[6/8,Arm.] Add pointer authentication for stack-unwinding runtime. [Was RE: [Patch 5/7, Arm. GCC] Add pointer authentication for stack-unwinding runtime.]
Commit Message
> -----Original Message-----
> From: Gcc-patches <gcc-patches-
> bounces+belagod=gcc.gnu.org@gcc.gnu.org> On Behalf Of Tejas Belagod via
> Gcc-patches
> Sent: Friday, October 8, 2021 1:18 PM
> To: gcc-patches@gcc.gnu.org
> Subject: [Patch 5/7, Arm. GCC] Add pointer authentication for stack-
> unwinding runtime.
>
> Hi,
>
> This patch adds authentication for when the stack is unwound when an
> exception is taken. All the changes here are done to the runtime code in
> libgcc's unwinder code for Arm target. All the changes are guarded under
> defined (__ARM_FEATURE_PAC_DEFAULT) and activates only if the +pacbti
> feature is switched on for the architecture. This means that switching on the
> target feature via -march or -mcpu is sufficient and -mbranch-protection
> need not be enabled. This ensures that the unwinder is authenticated only if
> the PACBTI instructions are available in the non-NOP space as it uses AUTG.
> Just generating PAC/AUT instructions using -mbranch-protection will not
> enable authentication on the unwinder.
>
> Tested on arm-none-eabi. OK for trunk?
>
> 2021-10-04 Tejas Belagod <tbelagod@arm.com>
>
> gcc/ChangeLog:
>
> * ginclude/unwind-arm-common.h (_Unwind_VRS_RegClass):
> Introduce
> new pseudo register class _UVRSC_PAC.
> * libgcc/config/arm/pr-support.c (__gnu_unwind_execute): Decode
> exception opcode (0xb4) for saving RA_AUTH_CODE and
> authenticate
> with AUTG if found.
> * libgcc/config/arm/unwind-arm.c (struct pseudo_regs): New.
> (phase1_vrs): Introduce new field to store pseudo-reg state.
> (phase2_vrs): Likewise.
> (_Unwind_VRS_Get): Load pseudo register state from virtual reg set.
> (_Unwind_VRS_Set): Store pseudo register state to virtual reg set.
> (_Unwind_VRS_Pop): Load pseudo register value from stack into
> VRS.
Rebased and respin based on reviews for previous patches.
This patch adds authentication for when the stack is unwound when
an exception is taken. All the changes here are done to the runtime
code in libgcc's unwinder code for Arm target. All the changes are
guarded under defined (__ARM_FEATURE_PAUTH) and activates only
if the +pacbti feature is switched on for the architecture. This means
that switching on the target feature via -march or -mcpu is sufficient
and -mbranch-protection need not be enabled. This ensures that the
unwinder is authenticated only if the PACBTI instructions are available
in the non-NOP space as it uses AUTG. Just generating PAC/AUT instructions
using -mbranch-protection will not enable authentication on the unwinder.
2021-10-25 Tejas Belagod <tbelagod@arm.com>
gcc/ChangeLog:
* ginclude/unwind-arm-common.h (_Unwind_VRS_RegClass): Introduce
new pseudo register class _UVRSC_PAC.
* libgcc/config/arm/pr-support.c (__gnu_unwind_execute): Decode
exception opcode (0xb4) for saving RA_AUTH_CODE and authenticate
with AUTG if found.
* libgcc/config/arm/unwind-arm.c (struct pseudo_regs): New.
(phase1_vrs): Introduce new field to store pseudo-reg state.
(phase2_vrs): Likewise.
(_Unwind_VRS_Get): Load pseudo register state from virtual reg set.
(_Unwind_VRS_Set): Store pseudo register state to virtual reg set.
(_Unwind_VRS_Pop): Load pseudo register value from stack into VRS.
Tested the following configurations, OK for trunk?
-mthumb/-march=armv8.1-m.main+pacbti/-mfloat-abi=soft
-marm/-march=armv7-a/-mfpu=vfpv3-d16/-mfloat-abi=softfp
mcmodel=small and tiny
aarch64-none-linux-gnu native test and bootstrap
Thanks,
Tejas.
Comments
On 28/10/2021 12:43, Tejas Belagod via Gcc-patches wrote:
>
>
>> -----Original Message-----
>> From: Gcc-patches <gcc-patches-
>> bounces+belagod=gcc.gnu.org@gcc.gnu.org> On Behalf Of Tejas Belagod via
>> Gcc-patches
>> Sent: Friday, October 8, 2021 1:18 PM
>> To: gcc-patches@gcc.gnu.org
>> Subject: [Patch 5/7, Arm. GCC] Add pointer authentication for stack-
>> unwinding runtime.
