LLVM 23.0.0git
AArch64PointerAuth.cpp
Go to the documentation of this file.
1//===-- AArch64PointerAuth.cpp -- Harden code using PAuth ------------------==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8
9#include "AArch64PointerAuth.h"
10
11#include "AArch64.h"
12#include "AArch64InstrInfo.h"
13#include "AArch64MachineFunctionInfo.h"
14#include "AArch64Subtarget.h"
15#include "llvm/CodeGen/CFIInstBuilder.h"
16#include "llvm/CodeGen/MachineBasicBlock.h"
17#include "llvm/CodeGen/MachineInstrBuilder.h"
18#include "llvm/CodeGen/MachineModuleInfo.h"
19
20using namespace llvm;
21using namespace llvm::AArch64PAuth;
22
23#define AARCH64_POINTER_AUTH_NAME "AArch64 Pointer Authentication"
24
25namespace {
26
27class AArch64PointerAuthImpl {
28public:
29 bool run(MachineFunction &MF);
30
31private:
32 const AArch64Subtarget *Subtarget = nullptr;
33 const AArch64InstrInfo *TII = nullptr;
34
35 void signLR(MachineFunction &MF, MachineBasicBlock::iterator MBBI) const;
36
37 void authenticateLR(MachineFunction &MF,
38 MachineBasicBlock::iterator MBBI) const;
39};
40
41class AArch64PointerAuthLegacy : public MachineFunctionPass {
42public:
43 static char ID;
44
45 AArch64PointerAuthLegacy() : MachineFunctionPass(ID) {}
46
47 bool runOnMachineFunction(MachineFunction &MF) override;
48
49 StringRef getPassName() const override { return AARCH64_POINTER_AUTH_NAME; }
50};
51
52} // end anonymous namespace
53
54INITIALIZE_PASS(AArch64PointerAuthLegacy, "aarch64-ptrauth",
55 AARCH64_POINTER_AUTH_NAME, false, false)
56
57FunctionPass *llvm::createAArch64PointerAuthPass() {
58 return new AArch64PointerAuthLegacy();
59}
60
61char AArch64PointerAuthLegacy::ID = 0;
62
63static void emitPACSymOffsetIntoX16(const TargetInstrInfo &TII,
64 MachineBasicBlock &MBB,
65 MachineBasicBlock::iterator I, DebugLoc DL,
66 MCSymbol *PACSym) {
67 BuildMI(MBB, I, DL, TII.get(AArch64::ADRP), AArch64::X16)
68 .addSym(PACSym, AArch64II::MO_PAGE);
69 BuildMI(MBB, I, DL, TII.get(AArch64::ADDXri), AArch64::X16)
70 .addReg(AArch64::X16)
71 .addSym(PACSym, AArch64II::MO_PAGEOFF | AArch64II::MO_NC)
72 .addImm(0);
73}
74
75static void emitPACCFI(MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI,
76 MachineInstr::MIFlag Flags, bool EmitCFI) {
77 if (!EmitCFI)
78 return;
79
80 auto &MF = *MBB.getParent();
81 auto &MFnI = *MF.getInfo<AArch64FunctionInfo>();
82
83 CFIInstBuilder CFIBuilder(MBB, MBBI, Flags);
84 MFnI.branchProtectionPAuthLR() ? CFIBuilder.buildNegateRAStateWithPC()
85 : CFIBuilder.buildNegateRAState();
86}
87
88void AArch64PointerAuthImpl::signLR(MachineFunction &MF,
89 MachineBasicBlock::iterator MBBI) const {
90 auto &MFnI = *MF.getInfo<AArch64FunctionInfo>();
91 bool UseBKey = MFnI.shouldSignWithBKey();
92 bool EmitCFI = MFnI.needsDwarfUnwindInfo(MF);
93 bool NeedsWinCFI = MF.hasWinCFI();
94
95 MachineBasicBlock &MBB = *MBBI->getParent();
96
97 // Debug location must be unknown, see AArch64FrameLowering::emitPrologue.
