Posting this to an internal list because v8.5 is still NDA.
There are a lot of holes to be filled wrt the user-level ABI. In the meantime, I have a cpu property to turn on GP for all pages. Which means that to test it, I provide a complete statically linked program, so that nothing uses indirect branches except that the ones I use myself.
r~
Richard Henderson (11): target/arm: Introduce isar_feature_aa64_bti target/arm: Add PSTATE.BTYPE target/arm: Add BT and BTYPE to tb->flags target/arm: Record the GP bit for a page in MemTxAttrs target/arm: Default handling of BTYPE during translation target/arm: Reset btype for direct branches and syscalls target/arm: Set btype for indirect branches target/arm: Add guarded_pages cpu property for user-only target/arm: Enable BTI for -cpu max linux-user/aarch64: Reset btype for signal handlers tests/tcg/aarch64: Add bti smoke test
include/exec/memattrs.h | 2 + target/arm/cpu.h | 22 +++- target/arm/internals.h | 6 + target/arm/translate.h | 9 ++ linux-user/aarch64/signal.c | 4 + target/arm/cpu64.c | 24 ++++ target/arm/helper.c | 28 +++-- target/arm/translate-a64.c | 196 +++++++++++++++++++++++++++++- tests/tcg/aarch64/bti-1.c | 61 ++++++++++ tests/tcg/aarch64/bti-crt.inc.c | 51 ++++++++ tests/tcg/aarch64/Makefile.target | 7 +- 11 files changed, 399 insertions(+), 11 deletions(-) create mode 100644 tests/tcg/aarch64/bti-1.c create mode 100644 tests/tcg/aarch64/bti-crt.inc.c
Also create field definitions for id_aa64pfr1 from ARMv8.5.
Signed-off-by: Richard Henderson richard.henderson@linaro.org --- target/arm/cpu.h | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h index a4d0174c05..02db6c5f5a 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -1628,6 +1628,9 @@ FIELD(ID_AA64PFR0, GIC, 24, 4) FIELD(ID_AA64PFR0, RAS, 28, 4) FIELD(ID_AA64PFR0, SVE, 32, 4)
+FIELD(ID_AA64PFR1, BT, 0, 4) +FIELD(ID_AA64PFR1, SBSS, 4, 4) + FIELD(ID_AA64MMFR0, PARANGE, 0, 4) FIELD(ID_AA64MMFR0, ASIDBITS, 4, 4) FIELD(ID_AA64MMFR0, BIGEND, 8, 4) @@ -3267,6 +3270,11 @@ static inline bool isar_feature_aa64_lor(const ARMISARegisters *id) return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, LO) != 0; }
+static inline bool isar_feature_aa64_bti(const ARMISARegisters *id) +{ + return FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, BT) != 0; +} + /* * Forward to the above feature tests given an ARMCPU pointer. */
Place this in its own field within ENV, as that will make it easier to reset from within TCG generated code.
With the change to pstate_read/write, exception entry and return are automatically handled.
Signed-off-by: Richard Henderson richard.henderson@linaro.org --- target/arm/cpu.h | 8 ++++++-- target/arm/translate-a64.c | 3 +++ 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h index 02db6c5f5a..6211e21046 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -234,6 +234,7 @@ typedef struct CPUARMState { * semantics as for AArch32, as described in the comments on each field) * nRW (also known as M[4]) is kept, inverted, in env->aarch64 * DAIF (exception masks) are kept in env->daif + * BTYPE is kept in env->btype * all other bits are stored in their correct places in env->pstate */ uint32_t pstate; @@ -263,6 +264,7 @@ typedef struct CPUARMState { uint32_t GE; /* cpsr[19:16] */ uint32_t thumb; /* cpsr[5]. 0 = arm mode, 1 = thumb mode. */ uint32_t condexec_bits; /* IT bits. cpsr[15:10,26:25]. */ + uint32_t btype; /* BTI branch type. spsr[11:10]. */ uint64_t daif; /* exception masks, in the bits they are in PSTATE */
