Build: Add support for PACBTI

PACBTI (Pointer Authentication and Branch Target Identification) is an
optional feature to improve robustness of the system, preventing some
attacks like Return-Oriented Programming (ROP) and Jump-Oriented
Programming (JOP).

This feature needs to be enabled by the compiler and needs
architectural support (Armv8.1-M).

This patch adds support for PACBTI in the build system for GNU and
ARMClang compilers. It is provided for the SPE build only.

It is by default DISABLED.

To enable the feature, use the CONFIG_TFM_BRANCH_PROTECTION_FEAT option.

Signed-off-by: Nicola Mazzucato <nicola.mazzucato@arm.com>
Change-Id: I0a3542501ce040a86a58f1bd3b71ab48f4e041eb
diff --git a/toolchain_GNUARM.cmake b/toolchain_GNUARM.cmake
index 4d053b8..6c62ba7 100644
--- a/toolchain_GNUARM.cmake
+++ b/toolchain_GNUARM.cmake
@@ -124,6 +124,36 @@
     $<$<OR:$<BOOL:${TFM_DEBUG_SYMBOLS}>,$<BOOL:${TFM_CODE_COVERAGE}>>:-g>
 )
 
+#
+# Pointer Authentication Code and Branch Target Identification (PACBTI) Options
+#
+if (${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_NONE)
+    set(BRANCH_PROTECTION_OPTIONS "none")
+elseif(${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_STANDARD)
+    set(BRANCH_PROTECTION_OPTIONS "standard")
+elseif(${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_PACRET)
+    set(BRANCH_PROTECTION_OPTIONS "pac-ret")
+elseif(${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_PACRET_LEAF)
+    set(BRANCH_PROTECTION_OPTIONS "pac-ret+leaf")
+elseif(${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_BTI)
+    set(BRANCH_PROTECTION_OPTIONS "bti")
+endif()
+
+if(NOT ${CONFIG_TFM_BRANCH_PROTECTION_FEAT} STREQUAL BRANCH_PROTECTION_DISABLED)
+    if(GCC_VERSION VERSION_LESS "12.2")
+        message(FATAL_ERROR "Your compiler does not support BRANCH_PROTECTION")
+    else()
+        if((TFM_SYSTEM_PROCESSOR MATCHES "cortex-m85") AND
+            (TFM_SYSTEM_ARCHITECTURE STREQUAL "armv8.1-m.main"))
+            message(NOTICE "BRANCH_PROTECTION enabled with: ${BRANCH_PROTECTION_OPTIONS}")
+
+            add_compile_options(-mbranch-protection=${BRANCH_PROTECTION_OPTIONS})
+        else()
+            message(FATAL_ERROR "Your architecture does not support BRANCH_PROTECTION")
+        endif()
+    endif()
+endif()
+
 add_link_options(
     --entry=Reset_Handler
     -specs=nano.specs
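Review bot: The mapping chain at the top of the added block has no fallback, so a CONFIG_TFM_BRANCH_PROTECTION_FEAT value that is neither one of the five listed names nor BRANCH_PROTECTION_DISABLED (a typo, for instance) leaves BRANCH_PROTECTION_OPTIONS unset, and the later `add_compile_options(-mbranch-protection=${BRANCH_PROTECTION_OPTIONS})` is reached with an empty value instead of a clear configure error. For a hardening switch I would fail closed by ending the chain with `elseif(NOT "${CONFIG_TFM_BRANCH_PROTECTION_FEAT}" STREQUAL "BRANCH_PROTECTION_DISABLED")` followed by `message(FATAL_ERROR "Unknown CONFIG_TFM_BRANCH_PROTECTION_FEAT: ${CONFIG_TFM_BRANCH_PROTECTION_FEAT}")`. The `${CONFIG_TFM_BRANCH_PROTECTION_FEAT}` expansions in every `if()`/`elseif()` are also unquoted, so an empty or undefined option yields a malformed condition; quoting both sides of each comparison avoids that. Separately, BRANCH_PROTECTION_NONE passes the outer guard and prints "BRANCH_PROTECTION enabled with: none", which reads as if protection were active; the notice should say that no branch protection is applied in that case.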