This is an archive of the discontinued LLVM Phabricator instance.

Differential D156784

[AArch64][PAC] Declare FPAC subtarget feature
Needs ReviewPublic

Authored by atrosinenko on Aug 1 2023, 3:30 AM.

Details

Reviewers
ab
kristof.beyls
apazos
pcc
psmith
t.p.northover
Summary

In some situations, such as re-signing pointers or performing tail
calls, the code generator has to authenticate a signed pointer that will
not be dereferenced immediately. In such cases it may be necessary to
emit extra code to make sure that the authentication succeeded to prevent
introducing authentication/signing oracles.

If the target CPU is known to support FEAT_FPAC, this extra code can be
skipped as AUT* instructions are known to fault on invalid PAC by
themselves.

Note that unlike many other features, FEAT_FPAC does not add any new
supported instructions, but changes the semantics of several existing
ones. Thus, care should be taken to not enable FPAC when not actually
supported as it does not make code fail explicitly under normal
operation, but makes it less secure on unsupported CPUs.

Diff Detail

Event Timeline

atrosinenko created this revision.Aug 1 2023, 3:30 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 1 2023, 3:30 AM
Herald added a subscriber: hiraditya. · View Herald Transcript
atrosinenko requested review of this revision.Aug 1 2023, 3:30 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptAug 1 2023, 3:30 AM
Herald added subscribers: llvm-commits, cfe-commits. · View Herald Transcript
atrosinenko added a child revision: D156785: [AArch64][PAC] Skip checking LR during tail call if FPAC is enabled.Aug 1 2023, 4:01 AM
Harbormaster completed remote builds in B249442: Diff 545993.Aug 1 2023, 4:11 AM
atrosinenko mentioned this in D156716: [AArch64][PAC] Check authenticated LR value during tail call.Aug 4 2023, 8:42 AM
atrosinenko planned changes to this revision.Aug 14 2023, 9:50 AM

Looks like adding FeatureFPAC may require changes in more places - need to investigate whether I have to add something like AEK_FPAC constant, etc.

atrosinenko updated this revision to Diff 557488.Sep 29 2023, 8:43 AM

Updated the patch:

  • added FPAC to Extensions array in AArch64TargetParser.h, so it can be used in -march=...+fpac command line option. Adding one more feature seems mostly harmless after PR 65423 was merged
  • dropped changes to clang/lib/Basic/Targets/AArch64.(h|cpp) as I don't actually use them to set any C defines or so (I don't see any mentioning of FPAC in ACLE 2023Q2)
  • not adding FPAC to ExtensionMap in AArch64AsmParser.cpp as it doesn't look relevant for assembler (maybe it would be relevant someday for storing the set of expected features to object files)
Harbormaster completed remote builds in B257688: Diff 557488.Sep 29 2023, 8:44 AM
atrosinenko added a comment.Oct 11 2023, 5:39 AM

As discussed in D156716, it is not clear if I have to add FeatureFPAC to every relevant CPU. Maybe it is worth conservatively assuming that this feature should only be enabled manually by the user as a precaution against "I have CPU core X but it is not listed, so let's use cpu=Y because X supports all the instructions supported by Y (but not FEAT_FPAC)" - that would not cause any obvious run-time crashes under normal operation, but would make the code less secure.

chill added a subscriber: chill.Oct 14 2023, 4:56 AM
In D156784#4653741, @atrosinenko wrote:

As discussed in D156716, it is not clear if I have to add FeatureFPAC to every relevant CPU.

I would say, yes, it has to be added to each CPU that has that feature - that's what a subtarget feature is for. If we need to a way to alter code generation
as a response to a user choice, that ought to be done with a specific command line option and TargetOptions and/or function and module level
attributes.

Maybe it is worth conservatively assuming that this feature should only be enabled manually by the user as a precaution against "I have CPU core X but it is not listed, so let's use cpu=Y because X supports all the instructions supported by Y (but not FEAT_FPAC)" - that would not cause any obvious run-time crashes under normal operation, but would make the code less secure.

As far as I can tell, the existing practice for security-related code generation is to have it disabled by default
and enable it explicitly by clang command line options (c.f -mbranch-protection=..., -mharden-sls=..., -fstack-clash-protection, -fsanitize=memtag, ...).