98 DebugLoc DL;
99
100 if (UseBKey) {
101 BuildMI(MBB, MBBI, DL, TII->get(AArch64::EMITBKEY))
102 .setMIFlag(MachineInstr::FrameSetup);
103 }
104
105 // PAuthLR authentication instructions need to know the value of PC at the
106 // point of signing (PACI*).
107 if (MFnI.branchProtectionPAuthLR()) {
108 MCSymbol *PACSym = MF.getContext().createTempSymbol();
109 MFnI.setSigningInstrLabel(PACSym);
110 }
111
112 // No SEH opcode for this one; it doesn't materialize into an
113 // instruction on Windows.
114 if (MFnI.branchProtectionPAuthLR() && Subtarget->hasPAuthLR()) {
115 emitPACCFI(MBB, MBBI, MachineInstr::FrameSetup, EmitCFI);
116 BuildMI(MBB, MBBI, DL,
117 TII->get(MFnI.shouldSignWithBKey() ? AArch64::PACIBSPPC
118 : AArch64::PACIASPPC))
119 .setMIFlag(MachineInstr::FrameSetup)
120 ->setPreInstrSymbol(MF, MFnI.getSigningInstrLabel());
121 } else {
122 if (MFnI.branchProtectionPAuthLR()) {
123 BuildMI(MBB, MBBI, DL, TII->get(AArch64::PACM))
124 .setMIFlag(MachineInstr::FrameSetup);
125 emitPACCFI(MBB, MBBI, MachineInstr::FrameSetup, EmitCFI);
126 }
127 BuildMI(MBB, MBBI, DL,
128 TII->get(MFnI.shouldSignWithBKey() ? AArch64::PACIBSP
129 : AArch64::PACIASP))
130 .setMIFlag(MachineInstr::FrameSetup)
131 ->setPreInstrSymbol(MF, MFnI.getSigningInstrLabel());
132 if (!MFnI.branchProtectionPAuthLR())
133 emitPACCFI(MBB, MBBI, MachineInstr::FrameSetup, EmitCFI);
134 }
135
136 if (!EmitCFI && NeedsWinCFI) {
137 BuildMI(MBB, MBBI, DL, TII->get(AArch64::SEH_PACSignLR))
138 .setMIFlag(MachineInstr::FrameSetup);
139 }
140}
141
142void AArch64PointerAuthImpl::authenticateLR(
143 MachineFunction &MF, MachineBasicBlock::iterator MBBI) const {
144 const AArch64FunctionInfo *MFnI = MF.getInfo<AArch64FunctionInfo>();
145 bool UseBKey = MFnI->shouldSignWithBKey();
146 bool EmitAsyncCFI = MFnI->needsAsyncDwarfUnwindInfo(MF);
147 bool NeedsWinCFI = MF.hasWinCFI();
148
149 MachineBasicBlock &MBB = *MBBI->getParent();
150 DebugLoc DL = MBBI->getDebugLoc();
151 // MBBI points to a PAUTH_EPILOGUE instruction to be replaced and
152 // TI points to a terminator instruction that may or may not be combined.
153 // Note that inserting new instructions "before MBBI" and "before TI" is
154 // not the same because if ShadowCallStack is enabled, its instructions
155 // are placed between MBBI and TI.
156 MachineBasicBlock::iterator TI = MBB.getFirstInstrTerminator();
157
158 // The AUTIASP instruction assembles to a hint instruction before v8.3a so
159 // this instruction can safely used for any v8a architecture.
160 // From v8.3a onwards there are optimised authenticate LR and return
161 // instructions, namely RETA{A,B}, that can be used instead. In this case the
162 // DW_CFA_AARCH64_negate_ra_state can't be emitted.
