From: Andrea Corallo
To: Richard Earnshaw
CC: Richard Earnshaw via Gcc-patches, "Tejas Belagod", Richard Earnshaw
Subject: Re: [Patch 6/8 V2] Arm: Add pointer authentication for stack-unwinding runtime.
References: <85f6fc81-2e00-789d-174d-546a1e79dcba@foss.arm.com> <510336ce-5280-bb7d-70c2-49f2dcd7db62@foss.arm.com>
Date: Fri, 10 Dec 2021 15:29:13 +0100
In-Reply-To: <510336ce-5280-bb7d-70c2-49f2dcd7db62@foss.arm.com> (Richard Earnshaw's message of "Fri, 10 Dec 2021 12:15:23 +0000")

Richard Earnshaw writes:

> On 09/12/2021 17:36, Andrea Corallo via Gcc-patches wrote:
>> Richard Earnshaw via Gcc-patches writes:
>>
>>> On 28/10/2021 12:43, Tejas Belagod via Gcc-patches wrote:
>>>>
>>>>> -----Original Message-----
>>>>> From: Gcc-patches
>>>>> bounces+belagod=gcc.gnu.org@gcc.gnu.org> On Behalf Of Tejas Belagod via
>>>>> Gcc-patches
>>>>> Sent: Friday, October 8, 2021 1:18 PM
>>>>> To: gcc-patches@gcc.gnu.org
>>>>> Subject: [Patch 5/7, Arm. GCC] Add pointer authentication for stack-unwinding runtime.
>>>>>
>>>>> Hi,
>>>>>
>>>>> This patch adds authentication for when the stack is unwound when an
>>>>> exception is taken. All the changes here are done to the runtime code in
>>>>> libgcc's unwinder code for Arm target. All the changes are guarded under
>>>>> defined (__ARM_FEATURE_PAC_DEFAULT) and activate only if the +pacbti
>>>>> feature is switched on for the architecture. This means that switching on the
>>>>> target feature via -march or -mcpu is sufficient and -mbranch-protection
>>>>> need not be enabled. This ensures that the unwinder is authenticated only if
>>>>> the PACBTI instructions are available in the non-NOP space as it uses AUTG.
>>>>> Just generating PAC/AUT instructions using -mbranch-protection will not
>>>>> enable authentication on the unwinder.
>>>>>
>>>>> Tested on arm-none-eabi. OK for trunk?
>>>>>
>>>>> 2021-10-04 Tejas Belagod
>>>>>
>>>>> gcc/ChangeLog:
>>>>>
>>>>>   * ginclude/unwind-arm-common.h (_Unwind_VRS_RegClass): Introduce
>>>>>   new pseudo register class _UVRSC_PAC.
>>>>>   * libgcc/config/arm/pr-support.c (__gnu_unwind_execute): Decode
>>>>>   exception opcode (0xb4) for saving RA_AUTH_CODE and authenticate
>>>>>   with AUTG if found.
>>>>>   * libgcc/config/arm/unwind-arm.c (struct pseudo_regs): New.
>>>>>   (phase1_vrs): Introduce new field to store pseudo-reg state.
>>>>>   (phase2_vrs): Likewise.
>>>>>   (_Unwind_VRS_Get): Load pseudo register state from virtual reg set.
>>>>>   (_Unwind_VRS_Set): Store pseudo register state to virtual reg set.
>>>>>   (_Unwind_VRS_Pop): Load pseudo register value from stack into
>>>>>   VRS.
>>>> Rebased and respun based on reviews for previous patches.
>>>> This patch adds authentication for when the stack is unwound when
>>>> an exception is taken. All the changes here are done to the runtime
>>>> code in libgcc's unwinder code for Arm target. All the changes are
>>>> guarded under defined (__ARM_FEATURE_PAUTH) and activate only
>>>> if the +pacbti feature is switched on for the architecture. This means
>>>> that switching on the target feature via -march or -mcpu is sufficient
>>>> and -mbranch-protection need not be enabled. This ensures that the
>>>> unwinder is authenticated only if the PACBTI instructions are available
>>>> in the non-NOP space as it uses AUTG. Just generating PAC/AUT instructions
>>>> using -mbranch-protection will not enable authentication on the unwinder.
>>>>
>>>> 2021-10-25 Tejas Belagod
>>>>
>>>> gcc/ChangeLog:
>>>>
>>>>   * ginclude/unwind-arm-common.h (_Unwind_VRS_RegClass): Introduce
>>>>   new pseudo register class _UVRSC_PAC.
>>>>   * libgcc/config/arm/pr-support.c (__gnu_unwind_execute): Decode
>>>>   exception opcode (0xb4) for saving RA_AUTH_CODE and authenticate
>>>>   with AUTG if found.
>>>>   * libgcc/config/arm/unwind-arm.c (struct pseudo_regs): New.
>>>>   (phase1_vrs): Introduce new field to store pseudo-reg state.
>>>>   (phase2_vrs): Likewise.
>>>>   (_Unwind_VRS_Get): Load pseudo register state from virtual reg set.
>>>>   (_Unwind_VRS_Set): Store pseudo register state to virtual reg set.
>>>>   (_Unwind_VRS_Pop): Load pseudo register value from stack into VRS.
>>>>
>>>> Tested the following configurations, OK for trunk?
>>>> -mthumb/-march=armv8.1-m.main+pacbti/-mfloat-abi=soft
>>>> -marm/-march=armv7-a/-mfpu=vfpv3-d16/-mfloat-abi=softfp
>>>> mcmodel=small and tiny
>>>> aarch64-none-linux-gnu native test and bootstrap
>>>>
>>>> Thanks,
>>>> Tejas.
>>>>
>>
>>> I'd like to try to get rid of most of the ifdefs from this patch; at
>>> least, it shouldn't be using the ACLE PAUTH feature. The unwinder
>>> should be able to cope with any unwind sequence thrown at it.
>>>
>>> Things are a little more complicated for pointer authentication,
>>> though, because some operations in the main code constructing the
>>> frame may be using architectural NOP instructions, while the unwinder
>>> cannot do the validation using only the architectural NOPs.
>>>
>>> So we need a fall-back: if the unwinder is built without the PAUTH
>>> feature it needs to unwind the pauth frames without the additional
>>> validation (but it still needs to be able to handle them).
>>>
>>> So the only remaining question is whether the additional support
>>> should only be enabled for M-profile targets, or whether we should
>>> just put this code into all builds of the unwinder. I'm not sure I
>>> have a complete answer to that. My inclination is to put it in
>>> unconditionally - we haven't had conditionals for any other optional
>>> architecture feature before. If something similar is added for
>>> A/R-profiles, then either we will share the code exactly, or we'll end
>>> up with a different unwind code to use as a suitable discriminator.
>>>
>>> R.
>> Hi Richard,
>> thanks for reviewing.
>> The attached patch implements what I think we want. The unwinder is
>> always able to unwind the stack but will perform authentication only if
>> built with PACBTI support.
>> WDYT?
>> Thanks
>> Andrea
>> > > > @@ -114,6 +115,22 @@ __gnu_unwind_execute (_Unwind_Context * context, > __gnu_unwind_state * uws) > op = next_unwind_byte (uws); > if (op == CODE_FINISH) > { > + /* When we reach end, we have to authenticate R12 we just > popped earlier. */ > + if (set_pac) > + { > +#if defined(TARGET_HAVE_PACBTI) > + _uw sp; > + _uw lr; > + _uw pac; > + _Unwind_VRS_Get (context, _UVRSC_CORE, R_SP, _UVRSD_UINT32, &sp); > + _Unwind_VRS_Get (context, _UVRSC_CORE, R_LR, _UVRSD_UINT32, &lr); > + _Unwind_VRS_Get (context, _UVRSC_PAC, R_IP, > + _UVRSD_UINT32, &pac); > + __asm__ __volatile__ > + ("autg %0, %1, %2" : : "r"(pac), "r"(lr), "r"(sp) ; > +#endif > + } > + > > You would be better moving the ifdef outside of the 'if (set_pac)' > clause, which becomes empty otherwise. Also, I think a comment here > is warranted that, while the check provides additional security > against a corrupted unwind chain, it isn't essential for correct > unwinding of an uncorrupted chain. > > Otherwise, this is ok. Will do thanks. Andrea
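Review bot: the inline asm inside the `#if defined(TARGET_HAVE_PACBTI)` block has unbalanced parentheses. The statement `("autg %0, %1, %2" : : "r"(pac), "r"(lr), "r"(sp) ;` opens the operand list with `(` and never closes it before the `;`, so this path will not compile in exactly the configuration where authentication is supposed to run; it should end `"r"(sp));`. Separately, the three `_Unwind_VRS_Get` calls in the same block discard their return values, so if any of them fails, `autg` is executed on an uninitialised `sp`, `lr` or `pac`. Checking each result and failing the unwind before reaching `autg` would keep the authentication step from acting on garbage values.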