master
1/*-
2 * Copyright (c) 2014 Andrew Turner
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#ifdef __arm__
28#include <arm/asm.h>
29#else /* !__arm__ */
30
31#ifndef _MACHINE_ASM_H_
32#define _MACHINE_ASM_H_
33
34#undef __FBSDID
35#if !defined(lint) && !defined(STRIP_FBSDID)
36#define __FBSDID(s) .ident s
37#else
38#define __FBSDID(s) /* nothing */
39#endif
40
41#define _C_LABEL(x) x
42
43#ifdef KDTRACE_HOOKS
44#define DTRACE_NOP nop
45#else
46#define DTRACE_NOP
47#endif
48
49#define LENTRY(sym) \
50 .text; .align 2; .type sym,#function; sym: \
51 .cfi_startproc; BTI_C; DTRACE_NOP
52#define ENTRY(sym) \
53 .globl sym; LENTRY(sym)
54#define EENTRY(sym) \
55 .globl sym; .text; .align 2; .type sym,#function; sym:
56#define LEND(sym) .ltorg; .cfi_endproc; .size sym, . - sym
57#define END(sym) LEND(sym)
58#define EEND(sym)
59
60#define WEAK_REFERENCE(sym, alias) \
61 .weak alias; \
62 .set alias,sym
63
64#define UINT64_C(x) (x)
65
66#if defined(PIC)
67#define PIC_SYM(x,y) x ## @ ## y
68#else
69#define PIC_SYM(x,y) x
70#endif
71
72/* Alias for link register x30 */
73#define lr x30
74
75/*
76 * Sets the trap fault handler. The exception handler will return to the
77 * address in the handler register on a data abort or the xzr register to
78 * clear the handler. The tmp parameter should be a register able to hold
79 * the temporary data.
80 */
81#define SET_FAULT_HANDLER(handler, tmp) \
82 ldr tmp, [x18, #PC_CURTHREAD]; /* Load curthread */ \
83 ldr tmp, [tmp, #TD_PCB]; /* Load the pcb */ \
84 str handler, [tmp, #PCB_ONFAULT] /* Set the handler */
85
86#define ENTER_USER_ACCESS(reg, tmp) \
87 ldr tmp, =has_pan; /* Get the addr of has_pan */ \
88 ldr reg, [tmp]; /* Read it */ \
89 cbz reg, 997f; /* If no PAN skip */ \
90 .inst 0xd500409f | (0 << 8); /* Clear PAN */ \
91 997:
92
93#define EXIT_USER_ACCESS(reg) \
94 cbz reg, 998f; /* If no PAN skip */ \
95 .inst 0xd500409f | (1 << 8); /* Set PAN */ \
96 998:
97
98#define EXIT_USER_ACCESS_CHECK(reg, tmp) \
99 ldr tmp, =has_pan; /* Get the addr of has_pan */ \
100 ldr reg, [tmp]; /* Read it */ \
101 cbz reg, 999f; /* If no PAN skip */ \
102 .inst 0xd500409f | (1 << 8); /* Set PAN */ \
103 999:
104
105/*
106 * Some AArch64 CPUs speculate past an eret instruction. As the user may
107 * control the registers at this point add a speculation barrier usable on
108 * all AArch64 CPUs after the eret instruction.
109 * TODO: ARMv8.5 adds a specific instruction for this, we could use that
110 * if we know we are running on something that supports it.
111 */
112#define ERET \
113 eret; \
114 dsb sy; \
115 isb
116
117/*
118 * When a CPU that implements FEAT_BTI uses a BR/BLR instruction (or the
119 * pointer authentication variants, e.g. BLRAA) and the target location
120 * has the GP attribute in its page table, then the target of the BR/BLR
121 * needs to be a valid BTI landing pad.
122 *
123 * BTI_C should be used at the start of a function and is used in the
124 * ENTRY macro. It can be replaced by PACIASP or PACIBSP, however these
125 * also need an appropriate authenticate instruction before returning.
126 *
127 * BTI_J should be used as the target instruction when branching with a
128 * BR instruction within a function.
129 *
130 * When using a BR to branch to a new function, e.g. a tail call, then
131 * the target register should be x16 or x17 so it is compatible with
132 * the BRI_C instruction.