163 bool TerminatorIsCombinable =
164 TI != MBB.end() && TI->getOpcode() == AArch64::RET;
165 MCSymbol *PACSym = MFnI->getSigningInstrLabel();
166
167 if (Subtarget->hasPAuth() && TerminatorIsCombinable && !NeedsWinCFI &&
168 !MF.getFunction().hasFnAttribute(Attribute::ShadowCallStack)) {
169 if (MFnI->branchProtectionPAuthLR() && Subtarget->hasPAuthLR()) {
170 assert(PACSym && "No PAC instruction to refer to");
171 BuildMI(MBB, TI, DL,
172 TII->get(UseBKey ? AArch64::RETABSPPCi : AArch64::RETAASPPCi))
173 .addSym(PACSym)
174 .copyImplicitOps(*MBBI)
175 .setMIFlag(MachineInstr::FrameDestroy);
176 } else {
177 if (MFnI->branchProtectionPAuthLR()) {
178 emitPACSymOffsetIntoX16(*TII, MBB, MBBI, DL, PACSym);
179 BuildMI(MBB, MBBI, DL, TII->get(AArch64::PACM))
180 .setMIFlag(MachineInstr::FrameDestroy);
181 }
182 BuildMI(MBB, TI, DL, TII->get(UseBKey ? AArch64::RETAB : AArch64::RETAA))
183 .copyImplicitOps(*MBBI)
184 .setMIFlag(MachineInstr::FrameDestroy);
185 }
186 MBB.erase(TI);
187 } else {
188 if (MFnI->branchProtectionPAuthLR() && Subtarget->hasPAuthLR()) {
189 assert(PACSym && "No PAC instruction to refer to");
190 emitPACCFI(MBB, MBBI, MachineInstr::FrameDestroy, EmitAsyncCFI);
191 BuildMI(MBB, MBBI, DL,
192 TII->get(UseBKey ? AArch64::AUTIBSPPCi : AArch64::AUTIASPPCi))
193 .addSym(PACSym)
194 .setMIFlag(MachineInstr::FrameDestroy);
195 } else {
196 if (MFnI->branchProtectionPAuthLR()) {
197 emitPACSymOffsetIntoX16(*TII, MBB, MBBI, DL, PACSym);
198 BuildMI(MBB, MBBI, DL, TII->get(AArch64::PACM))
199 .setMIFlag(MachineInstr::FrameDestroy);
200 emitPACCFI(MBB, MBBI, MachineInstr::FrameDestroy, EmitAsyncCFI);
201 }
202 BuildMI(MBB, MBBI, DL,
203 TII->get(UseBKey ? AArch64::AUTIBSP : AArch64::AUTIASP))
204 .setMIFlag(MachineInstr::FrameDestroy);
205 if (!MFnI->branchProtectionPAuthLR())
206 emitPACCFI(MBB, MBBI, MachineInstr::FrameDestroy, EmitAsyncCFI);
207 }
208
209 if (NeedsWinCFI) {
210 BuildMI(MBB, MBBI, DL, TII->get(AArch64::SEH_PACSignLR))
211 .setMIFlag(MachineInstr::FrameDestroy);
212 }
213 }
214}
215
216unsigned llvm::AArch64PAuth::getCheckerSizeInBytes(AuthCheckMethod Method) {
217 switch (Method) {
218 case AuthCheckMethod::None:
219 return 0;
220 case AuthCheckMethod::DummyLoad:
221 return 4;
222 case AuthCheckMethod::HighBitsNoTBI:
223 return 12;
224 case AuthCheckMethod::XPACHint:
225 case AuthCheckMethod::XPAC:
226 return 20;
227 }
228 llvm_unreachable("Unknown AuthCheckMethod enum");
229}
230
231bool AArch64PointerAuthImpl::run(MachineFunction &MF) {
232 Subtarget = &MF.getSubtarget<AArch64Subtarget>();
233 TII = Subtarget->getInstrInfo();
234
235 SmallVector<MachineBasicBlock::instr_iterator> PAuthPseudoInstrs;
236
237 bool Modified = false;
238
239 for (auto &MBB : MF) {
240 for (auto &MI : MBB) {
241 switch (MI.getOpcode()) {
242 default:
243 break;
244 case AArch64::PAUTH_PROLOGUE:
245 case AArch64::PAUTH_EPILOGUE:
246 PAuthPseudoInstrs.push_back(MI.getIterator());
247 break;
248 }
