/*-
 * Copyright (c) 2014 Andrew Turner
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * Assembler helper macros for AArch64 (.S files run through the C
 * preprocessor): function entry/exit, fault-handler and user-access (PAN)
 * helpers, the ERET speculation barrier, BTI/PAC hint instructions and the
 * GNU property note.  A 32-bit arm build is redirected to <arm/asm.h>.
 */
#ifdef __arm__
#include <arm/asm.h>
#else /* !__arm__ */

#ifndef _MACHINE_ASM_H_
#define _MACHINE_ASM_H_

/*
 * __FBSDID(s) emits s through .ident unless lint or STRIP_FBSDID is
 * defined, in which case it expands to nothing.
 */
#undef __FBSDID
#if !defined(lint) && !defined(STRIP_FBSDID)
#define __FBSDID(s)     .ident s
#else
#define __FBSDID(s)     /* nothing */
#endif

/* _C_LABEL(x) expands to x unchanged. */
#define _C_LABEL(x)     x

/*
 * DTRACE_NOP is a single nop when KDTRACE_HOOKS is defined and empty
 * otherwise.  LENTRY places it directly after BTI_C.
 * NOTE(review): presumably a patch point for DTrace probes; confirm.
 */
#ifdef KDTRACE_HOOKS
#define DTRACE_NOP      nop
#else
#define DTRACE_NOP
#endif

/*
 * Function entry and exit markers.
 *
 * LENTRY(sym) defines sym as a function symbol in .text (.align 2),
 *             opens a CFI region and emits BTI_C and DTRACE_NOP.
 * ENTRY(sym)  is LENTRY(sym) with the symbol made global.
 * EENTRY(sym) only declares a global function symbol: it emits no
 *             .cfi_startproc, no BTI_C and no DTRACE_NOP.
 * LEND/END    emit the literal pool (.ltorg), close the CFI region and
 *             set the symbol size.
 * EEND(sym)   expands to nothing.
 *
 * NOTE(review): as EENTRY does not emit a BTI landing pad, a label
 * declared with it that is the target of a BR/BLR in guarded memory
 * would need its own BTI_C/BTI_J; confirm at the use sites.
 */
#define LENTRY(sym)                                             \
        .text; .align 2; .type sym,#function; sym:              \
        .cfi_startproc; BTI_C; DTRACE_NOP
#define ENTRY(sym)                                              \
        .globl sym; LENTRY(sym)
#define EENTRY(sym)                                             \
        .globl  sym; .text; .align 2; .type sym,#function; sym:
#define LEND(sym) .ltorg; .cfi_endproc; .size sym, . - sym
#define END(sym) LEND(sym)
#define EEND(sym)

/* Declare alias as a weak symbol with the same value as sym. */
#define WEAK_REFERENCE(sym, alias)                              \
        .weak alias;                                            \
        .set alias,sym

/* UINT64_C(x) expands to (x); no integer suffix is added. */
#define UINT64_C(x)     (x)

/*
 * PIC_SYM(x,y) pastes x, '@' and y together when PIC is defined and
 * expands to x alone otherwise.
 */
#if defined(PIC)
#define PIC_SYM(x,y)    x ## @ ## y
#else
#define PIC_SYM(x,y)    x
#endif

/* Alias for link register x30 */
#define lr              x30

/*
 * Check whether a given CPU feature is present; if it is not, jump to the
 * given label.  The tmp register should be a register able to hold the
 * temporary data.
 *
 * The macro reads <feat_reg>_el1, extracts the <feat> field with ubfx
 * (zero-extended) and compares it with <min_val> shifted down by the
 * field's shift.  It clobbers tmp and the condition flags.
 *
 * NOTE(review): the field is compared as a small non-negative integer.
 * An ID register field with a signed encoding would presumably be
 * misjudged by this test; confirm before using it with such a field.
 */
#define CHECK_CPU_FEAT(tmp, feat_reg, feat, min_val, label)     \
        mrs tmp, ##feat_reg##_el1;                              \
        ubfx tmp, tmp, ##feat_reg##_##feat##_SHIFT, ##feat_reg##_##feat##_WIDTH; \
        cmp tmp, #(##feat_reg##_##feat##_##min_val## >> ##feat_reg##_##feat##_SHIFT); \
        b.lt label