uint64_t elr_el[4]; /* AArch64 exception link regs */ @@ -1153,6 +1155,7 @@ void pmccntr_sync(CPUARMState *env); #define PSTATE_I (1U << 7) #define PSTATE_A (1U << 8) #define PSTATE_D (1U << 9) +#define PSTATE_BTYPE (3U << 10) #define PSTATE_IL (1U << 20) #define PSTATE_SS (1U << 21) #define PSTATE_V (1U << 28) @@ -1161,7 +1164,7 @@ void pmccntr_sync(CPUARMState *env); #define PSTATE_N (1U << 31) #define PSTATE_NZCV (PSTATE_N | PSTATE_Z | PSTATE_C | PSTATE_V) #define PSTATE_DAIF (PSTATE_D | PSTATE_A | PSTATE_I | PSTATE_F) -#define CACHED_PSTATE_BITS (PSTATE_NZCV | PSTATE_DAIF) +#define CACHED_PSTATE_BITS (PSTATE_NZCV | PSTATE_DAIF | PSTATE_BTYPE) /* Mode values for AArch64 */ #define PSTATE_MODE_EL3h 13 #define PSTATE_MODE_EL3t 12 @@ -1193,7 +1196,7 @@ static inline uint32_t pstate_read(CPUARMState *env) ZF = (env->ZF == 0); return (env->NF & 0x80000000) | (ZF << 30) | (env->CF << 29) | ((env->VF & 0x80000000) >> 3) - | env->pstate | env->daif; + | env->pstate | env->daif | (env->btype << 10); }
static inline void pstate_write(CPUARMState *env, uint32_t val) @@ -1203,6 +1206,7 @@ static inline void pstate_write(CPUARMState *env, uint32_t val) env->CF = (val >> 29) & 1; env->VF = (val << 3) & 0x80000000; env->daif = val & PSTATE_DAIF; + env->btype = (val >> 10) & 3; env->pstate = val & ~CACHED_PSTATE_BITS; }
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c index af8ad1be8b..8a6c597362 100644 --- a/target/arm/translate-a64.c +++ b/target/arm/translate-a64.c @@ -163,6 +163,9 @@ void aarch64_cpu_dump_state(CPUState *cs, FILE *f, el, psr & PSTATE_SP ? 'h' : 't');
+ if (cpu_isar_feature(aa64_bti, cpu)) { + cpu_fprintf(f, " BTYPE=%d", (psr & PSTATE_BTYPE) >> 10); + } if (!(flags & CPU_DUMP_FPU)) { cpu_fprintf(f, "\n"); return;
Signed-off-by: Richard Henderson richard.henderson@linaro.org --- target/arm/cpu.h | 2 ++ target/arm/translate.h | 4 ++++ target/arm/helper.c | 22 +++++++++++++++------- target/arm/translate-a64.c | 2 ++ 4 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h index 6211e21046..f2d8bf357c 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -2989,6 +2989,8 @@ FIELD(TBFLAG_A64, TBI1, 1, 1) FIELD(TBFLAG_A64, SVEEXC_EL, 2, 2) FIELD(TBFLAG_A64, ZCR_LEN, 4, 4) FIELD(TBFLAG_A64, PAUTH_ACTIVE, 8, 1) +FIELD(TBFLAG_A64, BT, 9, 1) +FIELD(TBFLAG_A64, BTYPE, 10, 2)
static inline bool bswap_code(bool sctlr_b) { diff --git a/target/arm/translate.h b/target/arm/translate.h index d8a8bb4e9c..aa59888393 100644 --- a/target/arm/translate.h +++ b/target/arm/translate.h @@ -70,6 +70,10 @@ typedef struct DisasContext { bool ss_same_el; /* True if v8.3-PAuth is active. */ bool pauth_active; + /* True with v8.5-BTI and SCTLR_ELx.BT* set. */ + bool bt; + /* A copy of PSTATE.BTYPE, which will be 0 without v8.5-BTI. */ + uint8_t btype; /* Bottom two bits of XScale c15_cpar coprocessor access control reg */ int c15_cpar; /* TCG op of the current insn_start. */ diff --git a/target/arm/helper.c b/target/arm/helper.c index 4bf2db2cc4..e23d31edee 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -13073,6 +13073,7 @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
if (is_a64(env)) { ARMCPU *cpu = arm_env_get_cpu(env); + uint64_t sctlr;
*pc = env->pc; flags = FIELD_DP32(flags, TBFLAG_ANY, AARCH64_STATE, 1); @@ -13109,6 +13110,12 @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc, flags = FIELD_DP32(flags, TBFLAG_A64, ZCR_LEN, zcr_len); }
