Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[sysvabi64] Document requirements for tools wrt BTI #282

Merged
merged 5 commits into from
Nov 18, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 63 additions & 3 deletions sysvabi64/sysvabi64.rst
Original file line number Diff line number Diff line change
Expand Up @@ -1646,9 +1646,8 @@ The following bits are defined for GNU_PROPERTY_AARCH64_FEATURE_1_AND:
+-----------------------------------------+------------+

``GNU_PROPERTY_AARCH64_FEATURE_1_BTI`` This indicates that all executable
sections are compatible with Branch Target Identification mechanism. An
executable or shared object with this bit set is required to generate
`Custom PLTs`_ with BTI instruction.
sections are compatible with Branch Target Identification mechanism. See
`Tool requirements for generating BTI instructions`_.

``GNU_PROPERTY_AARCH64_FEATURE_1_PAC`` This indicates that all
executable sections have been protected with Return Address Signing.
Expand All @@ -1671,6 +1670,67 @@ include:
* Any functions used by the program that manipulate the stack such as
``setjmp`` and ``longjmp``, must be aware of GCS.

Tool Requirements for generating BTI instructions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

For an executable or shared library to set
``GNU_PROPERTY_AARCH64_FEATURE_1_BTI`` every indirect branch to a
location in a guarded page must target a BTI instruction that is
compatible with the PSTATE.BTYPE value. Indirect branches can come
from:

* Relocatable object producers, such as a compiler or assembler.

* Static linkers when generating PLT sequences or veneers.

* Other executables and shared libraries via call from a PLT or a
function pointer.

It is desirable to minimize the number of BTI instructions to limit
the number of indirect branch destinations in the program. The
following tool requirements determine which tool has the
responsibility of inserting the BTI instruction, permitting a tool to
elide the BTI instruction when it can prove that there are no indirect
calls to that location.

* A relocatable object producer is required to add a BTI instruction
to the destination of an indirect branch originating in the same
relocatable object.

* A relocatable object producer is required to add a BTI instruction
to a location when the address of the location is live, and it
escapes to an entity that is permitted to generate an indirect
branch that is opaque to the relocatable object producer. This
includes the locations of all symbols that can be exported into the
dynamic symbol table by a static linker.

* A static linker is required to generate `Custom PLTs`_ with BTI
instructions.

* A static linker that uses indirect branches in veneers is required
to generate a BTI compatible landing pad if the target of the
indirect branch is defined within the same link unit and does not
have a compatible BTI instruction at the destination of the
veneer. A BTI compatible landing pad consists of a BTI instruction
followed by a direct branch. For example:

.. code-block:: asm

// Linker generated veneer using indirect branch
adrp x16, fn
add x16, :lo12: fn
br x16
...
// Linker generated BTI landing pad
bti c
b fn
...
// Destination of veneer without a BTI instruction.
fn:
// a non BTI instruction.

* A static linker is not required to insert BTI compatible landing
pads for symbols with section index ``SHN_ABS``.

Program Loading
---------------
Expand Down