[PATCH v5 1/8] newlib: libc: define M-profile PACBTI-enablement macros
Christophe Lyon
christophe.lyon@arm.com
Mon Jan 9 09:33:27 GMT 2023
On 1/6/23 11:42, Christophe Lyon wrote:
> Hi Victor,
>
> Thanks for the patch series, a few comments/questions below.
>
> Christophe
>
>
> On 12/21/22 12:19, Victor L. Do Nascimento wrote:
>> Augment the arm_asm.h header file to simplify function prologues and
>> epilogues whilst adding support for PACBTI enablement via macros for
>> hand-written assembly functions. For PACBTI, both prologues/epilogues
>> as well as cfi-related directives are automatically amended
>> accordingly, depending on the compile-time mbranch-protection argument
>> values.
>>
>> It defines the following preprocessor macros:
>> * HAVE_PAC_LEAF: Indicates whether pac-signing has been requested for
>> leaf functions.
>> * PAC_LEAF_PUSH_IP: Whether leaf functions should push the pac code
>> to the stack irrespective of whether the ip register is clobbered in
>> the function or not.
>> * STACK_ALIGN_ENFORCE: Whether a dummy register should be added to
>> the push list as necessary in the prologue to ensure stack
>> alignment preservation at the start of assembly function. The
>> epilogue behavior is likewise affected by this flag, ensuring any
>> pushed dummy registers also get popped on function return.
> IIUC, these new macros are meant for general usage outside of newlib, do
> they need proper documentation? Or maybe an entry in the "News" section?
> I don't know. Otherwise, I think they should not appear in the user
> naming space.
I've just noticed this point was already discussed with Richard some
time ago, I somehow missed/forgot it:
https://sourceware.org/pipermail/newlib/2022/019831.html
So it looks fine if this header/macros are not meant to be used outside
of newlib.
Thanks,
Christophe
>
>
>> It also defines the following assembler macros:
>> * prologue: In addition to pushing any callee-saved registers onto
>> the stack, it generates any requested pacbti instructions.
>> Pushed registers are specified via the optional `first', `last',
>> `push_ip' and `push_lr' macro argument parameters.
> Maybe you should quote 'first' and 'last' differently from 'push_ip' and
> 'push_lr', since the example below shows that 'first' and 'last' are in
> fact register numbers (IIUC)
>
>> when a single register number is provided, it pushes that
> Typo: "When" (with a capital)
>
>> register. When two register numbers are provided, they specify a
>> rage to save. If push_ip and/or push_lr are non-zero, the
> Typo: "range"
>
>> respective registers are also saved. Stack alignment is requested
>> via the `align` argument, which defaults to the value of
>> STACK_ALIGN_ENFORCE, unless manually overridden.
>>
>> For example:
>>
>> prologue push_ip=1 -> push {ip}
>> prologue push_ip=1, align8=1 -> push {r2, ip}
>> prologue push_ip=1, push_lr=1 -> push {ip, lr}
>> prologue 1 -> push {r1}
>> prologue 1, align8=1 -> push {r0, r1}
>> prologue 1 push_ip=1 -> push {r1, ip}
>> prologue 1 4 -> push {r1-r4}
>> prologue 1 4 push_ip=1 -> push {r1-r4, ip}
> can you include an example with pacbti?
>
>
>> * epilogue: pops registers off the stack and emits pac key signing
>> instruction, if requested. The `first', `last', `push_ip',
>> `push_lr' and `align' function as per the prologue macro,
>> generating pop instead of push instructions.
>>
>> Stack alignment is enforced via the following helper macro
>> call-chain:
>>
>> {prologue|epilogue} ->_align8 -> _preprocess_reglist ->
>> _preprocess_reglist1 -> {_prologue|_epilogue}
>>
>> Finally, the necessary cfi directives for adding debug information
>> to prologue and epilogue are generated via the following macros:
>>
>> * cfisavelist - prologue macro helper function, generating
>> necessary .cfi_offset directives associated with push instruction.
