Commit 717b938e authored by Mark Brown's avatar Mark Brown Committed by Will Deacon
Browse files

arm64: Document why we enable PAC support for leaf functions 



Document the fact that we enable pointer authentication protection for
leaf functions since there is some narrow potential for ROP protection
benefits and little overhead has been observed.

Signed-off-by: default avatarMark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20200506195138.22086-2-broonie@kernel.org


Signed-off-by: default avatarWill Deacon <will@kernel.org>
parent e5159827

arch/arm64/Makefile

+3 −0
Original line number Diff line number Diff line
@@ -71,6 +71,9 @@ branch-prot-flags-y += $(call cc-option,-mbranch-protection=none) 


ifeq ($(CONFIG_ARM64_PTR_AUTH),y)

branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all

# We enable additional protection for leaf functions as there is some

# narrow potential for ROP protection benefits and no substantial

# performance impact has been observed.

branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf

# -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the

# compiler to generate them and consequently to break the single image contract

CRA Git | Maintained and supported by SUSTech CRA and CCSE