1 /*- 2 * Copyright (c) 2014 Andrew Turner 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #ifdef __arm__ 28 #include <arm/asm.h> 29 #else /* !__arm__ */ 30 31 #ifndef _MACHINE_ASM_H_ 32 #define _MACHINE_ASM_H_ 33 34 #undef __FBSDID 35 #if !defined(lint) && !defined(STRIP_FBSDID) 36 #define __FBSDID(s) .ident s 37 #else 38 #define __FBSDID(s) /* nothing */ 39 #endif 40 41 #define _C_LABEL(x) x 42 43 #ifdef KDTRACE_HOOKS 44 #define DTRACE_NOP nop 45 #else 46 #define DTRACE_NOP 47 #endif 48 49 #define LENTRY(sym) \ 50 .text; .align 2; .type sym,#function; sym: \ 51 .cfi_startproc; BTI_C; DTRACE_NOP 52 #define ENTRY(sym) \ 53 .globl sym; LENTRY(sym) 54 #define EENTRY(sym) \ 55 .globl sym; .text; .align 2; .type sym,#function; sym: 56 #define LEND(sym) .ltorg; .cfi_endproc; .size sym, . - sym 57 #define END(sym) LEND(sym) 58 #define EEND(sym) 59 60 #define WEAK_REFERENCE(sym, alias) \ 61 .weak alias; \ 62 .set alias,sym 63 64 #define UINT64_C(x) (x) 65 66 #if defined(PIC) 67 #define PIC_SYM(x,y) x ## @ ## y 68 #else 69 #define PIC_SYM(x,y) x 70 #endif 71 72 /* Alias for link register x30 */ 73 #define lr x30 74 75 /* 76 * Sets the trap fault handler. The exception handler will return to the 77 * address in the handler register on a data abort or the xzr register to 78 * clear the handler. The tmp parameter should be a register able to hold 79 * the temporary data. 80 */ 81 #define SET_FAULT_HANDLER(handler, tmp) \ 82 ldr tmp, [x18, #PC_CURTHREAD]; /* Load curthread */ \ 83 ldr tmp, [tmp, #TD_PCB]; /* Load the pcb */ \ 84 str handler, [tmp, #PCB_ONFAULT] /* Set the handler */ 85 86 #define ENTER_USER_ACCESS(reg, tmp) \ 87 ldr tmp, =has_pan; /* Get the addr of has_pan */ \ 88 ldr reg, [tmp]; /* Read it */ \ 89 cbz reg, 997f; /* If no PAN skip */ \ 90 .inst 0xd500409f | (0 << 8); /* Clear PAN */ \ 91 997: 92 93 #define EXIT_USER_ACCESS(reg) \ 94 cbz reg, 998f; /* If no PAN skip */ \ 95 .inst 0xd500409f | (1 << 8); /* Set PAN */ \ 96 998: 97 98 #define EXIT_USER_ACCESS_CHECK(reg, tmp) \ 99 ldr tmp, =has_pan; /* Get the addr of has_pan */ \ 100 ldr reg, [tmp]; /* Read it */ \ 101 cbz reg, 999f; /* If no PAN skip */ \ 102 .inst 0xd500409f | (1 << 8); /* Set PAN */ \ 103 999: 104 105 /* 106 * Some AArch64 CPUs speculate past an eret instruction. As the user may 107 * control the registers at this point add a speculation barrier usable on 108 * all AArch64 CPUs after the eret instruction. 109 * TODO: ARMv8.5 adds a specific instruction for this, we could use that 110 * if we know we are running on something that supports it. 111 */ 112 #define ERET \ 113 eret; \ 114 dsb sy; \ 115 isb 116 117 /* 118 * When a CPU that implements FEAT_BTI uses a BR/BLR instruction (or the 119 * pointer authentication variants, e.g. BLRAA) and the target location 120 * has the GP attribute in its page table, then the target of the BR/BLR 121 * needs to be a valid BTI landing pad. 122 * 123 * BTI_C should be used at the start of a function and is used in the 124 * ENTRY macro. It can be replaced by PACIASP or PACIBSP, however these 125 * also need an appropriate authenticate instruction before returning. 126 * 127 * BTI_J should be used as the target instruction when branching with a 128 * BR instruction within a function. 129 * 130 * When using a BR to branch to a new function, e.g. a tail call, then 131 * the target register should be x16 or x17 so it is compatible with 132 * the BRI_C instruction. 