In that spirit, I would suggest not using target features to alter code generation in a rather obscure way but being quite explicit about it.
For example, have an option -mauth-ret-check=default|force where:

  • the presence of the option enables LR check before tail calls
  • default (or enable) would mean FEAT_FPAC takes precedence
  • force would mean FEAT_FPAC is ignored

Alternatively, maybe even better, these could be options to -mbranch-protection=....

pratlucas added a subscriber: pratlucas.Oct 16 2023, 1:30 AM

Revision Contents

PathSize
llvm/
include/
llvm/
TargetParser/
4 lines
lib/
Target/
AArch64/
4 lines
unittests/
TargetParser/
4 lines

Diff 557488

llvm/include/llvm/TargetParser/AArch64TargetParser.h

Show First 20 LinesShow All 150 Lines▼ Show 20 Linesenum ArchExtKind : unsigned {
AEK_RCPC3 = 50, // FEAT_LRCPC3 AEK_RCPC3 = 50, // FEAT_LRCPC3
AEK_THE = 51, // FEAT_THE AEK_THE = 51, // FEAT_THE
AEK_D128 = 52, // FEAT_D128 AEK_D128 = 52, // FEAT_D128
AEK_LSE128 = 53, // FEAT_LSE128 AEK_LSE128 = 53, // FEAT_LSE128
AEK_SPECRES2 = 54, // FEAT_SPECRES2 AEK_SPECRES2 = 54, // FEAT_SPECRES2
AEK_RASv2 = 55, // FEAT_RASv2 AEK_RASv2 = 55, // FEAT_RASv2
AEK_ITE = 56, // FEAT_ITE AEK_ITE = 56, // FEAT_ITE
AEK_GCS = 57, // FEAT_GCS AEK_GCS = 57, // FEAT_GCS
AEK_NUM_EXTENSIONS = AEK_GCS + 1 AEK_FPAC = 58, // FEAT_FPAC
AEK_NUM_EXTENSIONS = AEK_FPAC + 1
}; };
using ExtensionBitset = Bitset<AEK_NUM_EXTENSIONS>; using ExtensionBitset = Bitset<AEK_NUM_EXTENSIONS>;
// clang-format on // clang-format on
// Represents an extension that can be enabled with -march=<arch>+<extension>. // Represents an extension that can be enabled with -march=<arch>+<extension>.
// Typically these correspond to Arm Architecture extensions, unlike // Typically these correspond to Arm Architecture extensions, unlike
// SubtargetFeature which may represent either an actual extension or some // SubtargetFeature which may represent either an actual extension or some
// internal LLVM property. // internal LLVM property.
▲ Show 20 LinesShow All 91 Lines▼ Show 20 Linesinline constexpr ExtensionInfo Extensions[] = {
{"sve2-sha3", AArch64::AEK_SVE2SHA3, "+sve2-sha3", "-sve2-sha3", FEAT_SVE_SHA3, "+sve2,+sve,+sve2-sha3,+fullfp16,+fp-armv8,+neon", 410}, {"sve2-sha3", AArch64::AEK_SVE2SHA3, "+sve2-sha3", "-sve2-sha3", FEAT_SVE_SHA3, "+sve2,+sve,+sve2-sha3,+fullfp16,+fp-armv8,+neon", 410},
{"sve2-sm4", AArch64::AEK_SVE2SM4, "+sve2-sm4", "-sve2-sm4", FEAT_SVE_SM4, "+sve2,+sve,+sve2-sm4,+fullfp16,+fp-armv8,+neon", 420}, {"sve2-sm4", AArch64::AEK_SVE2SM4, "+sve2-sm4", "-sve2-sm4", FEAT_SVE_SM4, "+sve2,+sve,+sve2-sm4,+fullfp16,+fp-armv8,+neon", 420},
{"sve2", AArch64::AEK_SVE2, "+sve2", "-sve2", FEAT_SVE2, "+sve2,+sve,+fullfp16,+fp-armv8,+neon", 370}, {"sve2", AArch64::AEK_SVE2, "+sve2", "-sve2", FEAT_SVE2, "+sve2,+sve,+fullfp16,+fp-armv8,+neon", 370},
{"sve2p1", AArch64::AEK_SVE2p1, "+sve2p1", "-sve2p1", FEAT_MAX, "+sve2p1,+sve2,+sve,+fullfp16,+fp-armv8,+neon", 0}, {"sve2p1", AArch64::AEK_SVE2p1, "+sve2p1", "-sve2p1", FEAT_MAX, "+sve2p1,+sve2,+sve,+fullfp16,+fp-armv8,+neon", 0},
{"the", AArch64::AEK_THE, "+the", "-the", FEAT_MAX, "", 0}, {"the", AArch64::AEK_THE, "+the", "-the", FEAT_MAX, "", 0},
{"tme", AArch64::AEK_TME, "+tme", "-tme", FEAT_MAX, "", 0}, {"tme", AArch64::AEK_TME, "+tme", "-tme", FEAT_MAX, "", 0},
{"wfxt", AArch64::AEK_NONE, {}, {}, FEAT_WFXT, "+wfxt", 550}, {"wfxt", AArch64::AEK_NONE, {}, {}, FEAT_WFXT, "+wfxt", 550},
{"gcs", AArch64::AEK_GCS, "+gcs", "-gcs", FEAT_MAX, "", 0}, {"gcs", AArch64::AEK_GCS, "+gcs", "-gcs", FEAT_MAX, "", 0},
{"fpac", AArch64::AEK_FPAC, "+fpac", "-fpac", FEAT_MAX, "", 0},
// Special cases // Special cases
{"none", AArch64::AEK_NONE, {}, {}, FEAT_MAX, "", ExtensionInfo::MaxFMVPriority}, {"none", AArch64::AEK_NONE, {}, {}, FEAT_MAX, "", ExtensionInfo::MaxFMVPriority},
}; };
// clang-format on // clang-format on
enum ArchProfile { AProfile = 'A', RProfile = 'R', InvalidProfile = '?' }; enum ArchProfile { AProfile = 'A', RProfile = 'R', InvalidProfile = '?' };
// Information about a specific architecture, e.g. V8.1-A // Information about a specific architecture, e.g. V8.1-A
▲ Show 20 LinesShow All 398 LinesShow Last 20 Lines

