Enable pointer authentication

As in TF-A, make memory protection selectable
via the BRANCH_PROTECTION variable:
unset: Default value. mbranch-protection flag is not provided
0: Turns off all types of branch protection
1: Enables all types of branch protection features
2: Return address signing to its standard level
3: Extend the signing to include leaf functions
4: Turn on branch target identification mechanism

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: Ide8035599e131986e7bcfd50d0a3b5234ac6354f
diff --git a/environments/arm-linux/default_toolchain_file.cmake b/environments/arm-linux/default_toolchain_file.cmake
index 308c2a7..5869fa4 100644
--- a/environments/arm-linux/default_toolchain_file.cmake
+++ b/environments/arm-linux/default_toolchain_file.cmake
@@ -22,17 +22,26 @@
 set(TS_WARNING_FLAGS "-Wall -Werror" CACHE STRING "Compiler flags affecting generating warning messages.")
 set(TS_MANDATORY_LINKER_FLAGS "" CACHE STRING "Linker flags needed for correct builds.")
 
-set(BTI_ENABLED unset CACHE STRING "Enable Branch Target Identification (BTI)")
-set_property(CACHE BTI_ENABLED PROPERTY STRINGS unset OFF ON)
+# branch-protection enables bti/pac while compile force-bti tells the linker to
+# warn if some object files lack the .note.gnu.property section with the BTI
+# flag, and to turn on the BTI flag in the output anyway.
+set(BRANCH_PROTECTION unset CACHE STRING "Enable branch protection")
+set_property(CACHE BRANCH_PROTECTION PROPERTY STRINGS unset 0 1 2 3 4)
 
-if(BTI_ENABLED STREQUAL "ON")
-	# branch-protection enables bti while compile force-bti tells the linker to
-	# warn if some object files lack the .note.gnu.property section with the BTI
-	# flag, and to turn on the BTI flag in the output anyway.
+if(BRANCH_PROTECTION STREQUAL "0")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=none")
+elseif(BRANCH_PROTECTION STREQUAL "1")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=standard")
+	set(TS_MANDATORY_LINKER_FLAGS "${TS_MANDATORY_LINKER_FLAGS} -zforce-bti")
+	add_compile_definitions("BTI_ENABLED")
+elseif(BRANCH_PROTECTION STREQUAL "2")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=pac-ret")
+elseif(BRANCH_PROTECTION STREQUAL "3")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=pac-ret+leaf")
+elseif(BRANCH_PROTECTION STREQUAL "4")
 	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=bti")
 	set(TS_MANDATORY_LINKER_FLAGS "${TS_MANDATORY_LINKER_FLAGS} -zforce-bti")
-elseif(BTI_ENABLED STREQUAL "OFF")
-	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=none")
+	add_compile_definitions("BTI_ENABLED")
 endif()
 
 # Set flags affecting all build types
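Review bot: The `if`/`elseif` chain on BRANCH_PROTECTION has no fallback branch, so any value outside `0`-`4` (a typo, or `standard` written out) configures cleanly and builds with no `-mbranch-protection` flag at all. The same happens to build scripts that still pass `-DBTI_ENABLED=ON`: that cache variable is no longer read, so those builds silently lose BTI. Because this is a hardening switch, the configure step should fail instead, by ending the chain with `elseif(NOT BRANCH_PROTECTION STREQUAL "unset")` and `message(FATAL_ERROR "Invalid BRANCH_PROTECTION '${BRANCH_PROTECTION}': expected unset, 0, 1, 2, 3 or 4")`. A similar check for a leftover `BTI_ENABLED` cache entry would catch the migration case. The identical chains in environments/opteesp and environments/sp need the same guard.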
diff --git a/environments/opteesp/default_toolchain_file.cmake b/environments/opteesp/default_toolchain_file.cmake
index 613cd43..b150b85 100644
--- a/environments/opteesp/default_toolchain_file.cmake
+++ b/environments/opteesp/default_toolchain_file.cmake
@@ -25,18 +25,26 @@
 set(TS_MANDATORY_LINKER_FLAGS "-pie -Wl,--as-needed -Wl,--sort-section=alignment -zmax-page-size=4096"
 	CACHE STRING "Linker flags needed for correct builds.")
 
-set(BTI_ENABLED unset CACHE STRING "Enable Branch Target Identification (BTI)")
-set_property(CACHE BTI_ENABLED PROPERTY STRINGS unset OFF ON)
+# branch-protection enables bti/pac while compile force-bti tells the linker to
+# warn if some object files lack the .note.gnu.property section with the BTI
+# flag, and to turn on the BTI flag in the output anyway.
+set(BRANCH_PROTECTION unset CACHE STRING "Enable branch protection")
+set_property(CACHE BRANCH_PROTECTION PROPERTY STRINGS unset 0 1 2 3 4)
 
-if(BTI_ENABLED STREQUAL "ON")
-	# branch-protection enables bti while compile force-bti tells the linker to
-	# warn if some object files lack the .note.gnu.property section with the BTI
-	# flag, and to turn on the BTI flag in the output anyway.
+if(BRANCH_PROTECTION STREQUAL "0")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=none")
+elseif(BRANCH_PROTECTION STREQUAL "1")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=standard")
+	set(TS_MANDATORY_LINKER_FLAGS "${TS_MANDATORY_LINKER_FLAGS} -zforce-bti")
+	add_compile_definitions("BTI_ENABLED")
+elseif(BRANCH_PROTECTION STREQUAL "2")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=pac-ret")
+elseif(BRANCH_PROTECTION STREQUAL "3")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=pac-ret+leaf")
+elseif(BRANCH_PROTECTION STREQUAL "4")
 	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=bti")
 	set(TS_MANDATORY_LINKER_FLAGS "${TS_MANDATORY_LINKER_FLAGS} -zforce-bti")
 	add_compile_definitions("BTI_ENABLED")
-elseif(BTI_ENABLED STREQUAL "OFF")
-	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=none")
 endif()
 
 # Set flags affecting all build types
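Review bot: The cache help string `"Enable branch protection"` and the comment above it do not say what the levels `0`-`4` mean; that mapping exists only in the commit message, so anyone picking a value in cmake-gui or auditing the toolchain file has to read the branch chain to learn which hardening they get. I would replace the moved comment, whose phrase "while compile force-bti" is also hard to parse, with `# BRANCH_PROTECTION: unset = no flag, 0 = none, 1 = standard, 2 = pac-ret, 3 = pac-ret+leaf, 4 = bti.` followed by `# Levels 1 and 4 also pass -zforce-bti to the linker and define BTI_ENABLED.` The same comment applies to the arm-linux and sp toolchain files.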
diff --git a/environments/sp/default_toolchain_file.cmake b/environments/sp/default_toolchain_file.cmake
index f0945f1..d41ecec 100644
--- a/environments/sp/default_toolchain_file.cmake
+++ b/environments/sp/default_toolchain_file.cmake
@@ -24,18 +24,26 @@
 set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.")
 set(TS_MANDATORY_LINKER_FLAGS "-Wl,-pie -Wl,--no-dynamic-linker -Wl,--sort-section=alignment -zmax-page-size=4096" CACHE STRING "Linker flags needed for correct builds.")
 
-set(BTI_ENABLED unset CACHE STRING "Enable Branch Target Identification (BTI)")
-set_property(CACHE BTI_ENABLED PROPERTY STRINGS unset OFF ON)
+# branch-protection enables bti/pac while compile force-bti tells the linker to
+# warn if some object files lack the .note.gnu.property section with the BTI
+# flag, and to turn on the BTI flag in the output anyway.
+set(BRANCH_PROTECTION unset CACHE STRING "Enable branch protection")
+set_property(CACHE BRANCH_PROTECTION PROPERTY STRINGS unset 0 1 2 3 4)
 
-if(BTI_ENABLED STREQUAL "ON")
-	# branch-protection enables bti while compile force-bti tells the linker to
-	# warn if some object files lack the .note.gnu.property section with the BTI
-	# flag, and to turn on the BTI flag in the output anyway.
+if(BRANCH_PROTECTION STREQUAL "0")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=none")
+elseif(BRANCH_PROTECTION STREQUAL "1")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=standard")
+	set(TS_MANDATORY_LINKER_FLAGS "${TS_MANDATORY_LINKER_FLAGS} -zforce-bti")
+	add_compile_definitions("BTI_ENABLED")
+elseif(BRANCH_PROTECTION STREQUAL "2")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=pac-ret")
+elseif(BRANCH_PROTECTION STREQUAL "3")
+	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=pac-ret+leaf")
+elseif(BRANCH_PROTECTION STREQUAL "4")
 	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=bti")
 	set(TS_MANDATORY_LINKER_FLAGS "${TS_MANDATORY_LINKER_FLAGS} -zforce-bti")
 	add_compile_definitions("BTI_ENABLED")
-elseif(BTI_ENABLED STREQUAL "OFF")
-	set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=none")
 endif()
 
 # Set flags affecting all build types
diff --git a/external/CppUTest/cpputest-init-cache.cmake.in b/external/CppUTest/cpputest-init-cache.cmake.in
index d73b6ec..c3801cc 100644
--- a/external/CppUTest/cpputest-init-cache.cmake.in
+++ b/external/CppUTest/cpputest-init-cache.cmake.in
@@ -10,7 +10,7 @@
 set(MEMORY_LEAK_DETECTION OFF CACHE BOOL "")
 set(LONGLONG ON CACHE BOOL "")
 set(C++11 ON CACHE BOOL "")
-set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
+set(BRANCH_PROTECTION @BRANCH_PROTECTION@ CACHE STRING "")
 
 string(TOUPPER @CMAKE_CROSSCOMPILING@ CMAKE_CROSSCOMPILING) # CMake expects TRUE
 if (CMAKE_CROSSCOMPILING)
diff --git a/external/MbedTLS/mbedtls-init-cache.cmake.in b/external/MbedTLS/mbedtls-init-cache.cmake.in
index 57042fb..bf93f1b 100644
--- a/external/MbedTLS/mbedtls-init-cache.cmake.in
+++ b/external/MbedTLS/mbedtls-init-cache.cmake.in
@@ -13,7 +13,7 @@
 set(UNSAFE_BUILD On CACHE BOOL "")
 set(EXTERNAL_DEFINITIONS -DMBEDTLS_USER_CONFIG_FILE="@MBEDTLS_USER_CONFIG_FILE@" CACHE STRING "")
 set(EXTERNAL_INCLUDE_PATHS @MBEDTLS_EXTRA_INCLUDES@ CACHE STRING "")
-set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
+set(BRANCH_PROTECTION @BRANCH_PROTECTION@ CACHE STRING "")
 
 set(Python3_EXECUTABLE "@Python3_EXECUTABLE@" CACHE PATH "Location of python3 executable")
 
diff --git a/external/firmware_test_builder/FirmwareTestBuilder.cmake b/external/firmware_test_builder/FirmwareTestBuilder.cmake
index 82a8e2a..8f1a819 100644
--- a/external/firmware_test_builder/FirmwareTestBuilder.cmake
+++ b/external/firmware_test_builder/FirmwareTestBuilder.cmake
@@ -8,7 +8,7 @@
 
 set(FIRMWARE_TEST_BUILDER_URL "https://git.trustedfirmware.org/TS/trusted-services.git" CACHE STRING "firmware-test-builder repository URL")
 set(FIRMWARE_TEST_BUILDER_REFSPEC "topics/fwtb" CACHE STRING "firmware-test-builder git refspec")
-set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
+set(BRANCH_PROTECTION @BRANCH_PROTECTION@ CACHE STRING "")
 
 set(GIT_OPTIONS
 	GIT_REPOSITORY ${FIRMWARE_TEST_BUILDER_URL}
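Review bot: `@BRANCH_PROTECTION@` is a configure_file() placeholder, but unlike the `*-init-cache.cmake.in` templates touched by this commit, this file has no `.in` suffix and uses `${...}` references a few lines below, so it appears to be included directly. If so, the placeholder is not substituted, and when no earlier code has created the cache entry the literal text `@BRANCH_PROTECTION@` becomes the cache value. That value matches none of the levels in the toolchain files and yields no branch-protection flag. The line was carried over from the old `BTI_ENABLED` form; unless this file really is templated, I would drop it here and rely on the toolchain file's own declaration.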
diff --git a/external/nanopb/nanopb-init-cache.cmake.in b/external/nanopb/nanopb-init-cache.cmake.in
index bfb5497..fee5b30 100644
--- a/external/nanopb/nanopb-init-cache.cmake.in
+++ b/external/nanopb/nanopb-init-cache.cmake.in
@@ -12,7 +12,7 @@
 set(nanopb_BUILD_RUNTIME On CACHE BOOL "")
 set(nanopb_BUILD_GENERATOR On CACHE BOOL "")
 set(nanopb_MSVC_STATIC_RUNTIME Off BOOL "")
-set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
+set(BRANCH_PROTECTION @BRANCH_PROTECTION@ CACHE STRING "")
 
 # Specify location of python binary and avoid discovery.
 set(Python_EXECUTABLE "@Python_EXECUTABLE@" CACHE PATH "Location of python3 executable")
diff --git a/external/psa_arch_tests/psa-arch-test-init-cache.cmake.in b/external/psa_arch_tests/psa-arch-test-init-cache.cmake.in
index 9292db2..a6934eb 100644
--- a/external/psa_arch_tests/psa-arch-test-init-cache.cmake.in
+++ b/external/psa_arch_tests/psa-arch-test-init-cache.cmake.in
@@ -13,7 +13,7 @@
 set(ARCH_TEST_EXTERNAL_DEFS "@PSA_ARCH_TEST_EXTERNAL_DEFS@"  CACHE STRING "")
 set(CMAKE_VERBOSE_MAKEFILE OFF CACHE BOOL "")
 set(TARGET "tgt_dev_apis_linux"  CACHE STRING "")
-set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
+set(BRANCH_PROTECTION @BRANCH_PROTECTION@ CACHE STRING "")
 
 # Pass comand line paramter passed to the TS deployment configuration time over to psa-acs build.
 if(NOT "@PSA_TARGET_QCBOR@" STREQUAL "")
diff --git a/external/qcbor/qcbor-init-cache.cmake.in b/external/qcbor/qcbor-init-cache.cmake.in
index 4e4369d..9b61cab 100644
--- a/external/qcbor/qcbor-init-cache.cmake.in
+++ b/external/qcbor/qcbor-init-cache.cmake.in
@@ -7,7 +7,7 @@
 
 set(CMAKE_INSTALL_PREFIX "@BUILD_INSTALL_DIR@" CACHE STRING "")
 set(CMAKE_TOOLCHAIN_FILE "@TS_EXTERNAL_LIB_TOOLCHAIN_FILE@" CACHE STRING "")
-set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
+set(BRANCH_PROTECTION @BRANCH_PROTECTION@ CACHE STRING "")
 
 # Determine floating point configuration
 set(TS_NO_FLOAT_HW "@TS_NO_FLOAT_HW@")
diff --git a/external/t_cose/t_cose-init-cache.cmake.in b/external/t_cose/t_cose-init-cache.cmake.in
index 1068409..01f3f16 100644
--- a/external/t_cose/t_cose-init-cache.cmake.in
+++ b/external/t_cose/t_cose-init-cache.cmake.in
@@ -7,7 +7,7 @@
 
 set(CMAKE_INSTALL_PREFIX "@BUILD_INSTALL_DIR@" CACHE STRING "")
 set(CMAKE_TOOLCHAIN_FILE "@TS_EXTERNAL_LIB_TOOLCHAIN_FILE@" CACHE STRING "")
-set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
+set(BRANCH_PROTECTION @BRANCH_PROTECTION@ CACHE STRING "")
 
 set(MBEDTLS On CACHE STRING "")