> @@ -233,6 +237,10 @@ _dl_tlsdesc_dynamic:

>  	cfi_adjust_cfa_offset (-16*NSAVEXREGPAIRS)

>  	cfi_restore (x29)

>  	cfi_restore (x30)

> +# ifdef HAVE_AARCH64_PAC_RET

> +	AUTIASP

> +	cfi_window_save

> +# endif

>  	b	1b

>  	cfi_endproc

>  	.size	_dl_tlsdesc_dynamic, .-_dl_tlsdesc_dynamic


Ok.

> diff --git a/sysdeps/aarch64/dl-trampoline.S b/sysdeps/aarch64/dl-trampoline.S

> index 2cbfa81434..53f92d68bf 100644

> --- a/sysdeps/aarch64/dl-trampoline.S

> +++ b/sysdeps/aarch64/dl-trampoline.S

> @@ -127,7 +127,12 @@ _dl_runtime_resolve:

>  	cfi_startproc

>  	.align 2

>  _dl_runtime_profile:

> +# ifdef HAVE_AARCH64_PAC_RET

> +	PACIASP

> +	cfi_window_save

> +# else

>  	BTI_C

> +# endif

>  	/* AArch64 we get called with:

>  	   ip0		&PLTGOT[2]

>  	   ip1		temp(dl resolver entry point)

> @@ -239,8 +244,17 @@ _dl_runtime_profile:

>  	cfi_restore(x29)

>  	cfi_restore(x30)

>  

> +# ifdef HAVE_AARCH64_PAC_RET

> +	add	sp, sp, SF_SIZE

> +	cfi_adjust_cfa_offset (-SF_SIZE)

> +	AUTIASP

> +	cfi_window_save

> +	add	sp, sp, 16

> +	cfi_adjust_cfa_offset (-16)

> +# else

>  	add	sp, sp, SF_SIZE + 16

>  	cfi_adjust_cfa_offset (- SF_SIZE - 16)

> +# endif

>  

>  	/* Jump to the newly found address.  */

>  	br	ip0

> @@ -287,6 +301,10 @@ _dl_runtime_profile:

>  	/* LR from within La_aarch64_reg */

>  	ldr	lr, [x29, #OFFSET_RG + DL_OFFSET_RG_LR]

>  	cfi_restore(lr)

> +# ifdef HAVE_AARCH64_PAC_RET

> +	/* Note: LR restored from La_aarch64_reg has no PAC.  */

> +	cfi_window_save

> +# endif

>  	mov	sp, x29

>  	cfi_def_cfa_register (sp)

>  	ldr	x29, [x29, #0]


Ok.

> diff --git a/sysdeps/aarch64/sysdep.h b/sysdeps/aarch64/sysdep.h

> index 086fc84b53..c51572a690 100644

> --- a/sysdeps/aarch64/sysdep.h

> +++ b/sysdeps/aarch64/sysdep.h

> @@ -45,6 +45,10 @@

>  #define BTI_C		hint	34

>  #define BTI_J		hint	36

>  

> +/* Return address signing support (pac-ret).  */

> +#define PACIASP		hint	25

> +#define AUTIASP		hint	29

> +

>  /* GNU_PROPERTY_AARCH64_* macros from elf.h for use in asm code.  */

>  #define FEATURE_1_AND 0xc0000000

>  #define FEATURE_1_BTI 1

> @@ -66,7 +70,9 @@

>  

>  /* Add GNU property note with the supported features to all asm code

>     where sysdep.h is included.  */

> -#if defined HAVE_AARCH64_BTI

> +#if defined HAVE_AARCH64_BTI && defined HAVE_AARCH64_PAC_RET

> +GNU_PROPERTY (FEATURE_1_AND, FEATURE_1_BTI|FEATURE_1_PAC)

> +#elif defined HAVE_AARCH64_BTI

>  GNU_PROPERTY (FEATURE_1_AND, FEATURE_1_BTI)

>  #endif

>  

> 


Ok.

Patch

diff --git a/sysdeps/aarch64/crti.S b/sysdeps/aarch64/crti.S
index c346bcad72..02ec7d015e 100644
--- a/sysdeps/aarch64/crti.S
+++ b/sysdeps/aarch64/crti.S
@@ -75,7 +75,11 @@  call_weak_fn:
 	.hidden	_init
 	.type	_init, %function
 _init:
+#ifdef HAVE_AARCH64_PAC_RET
+	PACIASP
+#else
 	BTI_C
+#endif
 	stp	x29, x30, [sp, -16]!
 	mov	x29, sp
 #if PREINIT_FUNCTION_WEAK
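Review bot: In `_init`, the `#else` that drops `BTI_C` when `PACIASP` is emitted has no comment saying the landing pad is still there, so a reader may take it for a BTI regression. PACIASP is itself accepted as a BTI c landing pad, so one line would do: `/* PACIASP is also a valid BTI c landing pad.  */`. The same applies to `_fini` in the next hunk and to the `_dl_runtime_profile` entry in dl-trampoline.S. Both function bodies continue outside their hunks.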
@@ -90,6 +94,10 @@  _init:
 	.hidden	_fini
 	.type	_fini, %function
 _fini:
+#ifdef HAVE_AARCH64_PAC_RET
+	PACIASP
+#else
 	BTI_C
+#endif
 	stp	x29, x30, [sp, -16]!
 	mov	x29, sp
diff --git a/sysdeps/aarch64/crtn.S b/sysdeps/aarch64/crtn.S
index 0c1ef112c2..4b93b90411 100644
--- a/sysdeps/aarch64/crtn.S
+++ b/sysdeps/aarch64/crtn.S
@@ -41,8 +41,14 @@ 
 
 	.section .init,"ax",%progbits
 	ldp	x29, x30, [sp], 16
+#ifdef HAVE_AARCH64_PAC_RET
+	AUTIASP
+#endif
 	RET
 
 	.section .fini,"ax",%progbits
 	ldp	x29, x30, [sp], 16
+#ifdef HAVE_AARCH64_PAC_RET
+	AUTIASP
+#endif
 	RET
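Review bot: The `AUTIASP` added before each `RET` authenticates a return address that is signed in a different file (the `PACIASP` at `_init`/`_fini` in crti.S), and nothing here records that pairing. Because both halves are keyed on `HAVE_AARCH64_PAC_RET`, crti.o and crtn.o have to be built with the same setting; otherwise the authenticate step is either skipped or applied to an unsigned LR. A comment such as `/* Pairs with PACIASP in crti.S; sp must be back at its entry value here.  */` above the first `AUTIASP` would capture this. The prologues are outside this hunk.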
diff --git a/sysdeps/aarch64/dl-tlsdesc.S b/sysdeps/aarch64/dl-tlsdesc.S
index 9d96c8632a..3746dbec17 100644
--- a/sysdeps/aarch64/dl-tlsdesc.S
+++ b/sysdeps/aarch64/dl-tlsdesc.S
@@ -183,6 +183,10 @@  _dl_tlsdesc_dynamic:
 	   callee will trash.  */
 
 	/* Save the remaining registers that we must treat as caller save.  */
+# ifdef HAVE_AARCH64_PAC_RET
+	PACIASP
+	cfi_window_save
+# endif
 # define NSAVEXREGPAIRS 8
 	stp	x29, x30, [sp,#-16*NSAVEXREGPAIRS]!
 	cfi_adjust_cfa_offset (16*NSAVEXREGPAIRS)
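Review bot: `cfi_window_save` directly after `PACIASP` in the `_dl_tlsdesc_dynamic` slow path needs a comment, because it reads like a SPARC directive that strayed into AArch64 code. On AArch64 the opcode it emits is interpreted by unwinders as toggling the return-address signing state. That is presumably why it appears here, after `AUTIASP` in the next hunk, and in all three dl-trampoline.S hunks. At this first use I would add `/* On AArch64 .cfi_window_save toggles the RA signing state for the unwinder.  */`. The function starts and ends outside the hunk.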
@@ -233,6 +237,10 @@  _dl_tlsdesc_dynamic:
 	cfi_adjust_cfa_offset (-16*NSAVEXREGPAIRS)
 	cfi_restore (x29)
 	cfi_restore (x30)
+# ifdef HAVE_AARCH64_PAC_RET
+	AUTIASP
+	cfi_window_save
+# endif
 	b	1b
 	cfi_endproc
 	.size	_dl_tlsdesc_dynamic, .-_dl_tlsdesc_dynamic
diff --git a/sysdeps/aarch64/dl-trampoline.S b/sysdeps/aarch64/dl-trampoline.S
index 2cbfa81434..53f92d68bf 100644
--- a/sysdeps/aarch64/dl-trampoline.S
+++ b/sysdeps/aarch64/dl-trampoline.S
@@ -127,7 +127,12 @@  _dl_runtime_resolve:
 	cfi_startproc
 	.align 2
 _dl_runtime_profile:
+# ifdef HAVE_AARCH64_PAC_RET
+	PACIASP
+	cfi_window_save
+# else
 	BTI_C
+# endif
 	/* AArch64 we get called with:
 	   ip0		&PLTGOT[2]
 	   ip1		temp(dl resolver entry point)
@@ -239,8 +244,17 @@  _dl_runtime_profile:
 	cfi_restore(x29)
 	cfi_restore(x30)
 
+# ifdef HAVE_AARCH64_PAC_RET
+	add	sp, sp, SF_SIZE
+	cfi_adjust_cfa_offset (-SF_SIZE)
+	AUTIASP
+	cfi_window_save
+	add	sp, sp, 16
+	cfi_adjust_cfa_offset (-16)
+# else
 	add	sp, sp, SF_SIZE + 16
 	cfi_adjust_cfa_offset (- SF_SIZE - 16)
+# endif
 
 	/* Jump to the newly found address.  */
 	br	ip0
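Review bot: The PAC-RET branch splits the single `add sp, sp, SF_SIZE + 16` into two steps around `AUTIASP` without saying why. The likely reason is that `AUTIASP` uses sp as its modifier, so it must run while sp equals the value it had at the `PACIASP` on entry. That point is after the SF_SIZE frame is released but before the 16 bytes presumably pushed by the PLT stub are dropped. A later cleanup that merges the two adds would make authentication fail on PAC-capable hardware, so the ordering deserves a comment: `/* AUTIASP needs sp as it was at PACIASP: frame popped, PLT slot still on the stack.  */`. The function entry is outside this hunk.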
@@ -287,6 +301,10 @@  _dl_runtime_profile:
 	/* LR from within La_aarch64_reg */
 	ldr	lr, [x29, #OFFSET_RG + DL_OFFSET_RG_LR]
 	cfi_restore(lr)
+# ifdef HAVE_AARCH64_PAC_RET
+	/* Note: LR restored from La_aarch64_reg has no PAC.  */
+	cfi_window_save
+# endif
 	mov	sp, x29
 	cfi_def_cfa_register (sp)
 	ldr	x29, [x29, #0]
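Review bot: On this exit path of `_dl_runtime_profile`, LR is loaded from the `La_aarch64_reg` area with a plain `ldr` and no `AUTIASP` follows, so the return address used here is not covered by pac-ret. The added note says the value has no PAC, but only to justify the CFI toggle; it should also state the consequence, e.g. `/* LR is reloaded unsigned from La_aarch64_reg, so this return path is not authenticated by pac-ret.  */`. If that structure can be modified by audit modules, which the hunk does not show, that would be worth mentioning in the same comment. The rest of the epilogue lies outside the hunk.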
diff --git a/sysdeps/aarch64/sysdep.h b/sysdeps/aarch64/sysdep.h
index 086fc84b53..c51572a690 100644
--- a/sysdeps/aarch64/sysdep.h
+++ b/sysdeps/aarch64/sysdep.h
@@ -45,6 +45,10 @@ 
 #define BTI_C		hint	34
 #define BTI_J		hint	36
 
+/* Return address signing support (pac-ret).  */
+#define PACIASP		hint	25
+#define AUTIASP		hint	29
+
 /* GNU_PROPERTY_AARCH64_* macros from elf.h for use in asm code.  */
 #define FEATURE_1_AND 0xc0000000
 #define FEATURE_1_BTI 1
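Review bot: The new `PACIASP` and `AUTIASP` macros are spelled as raw `hint` numbers with no explanation of that choice. Hint-space encodings assemble without pointer-authentication support in the assembler and execute as NOP on cores that lack the feature, which is what allows the signed code to run everywhere. I would extend the comment to `/* Return address signing support (pac-ret).  Encoded as hints so they assemble with any toolchain and are NOPs without PAC.  */`.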
@@ -66,7 +70,9 @@ 
 
 /* Add GNU property note with the supported features to all asm code
    where sysdep.h is included.  */
-#if defined HAVE_AARCH64_BTI
+#if defined HAVE_AARCH64_BTI && defined HAVE_AARCH64_PAC_RET
+GNU_PROPERTY (FEATURE_1_AND, FEATURE_1_BTI|FEATURE_1_PAC)
+#elif defined HAVE_AARCH64_BTI
 GNU_PROPERTY (FEATURE_1_AND, FEATURE_1_BTI)
 #endif