llvm/lib/Target/AArch64/AArch64.td

Show First 20 LinesShow All 308 Lines▼ Show 20 Lines
def FeatureDotProd : SubtargetFeature< def FeatureDotProd : SubtargetFeature<
"dotprod", "HasDotProd", "true", "dotprod", "HasDotProd", "true",
"Enable dot product support (FEAT_DotProd)">; "Enable dot product support (FEAT_DotProd)">;
def FeaturePAuth : SubtargetFeature< def FeaturePAuth : SubtargetFeature<
"pauth", "HasPAuth", "true", "pauth", "HasPAuth", "true",
"Enable v8.3-A Pointer Authentication extension (FEAT_PAuth)">; "Enable v8.3-A Pointer Authentication extension (FEAT_PAuth)">;
def FeatureFPAC : SubtargetFeature<
"fpac", "HasFPAC", "true",
"Assume AUT* instructions generate fault on invalid PAC (FEAT_FPAC)">;
def FeatureJS : SubtargetFeature< def FeatureJS : SubtargetFeature<
"jsconv", "HasJS", "true", "jsconv", "HasJS", "true",
"Enable v8.3-A JavaScript FP conversion instructions (FEAT_JSCVT)", "Enable v8.3-A JavaScript FP conversion instructions (FEAT_JSCVT)",
[FeatureFPARMv8]>; [FeatureFPARMv8]>;
def FeatureCCIDX : SubtargetFeature< def FeatureCCIDX : SubtargetFeature<
"ccidx", "HasCCIDX", "true", "ccidx", "HasCCIDX", "true",
"Enable v8.3-A Extend of the CCSIDR number of sets (FEAT_CCIDX)">; "Enable v8.3-A Extend of the CCSIDR number of sets (FEAT_CCIDX)">;
▲ Show 20 LinesShow All 1,286 LinesShow Last 20 Lines

