2 * Copyright (c) 2014 Andrew Turner
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 #ifndef _MACHINE_ASM_H_
32 #define _MACHINE_ASM_H_
35 #if !defined(lint) && !defined(STRIP_FBSDID)
36 #define __FBSDID(s) .ident s
38 #define __FBSDID(s) /* nothing */
44 #define DTRACE_NOP nop
50 .text; .align 2; .type sym,#function; sym: \
51 .cfi_startproc; BTI_C; DTRACE_NOP
53 .globl sym; LENTRY(sym)
55 .globl sym; .text; .align 2; .type sym,#function; sym:
/*
 * LEND(sym) closes the function sym: .ltorg emits the pending literal pool
 * (used by "ldr reg, =symbol" loads), .cfi_endproc ends the CFI region that
 * was started with .cfi_startproc, and .size records the symbol's length.
 * END(sym) is an alias for LEND(sym).
 */
56 #define LEND(sym) .ltorg; .cfi_endproc; .size sym, . - sym
57 #define END(sym) LEND(sym)
60 #define WEAK_REFERENCE(sym, alias) \
64 #define UINT64_C(x) (x)
67 #define PIC_SYM(x,y) x ## @ ## y
69 #define PIC_SYM(x,y) x
72 /* Alias for link register x30 */
76 * Sets the trap fault handler. On a data abort the exception handler will
77 * return to the address held in the handler register; pass the xzr register
78 * to clear the handler. The tmp parameter should be a register able to hold
/*
 * Writes handler into the current thread's pcb: curthread is loaded through
 * x18 at offset PC_CURTHREAD, its pcb at offset TD_PCB, and handler is then
 * stored at offset PCB_ONFAULT. tmp is overwritten.
 * NOTE(review): the stored handler stays in place until it is overwritten, so
 * callers presumably reset it with xzr once the guarded access is finished;
 * a stale value would redirect a later, unrelated data abort - confirm
 * against the call sites.
 */
81 #define SET_FAULT_HANDLER(handler, tmp) \
82 ldr tmp, [x18, #PC_CURTHREAD]; /* Load curthread */ \
83 ldr tmp, [tmp, #TD_PCB]; /* Load the pcb */ \
84 str handler, [tmp, #PCB_ONFAULT] /* Set the handler */
/*
 * Clears PAN (Privileged Access Never) so that the following kernel code may
 * touch user memory. reg receives the value of has_pan and tmp is
 * overwritten; when has_pan is zero the PAN write is skipped.
 * The .inst word is a hand-encoded "msr pan, #imm" with the immediate at
 * bit 8 (0 here, i.e. clear). The local label 997 targeted by cbz is defined
 * on a line that is not part of this listing.
 * NOTE(review): reg looks like the value EXIT_USER_ACCESS tests later, so it
 * has to stay live until then - confirm. Every path out of the user access
 * should set PAN again.
 */
86 #define ENTER_USER_ACCESS(reg, tmp) \
87 ldr tmp, =has_pan; /* Get the addr of has_pan */ \
88 ldr reg, [tmp]; /* Read it */ \
89 cbz reg, 997f; /* If no PAN skip */ \
90 .inst 0xd500409f | (0 << 8); /* Clear PAN */ \
/*
 * Sets PAN again after a user access. reg is tested with cbz and is not
 * reloaded here, so it is presumably expected to still hold the has_pan
 * value read by ENTER_USER_ACCESS - confirm against callers. The .inst word
 * is a hand-encoded "msr pan, #imm" with the immediate at bit 8 (1 here,
 * i.e. set). The local label 998 targeted by cbz is defined on a line that
 * is not part of this listing.
 */
93 #define EXIT_USER_ACCESS(reg) \
94 cbz reg, 998f; /* If no PAN skip */ \
95 .inst 0xd500409f | (1 << 8); /* Set PAN */ \
/*
 * Variant of EXIT_USER_ACCESS that does not depend on reg still holding the
 * flag: has_pan is read again through tmp into reg before PAN is set. Both
 * reg and tmp are overwritten.
 * NOTE(review): presumably meant for paths where the register loaded by
 * ENTER_USER_ACCESS may no longer be valid (e.g. a fault handler) - confirm.
 * The local label 999 targeted by cbz is defined on a line that is not part
 * of this listing.
 */
98 #define EXIT_USER_ACCESS_CHECK(reg, tmp) \
99 ldr tmp, =has_pan; /* Get the addr of has_pan */ \
100 ldr reg, [tmp]; /* Read it */ \
101 cbz reg, 999f; /* If no PAN skip */ \
102 .inst 0xd500409f | (1 << 8); /* Set PAN */ \
106 * Some AArch64 CPUs speculate past an eret instruction. As the user may
107 * control the registers at this point, add a speculation barrier, usable on
108 * all AArch64 CPUs, after the eret instruction.
109 * TODO: ARMv8.5 adds a specific instruction for this, we could use that
110 * if we know we are running on something that supports it.
