Commit d2786527 authored by Will Deacon

Merge branch 'for-next/bti' into for-next/core

Support for Branch Target Identification (BTI) in user and kernel
(Mark Brown and others)
* for-next/bti: (39 commits)
  arm64: vdso: Fix CFI directives in sigreturn trampoline
  arm64: vdso: Don't prefix sigreturn trampoline with a BTI C instruction
  arm64: bti: Fix support for userspace only BTI
  arm64: kconfig: Update and comment GCC version check for kernel BTI
  arm64: vdso: Map the vDSO text with guarded pages when built for BTI
  arm64: vdso: Force the vDSO to be linked as BTI when built for BTI
  arm64: vdso: Annotate for BTI
  arm64: asm: Provide a mechanism for generating ELF note for BTI
  arm64: bti: Provide Kconfig for kernel mode BTI
  arm64: mm: Mark executable text as guarded pages
  arm64: bpf: Annotate JITed code for BTI
  arm64: Set GP bit in kernel page tables to enable BTI for the kernel
  arm64: asm: Override SYM_FUNC_START when building the kernel with BTI
  arm64: bti: Support building kernel C code using BTI
  arm64: Document why we enable PAC support for leaf functions
  arm64: insn: Report PAC and BTI instructions as skippable
  arm64: insn: Don't assume unrecognized HINTs are skippable
  arm64: insn: Provide a better name for aarch64_insn_is_nop()
  arm64: insn: Add constants for new HINT instruction decode
  arm64: Disable old style assembly annotations
  ...
parents 342403bc a4eb355a
+2 −0
@@ -176,6 +176,8 @@ infrastructure:
     +------------------------------+---------+---------+
     | SSBS                         | [7-4]   |    y    |
     +------------------------------+---------+---------+
     | BT                           | [3-0]   |    y    |
     +------------------------------+---------+---------+


  4) MIDR_EL1 - Main ID Register
+5 −0
@@ -236,6 +236,11 @@ HWCAP2_RNG

    Functionality implied by ID_AA64ISAR0_EL1.RNDR == 0b0001.

HWCAP2_BTI

    Functionality implied by ID_AA64PFR0_EL1.BT == 0b0001.


4. Unused AT_HWCAP bits
-----------------------

+1 −0
@@ -543,6 +543,7 @@ encoded manner. The codes are the following:
    hg    huge page advise flag
    nh    no huge page advise flag
    mg    mergable advise flag
    bt  - arm64 BTI guarded page
    ==    =======================================

Note that there is no guarantee that every flag and associated mnemonic will
+46 −0
@@ -9,6 +9,7 @@ config ARM64
	select ACPI_MCFG if (ACPI && PCI)
	select ACPI_SPCR_TABLE if ACPI
	select ACPI_PPTT if ACPI
	select ARCH_BINFMT_ELF_STATE
	select ARCH_HAS_DEBUG_VIRTUAL
	select ARCH_HAS_DEVMEM_IS_ALLOWED
	select ARCH_HAS_DMA_PREP_COHERENT
@@ -32,6 +33,7 @@ config ARM64
	select ARCH_HAS_SYSCALL_WRAPPER
	select ARCH_HAS_TEARDOWN_DMA_OPS if IOMMU_SUPPORT
	select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
	select ARCH_HAVE_ELF_PROT
	select ARCH_HAVE_NMI_SAFE_CMPXCHG
	select ARCH_INLINE_READ_LOCK if !PREEMPTION
	select ARCH_INLINE_READ_LOCK_BH if !PREEMPTION
@@ -61,8 +63,10 @@ config ARM64
	select ARCH_INLINE_SPIN_UNLOCK_IRQRESTORE if !PREEMPTION
	select ARCH_KEEP_MEMBLOCK
	select ARCH_USE_CMPXCHG_LOCKREF
	select ARCH_USE_GNU_PROPERTY
	select ARCH_USE_QUEUED_RWLOCKS
	select ARCH_USE_QUEUED_SPINLOCKS
	select ARCH_USE_SYM_ANNOTATIONS
	select ARCH_SUPPORTS_MEMORY_FAILURE
	select ARCH_SUPPORTS_ATOMIC_RMW
	select ARCH_SUPPORTS_INT128 if CC_HAS_INT128 && (GCC_VERSION >= 50000 || CC_IS_CLANG)
@@ -1584,6 +1588,48 @@ endmenu

menu "ARMv8.5 architectural features"

config ARM64_BTI
	bool "Branch Target Identification support"
	default y
	help
	  Branch Target Identification (part of the ARMv8.5 Extensions)
	  provides a mechanism to limit the set of locations to which computed
	  branch instructions such as BR or BLR can jump.

	  To make use of BTI on CPUs that support it, say Y.

	  BTI is intended to provide complementary protection to other control
	  flow integrity protection mechanisms, such as the Pointer
	  authentication mechanism provided as part of the ARMv8.3 Extensions.
	  For this reason, it does not make sense to enable this option without
	  also enabling support for pointer authentication.  Thus, when
	  enabling this option you should also select ARM64_PTR_AUTH=y.

	  Userspace binaries must also be specifically compiled to make use of
	  this mechanism.  If you say N here or the hardware does not support
	  BTI, such binaries can still run, but you get no additional
	  enforcement of branch destinations.

config ARM64_BTI_KERNEL
	bool "Use Branch Target Identification for kernel"
	default y
	depends on ARM64_BTI
	depends on ARM64_PTR_AUTH
	depends on CC_HAS_BRANCH_PROT_PAC_RET_BTI
	# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94697
	depends on !CC_IS_GCC || GCC_VERSION >= 100100
	depends on !(CC_IS_CLANG && GCOV_KERNEL)
	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
	help
	  Build the kernel with Branch Target Identification annotations
	  and enable enforcement of this for kernel code. When this option
	  is enabled and the system supports BTI all kernel code including
	  modular code must have BTI enabled.

config CC_HAS_BRANCH_PROT_PAC_RET_BTI
	# GCC 9 or later, clang 8 or later
	def_bool $(cc-option,-mbranch-protection=pac-ret+leaf+bti)

config ARM64_E0PD
	bool "Enable support for E0PD"
	default y
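Review bot: ARM64_BTI_KERNEL is `default y` but sits behind several toolchain and tracing conditions, so a configuration that expects kernel BTI can lose it silently, and only the GCC version check points at its reason. The `depends on !(CC_IS_CLANG && GCOV_KERNEL)` and `depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)` lines should each get a one-line comment naming the incompatibility, and the help text could end with `This option is unavailable with GCC older than 10.1, with Clang when GCOV_KERNEL is set, and with FUNCTION_GRAPH_TRACER unless DYNAMIC_FTRACE_WITH_REGS is set.` Separately, the ARM64_BTI help tells the user to enable ARM64_PTR_AUTH as well, yet only ARM64_BTI_KERNEL depends on it. If that is intentional for userspace-only BTI, the help should say the pairing is a recommendation rather than a requirement.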
+7 −0
@@ -70,7 +70,14 @@ branch-prot-flags-y += $(call cc-option,-mbranch-protection=none)

ifeq ($(CONFIG_ARM64_PTR_AUTH),y)
branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all
# We enable additional protection for leaf functions as there is some
# narrow potential for ROP protection benefits and no substantial
# performance impact has been observed.
ifeq ($(CONFIG_ARM64_BTI_KERNEL),y)
branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI) := -mbranch-protection=pac-ret+leaf+bti
else
branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
endif
# -march=armv8.3-a enables the non-nops instructions for PAC, to avoid the
# compiler to generate them and consequently to break the single image contract
# we pass it only to the assembler. This option is utilized only in case of non
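Review bot: The new `ifeq ($(CONFIG_ARM64_BTI_KERNEL),y)` test is nested inside the `CONFIG_ARM64_PTR_AUTH` block, so `+bti` is only ever requested together with `pac-ret`, and nothing in the Makefile says this coupling is deliberate. It holds because ARM64_BTI_KERNEL depends on ARM64_PTR_AUTH and CC_HAS_BRANCH_PROT_PAC_RET_BTI in Kconfig. If either dependency were relaxed, the build would presumably fall back to the earlier `-msign-return-address=all` or `-mbranch-protection=none` setting without any diagnostic. A comment above the test would record that, for example `# ARM64_BTI_KERNEL depends on ARM64_PTR_AUTH, so BTI is always built together with pac-ret.` The outer `ifeq` closes outside the hunk.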