>>
>> Hi,
>>
>> This patch adds authentication for when the stack is unwound when an
>> exception is taken. All the changes here are done to the runtime code in
>> libgcc's unwinder code for Arm target. All the changes are guarded under
>> defined (__ARM_FEATURE_PAC_DEFAULT) and activates only if the +pacbti
>> feature is switched on for the architecture. This means that switching on the
>> target feature via -march or -mcpu is sufficient and -mbranch-protection
>> need not be enabled. This ensures that the unwinder is authenticated only if
>> the PACBTI instructions are available in the non-NOP space as it uses AUTG.
>> Just generating PAC/AUT instructions using -mbranch-protection will not
>> enable authentication on the unwinder.
>>
>> Tested on arm-none-eabi. OK for trunk?
>>
>> 2021-10-04 Tejas Belagod <tbelagod@arm.com>
>>
>> gcc/ChangeLog:
>>
>> * ginclude/unwind-arm-common.h (_Unwind_VRS_RegClass):
>> Introduce
>> new pseudo register class _UVRSC_PAC.
>> * libgcc/config/arm/pr-support.c (__gnu_unwind_execute): Decode
>> exception opcode (0xb4) for saving RA_AUTH_CODE and
>> authenticate
>> with AUTG if found.
>> * libgcc/config/arm/unwind-arm.c (struct pseudo_regs): New.
>> (phase1_vrs): Introduce new field to store pseudo-reg state.
>> (phase2_vrs): Likewise.
>> (_Unwind_VRS_Get): Load pseudo register state from virtual reg set.
>> (_Unwind_VRS_Set): Store pseudo register state to virtual reg set.
>> (_Unwind_VRS_Pop): Load pseudo register value from stack into
>> VRS.
>
> Rebased and respin based on reviews for previous patches.
>
> This patch adds authentication for when the stack is unwound when
> an exception is taken. All the changes here are done to the runtime
> code in libgcc's unwinder code for Arm target. All the changes are
> guarded under defined (__ARM_FEATURE_PAUTH) and activates only
> if the +pacbti feature is switched on for the architecture. This means
> that switching on the target feature via -march or -mcpu is sufficient
> and -mbranch-protection need not be enabled. This ensures that the
> unwinder is authenticated only if the PACBTI instructions are available
> in the non-NOP space as it uses AUTG. Just generating PAC/AUT instructions
> using -mbranch-protection will not enable authentication on the unwinder.
>
> 2021-10-25 Tejas Belagod <tbelagod@arm.com>
>
> gcc/ChangeLog:
>
> * ginclude/unwind-arm-common.h (_Unwind_VRS_RegClass): Introduce
> new pseudo register class _UVRSC_PAC.
> * libgcc/config/arm/pr-support.c (__gnu_unwind_execute): Decode
> exception opcode (0xb4) for saving RA_AUTH_CODE and authenticate
> with AUTG if found.
> * libgcc/config/arm/unwind-arm.c (struct pseudo_regs): New.
> (phase1_vrs): Introduce new field to store pseudo-reg state.
> (phase2_vrs): Likewise.
> (_Unwind_VRS_Get): Load pseudo register state from virtual reg set.
> (_Unwind_VRS_Set): Store pseudo register state to virtual reg set.
> (_Unwind_VRS_Pop): Load pseudo register value from stack into VRS.
>
> Tested the following configurations, OK for trunk?
>
> -mthumb/-march=armv8.1-m.main+pacbti/-mfloat-abi=soft
> -marm/-march=armv7-a/-mfpu=vfpv3-d16/-mfloat-abi=softfp
> mcmodel=small and tiny
> aarch64-none-linux-gnu native test and bootstrap
>
> Thanks,
> Tejas.
>
I'd like to try to get rid of most of the ifdefs from this patch; at
least, it shouldn't be using the ACLE PAUTH feature. The unwinder
should be able to cope with any unwind sequence thrown at it.
Things are a little more complicated for pointer authentication, though,
because some operations in the main code constructing the frame may be
using architectural NOP instructions, while the unwinder cannot do the
validation using only the architectural NOPs.
So we need a fall-back: if the unwinder is built without the PAUTH
feature it needs to unwind the pauth frames without the additional
validation (but it still needs to be able to handle them).
So the only remaining question is whether the additional support should
only be enabled for M-profile targets, or whether we should just put
this code into all builds of the unwinder. I'm not sure I have a
complete answer to that. My inclination is to put it in unconditionally
- we haven't had conditionals for any other optional architecture
feature before. If something similar is added for A/R-profiles, then
either we will share the code exactly, or we'll end up with a different
unwind code to use as a suitable discriminator.
R.