>> Therefore, the net effect of calling `prologue 1 2 push_ip=1' is
>> to generate the following:
>>
>> push {r1-r2, ip}
>> .cfi_adjust_cfa_offset 12
>> .cfi_offset 143, -4
>> .cfi_offset 2, -8
>> .cfi_offset 1, -12
>>
>> * cfirestorelist - epilogue macro helper function, emitting
>> .cfi_restore instructions prior to resetting the cfa offset. As
>> such, calling `epilogue 1 2 push_ip=1' will produce:
>>
>> pop {r1-r2, ip}
>> .cfi_register 143, 12
>> .cfi_restore 2
>> .cfi_restore 1
>> .cfi_def_cfa_offset 0
>> ---
>> newlib/libc/machine/arm/arm_asm.h | 441 ++++++++++++++++++++++++++++++
>> 1 file changed, 441 insertions(+)
>>
>> diff --git a/newlib/libc/machine/arm/arm_asm.h
>> b/newlib/libc/machine/arm/arm_asm.h
>> index 2708057de..94fa77b4d 100644
>> --- a/newlib/libc/machine/arm/arm_asm.h
>> +++ b/newlib/libc/machine/arm/arm_asm.h
>> @@ -60,4 +60,445 @@
>> # define _ISA_THUMB_1
>> #endif
>> +/* Check whether leaf function PAC signing has been requested in the
>> + -mbranch-protect compile-time option. */
>> +#define LEAF_PROTECT_BIT 2
> Shouldn't this start with '__' or be #undefed at the end of this file to
> avoid polluting user naming space? (I noticed it's not used outside this
> file in this patch series)
>
>> +
>> +#ifdef __ARM_FEATURE_PAC_DEFAULT
>> +# define HAVE_PAC_LEAF \
>> + ((__ARM_FEATURE_PAC_DEFAULT & (1 << LEAF_PROTECT_BIT)) && 1)
>> +#else
>> +# define HAVE_PAC_LEAF 0
>> +#endif
>> +
>> +/* Provide default parameters for PAC-code handling in
>> leaf-functions. */
>> +#if HAVE_PAC_LEAF
>> +# ifndef PAC_LEAF_PUSH_IP
>> +# define PAC_LEAF_PUSH_IP 1
>> +# endif
>> +#else /* !HAVE_PAC_LEAF */
>> +# undef PAC_LEAF_PUSH_IP
>> +# define PAC_LEAF_PUSH_IP 0
>> +#endif /* HAVE_PAC_LEAF */
>> +
>> +#define STACK_ALIGN_ENFORCE 0
>> +
>> +#ifdef __ASSEMBLER__
>> +
>> +/******************************************************************************
>> +* Implementation of the prologue and epilogue assembler macros and their
>> +* associated helper functions.
>> +*
>> +* These functions add support for the following:
>> +*
>> +* - M-profile branch target identification (BTI) landing-pads when
>> compiled
>> +* with `-mbranch-protection=bti'.
>> +* - PAC-signing and verification instructions, depending on hardware
>> support
>> +* and whether the PAC-signing of leaf functions has been requested
>> via the
>> +* `-mbranch-protection=pac-ret+leaf' compiler argument.
>> +* - 8-byte stack alignment preservation at function entry, defaulting
>> to the
>> +* value of STACK_ALIGN_ENFORCE.
>> +*
>> +* Notes:
>> +* - Prologue stack alignment is implemented by detecting a push with
>> an odd
>> +* number of registers and prepending a dummy register to the list.
>> +* - If alignment is attempted on a list containing r0, compilation
>> will result
>> +* in an error.
>> +* - If alignment is attempted in a list containing r1, r0 will be
>> prepended to
>> +* the register list and r0 will be restored prior to function
>> return. for
>> +* functions with non-void return types, this will result in the
>> corruption of
>> +* the result register.
>> +* - Stack alignment is enforced via the following helper macro
>> call-chain:
>> +*
>> +* {prologue|epilogue} ->_align8 -> _preprocess_reglist ->
>> +* _preprocess_reglist1 -> {_prologue|_epilogue}
>> +*
>> +* - Debug CFI directives are automatically added to prologues and
>> epilogues,
>> +* assisted by `cfisavelist' and `cfirestorelist', respectively.