+ if (current_el == 0) { + /* FIXME: ARMv8.1-VHE S2 translation regime. */ + sctlr = env->cp15.sctlr_el[1]; + } else { + sctlr = env->cp15.sctlr_el[current_el]; + } if (cpu_isar_feature(aa64_pauth, cpu)) { /* * In order to save space in flags, we record only whether @@ -13116,17 +13123,18 @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc, * a nop, or "active" when some action must be performed. * The decision of which action to take is left to a helper. */ - uint64_t sctlr; - if (current_el == 0) { - /* FIXME: ARMv8.1-VHE S2 translation regime. */ - sctlr = env->cp15.sctlr_el[1]; - } else { - sctlr = env->cp15.sctlr_el[current_el]; - } if (sctlr & (SCTLR_EnIA | SCTLR_EnIB | SCTLR_EnDA | SCTLR_EnDB)) { flags = FIELD_DP32(flags, TBFLAG_A64, PAUTH_ACTIVE, 1); } } + + if (cpu_isar_feature(aa64_bti, cpu)) { + /* Note that SCTLR_EL[23].BT == SCTLR_BT1. */ + if (sctlr & (current_el == 0 ? SCTLR_BT0 : SCTLR_BT1)) { + flags = FIELD_DP32(flags, TBFLAG_A64, BT, 1); + } + flags = FIELD_DP32(flags, TBFLAG_A64, BTYPE, env->btype); + } } else { *pc = env->regs[15]; flags = FIELD_DP32(flags, TBFLAG_A32, THUMB, env->thumb); diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c index 8a6c597362..dbe2ed7565 100644 --- a/target/arm/translate-a64.c +++ b/target/arm/translate-a64.c @@ -13802,6 +13802,8 @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase, dc->sve_excp_el = FIELD_EX32(tb_flags, TBFLAG_A64, SVEEXC_EL); dc->sve_len = (FIELD_EX32(tb_flags, TBFLAG_A64, ZCR_LEN) + 1) * 16; dc->pauth_active = FIELD_EX32(tb_flags, TBFLAG_A64, PAUTH_ACTIVE); + dc->bt = FIELD_EX32(tb_flags, TBFLAG_A64, BT); + dc->btype = FIELD_EX32(tb_flags, TBFLAG_A64, BTYPE); dc->vec_len = 0; dc->vec_stride = 0; dc->cp_regs = arm_cpu->cp_regs;
This isn't really a transaction attribute, but that's the most convenient place to hold a random bit of information within the softmmu tlb.
Signed-off-by: Richard Henderson richard.henderson@linaro.org --- include/exec/memattrs.h | 2 ++ target/arm/helper.c | 6 ++++++ 2 files changed, 8 insertions(+)
diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h index d4a1642098..39d61188e1 100644 --- a/include/exec/memattrs.h +++ b/include/exec/memattrs.h @@ -35,6 +35,8 @@ typedef struct MemTxAttrs { unsigned int secure:1; /* Memory access is usermode (unprivileged) */ unsigned int user:1; + /* Page is marked as "guarded" */ + unsigned int guarded:1; /* Requester ID (for MSI for example) */ unsigned int requester_id:16; } MemTxAttrs; diff --git a/target/arm/helper.c b/target/arm/helper.c index e23d31edee..849356db4c 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -9924,6 +9924,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, bool ttbr1_valid; uint64_t descaddrmask; bool aarch64 = arm_el_is_aa64(env, el); + bool guarded = false;
/* TODO: * This code does not handle the different format TCR for VTCR_EL2. @@ -10095,6 +10096,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, } /* Merge in attributes from table descriptors */ attrs |= nstable << 3; /* NS */ + guarded |= extract64(descriptor, 50, 1); /* GP */ if (param.hpd) { /* HPD disables all the table attributes except NSTable. */ break; @@ -10140,6 +10142,10 @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, */ txattrs->secure = false; } + /* When in aarch64 mode, and BTI is enabled, remember GP in the IOTLB. */ + if (aarch64 && guarded && cpu_isar_feature(aa64_bti, cpu)) { + txattrs->guarded = true; + }
if (cacheattrs != NULL) { if (mmu_idx == ARMMMUIdx_S2NS) {
The branch target exception for guarded pages has high priority, and only 8 instructions are valid for that case. Perform this check before doing any other decode.
Clear BTYPE after all insns that neither set BTYPE nor exit via exception (DISAS_NORETURN).
Not yet handled are insns that exit via DISAS_NORETURN for some other reason, like direct branches.
