Build: Add support for PACBTI

PACBTI (Pointer Authentication and Branch Target Identification) is an
optional feature to improve robustness of the system, preventing some
attacks like Return-Oriented Programming (ROP) and Jump-Oriented
Programming (JOP).

This feature needs to be enabled by the compiler and needs
architectural support (Armv8.1-M).

This patch adds support for PACBTI in the build system for GNU and
ARMClang compilers. It is provided for the SPE build only.

It is by default DISABLED.

To enable the feature, use the CONFIG_TFM_BRANCH_PROTECTION_FEAT option.

Signed-off-by: Nicola Mazzucato <nicola.mazzucato@arm.com>
Change-Id: I0a3542501ce040a86a58f1bd3b71ab48f4e041eb
diff --git a/toolchain_ARMCLANG.cmake b/toolchain_ARMCLANG.cmake
index 99c3ccf..9027e08 100644
--- a/toolchain_ARMCLANG.cmake
+++ b/toolchain_ARMCLANG.cmake
@@ -267,6 +267,40 @@
     endif()
 
     set(CMAKE_C_FLAGS_MINSIZEREL "-Oz -DNDEBUG")
+
+    #
+    # Pointer Authentication Code and Branch Target Identification (PACBTI) Options
+    #
+    if (${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_NONE)
+        set(BRANCH_PROTECTION_OPTIONS "none")
+    elseif(${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_STANDARD)
+        set(BRANCH_PROTECTION_OPTIONS "standard")
+    elseif(${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_PACRET)
+        set(BRANCH_PROTECTION_OPTIONS "pac-ret")
+    elseif(${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_PACRET_LEAF)
+        set(BRANCH_PROTECTION_OPTIONS "pac-ret+leaf")
+    elseif(${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_BTI)
+        set(BRANCH_PROTECTION_OPTIONS "bti")
+    endif()
+
+    if(NOT ${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_DISABLED)
+        if(CMAKE_C_COMPILER_VERSION VERSION_LESS 6.18)
+            message(FATAL_ERROR "Your compiler does not support BRANCH_PROTECTION")
+        else()
+            if((TFM_SYSTEM_PROCESSOR MATCHES "cortex-m85") AND
+                (TFM_SYSTEM_ARCHITECTURE STREQUAL "armv8.1-m.main"))
+                message(NOTICE "BRANCH_PROTECTION enabled with: ${BRANCH_PROTECTION_OPTIONS}")
+
+                string(APPEND CMAKE_C_FLAGS " -mbranch-protection=${BRANCH_PROTECTION_OPTIONS}")
+                string(APPEND CMAKE_CXX_FLAGS " -mbranch-protection=${BRANCH_PROTECTION_OPTIONS}")
+
+                add_link_options(--library_security=pacbti-m)
+            else()
+                message(FATAL_ERROR "Your architecture does not support BRANCH_PROTECTION")
+            endif()
+        endif()
+    endif()
+
 endmacro()
 
 # Configure environment for the compiler setup run by cmake at the first
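Review bot: The option-mapping chain at the top of the added block has no `else()`, so a misspelled or otherwise unhandled CONFIG_TFM_BRANCH_PROTECTION_FEAT value leaves BRANCH_PROTECTION_OPTIONS unset, or possibly stale from an earlier expansion, since this is a macro body with no scope of its own. The `NOT ... BRANCH_PROTECTION_DISABLED` test below still passes in that case and appends `-mbranch-protection=${BRANCH_PROTECTION_OPTIONS}`. For a hardening option the configure step should stop rather than build with a protection level nobody selected: move the chain inside the `NOT ... DISABLED` block and end it with `else()` followed by `message(FATAL_ERROR "Unsupported CONFIG_TFM_BRANCH_PROTECTION_FEAT: ${CONFIG_TFM_BRANCH_PROTECTION_FEAT}")`. The unquoted `${CONFIG_TFM_BRANCH_PROTECTION_FEAT}` in each `if()` also turns an unset option into a CMake syntax error, which `"${CONFIG_TFM_BRANCH_PROTECTION_FEAT}" STREQUAL "BRANCH_PROTECTION_NONE"` (and likewise for the other names) would avoid. The enclosing macro starts outside this hunk, so any earlier validation of the option is not visible here.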