118 * When a CPU that implements FEAT_BTI uses a BR/BLR instruction (or the
119 * pointer authentication variants, e.g. BLRAA) and the target location
120 * has the GP attribute in its page table, then the target of the BR/BLR
121 * needs to be a valid BTI landing pad.
123 * BTI_C should be used at the start of a function and is used in the
124 * ENTRY macro. It can be replaced by PACIASP or PACIBSP, however these
125 * also need an appropriate authenticate instruction before returning.
127 * BTI_J should be used as the target instruction when branching with a
128 * BR instruction within a function.
130 * When using a BR to branch to a new function, e.g. a tail call, then
131 * the target register should be x16 or x17 so it is compatible with
132 * the BTI_C instruction.
134 * As these instructions are in the hint space they are a NOP when
135 * the CPU doesn't implement FEAT_BTI so are safe to use.
137 #ifdef __ARM_FEATURE_BTI_DEFAULT
138 #define BTI_C hint #34 /* bti c */
139 #define BTI_J hint #36 /* bti j */
146 * To help protect against ROP attacks we can use Pointer Authentication
147 * to sign the return address before pushing it to the stack.
149 * PAC_LR_SIGN can be used at the start of a function to sign the link
150 * register with the stack pointer as the modifier. As this is in the hint
151 * space it is safe to use on CPUs that don't implement pointer
152 * authentication. It can be used in place of the BTI_C instruction above as
153 * a valid BTI landing pad instruction.
155 * PAC_LR_AUTH is used to authenticate the link register using the stack
156 * pointer as the modifier. It should be used in any function that uses
157 * PAC_LR_SIGN. The stack pointer must be identical in each case.
159 #ifdef __ARM_FEATURE_PAC_DEFAULT
160 #define PAC_LR_SIGN hint #25 /* paciasp */
161 #define PAC_LR_AUTH hint #29 /* autiasp */
168 * GNU_PROPERTY_AARCH64_FEATURE_1_NOTE can be used to insert a note that
169 * the current assembly file is built with Pointer Authentication (PAC) or
170 * Branch Target Identification (BTI) support. The linker only emits the
171 * GNU property note in the created ELF file when every object file in the
172 * executable or library carries it, so we need to add the note to all
173 * assembly files that support BTI so the kernel and dynamic linker can
174 * mark memory used by the file as guarded.
176 * The GNU_PROPERTY_AARCH64_FEATURE_1_VAL macro encodes the combination
177 * of PAC and BTI that have been enabled. It can be used as follows:
178 * GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(GNU_PROPERTY_AARCH64_FEATURE_1_VAL);
180 * To use this you need to include <sys/elf_common.h> for
181 * GNU_PROPERTY_AARCH64_FEATURE_1_*
183 #if defined(__ARM_FEATURE_BTI_DEFAULT)
184 #if defined(__ARM_FEATURE_PAC_DEFAULT)
186 #define GNU_PROPERTY_AARCH64_FEATURE_1_VAL \
187 (GNU_PROPERTY_AARCH64_FEATURE_1_BTI | GNU_PROPERTY_AARCH64_FEATURE_1_PAC)
190 #define GNU_PROPERTY_AARCH64_FEATURE_1_VAL \
191 (GNU_PROPERTY_AARCH64_FEATURE_1_BTI)
193 #elif defined(__ARM_FEATURE_PAC_DEFAULT)
195 #define GNU_PROPERTY_AARCH64_FEATURE_1_VAL \
196 (GNU_PROPERTY_AARCH64_FEATURE_1_PAC)
199 #define GNU_PROPERTY_AARCH64_FEATURE_1_VAL 0
202 #if defined(__ARM_FEATURE_BTI_DEFAULT) || defined(__ARM_FEATURE_PAC_DEFAULT)
/*
 * Emits an ELF note into the allocated section .note.gnu.property with
 * vendor "GNU" and type NT_GNU_PROPERTY_TYPE_0. The note carries a single
 * GNU_PROPERTY_AARCH64_FEATURE_1_AND property whose 4-byte value is x.
 * The declared note data size is 0x10 bytes; the visible fields account for
 * 12 of them, so the remainder is presumably padding emitted on a line that
 * is not part of this listing - confirm against the full file.
 * When neither BTI nor PAC is enabled by default, the definition at the end
 * of this block has an empty body, so no note is emitted.
 */
203 #define GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(x) \
204 .section .note.gnu.property, "a"; \
206 .4byte 0x4; /* sizeof(vendor) */ \
207 .4byte 0x10; /* sizeof(note data) */ \
208 .4byte (NT_GNU_PROPERTY_TYPE_0); \
209 .asciz "GNU"; /* vendor */ \
211 .4byte (GNU_PROPERTY_AARCH64_FEATURE_1_AND); \
212 .4byte 0x4; /* sizeof(property) */ \
213 .4byte (x); /* property */ \
216 #define GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(x)
219 #endif /* _MACHINE_ASM_H_ */
221 #endif /* !__arm__ */