Signed-off-by: Richard Henderson richard.henderson@linaro.org --- target/arm/internals.h | 6 ++ target/arm/translate.h | 9 ++- target/arm/translate-a64.c | 139 +++++++++++++++++++++++++++++++++++++ 3 files changed, 152 insertions(+), 2 deletions(-)
diff --git a/target/arm/internals.h b/target/arm/internals.h index 4fbef58126..249703c22d 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -261,6 +261,7 @@ enum arm_exception_class { EC_FPIDTRAP = 0x08, EC_PACTRAP = 0x09, EC_CP14RRTTRAP = 0x0c, + EC_BTITRAP = 0x0d, EC_ILLEGALSTATE = 0x0e, EC_AA32_SVC = 0x11, EC_AA32_HVC = 0x12, @@ -432,6 +433,11 @@ static inline uint32_t syn_pactrap(void) return EC_PACTRAP << ARM_EL_EC_SHIFT; }
+static inline uint32_t syn_btitrap(int btype) +{ + return (EC_BTITRAP << ARM_EL_EC_SHIFT) | btype; +} + static inline uint32_t syn_insn_abort(int same_el, int ea, int s1ptw, int fsc) { return (EC_INSNABORT << ARM_EL_EC_SHIFT) | (same_el << ARM_EL_EC_SHIFT) diff --git a/target/arm/translate.h b/target/arm/translate.h index aa59888393..23fc01aa53 100644 --- a/target/arm/translate.h +++ b/target/arm/translate.h @@ -72,8 +72,13 @@ typedef struct DisasContext { bool pauth_active; /* True with v8.5-BTI and SCTLR_ELx.BT* set. */ bool bt; - /* A copy of PSTATE.BTYPE, which will be 0 without v8.5-BTI. */ - uint8_t btype; + /* + * >= 0, a copy of PSTATE.BTYPE, which will be 0 without v8.5-BTI. + * < 0, set by the current instruction. + */ + int8_t btype; + /* True if this page is guarded. */ + bool guarded_page; /* Bottom two bits of XScale c15_cpar coprocessor access control reg */ int c15_cpar; /* TCG op of the current insn_start. */ diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c index dbe2ed7565..bbb6751df3 100644 --- a/target/arm/translate-a64.c +++ b/target/arm/translate-a64.c @@ -128,6 +128,16 @@ static inline int get_a64_user_mem_index(DisasContext *s) return arm_to_core_mmu_idx(useridx); }
+static void reset_btype(DisasContext *s) +{ + if (s->btype != 0) { + TCGv_i32 zero = tcg_const_i32(0); + tcg_gen_st_i32(zero, cpu_env, offsetof(CPUARMState, btype)); + tcg_temp_free_i32(zero); + s->btype = 0; + } +} + void aarch64_cpu_dump_state(CPUState *cs, FILE *f, fprintf_function cpu_fprintf, int flags) { @@ -13717,6 +13727,90 @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn) } }
+/** + * is_guarded_page: + * @env: The cpu environment + * @s: The DisasContext + * + * Return true if the page is guarded. + */ +static bool is_guarded_page(CPUARMState *env, DisasContext *s) +{ +#ifdef CONFIG_USER_ONLY + return false; /* FIXME */ +#else + uint64_t addr = s->base.pc_first; + int mmu_idx = arm_to_core_mmu_idx(s->mmu_idx); + unsigned int index = tlb_index(env, mmu_idx, addr); + CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr); + + /* + * We test this immediately after reading an insn, which means + * that any normal page must be in the TLB. The only exception + * would be for executing from flash or device memory, which + * does not retain the TLB entry. + * + * FIXME: Assume false for those, for now. We could use + * arm_cpu_get_phys_page_attrs_debug to re-read the page + * table entry even for that case. + */ + return (tlb_hit(entry->addr_code, addr) && + env->iotlb[mmu_idx][index].attrs.guarded); +#endif +} + +/** + * btype_destination_ok: + * @insn: The instruction at the branch destination + * @bt: SCTLR_ELx.BT + * @btype: PSTATE.BTYPE, and is non-zero + * + * On a guarded page, there are a limited number of insns + * that may be present at the branch target: + * - branch target identifiers, + * - paciasp, pacibsp, + * - BRK insn + * - HLT insn + * Anything else causes a Branch Target Exception. + * + * Return true if the branch is compatible, false to raise BTITRAP. + */ +static bool btype_destination_ok(uint32_t insn, bool bt, int btype) +{ + if ((insn & 0xfffff01fu) == 0xd503201fu) { + /* HINT space */ + switch (extract32(insn, 5, 7)) { + case 031: /* PACIASP */ + case 033: /* PACIBSP */ + /* + * If SCTLR_ELx.BT, then PACI*SP are not compatible + * with btype == 3. Otherwise all btype are ok. + */ + return !bt || btype != 3; + case 040: /* BTI */ + /* Not compatible with any btype. */ + return false; + case 042: /* BTI c */ + /* Not compatible with btype == 3 */ + return btype != 3; + case 044: /* BTI j */ + /* Not compatible with btype == 2 */ + return btype != 2; + case 046: /* BTI jc */ + /* Compatible with any btype. */ + return true; + } + } else { + switch (insn & 0xffe0001fu) { + case 0xd4200000u: /* BRK */ + case 0xd4400000u: /* HLT */ + /* Give priority to the breakpoint exception. */ + return true; + } + } + return false; +} + /* C3.1 A64 instruction index by encoding */ static void disas_a64_insn(CPUARMState *env, DisasContext *s) { @@ -13728,6 +13822,43 @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
s->fp_access_checked = false;
+ if (dc_isar_feature(aa64_bti, s)) { + if (s->base.num_insns == 1) { + /* + * At the first insn of the TB, compute s->guarded_page. + * We delayed computing this until successfully reading + * the first insn of the TB, above. This (mostly) ensures + * that the softmmu tlb entry has been populated, and the + * page table GP bit is available. + * + * Note that we need to compute this even if btype == 0, + * because this value is used for BR instructions later + * where ENV is not available. + */ + s->guarded_page = is_guarded_page(env, s); + + /* First insn can have btype set to non-zero. */ + tcg_debug_assert(s->btype >= 0); + + /* + * Note that the Branch Target Exception has fairly high + * priority -- below debugging exceptions but above most + * everything else. This allows us to handle this now + * instead of waiting until the insn is otherwise decoded. + */ + if (s->btype != 0 + && s->guarded_page + && !btype_destination_ok(insn, s->bt, s->btype)) { + gen_exception_insn(s, 4, EXCP_UDEF, syn_btitrap(s->btype), + default_exception_el(s)); + return; + } + } else { + /* Not the first insn: btype must be 0. */ + tcg_debug_assert(s->btype == 0); + } + } + switch (extract32(insn, 25, 4)) { case 0x0: case 0x1: case 0x3: /* UNALLOCATED */ unallocated_encoding(s); @@ -13764,6 +13895,14 @@ static void disas_a64_insn(CPUARMState *env, DisasContext *s)
/* if we allocated any temporaries, free them here */ free_tmp_a64(s); + + /* + * After execution of most insns, btype is reset to 0. + * Note that we set btype == -1 when the insn sets btype. + */ + if (s->btype > 0 && s->base.is_jmp != DISAS_NORETURN) { + reset_btype(s); + } }
static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
This is all of the non-exception cases of DISAS_NORETURN.
For the rest of the synchronous exceptions, the state of SPSR_ELx.BTYPE is CONSTRAINED UNPREDICTABLE. However, it makes more sense to me to have syscalls reset BTYPE.
Signed-off-by: Richard Henderson richard.henderson@linaro.org --- target/arm/translate-a64.c | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c index bbb6751df3..9820a9b745 100644 --- a/target/arm/translate-a64.c +++ b/target/arm/translate-a64.c @@ -1361,6 +1361,7 @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn) }
/* B Branch / BL Branch with link */ + reset_btype(s); gen_goto_tb(s, 0, addr); }
@@ -1385,6 +1386,7 @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn) tcg_cmp = read_cpu_reg(s, rt, sf); label_match = gen_new_label();
+ reset_btype(s); tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ, tcg_cmp, 0, label_match);
@@ -1414,6 +1416,8 @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn) tcg_cmp = tcg_temp_new_i64(); tcg_gen_andi_i64(tcg_cmp, cpu_reg(s, rt), (1ULL << bit_pos)); label_match = gen_new_label(); + + reset_btype(s); tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ, tcg_cmp, 0, label_match); tcg_temp_free_i64(tcg_cmp); @@ -1440,6 +1444,7 @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn) addr = s->pc + sextract32(insn, 5, 19) * 4 - 4; cond = extract32(insn, 0, 4);
