LLVM 23.0.0git
AArch64PointerAuth.cpp
Go to the documentation of this file.
1//===-- AArch64PointerAuth.cpp -- Harden code using PAuth ------------------==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8
10
11#include "AArch64.h"
13#include "AArch64InstrInfo.h"
15#include "AArch64Subtarget.h"
20
21using namespace llvm;
22using namespace llvm::AArch64PAuth;
23
24#define AARCH64_POINTER_AUTH_NAME "AArch64 Pointer Authentication"
25
26namespace {
27
28class AArch64PointerAuthImpl {
29public:
30 bool run(MachineFunction &MF);
31
32private:
33 const AArch64Subtarget *Subtarget = nullptr;
34 const AArch64InstrInfo *TII = nullptr;
35
36 void signLR(MachineFunction &MF, MachineBasicBlock::iterator MBBI) const;
37
38 void authenticateLR(MachineFunction &MF,
40};
41
42class AArch64PointerAuthLegacy : public MachineFunctionPass {
43public:
44 static char ID;
45
46 AArch64PointerAuthLegacy() : MachineFunctionPass(ID) {}
47
48 bool runOnMachineFunction(MachineFunction &MF) override;
49
50 StringRef getPassName() const override { return AARCH64_POINTER_AUTH_NAME; }
51};
52
53} // end anonymous namespace
54
55INITIALIZE_PASS(AArch64PointerAuthLegacy, "aarch64-ptrauth",
56 AARCH64_POINTER_AUTH_NAME, false, false)
57
59 return new AArch64PointerAuthLegacy();
60}
61
62char AArch64PointerAuthLegacy::ID = 0;
63
78
80 MachineInstr::MIFlag Flags, bool EmitCFI) {
81 if (!EmitCFI)
82 return;
83
84 auto &MF = *MBB.getParent();
85 auto &MFnI = *MF.getInfo<AArch64FunctionInfo>();
86
87 // DW_CFA_AARCH64_negate_ra_state_with_pc is semantically broken for
88 // functions where shrinkwrapping places signing/authenticating pairs on
89 // distinct CFG paths.
90 //
91 // DWARF CFI is evaluated linearly over the byte stream, not along control
92 // flow edges. The toggle semantics of this directive therefore cannot
93 // faithfully represent the signed/unsigned RA state for all possible CFG
94 // paths. The added complexity versus DW_CFA_AARCH64_negate_ra_state is that
95 // an unwinder must also reconstruct the PC of the PACI[AB]SPPC in order to
96 // verify the signed LR, and that address is derived from the location of this
97 // directive in the linear CFI stream.
98 //
99 // The correct fix is to use DW_CFA_AARCH64_set_ra_state_with_pc, which sets
100 // the RA state and signing address absolutely rather than toggling them. An
101 // unwinder that supports this directive can reconstruct the correct state on
102 // any CFG path, regardless of how many signing/authenticating pairs exist in
103 // the function. However, not all unwinders support this directive, so we
104 // cannot rely on it exclusively.
105 //
106 // For unwinders that only support DW_CFA_AARCH64_negate_ra_state_with_pc,
107 // libunwind exploits a loophole: it records the address at the
108 // DW_CFA_AARCH64_negate_ra_state_with_pc site to authenticate the LR, but
109 // does not care that the CFI state remains "signed with pc" after
110 // authentication has occurred. This means we can safely omit the
111 // FrameDestroy emission of this directive, treating it solely as a marker
112 // for the signing site, as long as each function has at most one such
113 // signing location. That invariant holds today because shrinkwrapping
114 // does not yet hoist or sink PAuth_LR frame code across CFG join/split
115 // points; once it does, we must avoid those transformations on platforms that
116 // have this limitation.
117 //
118 // https://github.com/ARM-software/abi-aa/issues/327
119 // https://github.com/ARM-software/abi-aa/pull/346
120 if (Flags == MachineInstr::FrameDestroy && MFnI.branchProtectionPAuthLR())
121 return;
122
123 CFIInstBuilder CFIBuilder(MBB, MBBI, Flags);
124 if (MFnI.branchProtectionPAuthLR()) {
125 CFIBuilder.buildNegateRAStateWithPC();
126 } else if (!MF.getTarget().getTargetTriple().isOSBinFormatMachO()) {
127 CFIBuilder.buildNegateRAState();
128 }
129}
130
131void AArch64PointerAuthImpl::signLR(MachineFunction &MF,
133 auto &MFnI = *MF.getInfo<AArch64FunctionInfo>();
134 bool UseBKey = MFnI.shouldSignWithBKey();
135 bool EmitCFI = MFnI.needsDwarfUnwindInfo(MF);
136 bool NeedsWinCFI = MF.hasWinCFI();
137
138 MachineBasicBlock &MBB = *MBBI->getParent();
139
140 // Debug location must be unknown, see AArch64FrameLowering::emitPrologue.