>> +*
>> +* Arguments:
>> +* prologue
>> +* --------
>> +* - first - If `last' specified, this serves as start of
>> general-purpose
>> +* register (GPR) range to push onto stack, otherwise represents
>> +* single GPR to push onto stack. If omitted, no GPRs pushed
>> +* onto stack at prologue.
>> +* - last - If given, specifies inclusive upper-bound of GPR range.
>> +* - push_ip - Determines whether IP register is to be pushed to
>> stack at
>> +* prologue. When pac-signing is requested, this holds the
>> +* the pac-key. Either 1 or 0 to push or not push,
>> respectively.
>> +* Default behavior: Set to value of PAC_LEAF_PUSH_IP macro.
>> +* - push_lr - Determines whether to push lr to the stack on
>> function entry.
>> +* Either 1 or 0 to push or not push, respectively.
>> +* - align8 - Whether to enforce alignment. Either 1 or 0, with 1
>> requesting
>> +* alignment.
>> +*
>> +* epilogue
>> +* --------
>> +* The epilogue should be called passing the same arguments as those
>> passed to
>> +* the prologue to ensure the stack is not corrupted on function
>> return.
>> +*
>> +* Usage examples:
>> +*
>> +* prologue push_ip=1 -> push {ip}
>> +* epilogue push_ip=1, align8=1 -> pop {r2, ip}
>> +* prologue push_ip=1, push_lr=1 -> push {ip, lr}
>> +* epilogue 1 -> pop {r1}
>> +* prologue 1, align8=1 -> push {r0, r1}
>> +* epilogue 1, push_ip=1 -> pop {r1, ip}
>> +* prologue 1, 4 -> push {r1-r4}
>> +* epilogue 1, 4 push_ip=1 -> pop {r1-r4, ip}
>> +*
>> +******************************************************************************/
>> +
>> +/* Emit .cfi_restore directives for a consecutive sequence of
>> registers. */
>> + .macro cfirestorelist first, last
>> + .cfi_restore \last
>> + .if \last-\first
>> + cfirestorelist \first, \last-1
>> + .endif
>> + .endm
>> +
>> +/* Emit .cfi_offset directives for a consecutive sequence of
>> registers. */
>> + .macro cfisavelist first, last, index=1
>> + .cfi_offset \last, -4*(\index)
>> + .if \last-\first
>> + cfisavelist \first, \last-1, \index+1
>> + .endif
>> + .endm
>> +
>> +.macro _prologue first=-1, last=-1, push_ip=PAC_LEAF_PUSH_IP, push_lr=0
>> + .if \push_ip & 1 != \push_ip
>> + .error "push_ip may be either 0 or 1"
>> + .endif
>> + .if \push_lr & 1 != \push_lr
>> + .error "push_lr may be either 0 or 1"
>> + .endif
>> + .if \first != -1
>> + .if \last == -1
>> + /* Upper-bound not provided: Set upper = lower. */
>> + _prologue \first, \first, \push_ip, \push_lr
>> + .exitm
>> + .endif
>> + .endif
>> +#if HAVE_PAC_LEAF
>> +#if __ARM_FEATURE_BTI_DEFAULT
>> + pacbti ip, lr, sp
>> +#else
>> + pac ip, lr, sp
>> +#endif /* __ARM_FEATURE_BTI_DEFAULT */
>> + .cfi_register 143, 12
>> +#else
>> +#if __ARM_FEATURE_BTI_DEFAULT
>> + bti
>> +#endif /* __ARM_FEATURE_BTI_DEFAULT */
>> +#endif /* HAVE_PAC_LEAF */
>> + .if \first != -1
>> + .if \last != \first
>> + .if \last >= 13
>> + .error "SP cannot be in the save list"
>> + .endif
> I think you should also check that IP (r12) is not in the range,
> otherwise I think nothing prevents from doing
> prologue 12, push_ip=1 which will result in emitting push {r12, ip}
> (I suppose gas would complain?)
