63eb7ff47d
This patch implements PAC return address signing for armv8-m. This patch roughly
accomplishes the following things:
- PAC and AUT instructions are generated.
- They're part of the stack frame setup, so that shrink-wrapping can move them
inwards to cover only part of a function
- The auth code generated by PAC is saved across subroutine calls so that AUT
can find it again to check
- PAC is emitted before stacking registers (so that the SP it signs is the one
on function entry).
- The new pseudo-register ra_auth_code is mentioned in the DWARF frame data
- With CMSE also in use: PAC is emitted before stacking FPCXTNS, and AUT
validates the corresponding value of SP
- Emit correct unwind information when PAC is replaced by PACBTI
- Handle tail calls correctly
Some notes:
We make the assembler accept the `.save {ra_auth_code}` directive that is
emitted by the compiler when it saves a register that contains a
return address authentication code.
For EHABI we need to have the `FrameSetup` flag on the instruction and
handle the `t2PACBTI` opcode (identically to `t2PAC`), so we can emit
`.save {ra_auth_code}`, instead of `.save {r12}`.
For PACBTI-M, the instruction which computes return address PAC should use SP
value before adjustment for the argument registers save are (used for variadic
functions and when a parameter is is split between stack and register), but at
the same it should be after the instruction that saves FPCXT when compiling a
CMSE entry function.
This patch moves the varargs SP adjustment after the FPCXT save (they are never
enabled at the same time), so in a following patch handling of the `PAC`
instruction can be placed between them.
Epilogue emission code adjusted in a similar manner.
PACBTI-M code generation should not emit any instructions for architectures
v6-m, v8-m.base, and for A- and R-class cores. Diagnostic message for such cases
is handled separately by a future ticket.
note on tail calls:
If the called function has four arguments that occupy registers `r0`-`r3`, the
only option for holding the function pointer itself is `r12`, but this register
is used to keep the PAC during function/prologue epilogue and clobbers the
function pointer.
When we do the tail call we need the five registers (`r0`-`r3` and `r12`) to
keep six values - the four function arguments, the function pointer and the PAC,
which is obviously impossible.
One option would be to authenticate the return address before all callee-saved
registers are restored, so we have a scratch register to temporarily keep the
value of `r12`. The issue with this approach is that it violates a fundamental
invariant that PAC is computed using CFA as a modifier. It would also mean using
separate instructions to pop `lr` and the rest of the callee-saved registers,
which would offset the advantages of doing a tail call.
Instead, this patch disables indirect tail calls when the called function take
four or more arguments and the return address sign and authentication is enabled
for the caller function, conservatively assuming the caller function would spill
LR.
This patch is part of a series that adds support for the PACBTI-M extension of
the Armv8.1-M architecture, as detailed here:
https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/armv8-1-m-pointer-authentication-and-branch-target-identification-extension
The PACBTI-M specification can be found in the Armv8-M Architecture Reference
Manual:
https://developer.arm.com/documentation/ddi0553/latest
The following people contributed to this patch:
- Momchil Velikov
- Ties Stuij
Reviewed By: danielkiss
Differential Revision: https://reviews.llvm.org/D112429
139 lines
5.1 KiB
C++
139 lines
5.1 KiB
C++
//===-- ARMBranchTargets.cpp -- Harden code using v8.1-M BTI extension -----==//
|
|
//
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
//
|
|
// This pass inserts BTI instructions at the start of every function and basic
|
|
// block which could be indirectly called. The hardware will (when enabled)
|
|
// trap when an indirect branch or call instruction targets an instruction
|
|
// which is not a valid BTI instruction. This is intended to guard against
|
|
// control-flow hijacking attacks.