141 DebugLoc DL;
142
143 if (UseBKey && !MF.getTarget().getTargetTriple().isOSBinFormatMachO()) {
144 BuildMI(MBB, MBBI, DL, TII->get(AArch64::EMITBKEY))
146 }
147
148 // PAuthLR authentication instructions need to know the value of PC at the
149 // point of signing (PACI*).
150 if (MFnI.branchProtectionPAuthLR()) {
151 MCSymbol *PACSym = MF.getContext().createTempSymbol();
152 MFnI.setSigningInstrLabel(PACSym);
153 }
154
155 // No SEH opcode for this one; it doesn't materialize into an
156 // instruction on Windows.
157 if (MFnI.branchProtectionPAuthLR() && Subtarget->hasPAuthLR()) {
159 BuildMI(MBB, MBBI, DL,
160 TII->get(UseBKey ? AArch64::PACIBSPPC : AArch64::PACIASPPC))
162 ->setPreInstrSymbol(MF, MFnI.getSigningInstrLabel());
163 } else {
164 if (MFnI.branchProtectionPAuthLR()) {
165 BuildMI(MBB, MBBI, DL, TII->get(AArch64::PACM))
168 }
169 BuildMI(MBB, MBBI, DL,
170 TII->get(UseBKey ? AArch64::PACIBSP : AArch64::PACIASP))
172 ->setPreInstrSymbol(MF, MFnI.getSigningInstrLabel());
173 if (!MFnI.branchProtectionPAuthLR())
175 }
176
177 if (!EmitCFI && NeedsWinCFI) {
178 BuildMI(MBB, MBBI, DL, TII->get(AArch64::SEH_PACSignLR))
180 }
181}
182
183void AArch64PointerAuthImpl::authenticateLR(
184 MachineFunction &MF, MachineBasicBlock::iterator MBBI) const {
185 const AArch64FunctionInfo *MFnI = MF.getInfo<AArch64FunctionInfo>();
186 bool UseBKey = MFnI->shouldSignWithBKey();
187 bool EmitAsyncCFI = MFnI->needsAsyncDwarfUnwindInfo(MF);
188 bool NeedsWinCFI = MF.hasWinCFI();
189
190 MachineBasicBlock &MBB = *MBBI->getParent();
191 DebugLoc DL = MBBI->getDebugLoc();
192 // MBBI points to a PAUTH_EPILOGUE instruction to be replaced and
193 // TI points to a terminator instruction that may or may not be combined.
194 // Note that inserting new instructions "before MBBI" and "before TI" is
195 // not the same because if ShadowCallStack is enabled, its instructions
196 // are placed between MBBI and TI.
198
199 // The AUTIASP instruction assembles to a hint instruction before v8.3a so
200 // this instruction can safely used for any v8a architecture.
201 // From v8.3a onwards there are optimised authenticate LR and return
202 // instructions, namely RETA{A,B}, that can be used instead. In this case the
203 // DW_CFA_AARCH64_negate_ra_state can't be emitted.
204 bool TerminatorIsCombinable =
205 TI != MBB.end() && TI->getOpcode() == AArch64::RET;
206 MCSymbol *PACSym = MFnI->getSigningInstrLabel();
207
208 if (Subtarget->hasPAuth() && TerminatorIsCombinable && !NeedsWinCFI &&
209 !MF.getFunction().hasFnAttribute(Attribute::ShadowCallStack)) {
210 if (MFnI->branchProtectionPAuthLR() && Subtarget->hasPAuthLR()) {
211 assert(PACSym && "No PAC instruction to refer to");
212 BuildMI(MBB, TI, DL,
213 TII->get(UseBKey ? AArch64::RETABSPPCi : AArch64::RETAASPPCi))
214 .addSym(PACSym)
217 } else {
218 if (MFnI->branchProtectionPAuthLR()) {
220 AArch64::X16);
221 BuildMI(MBB, MBBI, DL, TII->get(AArch64::PACM))
223 }
224 BuildMI(MBB, TI, DL, TII->get(UseBKey ? AArch64::RETAB : AArch64::RETAA))
227 }
228 MBB.erase(TI);
229 return;
230 }
231
232 auto &AFL = *static_cast<const AArch64FrameLowering *>(
233 MF.getSubtarget().getFrameLowering());
234 int64_t ArgumentStackToRestore = AFL.getArgumentStackToRestore(MF, MBB);
235
236 // When ArgumentStackToRestore < 0, the tail callee pops more argument space
237 // than this function received, so after the frame teardown SP is below the
238 // entry SP used as the signing modifier. Reconstruct entry SP in x16 and
239 // authenticate using AUTI[AB]1716 (x17=LR, x16=entry_SP).