> .... scratch that, I saw later that this sanity checking is performed in
> _preprocess_reglist1 :-)
>
>
>> + .if \push_ip
>> + .if \push_lr
>> + /* Case 1: push register range, ip and lr registers. */
>> + push {r\first-r\last, ip, lr}
>> + .cfi_adjust_cfa_offset ((\last-\first)+3)*4
>> + .cfi_offset 14, -4
>> + .cfi_offset 143, -8
>> + cfisavelist \first, \last, 3
>> + .else // !\push_lr
>> + /* Case 2: push register range and ip register. */
>> + push {r\first-r\last, ip}
>> + .cfi_adjust_cfa_offset ((\last-\first)+2)*4
>> + .cfi_offset 143, -4
>> + cfisavelist \first, \last, 2
>> + .endif
>> + .else // !\push_ip
>> + .if \push_lr
>> + /* Case 3: push register range and lr register. */
>> + push {r\first-r\last, lr}
>> + .cfi_adjust_cfa_offset ((\last-\first)+2)*4
>> + .cfi_offset 14, -4
>> + cfisavelist \first, \last, 2
>> + .else // !\push_lr
>> + /* Case 4: push register range. */
>> + push {r\first-r\last}
>> + .cfi_adjust_cfa_offset ((\last-\first)+1)*4
>> + cfisavelist \first, \last, 1
>> + .endif
>> + .endif
>> + .else // \last == \first
>> + .if \push_ip
>> + .if \push_lr
>> + /* Case 5: push single GP register plus ip and lr registers. */
>> + push {r\first, ip, lr}
>> + .cfi_adjust_cfa_offset 12
>> + .cfi_offset 14, -4
>> + .cfi_offset 143, -8
>> + cfisavelist \first, \first, 3
>> + .else // !\push_lr
>> + /* Case 6: push single GP register plus ip register. */
>> + push {r\first, ip}
>> + .cfi_adjust_cfa_offset 8
>> + .cfi_offset 143, -4
>> + cfisavelist \first, \first, 2
>> + .endif
>> + .else // !\push_ip
>> + .if \push_lr
>> + /* Case 7: push single GP register plus lr register. */
>> + push {r\first, lr}
>> + .cfi_adjust_cfa_offset 8
>> + .cfi_offset 14, -4
>> + cfisavelist \first, \first, 2
>> + .else // !\push_lr
>> + /* Case 8: push single GP register. */
>> + push {r\first}
>> + .cfi_adjust_cfa_offset 4
>> + cfisavelist \first, \first, 1
>> + .endif
>> + .endif
>> + .endif
>> + .else // \first == -1
>> + .if \push_ip
>> + .if \push_lr
>> + /* Case 9: push ip and lr registers. */
>> + push {ip, lr}
>> + .cfi_adjust_cfa_offset 8
>> + .cfi_offset 14, -4
>> + .cfi_offset 143, -8
>> + .else // !\push_lr
>> + /* Case 10: push ip register. */
>> + push {ip}
>> + .cfi_adjust_cfa_offset 4
>> + .cfi_offset 143, -4
>> + .endif
>> + .else // !\push_ip
>> + .if \push_lr
>> + /* Case 11: push lr register. */
>> + push {lr}
>> + .cfi_adjust_cfa_offset 4
>> + .cfi_offset 14, -4
>> + .endif
>> + .endif
>> + .endif
>> +.endm
>> +
>> +.macro _epilogue first=-1, last=-1, push_ip=PAC_LEAF_PUSH_IP, push_lr=0
>> + .if \push_ip & 1 != \push_ip
>> + .error "push_ip may be either 0 or 1"
>> + .endif
>> + .if \push_lr & 1 != \push_lr
>> + .error "push_lr may be either 0 or 1"
>> + .endif
>> + .if \first != -1
>> + .if \last == -1
>> + /* Upper-bound not provided: Set upper = lower. */
>> + _epilogue \first, \first, \push_ip, \push_lr
>> + .exitm
>> + .endif
>> + .if \last != \first
>> + .if \last >= 13
>> + .error "SP cannot be in the save list"
>> + .endif
>> + .if \push_ip
>> + .if \push_lr
>> + /* Case 1: pop register range, ip and lr registers. */
>> + pop {r\first-r\last, ip, lr}
>> + .cfi_restore 14
