* [PATCH v2] gdb/arm: Fix M-profile EXC_RETURN exception_domain_is_secure logic
@ 2022-10-22 8:07 Tomas Vanek
2022-10-22 8:07 ` Tomas Vanek
2022-10-22 8:11 ` Torbjorn SVENSSON
0 siblings, 2 replies; 5+ messages in thread
From: Tomas Vanek @ 2022-10-22 8:07 UTC (permalink / raw)
To: gdb-patches
Arm v8-M Architecture Reference Manual,
D1.2.95 EXC_RETURN, Exception Return Payload
describes ES bit:
"ES, bit [0]
Exception Secure. The security domain the exception was taken to.
The possible values of this bit are:
0 Non-secure.
1 Secure"
arm-tdep.c:3443, arm_m_exception_cache () function tests this bit:
exception_domain_is_secure = (bit (lr, 0) == 0);
The test is negated!
Later on line 3553, the condition evaluates if an additional state
context is stacked:
/* With the Security extension, the hardware saves R4..R11 too. */
if (tdep->have_sec_ext && secure_stack_used
&& (!default_callee_register_stacking || exception_domain_is_secure))
RM, B3.19 Exception entry, context stacking
reads:
RPLHM "In a PE with the Security Extension, on taking an exception,
the PE hardware:
...
2. If exception entry requires a transition from Secure state to
Non-secure state, the PE hardware extends the stack frame and also
saves additional state context."
So we should test for !exception_domain_is_secure instead of non-negated
value!
These two bugs compensate each other so unstacking works correctly.
But another test of exception_domain_is_secure (negated due to the
first bug) prevents arm_unwind_secure_frames to work as expected:
/* Unwinding from non-secure to secure can trip security
measures. In order to avoid the debugger being
intrusive, rely on the user to configure the requested
mode. */
if (secure_stack_used && !exception_domain_is_secure
&& !arm_unwind_secure_frames)
Test with GNU gdb (GDB) 13.0.50.20221016-git.
Stopped in a non-secure handler:
(gdb) set arm unwind-secure-frames 0
(gdb) bt
#0 HAL_SYSTICK_Callback () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsmain.c:490
#1 0x0804081c in SysTick_Handler ()
at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsstm32l5xx_it.c:134
#2 <signal handler called>
#3 HAL_GPIO_ReadPin (GPIOx=0x52020800, GPIO_Pin=8192)
at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Drivers/STM32L5xx_HAL_Driver/Src/stm32l5xx_hal_gpio.c:386
#4 0x0c000338 in SECURE_Mode () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:86
#5 0x080403f2 in main () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsmain.c:278
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
The frames #3 and #4 are secure. Backtrace should stop before #3.
Stopped in a secure handler:
(gdb) bt
#0 HAL_SYSTICK_Callback () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:425
#1 0x0c000b6a in SysTick_Handler ()
at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/stm32l5xx_it.c:234
warning: Non-secure to secure stack unwinding disabled.
#2 <signal handler called>
The exception from secure to secure erroneously stops unwinding. It should
continue as far as the security unlimited backtrace:
(gdb) set arm unwind-secure-frames 1
(gdb) si <-- used to rebuild frame cache after change of unwind-secure-frames
0x0c0008e6 425 if (SecureTimingDelay != 0U)
(gdb) bt
#0 0x0c0008e6 in HAL_SYSTICK_Callback () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:425
#1 0x0c000b6a in SysTick_Handler ()
at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/stm32l5xx_it.c:234
#2 <signal handler called>
#3 0x0c000328 in SECURE_Mode () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:88
#4 0x080403f2 in main () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsmain.c:278
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Set exception_domain_is_secure to the value expected by its name.
Fix exception_domain_is_secure usage in the additional state context
stacking condition.
v2: Corrected backtrace logs in commit message
Signed-off-by: Tomas Vanek <vanekt@fbl.cz>
---
gdb/arm-tdep.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gdb/arm-tdep.c b/gdb/arm-tdep.c
index 55295e1..20b6f3f 100644
--- a/gdb/arm-tdep.c
+++ b/gdb/arm-tdep.c
@@ -3496,7 +3496,7 @@ struct frame_unwind arm_stub_unwind = {
{
secure_stack_used = (bit (lr, 6) != 0);
default_callee_register_stacking = (bit (lr, 5) != 0);
- exception_domain_is_secure = (bit (lr, 0) == 0);
+ exception_domain_is_secure = (bit (lr, 0) != 0);
/* Unwinding from non-secure to secure can trip security
measures. In order to avoid the debugger being
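Review bot: with the polarity flipped, `exception_domain_is_secure` finally agrees with the ES definition the commit message quotes (EXC_RETURN bit[0], 1 = taken to Secure), and the guard that follows this hunk, `if (secure_stack_used && !exception_domain_is_secure && !arm_unwind_secure_frames)`, now tests the Secure-to-Non-secure entry its comment describes. Since all three flags are decoded from bare bit numbers, a short comment on each assignment naming the field (S bit[6], DCRS bit[5], ES bit[0]) and the v8-M ARM section would make a future polarity slip visible at the assignment instead of in a backtrace.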
@@ -3606,7 +3606,7 @@ struct frame_unwind arm_stub_unwind = {
/* With the Security extension, the hardware saves R4..R11 too. */
if (tdep->have_sec_ext && secure_stack_used
- && (!default_callee_register_stacking || exception_domain_is_secure))
+ && (!default_callee_register_stacking || !exception_domain_is_secure))
{
/* Read R4..R11 from the integer callee registers. */
cache->saved_regs[4].set_addr (unwound_sp + 0x08);
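Review bot: the comment `/* With the Security extension, the hardware saves R4..R11 too. */` should state the condition the test now encodes, namely that an extended frame is present when the exception left the Secure stack for the Non-secure domain (S set, ES clear) or when DCRS is clear; an inverted test under a vague comment is exactly how the original bug survived review. The `unwound_sp + 0x08` offset also relies silently on the two words that precede R4..R11 in the extended frame of B3.19 (integrity signature and reserved word); naming them in the comment lets a reader check the offsets against the manual.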
--
1.9.1
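The bit decoding and the stacking rule discussed in the commit message above, as an added stand-alone model (this is not code from the gdb patch, from arm-tdep.c, or from the Arm ARM): it reproduces the pre-patch and post-patch decoding of S, DCRS and ES, the B3.19 extended-frame condition and the unwind-secure-frames guard, and checks exhaustively over the eight S/DCRS/ES combinations that the two inverted tests cancel for unstacking but not for the guard. The struct and function names, the helper `synth_exc_return` and the sample EXC_RETURN values are this example's own assumptions; the frame offsets assume no FP context (FType set).

```c
/* Added example, not code from the gdb patch or from arm-tdep.c: a model of
   the three EXC_RETURN bits arm_m_exception_cache() decodes (S bit[6],
   DCRS bit[5], ES bit[0] per the Armv8-M ARM), the B3.19 extended-frame
   rule and the unwind-secure-frames guard.  Names are this example's own. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct exc_return_flags
{
  bool secure_stack_used;                /* S: exception taken from the Secure stack. */
  bool default_callee_register_stacking; /* DCRS: 0 = R4..R11 already on the stack. */
  bool exception_domain_is_secure;       /* ES: security domain the exception was taken to. */
};

static bool bit (uint32_t v, unsigned n) { return (v >> n) & 1u; }

/* Decoding as gdb did before the patch: ES with inverted polarity. */
struct exc_return_flags decode_buggy (uint32_t lr)
{
  struct exc_return_flags f = { bit (lr, 6), bit (lr, 5), !bit (lr, 0) };
  return f;
}

/* Decoding as the patch does: ES as documented in D1.2.95. */
struct exc_return_flags decode_fixed (uint32_t lr)
{
  struct exc_return_flags f = { bit (lr, 6), bit (lr, 5), bit (lr, 0) };
  return f;
}

/* B3.19: hardware stacks R4..R11 on a Secure->Non-secure entry or when DCRS
   is clear.  Pre-patch gdb tested its (inverted) ES un-negated; the patch
   tests !ES.  Both are shown so the cancellation can be checked. */
bool extended_frame_buggy (struct exc_return_flags f)
{
  return f.secure_stack_used
         && (!f.default_callee_register_stacking || f.exception_domain_is_secure);
}

bool extended_frame_fixed (struct exc_return_flags f)
{
  return f.secure_stack_used
         && (!f.default_callee_register_stacking || !f.exception_domain_is_secure);
}

/* Guard that refuses to unwind from a Non-secure handler into Secure frames
   unless "set arm unwind-secure-frames 1"; its text is unchanged by the patch. */
bool unwind_blocked (struct exc_return_flags f, bool arm_unwind_secure_frames)
{
  return f.secure_stack_used && !f.exception_domain_is_secure
         && !arm_unwind_secure_frames;
}

/* Byte offset from the unwound SP of a hardware-saved register, -1 if the
   hardware did not save it.  Basic frame: R0-R3, R12, LR, PC, xPSR at
   +0x00..+0x1C.  Extended frame: integrity signature +0x00, reserved +0x04,
   R4..R11 +0x08..+0x24, then the basic frame at +0x28.  No FP context. */
int saved_reg_offset (struct exc_return_flags f, int regnum)
{
  bool ext = extended_frame_fixed (f);
  if (regnum >= 4 && regnum <= 11)
    return ext ? 0x08 + 4 * (regnum - 4) : -1;
  int base = ext ? 0x28 : 0x00;
  if (regnum >= 0 && regnum <= 3) return base + 4 * regnum;
  if (regnum == 12) return base + 0x10;
  if (regnum == 14) return base + 0x14; /* LR */
  if (regnum == 15) return base + 0x18; /* PC */
  return -1;
}

/* Constructed EXC_RETURN values: 0xFFFFFF9C fixes FType=1 (no FP context),
   Mode=thread and SPSEL=PSP; sel bits 2..0 select S, DCRS and ES. */
uint32_t synth_exc_return (unsigned sel)
{
  return 0xFFFFFF9Cu | ((sel & 4u) ? 1u << 6 : 0u)
                     | ((sel & 2u) ? 1u << 5 : 0u) | (sel & 1u);
}

/* Number of the eight S/DCRS/ES combinations where old and new gdb disagree
   on whether R4..R11 must be read from the frame (expected: 0, the bugs cancel). */
int count_unstacking_disagreements (void)
{
  int n = 0;
  for (unsigned sel = 0; sel < 8; sel++)
    if (extended_frame_buggy (decode_buggy (synth_exc_return (sel)))
        != extended_frame_fixed (decode_fixed (synth_exc_return (sel))))
      n++;
  return n;
}

/* Same for the guard with unwind-secure-frames off (expected: 4, every
   value with S set, which is the symptom in the commit message). */
int count_guard_disagreements (void)
{
  int n = 0;
  for (unsigned sel = 0; sel < 8; sel++)
    if (unwind_blocked (decode_buggy (synth_exc_return (sel)), false)
        != unwind_blocked (decode_fixed (synth_exc_return (sel)), false))
      n++;
  return n;
}

int main (void)
{
  printf ("EXC_RETURN   S DCRS ES  ext(old/new)  blocked(old/new)\n");
  for (unsigned sel = 0; sel < 8; sel++)
    {
      uint32_t lr = synth_exc_return (sel);
      struct exc_return_flags o = decode_buggy (lr), f = decode_fixed (lr);
      printf ("0x%08" PRIX32 "   %d  %d   %d     %d/%d            %d/%d\n", lr,
              f.secure_stack_used, f.default_callee_register_stacking,
              f.exception_domain_is_secure, extended_frame_buggy (o),
              extended_frame_fixed (f), unwind_blocked (o, false),
              unwind_blocked (f, false));
    }
  printf ("unstacking disagreements: %d, guard disagreements: %d\n",
          count_unstacking_disagreements (), count_guard_disagreements ());
  return 0;
}
```

Build with any C99 compiler and run it: the table has one row per S/DCRS/ES combination, and the last line reports 0 unstacking disagreements and 4 guard disagreements. The 0xFFFFFFFD row (S set, ES set, a Secure-to-Secure exception such as the SysTick case in the commit message) is the one where the old decode blocks unwinding and the new one does not.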
* Re: [PATCH v2] gdb/arm: Fix M-profile EXC_RETURN exception_domain_is_secure logic
2022-10-22 8:07 [PATCH v2] gdb/arm: Fix M-profile EXC_RETURN exception_domain_is_secure logic Tomas Vanek
2022-10-22 8:07 ` Tomas Vanek
@ 2022-10-22 8:11 ` Torbjorn SVENSSON
2022-10-25 13:28 ` Luis Machado
1 sibling, 1 reply; 5+ messages in thread
From: Torbjorn SVENSSON @ 2022-10-22 8:11 UTC (permalink / raw)
To: Tomas Vanek, gdb-patches
Hi Tomas,
On 2022-10-22 10:07, Tomas Vanek wrote:
> Arm v8-M Architecture Reference Manual,
> D1.2.95 EXC_RETURN, Exception Return Payload
> describes ES bit:
>
> "ES, bit [0]
> Exception Secure. The security domain the exception was taken to.
> The possible values of this bit are:
> 0 Non-secure.
> 1 Secure"
>
> arm-tdep.c:3443, arm_m_exception_cache () function tests this bit:
>
> exception_domain_is_secure = (bit (lr, 0) == 0);
>
> The test is negated!
Good catch! I'm not sure how I thought when I wrote this, but thanks for
correcting it.
>
> Later on line 3553, the condition evaluates if an additional state
> context is stacked:
>
> /* With the Security extension, the hardware saves R4..R11 too. */
> if (tdep->have_sec_ext && secure_stack_used
> && (!default_callee_register_stacking || exception_domain_is_secure))
>
> RM, B3.19 Exception entry, context stacking
> reads:
> RPLHM "In a PE with the Security Extension, on taking an exception,
> the PE hardware:
> ...
> 2. If exception entry requires a transition from Secure state to
> Non-secure state, the PE hardware extends the stack frame and also
> saves additional state context."
>
> So we should test for !exception_domain_is_secure instead of non-negated
> value!
> These two bugs compensate each other so unstacking works correctly.
>
> But another test of exception_domain_is_secure (negated due to the
> first bug) prevents arm_unwind_secure_frames to work as expected:
>
> /* Unwinding from non-secure to secure can trip security
> measures. In order to avoid the debugger being
> intrusive, rely on the user to configure the requested
> mode. */
> if (secure_stack_used && !exception_domain_is_secure
> && !arm_unwind_secure_frames)
>
> Test with GNU gdb (GDB) 13.0.50.20221016-git.
> Stopped in a non-secure handler:
>
> (gdb) set arm unwind-secure-frames 0
> (gdb) bt
> #0 HAL_SYSTICK_Callback () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsmain.c:490
> #1 0x0804081c in SysTick_Handler ()
> at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsstm32l5xx_it.c:134
> #2 <signal handler called>
> #3 HAL_GPIO_ReadPin (GPIOx=0x52020800, GPIO_Pin=8192)
> at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Drivers/STM32L5xx_HAL_Driver/Src/stm32l5xx_hal_gpio.c:386
> #4 0x0c000338 in SECURE_Mode () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:86
> #5 0x080403f2 in main () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsmain.c:278
> Backtrace stopped: previous frame inner to this frame (corrupt stack?)
>
> The frames #3 and #4 are secure. Backtrace should stop before #3.
>
> Stopped in a secure handler:
>
> (gdb) bt
> #0 HAL_SYSTICK_Callback () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:425
> #1 0x0c000b6a in SysTick_Handler ()
> at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/stm32l5xx_it.c:234
> warning: Non-secure to secure stack unwinding disabled.
> #2 <signal handler called>
>
> The exception from secure to secure erroneously stops unwinding. It should
> continue as far as the security unlimited backtrace:
>
> (gdb) set arm unwind-secure-frames 1
> (gdb) si <-- used to rebuild frame cache after change of unwind-secure-frames
Is there any way to make gdb rebuild the frame cache directly when doing
the "set arm unwind-secure-frames"? Feels dirty to do an instruction step
just to get the right trace...
Regardless of the answer to the above question, it's not something to
address in this patch.
> 0x0c0008e6 425 if (SecureTimingDelay != 0U)
> (gdb) bt
> #0 0x0c0008e6 in HAL_SYSTICK_Callback () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:425
> #1 0x0c000b6a in SysTick_Handler ()
> at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/stm32l5xx_it.c:234
> #2 <signal handler called>
> #3 0x0c000328 in SECURE_Mode () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:88
> #4 0x080403f2 in main () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsmain.c:278
>
> Backtrace stopped: previous frame inner to this frame (corrupt stack?)
>
> Set exception_domain_is_secure to the value expected by its name.
> Fix exception_domain_is_secure usage in the additional state context
> stacking condition.
>
> v2: Corrected backtrace logs in commit message
>
> Signed-off-by: Tomas Vanek <vanekt@fbl.cz>
> ---
> gdb/arm-tdep.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gdb/arm-tdep.c b/gdb/arm-tdep.c
> index 55295e1..20b6f3f 100644
> --- a/gdb/arm-tdep.c
> +++ b/gdb/arm-tdep.c
> @@ -3496,7 +3496,7 @@ struct frame_unwind arm_stub_unwind = {
> {
> secure_stack_used = (bit (lr, 6) != 0);
> default_callee_register_stacking = (bit (lr, 5) != 0);
> - exception_domain_is_secure = (bit (lr, 0) == 0);
> + exception_domain_is_secure = (bit (lr, 0) != 0);
>
> /* Unwinding from non-secure to secure can trip security
> measures. In order to avoid the debugger being
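Review bot: nothing in the existing testsuite could have caught this hunk's bug, because the mis-decoded ES and the mis-negated test in the second hunk cancelled out on the unstacking path and only the unwind-secure-frames guard exposed it; a regression test that drives the unwinder over a synthetic frame with ES set and with ES clear, checking that R4..R11 are read from the extended frame in the right case and that the `Non-secure to secure stack unwinding disabled.` warning appears only for a Secure-to-Non-secure entry, would keep the polarity from drifting back.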
> @@ -3606,7 +3606,7 @@ struct frame_unwind arm_stub_unwind = {
>
> /* With the Security extension, the hardware saves R4..R11 too. */
> if (tdep->have_sec_ext && secure_stack_used
> - && (!default_callee_register_stacking || exception_domain_is_secure))
> + && (!default_callee_register_stacking || !exception_domain_is_secure))
> {
> /* Read R4..R11 from the integer callee registers. */
> cache->saved_regs[4].set_addr (unwound_sp + 0x08);
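Review bot: the three flags this condition reads are assigned only inside the block opened in the first hunk, while the condition itself is guarded by `tdep->have_sec_ext` alone; the hunk does not show their initialisation, so it is worth confirming that on the paths that skip that block (no EXC_RETURN-shaped LR, for instance) `secure_stack_used` is false, otherwise stale values decide whether R4..R11 are read from `unwound_sp + 0x08`.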
Kind regards,
Torbjörn
* Re: [PATCH v2] gdb/arm: Fix M-profile EXC_RETURN exception_domain_is_secure logic
2022-10-22 8:11 ` Torbjorn SVENSSON
@ 2022-10-25 13:28 ` Luis Machado
2022-10-26 12:04 ` Luis Machado
0 siblings, 1 reply; 5+ messages in thread
From: Luis Machado @ 2022-10-25 13:28 UTC (permalink / raw)
To: Torbjorn SVENSSON, Tomas Vanek, gdb-patches
Hi Tomas,
On 10/22/22 09:11, Torbjorn SVENSSON via Gdb-patches wrote:
> Hi Tomas,
>
> On 2022-10-22 10:07, Tomas Vanek wrote:
>> Arm v8-M Architecture Reference Manual,
>> D1.2.95 EXC_RETURN, Exception Return Payload
>> describes ES bit:
>>
>> "ES, bit [0]
>> Exception Secure. The security domain the exception was taken to.
>> The possible values of this bit are:
>> 0 Non-secure.
>> 1 Secure"
>>
>> arm-tdep.c:3443, arm_m_exception_cache () function tests this bit:
>>
>> exception_domain_is_secure = (bit (lr, 0) == 0);
>>
>> The test is negated!
>
> Good catch! I'm not sure how I thought when I wrote this, but thanks for correcting it.
>
>>
>> Later on line 3553, the condition evaluates if an additional state
>> context is stacked:
>>
>> /* With the Security extension, the hardware saves R4..R11 too. */
>> if (tdep->have_sec_ext && secure_stack_used
>> && (!default_callee_register_stacking || exception_domain_is_secure))
>>
>> RM, B3.19 Exception entry, context stacking
>> reads:
>> RPLHM "In a PE with the Security Extension, on taking an exception,
>> the PE hardware:
>> ...
>> 2. If exception entry requires a transition from Secure state to
>> Non-secure state, the PE hardware extends the stack frame and also
>> saves additional state context."
>>
>> So we should test for !exception_domain_is_secure instead of non-negated
>> value!
>> These two bugs compensate each other so unstacking works correctly.
>>
>> But another test of exception_domain_is_secure (negated due to the
>> first bug) prevents arm_unwind_secure_frames to work as expected:
>>
>> /* Unwinding from non-secure to secure can trip security
>> measures. In order to avoid the debugger being
>> intrusive, rely on the user to configure the requested
>> mode. */
>> if (secure_stack_used && !exception_domain_is_secure
>> && !arm_unwind_secure_frames)
>>
>> Test with GNU gdb (GDB) 13.0.50.20221016-git.
>> Stopped in a non-secure handler:
>>
>> (gdb) set arm unwind-secure-frames 0
>> (gdb) bt
>> #0 HAL_SYSTICK_Callback () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsmain.c:490
>> #1 0x0804081c in SysTick_Handler ()
>> at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsstm32l5xx_it.c:134
>> #2 <signal handler called>
>> #3 HAL_GPIO_ReadPin (GPIOx=0x52020800, GPIO_Pin=8192)
>> at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Drivers/STM32L5xx_HAL_Driver/Src/stm32l5xx_hal_gpio.c:386
>> #4 0x0c000338 in SECURE_Mode () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:86
>> #5 0x080403f2 in main () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsmain.c:278
>> Backtrace stopped: previous frame inner to this frame (corrupt stack?)
>>
>> The frames #3 and #4 are secure. Backtrace should stop before #3.
>>
>> Stopped in a secure handler:
>>
>> (gdb) bt
>> #0 HAL_SYSTICK_Callback () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:425
>> #1 0x0c000b6a in SysTick_Handler ()
>> at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/stm32l5xx_it.c:234
>> warning: Non-secure to secure stack unwinding disabled.
>> #2 <signal handler called>
>>
>> The exception from secure to secure erroneously stops unwinding. It should
>> continue as far as the security unlimited backtrace:
>>
>> (gdb) set arm unwind-secure-frames 1
>> (gdb) si <-- used to rebuild frame cache after change of unwind-secure-frames
>
> Is there any way to make gdb rebuild the frame cache directly when doing the "set arm unwind-secure-frames"? Feels dirty to do an instruction step just to get the right trace...
> Regardless of the answer to the above question, it's not something to address in this patch.
>
I'm not sure we want to be this intrusive, but there is the "maint flush register-cache" command that flushes the register cache and forces GDB to fetch
everything on a new backtrace command.
maintenance flush register-cache -- Force gdb to flush its register and frame cache.
We could tie changes to unwind-secure-frames to flushing the cache, but my initial thought is that it is a bit too invasive.
>> 0x0c0008e6 425 if (SecureTimingDelay != 0U)
>> (gdb) bt
>> #0 0x0c0008e6 in HAL_SYSTICK_Callback () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:425
>> #1 0x0c000b6a in SysTick_Handler ()
>> at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/stm32l5xx_it.c:234
>> #2 <signal handler called>
>> #3 0x0c000328 in SECURE_Mode () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/Secure/Src/main.c:88
>> #4 0x080403f2 in main () at C:/dvl/stm32l5trustzone/GPIO_IOToggle_TrustZone/NonSecure/Src/nsmain.c:278
>>
>> Backtrace stopped: previous frame inner to this frame (corrupt stack?)
>>
>> Set exception_domain_is_secure to the value expected by its name.
>> Fix exception_domain_is_secure usage in the additional state context
>> stacking condition.
>>
>> v2: Corrected backtrace logs in commit message
>>
>> Signed-off-by: Tomas Vanek <vanekt@fbl.cz>
>> ---
>> gdb/arm-tdep.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/gdb/arm-tdep.c b/gdb/arm-tdep.c
>> index 55295e1..20b6f3f 100644
>> --- a/gdb/arm-tdep.c
>> +++ b/gdb/arm-tdep.c
>> @@ -3496,7 +3496,7 @@ struct frame_unwind arm_stub_unwind = {
>> {
>> secure_stack_used = (bit (lr, 6) != 0);
>> default_callee_register_stacking = (bit (lr, 5) != 0);
>> - exception_domain_is_secure = (bit (lr, 0) == 0);
>> + exception_domain_is_secure = (bit (lr, 0) != 0);
>> /* Unwinding from non-secure to secure can trip security
>> measures. In order to avoid the debugger being
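Review bot: this one-character change is the user-visible fix, since the inverted ES is what produced the spurious `warning: Non-secure to secure stack unwinding disabled.` on a Secure-to-Secure exception in the commit message's second backtrace; the commit message names only a 13.0.50 snapshot, so it should also say which released GDB first shipped the inverted test, so stable branches know whether to pick this up.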
>> @@ -3606,7 +3606,7 @@ struct frame_unwind arm_stub_unwind = {
>> /* With the Security extension, the hardware saves R4..R11 too. */
>> if (tdep->have_sec_ext && secure_stack_used
>> - && (!default_callee_register_stacking || exception_domain_is_secure))
>> + && (!default_callee_register_stacking || !exception_domain_is_secure))
>> {
>> /* Read R4..R11 from the integer callee registers. */
>> cache->saved_regs[4].set_addr (unwound_sp + 0x08);
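Review bot: the read of R4..R11 from `unwound_sp + 0x08` trusts the decoded flags completely; the extended frame this condition selects begins with an integrity signature word at `unwound_sp`, so reading that word and refusing the extended layout when it does not match would have turned the original mis-decode into a diagnostic instead of a silently wrong register set, and it remains cheap insurance after this fix.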
>
> Kind regards,
> Torbjörn
Thanks for the patch. This LGTM. I suppose you need us to push on your behalf?
* Re: [PATCH v2] gdb/arm: Fix M-profile EXC_RETURN exception_domain_is_secure logic
2022-10-25 13:28 ` Luis Machado
@ 2022-10-26 12:04 ` Luis Machado
0 siblings, 0 replies; 5+ messages in thread
From: Luis Machado @ 2022-10-26 12:04 UTC (permalink / raw)
To: Torbjorn SVENSSON, Tomas Vanek, gdb-patches
On 10/25/22 14:28, Luis Machado via Gdb-patches wrote:
> Thanks for the patch. This LGTM. I suppose you need us to push on your behalf?
Pushed.