240 if (ArgumentStackToRestore < 0) {
241 emitFrameOffset(MBB, MBBI, DL, AArch64::X16, AArch64::SP,
242 StackOffset::getFixed(-ArgumentStackToRestore), TII,
244
245 BuildMI(MBB, MBBI, DL, TII->get(AArch64::ORRXrs), AArch64::X17)
246 .addReg(AArch64::XZR)
247 .addReg(AArch64::LR)
248 .addImm(0)
250
251 if (MFnI->branchProtectionPAuthLR() && Subtarget->hasPAuthLR()) {
252 assert(PACSym && "No PAC instruction to refer to");
254 AArch64::X15);
255
257 unsigned AutOpc = UseBKey ? AArch64::AUTIB171615 : AArch64::AUTIA171615;
258 BuildMI(MBB, MBBI, DL, TII->get(AutOpc))
260 } else if (MFnI->branchProtectionPAuthLR()) {
261 assert(PACSym && "No PAC instruction to refer to");
263 AArch64::X15);
264
265 // The PACM hint-space instruction modifies the following AUTI[AB]1716
266 // to optionally take x15 as an extra operand depending on the
267 // presence of +pauth-lr at runtime. On machines without +pauth-lr, it
268 // behaves as a nop, and the address of the PACI[AB]SP in x15 is
269 // ignored.
270 BuildMI(MBB, MBBI, DL, TII->get(AArch64::PACM))
272
274 unsigned AutOpc = UseBKey ? AArch64::AUTIB1716 : AArch64::AUTIA1716;
275 BuildMI(MBB, MBBI, DL, TII->get(AutOpc))
277 } else {
278 unsigned AutOpc = UseBKey ? AArch64::AUTIB1716 : AArch64::AUTIA1716;
279 BuildMI(MBB, MBBI, DL, TII->get(AutOpc))
282 }
283
284 BuildMI(MBB, MBBI, DL, TII->get(AArch64::ORRXrs), AArch64::LR)
285 .addReg(AArch64::XZR)
286 .addReg(AArch64::X17)
287 .addImm(0)
289 return;
290 }
291
292 // When ArgumentStackToRestore > 0, this function received more argument
293 // space than the tail callee pops. The epilogue contains an SP adjustment
294 // (e.g. "add sp, sp, #N") to discard the leftover argument space. We must
295 // authenticate *before* that adjustment so that AUTI[AB]SP sees the entry
296 // SP discriminator. Move any such SP-adjusting instructions to after the
297 // authentication instruction.
298 //
299 // We cannot simply bump SP first and then use AUTI[AB]SP with the bumped
300 // value, because the live arguments would fall below SP and potentially
301 // outside the red-zone.