+ reset_btype(s); if (cond < 0x0e) { /* genuinely conditional branches */ TCGLabel *label_match = gen_new_label(); @@ -1604,6 +1609,7 @@ static void handle_sync(DisasContext *s, uint32_t insn, * a self-modified code correctly and also to take * any pending interrupts immediately. */ + reset_btype(s); gen_goto_tb(s, 0, s->pc); return; default: @@ -1884,6 +1890,7 @@ static void disas_exc(DisasContext *s, uint32_t insn) switch (op2_ll) { case 1: /* SVC */ gen_ss_advance(s); + reset_btype(s); gen_exception_insn(s, 0, EXCP_SWI, syn_aa64_svc(imm16), default_exception_el(s)); break; @@ -1898,6 +1905,7 @@ static void disas_exc(DisasContext *s, uint32_t insn) gen_a64_set_pc_im(s->pc - 4); gen_helper_pre_hvc(cpu_env); gen_ss_advance(s); + reset_btype(s); gen_exception_insn(s, 0, EXCP_HVC, syn_aa64_hvc(imm16), 2); break; case 3: /* SMC */ @@ -1910,6 +1918,7 @@ static void disas_exc(DisasContext *s, uint32_t insn) gen_helper_pre_smc(cpu_env, tmp); tcg_temp_free_i32(tmp); gen_ss_advance(s); + reset_btype(s); gen_exception_insn(s, 0, EXCP_SMC, syn_aa64_smc(imm16), 3); break; default:
Signed-off-by: Richard Henderson richard.henderson@linaro.org --- target/arm/translate-a64.c | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c index 9820a9b745..fcce1f3a9e 100644 --- a/target/arm/translate-a64.c +++ b/target/arm/translate-a64.c @@ -138,6 +138,19 @@ static void reset_btype(DisasContext *s) } }
+static void set_btype(DisasContext *s, int val) +{ + TCGv_i32 tcg_val; + + /* BTYPE is a 2-bit field, and 0 should be done with reset_btype. */ + tcg_debug_assert(val >= 1 && val <= 3); + + tcg_val = tcg_const_i32(val); + tcg_gen_st_i32(tcg_val, cpu_env, offsetof(CPUARMState, btype)); + tcg_temp_free_i32(tcg_val); + s->btype = -1; +} + void aarch64_cpu_dump_state(CPUState *cs, FILE *f, fprintf_function cpu_fprintf, int flags) { @@ -1984,6 +1997,7 @@ static void disas_exc(DisasContext *s, uint32_t insn) static void disas_uncond_b_reg(DisasContext *s, uint32_t insn) { unsigned int opc, op2, op3, rn, op4; + unsigned btype_mod = 2; TCGv_i64 dst; TCGv_i64 modifier;
@@ -2001,6 +2015,7 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn) case 0: /* BR */ case 1: /* BLR */ case 2: /* RET */ + btype_mod = opc; switch (op3) { case 0: /* BR, BLR, RET */ @@ -2044,7 +2059,6 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn) default: goto do_unallocated; } - gen_a64_set_pc(s, dst); /* BLR also needs to load return address */ if (opc == 1) { @@ -2060,6 +2074,7 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn) if (op3 != 2 || op3 != 3) { goto do_unallocated; } + btype_mod = opc & 1; if (s->pauth_active) { dst = new_tmp_a64(s); modifier = cpu_reg_sp(s, op4); @@ -2143,6 +2158,26 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn) return; }
+ switch (btype_mod) { + case 0: /* BR */ + if (dc_isar_feature(aa64_bti, s)) { + /* BR to {x16,x17} or !guard -> 1, else 3. */ + set_btype(s, rn == 16 || rn == 17 || !s->guarded_page ? 1 : 3); + } + break; + + case 1: /* BLR */ + if (dc_isar_feature(aa64_bti, s)) { + /* BLR sets BTYPE to 2, regardless of source guarded page. */ + set_btype(s, 2); + } + break; + + default: /* RET or none of the above. */ + /* BTYPE will be set to 0 by normal end-of-insn processing. */ + break; + } + s->base.is_jmp = DISAS_JUMP; }
While waiting for a proper userland ABI, allow static test cases to be written assuming that GP is set for all pages.
Signed-off-by: Richard Henderson richard.henderson@linaro.org --- target/arm/cpu.h | 4 ++++ target/arm/cpu64.c | 20 ++++++++++++++++++++ target/arm/translate-a64.c | 8 +++++++- 3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h index f2d8bf357c..e7bb26187b 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -882,6 +882,10 @@ struct ARMCPU { */ bool cfgend;
+#ifdef CONFIG_USER_ONLY + bool guarded_pages; +#endif + QLIST_HEAD(, ARMELChangeHook) pre_el_change_hooks; QLIST_HEAD(, ARMELChangeHook) el_change_hooks;