>> + .cfi_register 143, 12
>> + cfirestorelist \first, \last
>> + .else // !\push_lr
>> + /* Case 2: pop register range and ip register. */
>> + pop {r\first-r\last, ip}
>> + .cfi_register 143, 12
>> + cfirestorelist \first, \last
>> + .endif
>> + .else // !\push_ip
>> + .if \push_lr
>> + /* Case 3: pop register range and lr register. */
>> + pop {r\first-r\last, lr}
>> + .cfi_restore 14
>> + cfirestorelist \first, \last
>> + .else // !\push_lr
>> + /* Case 4: pop register range. */
>> + pop {r\first-r\last}
>> + cfirestorelist \first, \last
>> + .endif
>> + .endif
>> + .else // \last == \first
>> + .if \push_ip
>> + .if \push_lr
>> + /* Case 5: pop single GP register plus ip and lr registers. */
>> + pop {r\first, ip, lr}
>> + .cfi_restore 14
>> + .cfi_register 143, 12
>> + cfirestorelist \first, \first
>> + .else // !\push_lr
>> + /* Case 6: pop single GP register plus ip register. */
>> + pop {r\first, ip}
>> + .cfi_register 143, 12
>> + cfirestorelist \first, \first
>> + .endif
>> + .else // !\push_ip
>> + .if \push_lr
>> + /* Case 7: pop single GP register plus lr register. */
>> + pop {r\first, lr}
>> + .cfi_restore 14
>> + cfirestorelist \first, \first
>> + .else // !\push_lr
>> + /* Case 8: pop single GP register. */
>> + pop {r\first}
>> + cfirestorelist \first, \first
>> + .endif
>> + .endif
>> + .endif
>> + .else // \first == -1
>> + .if \push_ip
>> + .if \push_lr
>> + /* Case 9: pop ip and lr registers. */
>> + pop {ip, lr}
>> + .cfi_restore 14
>> + .cfi_register 143, 12
>> + .else // !\push_lr
>> + /* Case 10: pop ip register. */
>> + pop {ip}
>> + .cfi_register 143, 12
>> + .endif
>> + .else // !\push_ip
>> + .if \push_lr
>> + /* Case 11: pop lr register. */
>> + pop {lr}
>> + .cfi_restore 14
>> + .endif
>> + .endif
>> + .endif
>> +#if HAVE_PAC_LEAF
>> + aut ip, lr, sp
>> +#endif /* HAVE_PAC_LEAF */
>> + bx lr
>> +.endm
>> +
>> +# clean up expressions in 'last'
>> +.macro _preprocess_reglist1 first:req, last:req, push_ip:req,
>> push_lr:req, reglist_op:req
>> + .if \last == 0
>> + \reglist_op \first, 0, \push_ip, \push_lr
>> + .elseif \last == 1
>> + \reglist_op \first, 1, \push_ip, \push_lr
>> + .elseif \last == 2
>> + \reglist_op \first, 2, \push_ip, \push_lr
>> + .elseif \last == 3
>> + \reglist_op \first, 3, \push_ip, \push_lr
>> + .elseif \last == 4
>> + \reglist_op \first, 4, \push_ip, \push_lr
>> + .elseif \last == 5
>> + \reglist_op \first, 5, \push_ip, \push_lr
>> + .elseif \last == 6
>> + \reglist_op \first, 6, \push_ip, \push_lr
>> + .elseif \last == 7
>> + \reglist_op \first, 7, \push_ip, \push_lr
>> + .elseif \last == 8
>> + \reglist_op \first, 8, \push_ip, \push_lr
>> + .elseif \last == 9
>> + \reglist_op \first, 9, \push_ip, \push_lr
>> + .elseif \last == 10
>> + \reglist_op \first, 10, \push_ip, \push_lr
>> + .elseif \last == 11
>> + \reglist_op \first, 11, \push_ip, \push_lr
>> + .else
>> + .error "last (\last) out of range"
>> + .endif
>> +.endm
>> +
>> +# clean up expressions in 'first'
>> +.macro _preprocess_reglist first:req, last, push_ip=0, push_lr=0,
>> reglist_op:req
>> + .ifb \last
>> + _preprocess_reglist \first \first \push_ip \push_lr
>> + .else