133 *
134 * As these instructions are in the hint space they are a NOP when
135 * the CPU doesn't implement FEAT_BTI so are safe to use.
136 */
137#ifdef __ARM_FEATURE_BTI_DEFAULT
138#define BTI_C hint #34
139#define BTI_J hint #36
140#else
141#define BTI_C
142#define BTI_J
143#endif
144
145/*
146 * To help protect against ROP attacks we can use Pointer Authentication
147 * to sign the return address before pushing it to the stack.
148 *
149 * PAC_LR_SIGN can be used at the start of a function to sign the link
150 * register with the stack pointer as the modifier. As this is in the hint
151 * space it is safe to use on CPUs that don't implement pointer
152 * authentication. It can be used in place of the BTI_C instruction above as
153 * a valid BTI landing pad instruction.
154 *
155 * PAC_LR_AUTH is used to authenticate the link register using the stack
156 * pointer as the modifier. It should be used in any function that uses
157 * PAC_LR_SIGN. The stack pointer must be identical in each case.
158 */
159#ifdef __ARM_FEATURE_PAC_DEFAULT
160#define PAC_LR_SIGN hint #25 /* paciasp */
161#define PAC_LR_AUTH hint #29 /* autiasp */
162#else
163#define PAC_LR_SIGN
164#define PAC_LR_AUTH
165#endif
166
167/*
168 * GNU_PROPERTY_AARCH64_FEATURE_1_NOTE can be used to insert a note that
169 * the current assembly file is built with Pointer Authentication (PAC) or
170 * Branch Target Identification support (BTI). As the linker requires all
171 * object files in an executable or library to have the GNU property
172 * note to emit it in the created elf file we need to add a note to all
173 * assembly files that support BTI so the kernel and dynamic linker can
174 * mark memory used by the file as guarded.
175 *
176 * The GNU_PROPERTY_AARCH64_FEATURE_1_VAL macro encodes the combination
177 * of PAC and BTI that have been enabled. It can be used as follows:
178 * GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(GNU_PROPERTY_AARCH64_FEATURE_1_VAL);
179 *
180 * To use this you need to include <sys/elf_common.h> for
181 * GNU_PROPERTY_AARCH64_FEATURE_1_*
182 */
183#if defined(__ARM_FEATURE_BTI_DEFAULT)
184#if defined(__ARM_FEATURE_PAC_DEFAULT)
185/* BTI, PAC */
186#define GNU_PROPERTY_AARCH64_FEATURE_1_VAL \
187 (GNU_PROPERTY_AARCH64_FEATURE_1_BTI | GNU_PROPERTY_AARCH64_FEATURE_1_PAC)
188#else
189/* BTI, no PAC */
190#define GNU_PROPERTY_AARCH64_FEATURE_1_VAL \
191 (GNU_PROPERTY_AARCH64_FEATURE_1_BTI)
192#endif
193#elif defined(__ARM_FEATURE_PAC_DEFAULT)
194/* No BTI, PAC */
195#define GNU_PROPERTY_AARCH64_FEATURE_1_VAL \
196 (GNU_PROPERTY_AARCH64_FEATURE_1_PAC)
197#else
198/* No BTI, no PAC */
199#define GNU_PROPERTY_AARCH64_FEATURE_1_VAL 0
200#endif
201
202#if defined(__ARM_FEATURE_BTI_DEFAULT) || defined(__ARM_FEATURE_PAC_DEFAULT)
203#define GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(x) \
204 .section .note.gnu.property, "a"; \
205 .balign 8; \
206 .4byte 0x4; /* sizeof(vendor) */ \
207 .4byte 0x10; /* sizeof(note data) */ \
208 .4byte (NT_GNU_PROPERTY_TYPE_0); \
209 .asciz "GNU"; /* vendor */ \
210 /* note data: */ \
211 .4byte (GNU_PROPERTY_AARCH64_FEATURE_1_AND); \
212 .4byte 0x4; /* sizeof(property) */ \
213 .4byte (x); /* property */ \
214 .4byte 0
215#else
216#define GNU_PROPERTY_AARCH64_FEATURE_1_NOTE(x)
217#endif
218
219#endif /* _MACHINE_ASM_H_ */
220
221#endif /* !__arm__ */