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c index 84f70b2a24..93c60a18b1 100644 --- a/target/arm/cpu64.c +++ b/target/arm/cpu64.c @@ -285,6 +285,20 @@ static void cpu_max_set_sve_vq(Object *obj, Visitor *v, const char *name, error_propagate(errp, err); }
+#ifdef CONFIG_USER_ONLY +static bool aarch64_cpu_get_guarded_pages(Object *obj, Error **errp) +{ + ARMCPU *cpu = ARM_CPU(obj); + return cpu->guarded_pages; +} + +static void aarch64_cpu_set_guarded_pages(Object *obj, bool val, Error **errp) +{ + ARMCPU *cpu = ARM_CPU(obj); + cpu->guarded_pages = val; +} +#endif + /* -cpu max: if KVM is enabled, like -cpu host (best possible with this host); * otherwise, a CPU with as many features enabled as our emulation supports. * The version of '-cpu max' for qemu-system-arm is defined in cpu.c; @@ -360,6 +374,12 @@ static void aarch64_max_initfn(Object *obj) */ cpu->ctr = 0x80038003; /* 32 byte I and D cacheline size, VIPT icache */ cpu->dcz_blocksize = 7; /* 512 bytes */ + + object_property_add_bool(obj, "guarded_pages", + aarch64_cpu_get_guarded_pages, + aarch64_cpu_set_guarded_pages, NULL); + object_property_set_description(obj, "guarded_pages", + "Set on/off GuardPage bit for all pages", NULL); #endif
cpu->sve_max_vq = ARM_MAX_VQ; diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c index fcce1f3a9e..c34c8a8b52 100644 --- a/target/arm/translate-a64.c +++ b/target/arm/translate-a64.c @@ -13781,7 +13781,13 @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn) static bool is_guarded_page(CPUARMState *env, DisasContext *s) { #ifdef CONFIG_USER_ONLY - return false; /* FIXME */ + /* + * FIXME: What is the userland ABI for this? + * For the moment this is controlled by an attribute: + * -cpu max,guarded_pages=on. + */ + ARMCPU *cpu = arm_env_get_cpu(env); + return cpu->guarded_pages; #else uint64_t addr = s->base.pc_first; int mmu_idx = arm_to_core_mmu_idx(s->mmu_idx);
Signed-off-by: Richard Henderson richard.henderson@linaro.org --- target/arm/cpu64.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c index 93c60a18b1..d185edcb17 100644 --- a/target/arm/cpu64.c +++ b/target/arm/cpu64.c @@ -342,6 +342,10 @@ static void aarch64_max_initfn(Object *obj) t = FIELD_DP64(t, ID_AA64PFR0, ADVSIMD, 1); cpu->isar.id_aa64pfr0 = t;
+ t = cpu->isar.id_aa64pfr1; + t = FIELD_DP64(t, ID_AA64PFR1, BT, 1); + cpu->isar.id_aa64pfr1 = t; + t = cpu->isar.id_aa64mmfr1; t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1); /* HPD */ t = FIELD_DP64(t, ID_AA64MMFR1, LO, 1);
It does not make sense for a SIGSEGV handler to enter with the btype set as for the indirect branch that caused the SIGSEGV.
Nor does it make sense to return from a handler with BTYPE set. This could be argued to be the handler's job, setting BTYPE within ucontext->uc_mcontext.pstate, but handling this here while the ABI is undiscussed.
Signed-off-by: Richard Henderson richard.henderson@linaro.org --- linux-user/aarch64/signal.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c index f84a9cf28a..1fb229e696 100644 --- a/linux-user/aarch64/signal.c +++ b/linux-user/aarch64/signal.c @@ -218,6 +218,8 @@ static void target_restore_general_frame(CPUARMState *env, __get_user(env->pc, &sf->uc.tuc_mcontext.pc); __get_user(pstate, &sf->uc.tuc_mcontext.pstate); pstate_write(env, pstate); + /* Reset btype that might have been there going into the frame. */ + env->btype = 0; }
static void target_restore_fpsimd_record(CPUARMState *env, @@ -510,6 +512,8 @@ static void target_setup_frame(int usig, struct target_sigaction *ka, env->xregs[29] = frame_addr + fr_ofs; env->pc = ka->_sa_handler; env->xregs[30] = return_addr; + /* Reset btype going into the signal handler. */ + env->btype = 0; if (info) { tswap_siginfo(&frame->info, info); env->xregs[1] = frame_addr + offsetof(struct target_rt_sigframe, info);