@@ -127,7 +127,10 @@ extern "C" {
_UVRSC_VFP = 1, /* vfp */
_UVRSC_FPA = 2, /* fpa */
_UVRSC_WMMXD = 3, /* Intel WMMX data register */
- _UVRSC_WMMXC = 4 /* Intel WMMX control register */
+ _UVRSC_WMMXC = 4, /* Intel WMMX control register */
+#if defined(__ARM_FEATURE_PAUTH)
+ _UVRSC_PAC = 5 /* Armv8.1-M Mainline PAC/AUTH pseudo-register */
+#endif
}
_Unwind_VRS_RegClass;
@@ -106,6 +106,9 @@ __gnu_unwind_execute (_Unwind_Context * context, __gnu_unwind_state * uws)
{
_uw op;
int set_pc;
+#if defined(__ARM_FEATURE_PAUTH)
+ int set_pac = 0;
+#endif
_uw reg;
set_pc = 0;
@@ -114,6 +117,22 @@ __gnu_unwind_execute (_Unwind_Context * context, __gnu_unwind_state * uws)
op = next_unwind_byte (uws);
if (op == CODE_FINISH)
{
+#if defined(__ARM_FEATURE_PAUTH)
+ /* When we reach end, we have to authenticate R12 we just popped earlier. */
+ if (set_pac)
+ {
+ _uw sp;
+ _uw lr;
+ _uw pac;
+ _Unwind_VRS_Get (context, _UVRSC_CORE, R_SP, _UVRSD_UINT32, &sp);
+ _Unwind_VRS_Get (context, _UVRSC_CORE, R_LR, _UVRSD_UINT32, &lr);
+ _Unwind_VRS_Get (context, _UVRSC_PAC, R_IP,
+ _UVRSD_UINT32, &pac);
+ __asm__ __volatile__
+ ("autg %0, %1, %2" : : "r"(pac), "r"(lr), "r"(sp) :);
+ }
+#endif
+
/* If we haven't already set pc then copy it from lr. */
if (!set_pc)
{
@@ -227,6 +246,19 @@ __gnu_unwind_execute (_Unwind_Context * context, __gnu_unwind_state * uws)
return _URC_FAILURE;
continue;
}
+#if defined(__ARM_FEATURE_PAUTH)
+ /* Pop PAC off the stack into VRS pseudo.pac. */
+ if (op == 0xb4)
+ {
+ if (_Unwind_VRS_Pop (context, _UVRSC_PAC, 0, _UVRSD_UINT32)
+ != _UVRSR_OK)
+ return _URC_FAILURE;
+ set_pac = 1;
+ continue;
+ }
+
+#endif
+
if ((op & 0xfc) == 0xb4) /* Obsolete FPA. */
return _URC_FAILURE;
@@ -64,6 +64,14 @@ struct wmmxc_regs
_uw wc[4];
};
+#if defined(__ARM_FEATURE_PAUTH)
+/* Holds value of pseudo registers eg. PAC. */
+struct pseudo_regs
+{
+ _uw pac;
+};
+#endif
+
/* The ABI specifies that the unwind routines may only use core registers,
except when actually manipulating coprocessor state. This allows
us to write one implementation that works on all platforms by
@@ -78,6 +86,11 @@ typedef struct
/* The first fields must be the same as a phase2_vrs. */
_uw demand_save_flags;
struct core_regs core;
+#if defined(__ARM_FEATURE_PAUTH)
+ /* Armv8.1-M Mainline PAC/AUTH values. This field should be in the same field
+ order as phase2_vrs. */
+ struct pseudo_regs pseudo;
+#endif
_uw prev_sp; /* Only valid during forced unwinding. */
struct vfp_regs vfp;
struct vfpv3_regs vfp_regs_16_to_31;
@@ -99,6 +112,9 @@ typedef struct
{
_uw demand_save_flags;
struct core_regs core;
+#if defined(__ARM_FEATURE_PAUTH)
+ struct pseudo_regs pac;
+#endif
} phase2_vrs;
/* Coprocessor register state manipulation functions. */
@@ -175,6 +191,12 @@ _Unwind_VRS_Result _Unwind_VRS_Get (_Unwind_Context *context,
case _UVRSC_WMMXC:
return _UVRSR_NOT_IMPLEMENTED;
+#if defined(__ARM_FEATURE_PAUTH)
+ case _UVRSC_PAC:
+ *(_uw *) valuep = vrs->pseudo.pac;
+ return _UVRSR_OK;
+#endif
+
default:
return _UVRSR_FAILED;
}
@@ -206,6 +228,12 @@ _Unwind_VRS_Result _Unwind_VRS_Set (_Unwind_Context *context,
case _UVRSC_WMMXC:
return _UVRSR_NOT_IMPLEMENTED;
+#if defined(__ARM_FEATURE_PAUTH)
+ case _UVRSC_PAC:
+ vrs->pseudo.pac = *(_uw *) valuep;
+ return _UVRSR_OK;
+#endif
+
default:
return _UVRSR_FAILED;
}
@@ -246,6 +274,16 @@ _Unwind_VRS_Result _Unwind_VRS_Pop (_Unwind_Context *context,
}
return _UVRSR_OK;
+#if defined(__ARM_FEATURE_PAUTH)
+ case _UVRSC_PAC:
+ {
+ if (discriminator != 0)
+ return _UVRSR_FAILED;
+ vrs->pseudo.pac = *(_uw *) vrs->core.r[R_SP];
+ return _UVRSR_OK;
+ }
+#endif
+
case _UVRSC_VFP:
{
_uw start = discriminator >> 16;