/*
 * Sets the trap fault handler.  On a data abort the exception handler
 * will return to the address in the handler register.  Pass the xzr
 * register as the handler to clear it.  The tmp parameter should be a
 * register able to hold the temporary data.
 *
 * The macro loads curthread through x18 (PC_CURTHREAD), then the pcb
 * (TD_PCB), and stores handler at PCB_ONFAULT.  It clobbers tmp.
 *
 * NOTE(review): a handler that stays installed after the guarded access
 * has finished would presumably redirect a later, unrelated data abort
 * to a stale address; check that every exit path clears it with xzr.
 */
#define SET_FAULT_HANDLER(handler, tmp)                                 \
        ldr     tmp, [x18, #PC_CURTHREAD];      /* Load curthread */    \
        ldr     tmp, [tmp, #TD_PCB];            /* Load the pcb */      \
        str     handler, [tmp, #PCB_ONFAULT]    /* Set the handler */

/*
 * User-access windows.
 *
 * ENTER_USER_ACCESS(reg, tmp) loads has_pan into reg and, when it is
 * non-zero, writes 0 to PAN so that the following code may access user
 * memory.  tmp is clobbered; reg is left holding the has_pan value.
 *
 * EXIT_USER_ACCESS(reg) writes 1 to PAN when reg is non-zero.  It does
 * not reload has_pan, so reg must still hold the value loaded by
 * ENTER_USER_ACCESS: if reg was overwritten with zero in between, the
 * msr is skipped and PAN checks stay disabled.
 *
 * EXIT_USER_ACCESS_CHECK(reg, tmp) reloads has_pan before deciding, so
 * it does not depend on reg having been preserved.
 * NOTE(review): presumably intended for paths such as fault handlers
 * where reg cannot be trusted; confirm against the callers.
 *
 * Keep the window as short as possible and make sure every path that
 * leaves it, including the fault path, goes through one of the EXIT
 * macros.  The .arch_extension pan/nopan pair enables the PAN msr for
 * the assembler only around the instruction that needs it.  The macros
 * use the numeric local labels 997, 998 and 999.
 */
#define ENTER_USER_ACCESS(reg, tmp)                                     \
        ldr     tmp, =has_pan;          /* Get the addr of has_pan */   \
        ldr     reg, [tmp];             /* Read it */                   \
        cbz     reg, 997f;              /* If no PAN skip */            \
        .arch_extension pan;                                            \
        msr pan, #0;                    /* Disable PAN checks */        \
        .arch_extension nopan;                                          \
        997:

#define EXIT_USER_ACCESS(reg)                                           \
        cbz     reg, 998f;              /* If no PAN skip */            \
        .arch_extension pan;                                            \
        msr pan, #1;                    /* Enable PAN checks */         \
        .arch_extension nopan;                                          \
        998:

#define EXIT_USER_ACCESS_CHECK(reg, tmp)                                \
        ldr     tmp, =has_pan;          /* Get the addr of has_pan */   \
        ldr     reg, [tmp];             /* Read it */                   \
        cbz     reg, 999f;              /* If no PAN skip */            \
        .arch_extension pan;                                            \
        msr pan, #1;                    /* Enable PAN checks */         \
        .arch_extension nopan;                                          \
        999:

/*
 * Some AArch64 CPUs speculate past an eret instruction.  As the user may
 * control the registers at this point add a speculation barrier usable on
 * all AArch64 CPUs after the eret instruction.
 * TODO: ARMv8.5 adds a specific instruction for this, we could use that
 * if we know we are running on something that supports it.
 *
 * Use this macro rather than a bare eret so the barrier is never left out.
 */
#define ERET                                                            \
        eret;                                                           \
        dsb     sy;                                                     \
        isb

/*
 * When a CPU that implements FEAT_BTI uses a BR/BLR instruction (or the
 * pointer authentication variants, e.g. BLRAA) and the target location
 * has the GP attribute in its page table, then the target of the BR/BLR
 * needs to be a valid BTI landing pad.
 *
 * BTI_C should be used at the start of a function and is used in the
 * ENTRY macro.  It can be replaced by PACIASP or PACIBSP, however these
 * also need an appropriate authenticate instruction before returning.
 *
 * BTI_J should be used as the target instruction when branching with a
 * BR instruction within a function.
 *
 * When using a BR to branch to a new function, e.g. a tail call, then
 * the target register should be x16 or x17 so it is compatible with
 * the BTI_C instruction.
 *
 * As these instructions are in the hint space they are a NOP when
 * the CPU doesn't implement FEAT_BTI so are safe to use.
 *
 * When __ARM_FEATURE_BTI_DEFAULT is not defined both macros expand to
 * nothing, so ENTRY emits no landing pad in that configuration.
 */
#ifdef __ARM_FEATURE_BTI_DEFAULT
#define BTI_C   hint    #34     /* bti c */
#define BTI_J   hint    #36     /* bti j */
#else
#define BTI_C
#define BTI_J
#endif