Signed-off-by: Richard Henderson richard.henderson@linaro.org --- tests/tcg/aarch64/bti-1.c | 61 +++++++++++++++++++++++++++++++ tests/tcg/aarch64/bti-crt.inc.c | 51 ++++++++++++++++++++++++++ tests/tcg/aarch64/Makefile.target | 7 +++- 3 files changed, 118 insertions(+), 1 deletion(-) create mode 100644 tests/tcg/aarch64/bti-1.c create mode 100644 tests/tcg/aarch64/bti-crt.inc.c
diff --git a/tests/tcg/aarch64/bti-1.c b/tests/tcg/aarch64/bti-1.c new file mode 100644 index 0000000000..fa8a521a47 --- /dev/null +++ b/tests/tcg/aarch64/bti-1.c @@ -0,0 +1,61 @@ +/* + * Branch target identification, basic notskip cases. + */ + +#include "bti-crt.inc.c" + +static void skip2_sigill(int sig, siginfo_t *info, ucontext_t *uc) +{ + uc->uc_mcontext.pc += 8; +} + +#define NOP "nop" +#define BTI_N "hint #32" +#define BTI_C "hint #34" +#define BTI_J "hint #36" +#define BTI_JC "hint #38" + +#define BTYPE_1(DEST) \ + asm("mov %0,#1; adr x16, 1f; br x16; 1: " DEST "; mov %0,#0" \ + : "=r"(skipped) : : "x16") + +#define BTYPE_2(DEST) \ + asm("mov %0,#1; adr x16, 1f; blr x16; 1: " DEST "; mov %0,#0" \ + : "=r"(skipped) : : "x16", "x30") + +#define BTYPE_3(DEST) \ + asm("mov %0,#1; adr x15, 1f; br x15; 1: " DEST "; mov %0,#0" \ + : "=r"(skipped) : : "x15") + +#define TEST(WHICH, DEST, EXPECT) \ + do { WHICH(DEST); fail += skipped ^ EXPECT; } while (0) + + +int main() +{ + int fail = 0; + int skipped; + + /* Signal-like with SA_SIGINFO. */ + signal_info(SIGILL, skip2_sigill); + + TEST(BTYPE_1, NOP, 1); + TEST(BTYPE_1, BTI_N, 1); + TEST(BTYPE_1, BTI_C, 0); + TEST(BTYPE_1, BTI_J, 0); + TEST(BTYPE_1, BTI_JC, 0); + + TEST(BTYPE_2, NOP, 1); + TEST(BTYPE_2, BTI_N, 1); + TEST(BTYPE_2, BTI_C, 0); + TEST(BTYPE_2, BTI_J, 1); + TEST(BTYPE_2, BTI_JC, 0); + + TEST(BTYPE_3, NOP, 1); + TEST(BTYPE_3, BTI_N, 1); + TEST(BTYPE_3, BTI_C, 1); + TEST(BTYPE_3, BTI_J, 0); + TEST(BTYPE_3, BTI_JC, 0); + + return fail; +} diff --git a/tests/tcg/aarch64/bti-crt.inc.c b/tests/tcg/aarch64/bti-crt.inc.c new file mode 100644 index 0000000000..ef7831ad76 --- /dev/null +++ b/tests/tcg/aarch64/bti-crt.inc.c @@ -0,0 +1,51 @@ +/* + * Minimal user-environment for testing BTI. + * + * Normal libc is not built with BTI support enabled, and so could + * generate a BTI TRAP before ever reaching main. + */ + +#include <stdlib.h> +#include <signal.h> +#include <ucontext.h> +#include <asm/unistd.h> + +int main(void); + +void _start(void) +{ + exit(main()); +} + +void exit(int ret) +{ + register int x0 __asm__("x0") = ret; + register int x8 __asm__("x8") = __NR_exit; + + asm volatile("svc #0" : : "r"(x0), "r"(x8)); + __builtin_unreachable(); +} + +/* + * Irritatingly, the user API struct sigaction does not match the + * kernel API struct sigaction. So for simplicity, isolate the + * kernel ABI here, and make this act like signal. + */ +void signal_info(int sig, void (*fn)(int, siginfo_t *, ucontext_t *)) +{ + struct kernel_sigaction { + void (*handler)(int, siginfo_t *, ucontext_t *); + unsigned long flags; + unsigned long restorer; + unsigned long mask; + } sa = { fn, SA_SIGINFO, 0, 0 }; + + register int x0 __asm__("x0") = sig; + register void *x1 __asm__("x1") = &sa; + register void *x2 __asm__("x2") = 0; + register int x3 __asm__("x3") = sizeof(unsigned long); + register int x8 __asm__("x8") = __NR_rt_sigaction; + + asm volatile("svc #0" + : : "r"(x0), "r"(x1), "r"(x2), "r"(x3), "r"(x8) : "memory"); +} diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target index 08c45b8470..3d56e7c6ea 100644 --- a/tests/tcg/aarch64/Makefile.target +++ b/tests/tcg/aarch64/Makefile.target @@ -8,10 +8,15 @@ VPATH += $(AARCH64_SRC) # we don't build any of the ARM tests AARCH64_TESTS=$(filter-out $(ARM_TESTS), $(TESTS)) AARCH64_TESTS+=fcvt -TESTS:=$(AARCH64_TESTS)
fcvt: LDFLAGS+=-lm
run-fcvt: fcvt $(call run-test,$<,$(QEMU) $<, "$< on $(TARGET_NAME)") $(call diff-out,$<,$(AARCH64_SRC)/fcvt.ref) + +AARCH64_TESTS += bti-1 +bti-1: LDFLAGS += -nostartfiles -nodefaultlibs -nostdlib +run-bti-1: QEMU += -cpu max,guarded_pages=on + +TESTS:=$(AARCH64_TESTS)
linaro-toolchain@lists.linaro.org
-
Richard Henderson