[PATCH] D132386: [AArch64][PAC] Lower auth/resign into checked sequence.

Peter Smith via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Thu Aug 25 02:31:30 PDT 2022


peter.smith added inline comments.


================
Comment at: llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp:1227
+
+  // We can expand AUT/AUTPAC into 3 possible sequences:
+  // - unchecked:
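Review bot: the comment at AArch64AsmPrinter.cpp:1227 announces three expansion sequences but the visible lines name only "unchecked"; since the thread below turns on the invariant that a raw (authenticated, unsigned) pointer may live only in X16/X17 between the AUT and the PAC, please state that register invariant explicitly for each of the three sequences in this comment, so a reader of the lowering does not have to recover it from the review discussion.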
----------------
kristof.beyls wrote:
> peter.smith wrote:
> > apazos wrote:
> > > Should the PAuth ABI for ELF documentation in 
> > > https://github.com/ARM-software/abi-aa/blob/main/pauthabielf64/pauthabielf64.rst 
> > > have a note on x16/x17 being used for lowering auth/resign sequences?
> > Not had a chance to reason through all of this in detail. My instinct is that this is already covered in the PCS (see below); if there are additional restrictions that are needed in the PAuthABI, then it will be worth raising a GitHub issue (or a pull request).
> > 
> > The x16/x17 registers are mentioned in the procedure call standard as corruptible by intra-procedure calls so compilers already have to assume that they may be corrupted on a function call https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst#611general-purpose-registers 
> My understanding of the reason to use X16 and X17 here is that there is a platform guarantee that anything that interrupts the execution of the program in an arbitrary location, such as a process context switch, will make sure that when it saves/restores the register context, the registers X16 and X17 will not be written to memory as is.
> My understanding is that the goal is for only registers X16 or X17 to potentially contain unsigned/raw pointers because of the resigning sequences implemented here.
> If these registers would be written to memory on a context switch as is, that leaves an attack vector for an attacker that can overwrite memory - they could simply overwrite the raw pointer.
> 
> I think it's worthwhile to consider if we should add anything related to this to the Arm PAuth ABI. Maybe a good first step would be to raise a ticket at https://github.com/ARM-software/abi-aa/issues describing what the guarantee or guideline is that we'd want there?
> 
> From the compiler perspective, I'm expecting the guideline might be something like "whenever the compiler for some reason has to convert a signed pointer into a raw (unsigned) pointer, where that raw pointer is not requested to be stored in memory according to the source code, only registers X16 or X17 should be used to keep that raw pointer."
I've raised https://github.com/ARM-software/abi-aa/issues/168 so we don't forget about it. Not sure the ELF extensions are a good place to put it, but it is the closest we have right now.
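As an added illustration of the invariant discussed in this thread (this is not code from D132386 or from LLVM's actual lowering, and it is not any participant's text), the sketch below shows a checked authenticate-then-resign of a data pointer in AArch64 assembly in which the raw pointer is held only in x16/x17 and is resigned before leaving those registers. The input/output registers (x0 signed pointer, x1 old discriminator, x2 new discriminator), the choice of data keys, and the `brk` immediate are assumptions made for the example.

```asm
// Added example: checked auth + resign of a data pointer (not LLVM's lowering).
// Assumed inputs: x0 = pointer signed with key DA and discriminator x1
//                 x2 = discriminator to resign with (also key DA here)
// Output:          x0 = resigned pointer
// Invariant: the raw (unsigned) pointer is only ever in x16/x17, which the
// platform is expected not to spill to memory as-is on a context switch.
    mov     x16, x0             // work on a copy in the scratch register
    autda   x16, x1             // authenticate; without FEAT_FPAC a failure
                                // leaves error bits in the PAC field instead of trapping
    mov     x17, x16
    xpacd   x17                 // strip the PAC field to get the canonical raw value
    cmp     x16, x17            // equal only if authentication succeeded
    b.ne    .Lauth_fail         // mismatch: error bits present, do not resign
    pacda   x16, x2             // resign immediately while still in x16
    mov     x0, x16             // only a signed pointer leaves x16/x17
    ret
.Lauth_fail:
    brk     #0x1000             // trap immediate is an assumed placeholder value
```

The point of the `xpacd` + `cmp` pair is that a corrupted pointer is never resigned: an unchecked `autda; pacda` would turn an authentication failure into a freshly signed, valid-looking pointer, which is exactly the signing oracle the checked sequence is meant to avoid. Between `autda` and `pacda` the raw value exists only in x16/x17, which is the register guarantee the ABI note proposed above would document.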



https://reviews.llvm.org/D132386



More information about the llvm-commits mailing list