249 }
250 }
251
252 for (auto It : PAuthPseudoInstrs) {
253 switch (It->getOpcode()) {
254 case AArch64::PAUTH_PROLOGUE:
255 signLR(MF, It);
256 break;
257 case AArch64::PAUTH_EPILOGUE:
258 authenticateLR(MF, It);
259 break;
260 default:
261 llvm_unreachable("Unhandled opcode");
262 }
263 It->eraseFromParent();
264 Modified = true;
265 }
266
267 return Modified;
268}
269
270bool AArch64PointerAuthLegacy::runOnMachineFunction(MachineFunction &MF) {
271 return AArch64PointerAuthImpl().run(MF);
272}
273
274PreservedAnalyses
275AArch64PointerAuthPass::run(MachineFunction &MF,
276 MachineFunctionAnalysisManager &MFAM) {
277 const bool Changed = AArch64PointerAuthImpl().run(MF);
278 if (!Changed)
279 return PreservedAnalyses::all();
280 PreservedAnalyses PA = getMachineFunctionPassPreservedAnalyses();
281 PA.preserveSet<CFGAnalyses>();
282 return PA;
283}
assert
assert(UImm &&(UImm !=~static_cast< T >(0)) &&"Invalid immediate!")
AARCH64_POINTER_AUTH_NAME
#define AARCH64_POINTER_AUTH_NAME
Definition AArch64PointerAuth.cpp:23
emitPACCFI
static void emitPACCFI(MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI, MachineInstr::MIFlag Flags, bool EmitCFI)
Definition AArch64PointerAuth.cpp:75
emitPACSymOffsetIntoX16
static void emitPACSymOffsetIntoX16(const TargetInstrInfo &TII, MachineBasicBlock &MBB, MachineBasicBlock::iterator I, DebugLoc DL, MCSymbol *PACSym)
Definition AArch64PointerAuth.cpp:63
MBB
MachineBasicBlock & MBB
Definition ARMSLSHardening.cpp:71
DL
MachineBasicBlock MachineBasicBlock::iterator DebugLoc DL
Definition ARMSLSHardening.cpp:73
MBBI
MachineBasicBlock MachineBasicBlock::iterator MBBI
Definition ARMSLSHardening.cpp:72
TII
const HexagonInstrInfo * TII
Definition HexagonCopyToCombine.cpp:118
MI
IRTranslator LLVM IR MI
Definition IRTranslator.cpp:110
I
#define I(x, y, z)
Definition MD5.cpp:57
INITIALIZE_PASS
#define INITIALIZE_PASS(passName, arg, name, cfg, analysis)
Definition PassSupport.h:56
llvm::AArch64FunctionInfo
AArch64FunctionInfo - This class is derived from MachineFunctionInfo and contains private AArch64-spe...
Definition AArch64MachineFunctionInfo.h:56
llvm::AArch64FunctionInfo::needsAsyncDwarfUnwindInfo
bool needsAsyncDwarfUnwindInfo(const MachineFunction &MF) const
Definition AArch64MachineFunctionInfo.cpp:215
llvm::AArch64PointerAuthPass::run
PreservedAnalyses run(MachineFunction &MF, MachineFunctionAnalysisManager &MFAM)
Definition AArch64PointerAuth.cpp:275
llvm::AArch64Subtarget::getInstrInfo
const AArch64InstrInfo * getInstrInfo() const override
Definition AArch64Subtarget.h:149
llvm::CFGAnalyses
Represents analyses that only rely on functions' control flow.
Definition Analysis.h:73
llvm::CFIInstBuilder
Helper class for creating CFI instructions and inserting them into MIR.
Definition CFIInstBuilder.h:20
llvm::DebugLoc
A debug info location.
Definition DebugLoc.h:123
llvm::FunctionPass
FunctionPass class - This class is used to implement most global optimizations.
