commit 90f2e88160268db59c9c095845873497c3107afb
author Alexei Fedorov <Alexei.Fedorov@arm.com> Fri May 24 12:17:09 2019 +0100
committer Alexei Fedorov <Alexei.Fedorov@arm.com> Fri May 24 14:44:45 2019 +0100
tree dc3edbb0a38dcc6b033c088dbaa156cfec653baa
parent cb93dfa5cfa6c680494acdbe0e4808b0a8f970aa

Add support for Branch Target Identification

This patch adds the functionality needed for platforms to provide
Branch Target Identification (BTI) extension, introduced to AArch64
in Armv8.5-A by adding BTI instruction used to mark valid targets
for indirect branches. The patch sets new GP bit [50] to the stage 1
Translation Table Block and Page entries to denote guarded EL3 code
pages which will cause processor to trap instructions in protected
pages trying to perform an indirect branch to any instruction other
than BTI.
BTI feature is selected by BRANCH_PROTECTION option which supersedes
the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
and is disabled by default. Enabling BTI requires compiler support
and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
The assembly macros and helpers are modified to accommodate the BTI
instruction.
This is an experimental feature.
Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
is now made as an internal flag and BRANCH_PROTECTION flag should be
used instead to enable Pointer Authentication.
Note. USE_LIBROM=1 option is currently not supported.

Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Makefile

diff --git a/Makefile b/Makefile
index 976f514..1078ef5 100644
--- a/Makefile
+++ b/Makefile
@@ -117,6 +117,29 @@
         FWU_FIP_DEPS += fwu_certificates
 endif
 
+# Process BRANCH_PROTECTION value and set
+# Pointer Authentication and Branch Target Identification flags
+ifeq (${BRANCH_PROTECTION},0)
+	# Default value turns off all types of branch protection
+	BP_OPTION := none
+else ifneq (${ARCH},aarch64)
+        $(error BRANCH_PROTECTION requires AArch64)
+else ifeq (${BRANCH_PROTECTION},1)
+	# Enables all types of branch protection features
+	BP_OPTION := standard
+	ENABLE_BTI := 1
+	ENABLE_PAUTH := 1
+else ifeq (${BRANCH_PROTECTION},2)
+	# Return address signing to its standard level
+	BP_OPTION := pac-ret
+	ENABLE_PAUTH := 1
+else ifeq (${BRANCH_PROTECTION},3)
+	# Extend the signing to include leaf functions
+	BP_OPTION := pac-ret+leaf
+	ENABLE_PAUTH := 1
+else
+        $(error Unknown BRANCH_PROTECTION value ${BRANCH_PROTECTION})
+endif
 
 ################################################################################
 # Toolchain
@@ -189,6 +212,10 @@
 TF_CFLAGS_aarch32	+=	-mno-unaligned-access
 TF_CFLAGS_aarch64	+=	-mgeneral-regs-only -mstrict-align
 
+ifneq (${BP_OPTION},none)
+TF_CFLAGS_aarch64	+=	-mbranch-protection=${BP_OPTION}
+endif
+
 ASFLAGS_aarch32		=	$(march32-directive)
 ASFLAGS_aarch64		=	$(march64-directive)
 
@@ -451,26 +478,30 @@
 endif
 
 # If pointer authentication is used in the firmware, make sure that all the
-# registers associated to it are also saved and restored. Not doing it would
-# leak the value of the key used by EL3 to EL1 and S-EL1.
+# registers associated to it are also saved and restored.
+# Not doing it would leak the value of the keys used by EL3 to EL1 and S-EL1.
 ifeq ($(ENABLE_PAUTH),1)
-    ifneq ($(ARCH),aarch64)
-        $(error ENABLE_PAUTH=1 requires AArch64)
-    else ifeq ($(CTX_INCLUDE_PAUTH_REGS),0)
-        $(error ENABLE_PAUTH=1 requires CTX_INCLUDE_PAUTH_REGS=1)
-    else
-        $(info ENABLE_PAUTH and CTX_INCLUDE_PAUTH_REGS are experimental features)
+    ifeq ($(CTX_INCLUDE_PAUTH_REGS),0)
+        $(error Pointer Authentication requires CTX_INCLUDE_PAUTH_REGS=1)
     endif
-else
-    ifeq ($(CTX_INCLUDE_PAUTH_REGS),1)
-        ifneq ($(ARCH),aarch64)
-            $(error CTX_INCLUDE_PAUTH_REGS=1 requires AArch64)
-        else
-            $(info CTX_INCLUDE_PAUTH_REGS is an experimental feature)
-        endif
+endif
+
+ifeq ($(CTX_INCLUDE_PAUTH_REGS),1)
+    ifneq (${ARCH},aarch64)
+        $(error CTX_INCLUDE_PAUTH_REGS requires AArch64)
+    else
+        $(info CTX_INCLUDE_PAUTH_REGS is an experimental feature)
     endif
 endif
 
+ifeq ($(ENABLE_PAUTH),1)
+    $(info Pointer Authentication is an experimental feature)
+endif
+
+ifeq ($(ENABLE_BTI),1)
+    $(info Branch Protection is an experimental feature)
+endif
+
 ################################################################################
 # Process platform overrideable behaviour
 ################################################################################
@@ -599,7 +630,6 @@
 $(eval $(call assert_boolean,ENABLE_AMU))
 $(eval $(call assert_boolean,ENABLE_ASSERTIONS))
 $(eval $(call assert_boolean,ENABLE_MPAM_FOR_LOWER_ELS))
-$(eval $(call assert_boolean,ENABLE_PAUTH))
 $(eval $(call assert_boolean,ENABLE_PIE))
 $(eval $(call assert_boolean,ENABLE_PMF))
 $(eval $(call assert_boolean,ENABLE_PSCI_STAT))
@@ -635,6 +665,7 @@
 
 $(eval $(call assert_numeric,ARM_ARCH_MAJOR))
 $(eval $(call assert_numeric,ARM_ARCH_MINOR))
+$(eval $(call assert_numeric,BRANCH_PROTECTION))
 
 ################################################################################
 # Add definitions to the cpp preprocessor based on the current build options.
@@ -651,6 +682,7 @@
 $(eval $(call add_define,EL3_EXCEPTION_HANDLING))
 $(eval $(call add_define,ENABLE_AMU))
 $(eval $(call add_define,ENABLE_ASSERTIONS))
+$(eval $(call add_define,ENABLE_BTI))
 $(eval $(call add_define,ENABLE_MPAM_FOR_LOWER_ELS))
 $(eval $(call add_define,ENABLE_PAUTH))
 $(eval $(call add_define,ENABLE_PIE))