133 * 134 * As these instructions are in the hint space they are a NOP when 135 * the CPU doesn't implement FEAT_BTI so are safe to use. 136 */ 137 #ifdef __ARM_FEATURE_BTI_DEFAULT 138 #define BTI_C hint #34 139 #define BTI_J hint #36 140 #else 141 #define BTI_C 142 #define BTI_J 143 #endif 144 145 /* 146 * To help protect against ROP attacks we can use Pointer Authentication 147 * to sign the return address before pushing it to the stack. 148 * 149 * PAC_LR_SIGN can be used at the start of a function to sign the link 150 * register with the stack pointer as the modifier. As this is in the hint 151 * space it is safe to use on CPUs that don't implement pointer 152 * authentication. It can be used in place of the BTI_C instruction above as 153 * a valid BTI landing pad instruction. 154 * 155 * PAC_LR_AUTH is used to authenticate the link register using the stack 156 * pointer as the modifier. It should be used in any function that uses 157 * PAC_LR_SIGN. The stack pointer must be identical in each case. 158 */ 159 #ifdef __ARM_FEATURE_PAC_DEFAULT 160 #define PAC_LR_SIGN hint #25 /* paciasp */ 161 #define PAC_LR_AUTH hint #29 /* autiasp */ 162 #else 163 #define PAC_LR_SIGN 164 #define PAC_LR_AUTH 165 #endif 166 167 /* 168 * GNU_PROPERTY_AARCH64_FEATURE_1_NOTE can be used to insert a note that 169 * the current assembly file is built with Pointer Authentication (PAC) or 170 * Branch Target Identification support (BTI). As the linker requires all 171 * object files in an executable or library to have the GNU property 172 * note to emit it in the created elf file we need to add a note to all 173 * assembly files that support BTI so the kernel and dynamic linker can 174 * mark memory used by the file as guarded. 175 * 176 * The GNU_PROPERTY_AARCH64_FEATURE_1_VAL macro encodes the combination 177 * of PAC and BTI that have been enabled. It can be used as follows: 178 * GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(GNU_PROPERTY_AARCH64_FEATURE_1_VAL); 179 * 180 * To use this you need to include <sys/elf_common.h> for 181 * GNU_PROPERTY_AARCH64_FEATURE_1_* 182 */ 183 #if defined(__ARM_FEATURE_BTI_DEFAULT) 184 #if defined(__ARM_FEATURE_PAC_DEFAULT) 185 /* BTI, PAC */ 186 #define GNU_PROPERTY_AARCH64_FEATURE_1_VAL \ 187 (GNU_PROPERTY_AARCH64_FEATURE_1_BTI | GNU_PROPERTY_AARCH64_FEATURE_1_PAC) 188 #else 189 /* BTI, no PAC */ 190 #define GNU_PROPERTY_AARCH64_FEATURE_1_VAL \ 191 (GNU_PROPERTY_AARCH64_FEATURE_1_BTI) 192 #endif 193 #elif defined(__ARM_FEATURE_PAC_DEFAULT) 194 /* No BTI, PAC */ 195 #define GNU_PROPERTY_AARCH64_FEATURE_1_VAL \ 196 (GNU_PROPERTY_AARCH64_FEATURE_1_PAC) 197 #else 198 /* No BTI, no PAC */ 199 #define GNU_PROPERTY_AARCH64_FEATURE_1_VAL 0 200 #endif 201 202 #if defined(__ARM_FEATURE_BTI_DEFAULT) || defined(__ARM_FEATURE_PAC_DEFAULT) 203 #define GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(x) \ 204 .section .note.gnu.property, "a"; \ 205 .balign 8; \ 206 .4byte 0x4; /* sizeof(vendor) */ \ 207 .4byte 0x10; /* sizeof(note data) */ \ 208 .4byte (NT_GNU_PROPERTY_TYPE_0); \ 209 .asciz "GNU"; /* vendor */ \ 210 /* note data: */ \ 211 .4byte (GNU_PROPERTY_AARCH64_FEATURE_1_AND); \ 212 .4byte 0x4; /* sizeof(property) */ \ 213 .4byte (x); /* property */ \ 214 .4byte 0 215 #else 216 #define GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(x) 217 #endif 218 219 #endif /* _MACHINE_ASM_H_ */ 220 221 #endif /* !__arm__ */ 222