/*
 * To help protect against ROP attacks we can use Pointer Authentication
 * to sign the return address before pushing it to the stack.
 *
 * PAC_LR_SIGN can be used at the start of a function to sign the link
 * register with the stack pointer as the modifier.  As this is in the hint
 * space it is safe to use on CPUs that don't implement pointer
 * authentication.  It can be used in place of the BTI_C instruction above as
 * a valid BTI landing pad instruction.
 *
 * PAC_LR_AUTH is used to authenticate the link register using the stack
 * pointer as the modifier.  It should be used in any function that uses
 * PAC_LR_SIGN.  The stack pointer must be identical in each case.
 *
 * A failed authentication does not necessarily trap at PAC_LR_AUTH itself:
 * on CPUs without FEAT_FPAC the link register is made invalid and the
 * fault is taken when it is used by the following return.
 *
 * When __ARM_FEATURE_PAC_DEFAULT is not defined both macros expand to
 * nothing and the return address is left unsigned.
 */
#ifdef __ARM_FEATURE_PAC_DEFAULT
#define PAC_LR_SIGN     hint    #25     /* paciasp */
#define PAC_LR_AUTH     hint    #29     /* autiasp */
#else
#define PAC_LR_SIGN
#define PAC_LR_AUTH
#endif

/*
 * GNU_PROPERTY_AARCH64_FEATURE_1_NOTE can be used to insert a note that
 * the current assembly file is built with Pointer Authentication (PAC) or
 * Branch Target Identification support (BTI).  The linker only emits the
 * GNU property note in the created ELF file when every object file in the
 * executable or library has it, so we need to add a note to all assembly
 * files that support BTI so the kernel and dynamic linker can mark memory
 * used by the file as guarded.
 *
 * The GNU_PROPERTY_AARCH64_FEATURE_1_VAL macro encodes the combination
 * of PAC and BTI that have been enabled.  It can be used as follows:
 * GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(GNU_PROPERTY_AARCH64_FEATURE_1_VAL);
 *
 * To use this you need to include <sys/elf_common.h> for
 * GNU_PROPERTY_AARCH64_FEATURE_1_*
 *
 * The note is a statement about the whole object file.
 * NOTE(review): adding it to a file in which some target of a BR/BLR has
 * no BTI_C/BTI_J landing pad would presumably fault once the memory is
 * mapped as guarded; check every entry point in the file before adding it.
 */
#if defined(__ARM_FEATURE_BTI_DEFAULT)
#if defined(__ARM_FEATURE_PAC_DEFAULT)
/* BTI, PAC */
#define GNU_PROPERTY_AARCH64_FEATURE_1_VAL                              \
    (GNU_PROPERTY_AARCH64_FEATURE_1_BTI | GNU_PROPERTY_AARCH64_FEATURE_1_PAC)
#else
/* BTI, no PAC */
#define GNU_PROPERTY_AARCH64_FEATURE_1_VAL                              \
    (GNU_PROPERTY_AARCH64_FEATURE_1_BTI)
#endif
#elif defined(__ARM_FEATURE_PAC_DEFAULT)
/* No BTI, PAC */
#define GNU_PROPERTY_AARCH64_FEATURE_1_VAL                              \
    (GNU_PROPERTY_AARCH64_FEATURE_1_PAC)
#else
/* No BTI, no PAC */
#define GNU_PROPERTY_AARCH64_FEATURE_1_VAL      0
#endif

/*
 * The note is emitted only when BTI or PAC is enabled by default; in any
 * other build the macro expands to nothing.  The note data is 0x10 bytes:
 * property type, property size, the value x and a final zero word.
 */
#if defined(__ARM_FEATURE_BTI_DEFAULT) || defined(__ARM_FEATURE_PAC_DEFAULT)
#define GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(x)                          \
    .section .note.gnu.property, "a";                                   \
    .balign 8;                                                          \
    .4byte 0x4;                         /* sizeof(vendor) */            \
    .4byte 0x10;                        /* sizeof(note data) */         \
    .4byte (NT_GNU_PROPERTY_TYPE_0);                                    \
    .asciz "GNU";                       /* vendor */                    \
    /* note data: */                                                    \
    .4byte (GNU_PROPERTY_AARCH64_FEATURE_1_AND);                        \
    .4byte 0x4;                         /* sizeof(property) */          \
    .4byte (x);                         /* property */                  \
    .4byte 0
#else
#define GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(x)
#endif

#endif /* _MACHINE_ASM_H_ */

#endif /* !__arm__ */