arch/arm64: Add Branch Target Identification

[michpappas]

Prerequisite checklist

• Read the contribution guidelines regarding submitting new changes to the project;
• Tested your changes against relevant architectures and platforms;
• Ran the checkpatch.pl on your commit series before opening this PR;
• Updated relevant documentation.

Base target

• Architecture(s): [e.g. arm64]
• Platform(s): [common]
• Application(s): [N/A]

Additional configuration

This PR introduces a new Kconfig option, CONFIG_ARM64_FEAT_BTI. For details, see below.

Description of changes

FEAT_BTI is a hardware protection against JOP-like attacks.
To do that, it introduces:

• The BTI instruction.
• The GP field in Stage 1 PTEs.
• The PSTATE.BTYPE field.

BTI instructions, aka landing pads, are placed by the compiler at branch targets. On runtime, branches that do not land on a BTI instruction trigger an Branch Target Exception.

The GP field indicates whether a page is guarded with BTI. This is allows backwards compatibilty, by disabling BTI on pages that contain non-BTI guarded code. Notice that BTI instructions on unguarded pages execute as NOP.

PSTATE.BTYPE encodes the type of an indirect jump, ie the branch instruction, the registers used to carry parameters, and whether the target page is guarded or or not. When an indirect branch is taken, the processor checks whether PSATE.BTYPE matches the type of the branch target, and on negative match it generates an Branch Target Exception. The purpose of this is to further limit the scope of possible gadgets among BTI protected branches. Notice that there are exceptions to this. For details see D5.4.4 in [2].

Architecture Support

Armv8.5-a introduces FEAT_BTI as a mandatory feature. This feature is only available in AArch64.

GCC Support

GCC-9 introduces support for Armv8.5-A. BTI is supported through the -mbranch-protection parameter.

The parameters passed to -mbranch-protection are interpreted as:

• none: Disables all branch protections.
• pac-ret: Enables PAuth for function returns on non-leaf functions. The +leaf modifier enables protection for leaf functions.
• bti: Enables BTI.
• standard: Enables all branch protections.

GCC-9 comes with an issue where under certain conditions incorrect BTI instructions are generated. Due of that issue, for BTI support in Unikraft we mandate GCC => 10.

Backwards Compatibility

BTI is implemented as hint instructions. Processors based on older architecture revisions will execute these as NOP.

Changes introduced in this PR

This PR adds BTI support on arm64-based platforms through a new Kconfig option CONFIG_ARM64_FEAT_BTI. Enabling this option instructs GCC to instrument branch targets with landing pads. The default PTE attributes of executable pages and blocks are updated to set the GP attribute when BTI is enabled.

Platform Requirements

As GCC only generates BTI instructions for C code, platforms need to make sure that assembly functions that are called through indirect branching are updated with landing pads before BTI support is enabled.

References

1. Learn the architecture: Providing protection for complex software
2. The Arm Architecture Reference Manual Armv8, for Armv8-A architecture profile

[michpappas]

This PR depends on #369

[rene]

These instructions should be conditional to CONFIG_ARM64_FEAT_BTI. Otherwise will break the build for older compilers (i.e. gcc < 9).

[michpappas]

Good point. Actually this commit can be removed if PSCI calls are migrated to use the SMCCC API. @razvanvirtan, the BTI PR is scheduled for this release. Are you planning to include the PSCI change on this release too? If not I can push a update on this PR with @rene's suggestion.

[razvanvirtan]

@michpappas I have created the PSCI change PR: #428
From what I see, this PR (the BTI one) is planed for the next release (0.9), so I think the PSCI one can be included in that release too.

[michpappas]

@razvanvirtan awesome, thanks a lot 🚀 I'll look at it this weekend. @razvand could we schedule this one for 0.9 too?

[rene]

Please, fix copyright information.

[michpappas]

Actually this is intentional, because these headers are empty, so I think it doesn't make sense to grant the copyright to myself. The idea was that the copyright should be updated by whoever adds content. This is also what I do in the next commit where I add come content to arch/arm/arm64/include/uk/asm/compile.h and grant the copyright to myself.

[rene]

Please, fix copyright information.

[rene]

Please, fix copyright information.

[michpappas]

Updated PR with a fix for checkpatch

[michpappas]

Changes in this update:

• Replaced commit with changes in PSCI calls with dependency to plat/kvm/arm: Replace psci functions with generic SMCCC calls #428
• Add PAuth / BTI instructions to SMCCC conduits to fix a but (see commit description)

[michpappas]

@razvand, @razvanvirtan, @rene, @vladandrew this PR now depends on #428. I have also added this commit in this series to facilitate testing. Will rebase once #428 is merged.

[StefanJum]

Looks good to me!
Should be rebased now that #428 is merged.

Reviewed-by: Stefan Jumarea stefanjumarea02@gmail.com

[michpappas]

Rebased to staging.

[unikraft-bot]

✅ Checkpatch passed

Beep boop! I ran Unikraft's checkpatch.pl support script on your pull request and it all looks good!

SHA	commit	checkpatch
7fed583	arch/arm64: plat/common: Add Branch Target Identification	✅
ff98962	plat/kvm/arm: Simplify _libkvmplat_start()	✅
3e5e3ee	plat/common/arm: Add PAuth / BTI instructions to SMCCC conduits	✅

[rene]

@michpappas , looks good to me.

Reviewed-by: Renê de Souza Pinto rene@renesp.com.br

[vladandrew]

Great addition to Unikraft!

Approved-by: Vlad Badoiu vlad_andrei.badoiu@upb.ro