Definition Pass.h:314
llvm::Function::hasFnAttribute
bool hasFnAttribute(Attribute::AttrKind Kind) const
Return true if the function has the attribute.
Definition Function.cpp:728
llvm::MCContext::createTempSymbol
LLVM_ABI MCSymbol * createTempSymbol()
Create a temporary symbol with a unique name.
Definition MCContext.cpp:393
llvm::MCSymbol
MCSymbol - Instances of this class represent a symbol name in the MC file, and MCSymbols are created ...
Definition MCSymbol.h:42
llvm::MachineBasicBlock::getParent
const MachineFunction * getParent() const
Return the MachineFunction containing this basic block.
Definition MachineBasicBlock.h:328
llvm::MachineBasicBlock::erase
LLVM_ABI instr_iterator erase(instr_iterator I)
Remove an instruction from the instruction list and delete it.
Definition MachineBasicBlock.cpp:1488
llvm::MachineBasicBlock::getFirstInstrTerminator
LLVM_ABI instr_iterator getFirstInstrTerminator()
Same getFirstTerminator but it ignores bundles and return an instr_iterator instead.
Definition MachineBasicBlock.cpp:253
llvm::MachineBasicBlock::iterator
MachineInstrBundleIterator< MachineInstr > iterator
Definition MachineBasicBlock.h:346
llvm::MachineFunctionPass
MachineFunctionPass - This class adapts the FunctionPass interface to allow convenient creation of pa...
Definition MachineFunctionPass.h:31
llvm::MachineFunction::getSubtarget
const TargetSubtargetInfo & getSubtarget() const
getSubtarget - Return the subtarget for which this machine code is being compiled.
Definition MachineFunction.h:794
llvm::MachineFunction::getContext
MCContext & getContext() const
Definition MachineFunction.h:741
llvm::MachineFunction::getFunction
Function & getFunction()
Return the LLVM function that this machine code represents.
Definition MachineFunction.h:755
llvm::MachineFunction::getInfo
Ty * getInfo()
getInfo - Keep track of various per-function pieces of information for backends that would like to do...
Definition MachineFunction.h:896
llvm::MachineInstrBuilder::addReg
const MachineInstrBuilder & addReg(Register RegNo, RegState Flags={}, unsigned SubReg=0) const
Add a new virtual register operand.
Definition MachineInstrBuilder.h:199
llvm::MachineInstrBuilder::setMIFlag
const MachineInstrBuilder & setMIFlag(MachineInstr::MIFlag Flag) const
Definition MachineInstrBuilder.h:384
llvm::MachineInstrBuilder::addImm
const MachineInstrBuilder & addImm(int64_t Val) const
Add a new immediate operand.
Definition MachineInstrBuilder.h:233
llvm::MachineInstrBuilder::addSym
const MachineInstrBuilder & addSym(MCSymbol *Sym, unsigned char TargetFlags=0) const
Definition MachineInstrBuilder.h:373
llvm::MachineInstrBuilder::copyImplicitOps
const MachineInstrBuilder & copyImplicitOps(const MachineInstr &OtherMI) const
Copy all the implicit operands from OtherMI onto this one.
Definition MachineInstrBuilder.h:436
llvm::MachineInstr::setPreInstrSymbol
LLVM_ABI void setPreInstrSymbol(MachineFunction &MF, MCSymbol *Symbol)
Set a symbol that will be emitted just prior to the instruction itself.
Definition MachineInstr.cpp:480
llvm::PreservedAnalyses
A set of analyses that are preserved following a run of a transformation pass.
Definition Analysis.h:112
llvm::PreservedAnalyses::all
static PreservedAnalyses all()
Construct a special preserved set that preserves all passes.
Definition Analysis.h:118
llvm::PreservedAnalyses::preserveSet
PreservedAnalyses & preserveSet()
Mark an analysis set as preserved.