>> + .if \first > \last
>> + .error "last (\last) must be at least as great as first (\first)"
>> + .endif
>> + .if \first == 0
>> + _preprocess_reglist1 0, \last, \push_ip, \push_lr, \reglist_op
>> + .elseif \first == 1
>> + _preprocess_reglist1 1, \last, \push_ip, \push_lr, \reglist_op
>> + .elseif \first == 2
>> + _preprocess_reglist1 2, \last, \push_ip, \push_lr, \reglist_op
>> + .elseif \first == 3
>> + _preprocess_reglist1 3, \last, \push_ip, \push_lr, \reglist_op
>> + .elseif \first == 4
>> + _preprocess_reglist1 4, \last, \push_ip, \push_lr, \reglist_op
>> + .elseif \first == 5
>> + _preprocess_reglist1 5, \last, \push_ip, \push_lr, \reglist_op
>> + .elseif \first == 6
>> + _preprocess_reglist1 6, \last, \push_ip, \push_lr, \reglist_op
>> + .elseif \first == 7
>> + _preprocess_reglist1 7, \last, \push_ip, \push_lr, \reglist_op
>> + .elseif \first == 8
>> + _preprocess_reglist1 8, \last, \push_ip, \push_lr, \reglist_op
>> + .elseif \first == 9
>> + _preprocess_reglist1 9, \last, \push_ip, \push_lr, \reglist_op
>> + .elseif \first == 10
>> + _preprocess_reglist1 10, \last, \push_ip, \push_lr, \reglist_op
>> + .elseif \first == 11
>> + _preprocess_reglist1 11, \last, \push_ip, \push_lr, \reglist_op
>> + .else
>> + .error "first (\first) out of range"
>> + .endif
>> + .endif
>> +.endm
>> +
>> +.macro _align8 first, last, push_ip=0, push_lr=0, reglist_op=_prologue
>> + .ifb \first
>> + .ifnb \last
>> + .error "can't have last (\last) without specifying first"
>> + .else // \last not blank
>> + .if ((\push_ip + \push_lr) % 2) == 0
>> + \reglist_op first=-1, last=-1, push_ip=\push_ip, push_lr=\push_lr
>> + .exitm
>> + .else // ((\push_ip + \push_lr) % 2) odd
>> + _align8 2, 2, \push_ip, \push_lr, \reglist_op
>> + .exitm
>> + .endif // ((\push_ip + \push_lr) % 2) == 0
>> + .endif // .ifnb \last
>> + .endif // .ifb \first
>> +
>> + .ifb \last
>> + _align8 \first, \first, \push_ip, \push_lr, \reglist_op
>> + .else
>> + .if \push_ip & 1 <> \push_ip
>> + .error "push_ip may be 0 or 1"
>> + .endif
>> + .if \push_lr & 1 <> \push_lr
>> + .error "push_lr may be 0 or 1"
>> + .endif
>> + .ifeq (\last - \first + \push_ip + \push_lr) % 2
>> + .if \first == 0
>> + .error "Alignment required and first register is r0"
>> + .exitm
>> + .endif
>> + _preprocess_reglist \first-1, \last, \push_ip, \push_lr,
>> \reglist_op
>> + .else
>> + _preprocess_reglist \first \last, \push_ip, \push_lr, \reglist_op
>> + .endif
>> + .endif
>> +.endm
>> +
>> +.macro prologue first, last, push_ip=PAC_LEAF_PUSH_IP, push_lr=0,
>> align8=STACK_ALIGN_ENFORCE
>> + .if \align8
>> + _align8 \first, \last, \push_ip, \push_lr, _prologue
>> + .else
>> + _prologue first=\first, last=\last, push_ip=\push_ip,
>> push_lr=\push_lr
>> + .endif
>> +.endm
>> +
>> +.macro epilogue first, last, push_ip=PAC_LEAF_PUSH_IP, push_lr=0,
>> align8=STACK_ALIGN_ENFORCE
>> + .if \align8
>> + _align8 \first, \last, \push_ip, \push_lr, reglist_op=_epilogue
>> + .else
>> + _epilogue first=\first, last=\last, push_ip=\push_ip,
>> push_lr=\push_lr
>> + .endif
>> +.endm
>> +
>> +#endif /* __ASSEMBLER__ */
>> +
>> #endif /* ARM_ASM__H */
More information about the Newlib
mailing list