| Ruchika Gupta | 55583eb | 2022-01-25 12:47:07 +0530 | [diff] [blame] | 1 | .. _arm_security_extensions: |
| 2 | |
| 3 | ####################### |
| 4 | Arm Security Extensions |
| 5 | ####################### |
| 6 | |
| 7 | .. _bti: |
| 8 | |
| 9 | Branch Target Identification |
| 10 | **************************** |
| 11 | |
| 12 | Branch Target Identification (BTI) is an ARMv8.5 extension that provides |
| 13 | Control Flow Integrity (CFI) around indirect branches and their targets, thus helping |
| 14 | to limit the JOP (Jump Oriented Programming) attacks. |
| 15 | |
| 16 | With this extension, ARM8.5-A introduces Branch Target Instructions (BTIs). |
| 17 | BTIs are also called landing pads. The processor can be configured so that |
| 18 | indirect branches (BR and BLR) only allows target landing pad instructions. |
| 19 | If the target of an indirect branch is not a landing pad, a Branch Target Exception |
| 20 | is generated. |
| 21 | |
| 22 | How to enable BTI for OP-TEE core |
| 23 | ================================== |
| 24 | |
| 25 | To make use of BTI in TEE core on CPU's that support it, enable the option |
| 26 | ``CFG_CORE_BTI``. |
| 27 | |
| 28 | OP-TEE core makes use of some built-ins in the GCC/clang toolchains. So, in order |
| 29 | to use the option ``CFG_CORE_BTI``, make sure that GCC toolchain has been built with |
| 30 | ``--enable-standard-branch-protection`` is used else OP-TEE will fail to build. |
| 31 | By default libraries such as libgcc.a are built with flags (``-mbranch-protection=none``), |
| 32 | hence are incompatible with branch protection enabled. The Arm GNU compiler team |
| 33 | is looking for ways of providing users easy access to BTI-enabled libraries. |
| 34 | In the short-term, they plan to create documentation to make it easier for users to |
| 35 | build BTI-enabled libraries themselves. Longer-term, they will begin discussions |
| 36 | on how to ensure BTI-enabled libraries are available automatically to users. |
| Jerome Forissier | 2f11d80 | 2022-01-26 10:08:27 +0100 | [diff] [blame] | 37 | Please contact GCC team for more information on same. In the meantime, building a |
| 38 | BTI-enabled GCC toolchain is possible as decribed in :ref:`faq_gcc_bti`. |
| Ruchika Gupta | 55583eb | 2022-01-25 12:47:07 +0530 | [diff] [blame] | 39 | |
| 40 | The same problem is also there with clang toolchain. So, when using clang to build |
| 41 | OP-TEE with ``CFG_CORE_BTI=y``, builtins (found in llvm's "compiler-rt" |
| 42 | project) must be built with BTI protection enabled. We have some instructions on |
| Jerome Forissier | 2f11d80 | 2022-01-26 10:08:27 +0100 | [diff] [blame] | 43 | how to build the compiler-rt with BTI enabled. These are available in |
| 44 | :ref:`faq_llvm_bti`. |
| Ruchika Gupta | 55583eb | 2022-01-25 12:47:07 +0530 | [diff] [blame] | 45 | |
| 46 | |
| 47 | How to enable BTI for TA's |
| 48 | =========================== |
| 49 | |
| 50 | To make use of BTI support for TA's and user mode libraries, enable the option |
| 51 | ``CFG_TA_BTI``. This will ensure that all libraries provided by OP-TEE to the TA's |
| 52 | as well as the TA's are built with BTI option. |
| 53 | |
| 54 | When the TA's are loaded by ldelf, they are checked at run time for the BTI NOTE |
| 55 | property in ELF before enabling the protection for the TA. |
| 56 | |
| 57 | When building TA's, you need to ensure that any external library used has been |
| 58 | built with branch-protection. This can be done by checking the library using readelf |
| 59 | command with option ``-n``. The BTI enabled libraries will have BTI NOTE property in |
| 60 | ``.note.gnu.property`` section. If that is not the case, compilation will stop with a |
| 61 | warning. This is done intentionally to warn the user. |
| 62 | |
| 63 | |
| 64 | .. note:: |
| 65 | |
| 66 | The BTI support is currently not compatible with options ``CFG_VIRTUALIZATION`` and |
| 67 | ``CFG_WITH_PAGER``. |