Definition Analysis.h:151
llvm::SmallVectorTemplateBase::push_back
void push_back(const T &Elt)
Definition SmallVector.h:419
llvm::SmallVector
This is a 'vector' (really, a variable-sized array), optimized for the case when the array is small.
Definition SmallVector.h:1205
llvm::StringRef
StringRef - Represent a constant reference to a string, i.e.
Definition StringRef.h:55
llvm::TargetInstrInfo
TargetInstrInfo - Interface to description of machine instruction set.
Definition TargetInstrInfo.h:115
Changed
Changed
Definition ObjCARCOpts.cpp:2367
llvm_unreachable
#define llvm_unreachable(msg)
Marks that the current location is not supposed to be reachable.
Definition ErrorHandling.h:164
llvm::AArch64II::MO_NC
@ MO_NC
MO_NC - Indicates whether the linker is expected to check the symbol reference for overflow.
Definition AArch64BaseInfo.h:962
llvm::AArch64II::MO_PAGEOFF
@ MO_PAGEOFF
MO_PAGEOFF - A symbol operand with this flag represents the offset of that symbol within a 4K page.
Definition AArch64BaseInfo.h:926
llvm::AArch64II::MO_PAGE
@ MO_PAGE
MO_PAGE - A symbol operand with this flag represents the pc-relative offset of the 4K page containing...
Definition AArch64BaseInfo.h:921
llvm::AArch64PAuth::getCheckerSizeInBytes
unsigned getCheckerSizeInBytes(AuthCheckMethod Method)
Returns the number of bytes added by checkAuthenticatedRegister.
Definition AArch64PointerAuth.cpp:216
llvm::AArch64PAuth::AuthCheckMethod
AuthCheckMethod
Variants of check performed on an authenticated pointer.
Definition AArch64PointerAuth.h:44
llvm::AArch64PAuth::AuthCheckMethod::XPACHint
@ XPACHint
Check by comparing the authenticated value with an XPAC-ed one without using PAuth instructions not e...
Definition AArch64PointerAuth.h:75
llvm::AArch64PAuth::AuthCheckMethod::DummyLoad
@ DummyLoad
Perform a load to a temporary register.
Definition AArch64PointerAuth.h:49
llvm::AArch64PAuth::AuthCheckMethod::HighBitsNoTBI
@ HighBitsNoTBI
Check by comparing bits 62 and 61 of the authenticated address.
Definition AArch64PointerAuth.h:59
llvm::AArch64PAuth::AuthCheckMethod::None
@ None
Do not check the value at all.
Definition AArch64PointerAuth.h:46
llvm::AArch64PAuth::AuthCheckMethod::XPAC
@ XPAC
Similar to XPACHint but using Armv8.3-only XPAC instruction, thus not restricted to LR:
Definition AArch64PointerAuth.h:85
llvm::CallingConv::ID
unsigned ID
LLVM IR allows to use arbitrary numbers as calling convention identifiers.
Definition CallingConv.h:24
llvm::dwarf_linker::DebugSectionKind::DebugLoc
@ DebugLoc
Definition DWARFLinkerBase.h:34
llvm
This is an optimization pass for GlobalISel generic memory operations.
Definition FunctionInfo.h:25
llvm::BuildMI
MachineInstrBuilder BuildMI(MachineFunction &MF, const MIMetadata &MIMD, const MCInstrDesc &MCID)
Builder interface. Specify how to create the initial instruction itself.
Definition MachineInstrBuilder.h:449
llvm::createAArch64PointerAuthPass
FunctionPass * createAArch64PointerAuthPass()
llvm::MachineFunctionAnalysisManager
AnalysisManager< MachineFunction > MachineFunctionAnalysisManager
Definition MachineFunctionAnalysisManager.h:24
llvm::getMachineFunctionPassPreservedAnalyses
LLVM_ABI PreservedAnalyses getMachineFunctionPassPreservedAnalyses()
Returns the minimum set of Analyses that all machine function passes must preserve.
Definition MachinePassManager.cpp:162
Generated on for LLVM by doxygen 1.14.0