302 SmallVector<MachineInstr *, 2> SPMods;
303 if (ArgumentStackToRestore > 0) {
304 for (auto I = MBBI; I->getFlag(MachineInstr::FrameDestroy); --I) {
305 if ((I->getOpcode() == AArch64::ADDXri ||
306 I->getOpcode() == AArch64::SUBXri) &&
307 I->getOperand(0).getReg() == AArch64::SP &&
308 I->getOperand(1).getReg() == AArch64::SP)
309 SPMods.push_back(&*I);
310 }
311 }
312 for (auto *MI : SPMods)
313 MI->removeFromParent();
314
315 if (MFnI->branchProtectionPAuthLR() && Subtarget->hasPAuthLR()) {
316 assert(PACSym && "No PAC instruction to refer to");
318 BuildMI(MBB, MBBI, DL,
319 TII->get(UseBKey ? AArch64::AUTIBSPPCi : AArch64::AUTIASPPCi))
320 .addSym(PACSym)
322 } else {
323 if (MFnI->branchProtectionPAuthLR()) {
325 AArch64::X16);
326
327 BuildMI(MBB, MBBI, DL, TII->get(AArch64::PACM))
330 }
331 BuildMI(MBB, MBBI, DL,
332 TII->get(UseBKey ? AArch64::AUTIBSP : AArch64::AUTIASP))
334 if (!MFnI->branchProtectionPAuthLR())
336 }
337
338 if (NeedsWinCFI) {
339 BuildMI(MBB, MBBI, DL, TII->get(AArch64::SEH_PACSignLR))
341 }
342
343 for (auto *MI : SPMods)
344 MBB.insert(MBBI, MI);
345}
346
348 switch (Method) {
350 return 0;
352 return 4;
354 return 12;
357 return 20;
358 }
359 llvm_unreachable("Unknown AuthCheckMethod enum");
360}
361
362bool AArch64PointerAuthImpl::run(MachineFunction &MF) {
363 Subtarget = &MF.getSubtarget<AArch64Subtarget>();
364 TII = Subtarget->getInstrInfo();
365
367
368 bool Modified = false;
369
370 for (auto &MBB : MF) {
371 for (auto &MI : MBB) {
372 switch (MI.getOpcode()) {
373 default:
374 break;
375 case AArch64::PAUTH_PROLOGUE:
376 case AArch64::PAUTH_EPILOGUE:
377 PAuthPseudoInstrs.push_back(MI.getIterator());
378 break;
379 }
380 }
381 }
382
383 for (auto It : PAuthPseudoInstrs) {
384 switch (It->getOpcode()) {
385 case AArch64::PAUTH_PROLOGUE:
386 signLR(MF, It);
387 break;
388 case AArch64::PAUTH_EPILOGUE:
389 authenticateLR(MF, It);
390 break;
391 default:
392 llvm_unreachable("Unhandled opcode");
393 }
394 It->eraseFromParent();
395 Modified = true;
396 }
397
398 return Modified;
399}
400
401bool AArch64PointerAuthLegacy::runOnMachineFunction(MachineFunction &MF) {
402 return AArch64PointerAuthImpl().run(MF);
403}
404
405PreservedAnalyses
408 const bool Changed = AArch64PointerAuthImpl().run(MF);
409 if (!Changed)
410 return PreservedAnalyses::all();
413 return PA;
414}
assert(UImm &&(UImm !=~static_cast< T >(0)) &&"Invalid immediate!")
#define AARCH64_POINTER_AUTH_NAME
static void emitEpiloguePACSymOffsetIntoReg(const TargetInstrInfo &TII, MachineBasicBlock &MBB, MachineBasicBlock::iterator I, DebugLoc DL, MCSymbol *PACSym, Register Reg)
static void emitPACCFI(MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI, MachineInstr::MIFlag Flags, bool EmitCFI)
MachineBasicBlock & MBB
MachineBasicBlock MachineBasicBlock::iterator DebugLoc DL
MachineBasicBlock MachineBasicBlock::iterator MBBI
const HexagonInstrInfo * TII
IRTranslator LLVM IR MI
#define I(x, y, z)
Definition MD5.cpp:57
Register Reg
#define INITIALIZE_PASS(passName, arg, name, cfg, analysis)
Definition PassSupport.h:56
AArch64FunctionInfo - This class is derived from MachineFunctionInfo and contains private AArch64-spe...
bool needsAsyncDwarfUnwindInfo(const MachineFunction &MF) const
PreservedAnalyses run(MachineFunction &MF, MachineFunctionAnalysisManager &MFAM)
const AArch64InstrInfo * getInstrInfo() const override
Represents analyses that only rely on functions' control flow.
Definition Analysis.h:73
Helper class for creating CFI instructions and inserting them into MIR.
void buildNegateRAState() const
void buildNegateRAStateWithPC() const
A debug info location.
Definition DebugLoc.h:126
FunctionPass class - This class is used to implement most global optimizations.
Definition Pass.h:314
bool hasFnAttribute(Attribute::AttrKind Kind) const
Return true if the function has the attribute.
Definition Function.cpp:723
LLVM_ABI MCSymbol * createTempSymbol()
Create a temporary symbol with a unique name.
MCSymbol - Instances of this class represent a symbol name in the MC file, and MCSymbols are created ...
Definition MCSymbol.h:42
LLVM_ABI instr_iterator insert(instr_iterator I, MachineInstr *M)
Insert MI into the instruction list before I, possibly inside a bundle.
const MachineFunction * getParent() const
Return the MachineFunction containing this basic block.
LLVM_ABI instr_iterator erase(instr_iterator I)
Remove an instruction from the instruction list and delete it.
LLVM_ABI instr_iterator getFirstInstrTerminator()
Same getFirstTerminator but it ignores bundles and return an instr_iterator instead.
