From: Andrea Corallo <andrea.corallo@arm.com>
To: Richard Earnshaw <Richard.Earnshaw@foss.arm.com>
Cc: Andrea Corallo via Gcc-patches <gcc-patches@gcc.gnu.org>,
"Richard Earnshaw" <Richard.Earnshaw@arm.com>, nd <nd@arm.com>
Subject: Re: [PATCH 10/15 V4] arm: Implement cortex-M return signing address codegen
Date: Tue, 6 Dec 2022 18:19:33 +0100 [thread overview]
Message-ID: <gkrmt80tpp6.fsf@arm.com> (raw)
In-Reply-To: <4917eabd-7b0b-a402-3680-f5591a7bb039@foss.arm.com> (Richard Earnshaw's message of "Tue, 6 Dec 2022 16:24:21 +0000")
Richard Earnshaw <Richard.Earnshaw@foss.arm.com> writes:
> On 06/12/2022 15:46, Andrea Corallo wrote:
>> Hi Richard,
>> thanks for reviewing.
>> Just one clarification before I complete the respin of this patch.
>> Richard Earnshaw <Richard.Earnshaw@foss.arm.com> writes:
>> [...]
>>
>>> Also, I think (out of an abundance of caution) we really need a
>>> scheduling barrier placed before calls to gen_aut_nop() pattern is
>>> emitted, to ensure that the scheduler never tries to move this
>>> instruction away from the position we place it. Use gen_blockage()
>>> for that (see TARGET_SCHED_PROLOG). Alternatively, we could make the
>>> UNSPEC_PAC_NOP an unspec_volatile, which has the same effect (IIRC)
>>> without needing an additional insn - if you use this approach, then
>>> please make sure this is explained in a comment.
>>>
>>> +(define_insn "pacbti_nop"
>>> + [(set (reg:SI IP_REGNUM)
>>> + (unspec:SI [(reg:SI SP_REGNUM) (reg:SI LR_REGNUM)]
>>> + UNSPEC_PACBTI_NOP))]
>>> + "arm_arch8m_main"
>>> + "pacbti\t%|ip, %|lr, %|sp"
>>> + [(set_attr "conds" "unconditional")])
>>>
>>> The additional side-effect of this being a BTI landing pad means that
>>> we mustn't move any other instruction before it. So I think this
>>> needs to be an unspec_volatile as well.
>> IIUC from this we want to make all the three (UNSPEC_PAC_NOP,
>> UNSPEC_PACBTI_NOP, UNSPEC_AUT_NOP) unspec volatile, correct?
>
> UNSPEC_PAC_NOP doesn't need to be volatile. The register constraints
> will be enough to ensure it is run before any instruction that
> consumes the result it produces.
>
> UNSPEC_PAC_BTI_NOP needs to be volatile, as it's essential that when
> we have an instruction (for example ldr r3, [r3]) early in the program
> that doesn't interact with the prologue then it cannot be migrated
> before the BTI as the BTI is a landing pad and must be the first
> instruction in the function. This is why UNSPEC_BTI_NOP is volatile.
>
> UNSPEC_AUT_NOP must be volatile because we want to ensure that no
> instruction is moved after this one and before the return as that
> might expose a ROP gadget to hackers.
>
> R.
Understood now, thanks.
Andrea
next prev parent reply other threads:[~2022-12-06 17:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-06 15:46 Andrea Corallo
2022-12-06 16:24 ` Richard Earnshaw
2022-12-06 17:19 ` Andrea Corallo [this message]
-- strict thread matches above, loose matches on Subject: below --
2022-08-12 14:26 [PATCH 0/15] arm: Enables return address verification and branch target identification on Cortex-M Andrea Corallo
2022-08-12 15:36 ` [PATCH 10/15] arm: Implement cortex-M return signing address codegen Andrea Corallo
2022-09-14 14:20 ` [PATCH 10/15 V2] " Andrea Corallo
2022-10-21 12:58 ` Richard Earnshaw
2022-10-26 15:48 ` Andrea Corallo
2022-10-28 16:34 ` [PATCH 10/15 V3] " Andrea Corallo
2022-11-07 8:57 ` [PATCH 10/15 V4] " Andrea Corallo
2022-12-05 16:38 ` Richard Earnshaw
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=gkrmt80tpp6.fsf@arm.com \
--to=andrea.corallo@arm.com \
--cc=Richard.Earnshaw@arm.com \
--cc=Richard.Earnshaw@foss.arm.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=nd@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).