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
#include "ARM.h"
|
|
#include "ARMInstrInfo.h"
|
|
#include "ARMMachineFunctionInfo.h"
|
|
#include "llvm/CodeGen/MachineFunctionPass.h"
|
|
#include "llvm/CodeGen/MachineInstrBuilder.h"
|
|
#include "llvm/CodeGen/MachineJumpTableInfo.h"
|
|
#include "llvm/CodeGen/MachineModuleInfo.h"
|
|
#include "llvm/Support/Debug.h"
|
|
|
|
using namespace llvm;
|
|
|
|
#define DEBUG_TYPE "arm-branch-targets"
|
|
#define ARM_BRANCH_TARGETS_NAME "ARM Branch Targets"
|
|
|
|
namespace {
|
|
class ARMBranchTargets : public MachineFunctionPass {
|
|
public:
|
|
static char ID;
|
|
ARMBranchTargets() : MachineFunctionPass(ID) {}
|
|
void getAnalysisUsage(AnalysisUsage &AU) const override;
|
|
bool runOnMachineFunction(MachineFunction &MF) override;
|
|
StringRef getPassName() const override { return ARM_BRANCH_TARGETS_NAME; }
|
|
|
|
private:
|
|
void addBTI(const ARMInstrInfo &TII, MachineBasicBlock &MBB, bool IsFirstBB);
|
|
};
|
|
} // end anonymous namespace
|
|
|
|
char ARMBranchTargets::ID = 0;
|
|
|
|
INITIALIZE_PASS(ARMBranchTargets, "arm-branch-targets", ARM_BRANCH_TARGETS_NAME,
|
|
false, false)
|
|
|
|
void ARMBranchTargets::getAnalysisUsage(AnalysisUsage &AU) const {
|
|
AU.setPreservesCFG();
|
|
MachineFunctionPass::getAnalysisUsage(AU);
|
|
}
|
|
|
|
FunctionPass *llvm::createARMBranchTargetsPass() {
|
|
return new ARMBranchTargets();
|
|
}
|
|
|
|
bool ARMBranchTargets::runOnMachineFunction(MachineFunction &MF) {
|
|
if (!MF.getInfo<ARMFunctionInfo>()->branchTargetEnforcement())
|
|
return false;
|
|
|
|
LLVM_DEBUG(dbgs() << "********** ARM Branch Targets **********\n"
|
|
<< "********** Function: " << MF.getName() << '\n');
|
|
const ARMInstrInfo &TII =
|
|
*static_cast<const ARMInstrInfo *>(MF.getSubtarget().getInstrInfo());
|
|
|
|
// LLVM does not consider basic blocks which are the targets of jump tables
|
|
// to be address-taken (the address can't escape anywhere else), but they are
|
|
// used for indirect branches, so need BTI instructions.
|
|
SmallPtrSet<const MachineBasicBlock *, 8> JumpTableTargets;
|
|
if (const MachineJumpTableInfo *JTI = MF.getJumpTableInfo())
|
|
for (const MachineJumpTableEntry &JTE : JTI->getJumpTables())
|
|
for (const MachineBasicBlock *MBB : JTE.MBBs)
|
|
JumpTableTargets.insert(MBB);
|
|
|
|
bool MadeChange = false;
|
|
for (MachineBasicBlock &MBB : MF) {
|
|
bool NeedBTI = false;
|
|
bool IsFirstBB = &MBB == &MF.front();
|
|
|
|
// Every function can potentially be called indirectly (even if it has
|
|
// static linkage, due to linker-generated veneers).
|
|
if (IsFirstBB)
|
|
NeedBTI = true;
|
|
|
|
// If the block itself is address-taken, or is an exception landing pad, it
|
|
// could be indirectly branched to.
|
|
if (MBB.hasAddressTaken() || MBB.isEHPad() || JumpTableTargets.count(&MBB))
|
|
NeedBTI = true;
|
|
|
|
if (NeedBTI) {
|
|
addBTI(TII, MBB, IsFirstBB);
|
|
MadeChange = true;
|
|
}
|
|
}
|
|
|
|
return MadeChange;
|
|
}
|
|
|
|
/// Insert a BTI/PACBTI instruction into a given basic block \c MBB. If
|
|
/// \c IsFirstBB is true (meaning that this is the first BB in a function) try
|
|
/// to find a PAC instruction and replace it with PACBTI. Otherwise just insert
|
|
/// a BTI instruction.
|
|
/// The point of insertion is in the beginning of the BB, immediately after meta
|
|
/// instructions (such labels in exception handling landing pads).
|
|
void ARMBranchTargets::addBTI(const ARMInstrInfo &TII, MachineBasicBlock &MBB,
|
|
bool IsFirstBB) {
|
|
// Which instruction to insert: BTI or PACBTI
|
|
unsigned OpCode = ARM::t2BTI;
|
|
unsigned MIFlags = 0;
|
|
|
|
// Skip meta instructions, including EH labels
|
|
auto MBBI = llvm::find_if_not(MBB.instrs(), [](const MachineInstr &MI) {
|
|
return MI.isMetaInstruction();
|
|
});
|
|
|
|
// If this is the first BB in a function, check if it starts with a PAC
|
|
// instruction and in that case remove the PAC instruction.
|
|
if (IsFirstBB) {
|
|
if (MBBI != MBB.instr_end() && MBBI->getOpcode() == ARM::t2PAC) {
|
|
LLVM_DEBUG(dbgs() << "Removing a 'PAC' instr from BB '" << MBB.getName()
|
|
<< "' to replace with PACBTI\n");
|
|
OpCode = ARM::t2PACBTI;
|
|
MIFlags = MachineInstr::FrameSetup;
|
|
auto NextMBBI = std::next(MBBI);
|
|
MBBI->eraseFromParent();
|
|
MBBI = NextMBBI;
|
|
}
|
|
}
|
|
|
|
LLVM_DEBUG(dbgs() << "Inserting a '"
|
|
<< (OpCode == ARM::t2BTI ? "BTI" : "PACBTI")
|
|
<< "' instr into BB '" << MBB.getName() << "'\n");
|
|
// Finally, insert a new instruction (either PAC or PACBTI)
|
|
BuildMI(MBB, MBBI, MBB.findDebugLoc(MBBI), TII.get(OpCode))
|
|
.setMIFlags(MIFlags);
|
|
}
|