MachineInstrBundleIterator< MachineInstr > iterator
MachineFunctionPass - This class adapts the FunctionPass interface to allow convenient creation of pa...
const TargetSubtargetInfo & getSubtarget() const
getSubtarget - Return the subtarget for which this machine code is being compiled.
MCContext & getContext() const
Function & getFunction()
Return the LLVM function that this machine code represents.
Ty * getInfo()
getInfo - Keep track of various per-function pieces of information for backends that would like to do...
const TargetMachine & getTarget() const
getTarget - Return the target machine this machine code is compiled with
const MachineInstrBuilder & addReg(Register RegNo, RegState Flags={}, unsigned SubReg=0) const
Add a new virtual register operand.
const MachineInstrBuilder & setMIFlag(MachineInstr::MIFlag Flag) const
const MachineInstrBuilder & addImm(int64_t Val) const
Add a new immediate operand.
const MachineInstrBuilder & addSym(MCSymbol *Sym, unsigned char TargetFlags=0) const
const MachineInstrBuilder & copyImplicitOps(const MachineInstr &OtherMI) const
Copy all the implicit operands from OtherMI onto this one.
LLVM_ABI void setPreInstrSymbol(MachineFunction &MF, MCSymbol *Symbol)
Set a symbol that will be emitted just prior to the instruction itself.
A set of analyses that are preserved following a run of a transformation pass.
Definition Analysis.h:112
static PreservedAnalyses all()
Construct a special preserved set that preserves all passes.
Definition Analysis.h:118
PreservedAnalyses & preserveSet()
Mark an analysis set as preserved.
Definition Analysis.h:151
Wrapper class representing virtual and physical registers.
Definition Register.h:20
void push_back(const T &Elt)
This is a 'vector' (really, a variable-sized array), optimized for the case when the array is small.
int64_t getFixed() const
Returns the fixed component of the stack.
Definition TypeSize.h:46
Represent a constant reference to a string, i.e.
Definition StringRef.h:56
TargetInstrInfo - Interface to description of machine instruction set.
const Triple & getTargetTriple() const
bool isOSBinFormatMachO() const
Tests whether the environment is MachO.
Definition Triple.h:786
Changed
#define llvm_unreachable(msg)
Marks that the current location is not supposed to be reachable.
@ MO_NC
MO_NC - Indicates whether the linker is expected to check the symbol reference for overflow.
@ MO_PAGEOFF
MO_PAGEOFF - A symbol operand with this flag represents the offset of that symbol within a 4K page.
@ MO_PAGE
MO_PAGE - A symbol operand with this flag represents the pc-relative offset of the 4K page containing...
unsigned getCheckerSizeInBytes(AuthCheckMethod Method)
Returns the number of bytes added by checkAuthenticatedRegister.
AuthCheckMethod
Variants of check performed on an authenticated pointer.
@ XPACHint
Check by comparing the authenticated value with an XPAC-ed one without using PAuth instructions not e...
@ DummyLoad
Perform a load to a temporary register.
@ HighBitsNoTBI
Check by comparing bits 62 and 61 of the authenticated address.
@ None
Do not check the value at all.
@ XPAC
Similar to XPACHint but using Armv8.3-only XPAC instruction, thus not restricted to LR:
unsigned ID
LLVM IR allows to use arbitrary numbers as calling convention identifiers.
Definition CallingConv.h:24
This is an optimization pass for GlobalISel generic memory operations.
MachineInstrBuilder BuildMI(MachineFunction &MF, const MIMetadata &MIMD, const MCInstrDesc &MCID)
Builder interface. Specify how to create the initial instruction itself.
FunctionPass * createAArch64PointerAuthPass()
AnalysisManager< MachineFunction > MachineFunctionAnalysisManager
LLVM_ABI PreservedAnalyses getMachineFunctionPassPreservedAnalyses()
Returns the minimum set of Analyses that all machine function passes must preserve.
void emitFrameOffset(MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI, const DebugLoc &DL, unsigned DestReg, unsigned SrcReg, StackOffset Offset, const TargetInstrInfo *TII, MachineInstr::MIFlag=MachineInstr::NoFlags, bool SetNZCV=false, bool NeedsWinCFI=false, bool *HasWinCFI=nullptr, bool EmitCFAOffset=false, StackOffset InitialOffset={}, unsigned FrameReg=AArch64::SP)
emitFrameOffset - Emit instructions as needed to set DestReg to SrcReg plus Offset.