public inbox for gcc-patches@gcc.gnu.org
From: Richard Earnshaw <Richard.Earnshaw@foss.arm.com>
To: Andrea Corallo <andrea.corallo@arm.com>
Cc: Andrea Corallo via Gcc-patches <gcc-patches@gcc.gnu.org>,
	Richard Earnshaw <Richard.Earnshaw@arm.com>, nd <nd@arm.com>
Subject: Re: [PATCH 10/15 V4] arm: Implement cortex-M return signing address codegen
Date: Tue, 6 Dec 2022 16:24:21 +0000	[thread overview]
Message-ID: <4917eabd-7b0b-a402-3680-f5591a7bb039@foss.arm.com> (raw)
In-Reply-To: <gkrr0xcttzo.fsf@arm.com>



On 06/12/2022 15:46, Andrea Corallo wrote:
> Hi Richard,
> 
> thanks for reviewing.
> 
> Just one clarification before I complete the respin of this patch.
> 
> Richard Earnshaw <Richard.Earnshaw@foss.arm.com> writes:
> 
> [...]
> 
>> Also, I think (out of an abundance of caution) we really need a
>> scheduling barrier placed before calls to gen_aut_nop() pattern is
>> emitted, to ensure that the scheduler never tries to move this
>> instruction away from the position we place it.  Use gen_blockage()
>> for that (see TARGET_SCHED_PROLOG).  Alternatively, we could make the
>> UNSPEC_PAC_NOP an unspec_volatile, which has the same effect (IIRC)
>> without needing an additional insn - if you use this approach, then
>> please make sure this is explained in a comment.
>>
>> +(define_insn "pacbti_nop"
>> +  [(set (reg:SI IP_REGNUM)
>> +	(unspec:SI [(reg:SI SP_REGNUM) (reg:SI LR_REGNUM)]
>> +		   UNSPEC_PACBTI_NOP))]
>> +  "arm_arch8m_main"
>> +  "pacbti\t%|ip, %|lr, %|sp"
>> +  [(set_attr "conds" "unconditional")])
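Review bot: `pacbti_nop` is written as a plain `unspec`, so the only ordering constraints the scheduler sees are the reads of sp and lr and the write of ip; an instruction that touches none of those (the `ldr r3, [r3]` example in this thread) could legally be hoisted above it, which breaks the landing-pad requirement. Use `unspec_volatile` here, as the review text already asks for `gen_aut_nop()`, and put a comment on the pattern stating that the instruction is a BTI landing pad so the reason for the volatility survives later edits.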
>>
>> The additional side-effect of this being a BTI landing pad means that
>> we mustn't move any other instruction before it.  So I think this
>> needs to be an unspec_volatile as well.
> 
> IIUC from this we want to make all the three (UNSPEC_PAC_NOP,
> UNSPEC_PACBTI_NOP, UNSPEC_AUT_NOP) unspec volatile, correct?

UNSPEC_PAC_NOP doesn't need to be volatile. The register constraints 
will be enough to ensure it is run before any instruction that consumes 
the result it produces.

UNSPEC_PACBTI_NOP needs to be volatile, as it's essential that when we 
have an instruction (for example ldr r3, [r3]) early in the program that 
doesn't interact with the prologue, it cannot be migrated before the 
BTI: the BTI is a landing pad and must be the first instruction in the 
function.  This is why UNSPEC_PACBTI_NOP is volatile.

UNSPEC_AUT_NOP must be volatile because we want to ensure that no 
instruction is moved after this one and before the return as that might 
expose a ROP gadget to hackers.

R.

> 
> IIUC correctly the scheduler should not reorder them as we have
> expressed which register they consume and produce but is for double
> caution correct?
> 
>> On the tests, they are OK as they stand, but we lack anything that
>> will be tested when suitable hardware is unavailable (all tests are
>> "dg-do run").  Can we please have some compile-only tests as well?
> 
> Ack.
> 
> BR
> 
>    Andrea
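
As an added example (not code from this thread and not part of GCC), the following Python script checks compiled output for the two placement invariants Richard describes: a `pacbti` landing pad must be the first instruction of its function, and nothing may sit between `aut` and the return. It parses constructed objdump-style disassembly (assumption: the address, mnemonic and operand columns of `objdump -d`, with the raw encoding column omitted); the function names, addresses and the two deliberately wrong orderings are made up, and only `bx lr` and `pop {..., pc}` are recognised as returns.

```python
import re
from typing import Dict, List, Tuple

# Constructed objdump-style disassembly of three functions (assumption: the
# address / mnemonic / operand columns of "objdump -d", raw encodings omitted).
# Not real compiler output: names, addresses and the two bad orderings are
# made up to exercise the checks.
SAMPLE_DISASM = """\
00000100 <good_fn>:
     100:   pacbti  ip, lr, sp
     104:   push    {r3, ip, lr}
     108:   ldr     r3, [r3]
     10c:   pop     {r3, ip, lr}
     110:   aut     ip, lr, sp
     114:   bx      lr

00000200 <hoisted_load>:
     200:   ldr     r3, [r3]
     204:   pacbti  ip, lr, sp
     208:   push    {r3, ip, lr}
     20c:   pop     {r3, ip, lr}
     210:   aut     ip, lr, sp
     214:   bx      lr

00000300 <sunk_past_aut>:
     300:   pacbti  ip, lr, sp
     304:   push    {r3, ip, lr}
     308:   pop     {r3, ip, lr}
     30c:   aut     ip, lr, sp
     310:   ldr     r3, [r3]
     314:   bx      lr
"""

FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(\S+)\s*(.*?)\s*$")

Insn = Tuple[int, str, str]  # (address, mnemonic, operand string)


def parse_disasm(text: str) -> Dict[str, List[Insn]]:
    """Group instruction lines under the function header they follow."""
    funcs: Dict[str, List[Insn]] = {}
    current = None
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(2)
            funcs[current] = []
            continue
        m = INSN_RE.match(line)
        if m and current is not None:
            funcs[current].append((int(m.group(1), 16), m.group(2), m.group(3)))
    return funcs


def is_return(mnemonic: str, operands: str) -> bool:
    """Recognise the two return forms used in the sample: bx lr and pop {..., pc}."""
    if mnemonic == "bx" and operands == "lr":
        return True
    return mnemonic.startswith("pop") and re.search(r"\bpc\b", operands) is not None


def check_function(insns: List[Insn]) -> List[str]:
    """Report violations of the PAC/BTI placement invariants for one function."""
    findings: List[str] = []
    if not insns:
        return findings
    mnemonics = [m for _, m, _ in insns]

    # Invariant 1: pacbti is the BTI landing pad, so nothing may be hoisted above it.
    if "pacbti" in mnemonics and mnemonics[0] != "pacbti":
        findings.append(
            f"{mnemonics[0]} at {insns[0][0]:#x} precedes pacbti (landing pad is not first)"
        )

    # Invariant 2: aut must sit directly before the return; anything placed
    # between them runs after the authentication check has already happened.
    signed = "pacbti" in mnemonics or "pac" in mnemonics
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem == "aut":
            nxt = insns[i + 1] if i + 1 < len(insns) else None
            if nxt is None or not is_return(nxt[1], nxt[2]):
                findings.append(f"aut at {addr:#x} is not immediately followed by a return")
        elif signed and is_return(mnem, ops):
            prev = insns[i - 1] if i > 0 else None
            if prev is None or prev[1] != "aut":
                findings.append(f"return at {addr:#x} is not immediately preceded by aut")
    return findings


def check_disasm(text: str) -> Dict[str, List[str]]:
    """Run the checks over every function in an objdump-style listing."""
    return {name: check_function(insns) for name, insns in parse_disasm(text).items()}


if __name__ == "__main__":
    for name, findings in check_disasm(SAMPLE_DISASM).items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
```

Run against the sample, `good_fn` is clean, `hoisted_load` is flagged because the load was scheduled above the landing pad, and `sunk_past_aut` is flagged twice (once for the `aut`, once for the return) because an instruction was moved between them. On a real build the listing would come from `objdump -d` of the object file and the raw-encoding column would need to be accounted for in `INSN_RE`.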

Thread overview:
2022-12-06 15:46 Andrea Corallo
2022-12-06 16:24 ` Richard Earnshaw [this message]
2022-12-06 17:19   ` Andrea Corallo
  -- strict thread matches above, loose matches on Subject: below --
2022-08-12 14:26 [PATCH 0/15] arm: Enables return address verification and branch target identification on Cortex-M Andrea Corallo
2022-08-12 15:36 ` [PATCH 10/15] arm: Implement cortex-M return signing address codegen Andrea Corallo
2022-09-14 14:20   ` [PATCH 10/15 V2] " Andrea Corallo
2022-10-21 12:58     ` Richard Earnshaw
2022-10-26 15:48       ` Andrea Corallo
2022-10-28 16:34         ` [PATCH 10/15 V3] " Andrea Corallo
2022-11-07  8:57           ` [PATCH 10/15 V4] " Andrea Corallo
2022-12-05 16:38             ` Richard Earnshaw