llvm/unittests/TargetParser/TargetParserTest.cpp

Show First 20 LinesShow All 1,725 Lines▼ Show 20 Lines std::vector<uint64_t> Extensions = {
AArch64::AEK_F64MM, AArch64::AEK_TME, AArch64::AEK_LS64, AArch64::AEK_F64MM, AArch64::AEK_TME, AArch64::AEK_LS64,
AArch64::AEK_BRBE, AArch64::AEK_PAUTH, AArch64::AEK_FLAGM, AArch64::AEK_BRBE, AArch64::AEK_PAUTH, AArch64::AEK_FLAGM,
AArch64::AEK_SME, AArch64::AEK_SMEF64F64, AArch64::AEK_SMEI16I64, AArch64::AEK_SME, AArch64::AEK_SMEF64F64, AArch64::AEK_SMEI16I64,
AArch64::AEK_SME2, AArch64::AEK_HBC, AArch64::AEK_MOPS, AArch64::AEK_SME2, AArch64::AEK_HBC, AArch64::AEK_MOPS,
AArch64::AEK_PERFMON, AArch64::AEK_SVE2p1, AArch64::AEK_SME2p1, AArch64::AEK_PERFMON, AArch64::AEK_SVE2p1, AArch64::AEK_SME2p1,
AArch64::AEK_B16B16, AArch64::AEK_SMEF16F16, AArch64::AEK_CSSC, AArch64::AEK_B16B16, AArch64::AEK_SMEF16F16, AArch64::AEK_CSSC,
AArch64::AEK_RCPC3, AArch64::AEK_THE, AArch64::AEK_D128, AArch64::AEK_RCPC3, AArch64::AEK_THE, AArch64::AEK_D128,
AArch64::AEK_LSE128, AArch64::AEK_SPECRES2, AArch64::AEK_RASv2, AArch64::AEK_LSE128, AArch64::AEK_SPECRES2, AArch64::AEK_RASv2,
AArch64::AEK_ITE, AArch64::AEK_GCS, AArch64::AEK_ITE, AArch64::AEK_GCS, AArch64::AEK_FPAC,
}; };
std::vector<StringRef> Features; std::vector<StringRef> Features;
AArch64::ExtensionBitset ExtVal; AArch64::ExtensionBitset ExtVal;
for (auto Ext : Extensions) for (auto Ext : Extensions)
ExtVal.set(Ext); ExtVal.set(Ext);
▲ Show 20 LinesShow All 56 Lines▼ Show 20 LinesTEST(TargetParserTest, AArch64ExtensionFeatures) {
EXPECT_TRUE(llvm::is_contained(Features, "+cssc")); EXPECT_TRUE(llvm::is_contained(Features, "+cssc"));
EXPECT_TRUE(llvm::is_contained(Features, "+rcpc3")); EXPECT_TRUE(llvm::is_contained(Features, "+rcpc3"));
EXPECT_TRUE(llvm::is_contained(Features, "+the")); EXPECT_TRUE(llvm::is_contained(Features, "+the"));
EXPECT_TRUE(llvm::is_contained(Features, "+d128")); EXPECT_TRUE(llvm::is_contained(Features, "+d128"));
EXPECT_TRUE(llvm::is_contained(Features, "+lse128")); EXPECT_TRUE(llvm::is_contained(Features, "+lse128"));
EXPECT_TRUE(llvm::is_contained(Features, "+specres2")); EXPECT_TRUE(llvm::is_contained(Features, "+specres2"));
EXPECT_TRUE(llvm::is_contained(Features, "+ite")); EXPECT_TRUE(llvm::is_contained(Features, "+ite"));
EXPECT_TRUE(llvm::is_contained(Features, "+gcs")); EXPECT_TRUE(llvm::is_contained(Features, "+gcs"));
EXPECT_TRUE(llvm::is_contained(Features, "+fpac"));
// Assuming we listed every extension above, this should produce the same // Assuming we listed every extension above, this should produce the same
// result. (note that AEK_NONE doesn't have a name so it won't be in the // result. (note that AEK_NONE doesn't have a name so it won't be in the
// result despite its bit being set) // result despite its bit being set)
std::vector<StringRef> AllFeatures; std::vector<StringRef> AllFeatures;
EXPECT_TRUE(AArch64::getExtensionFeatures(ExtVal, AllFeatures)); EXPECT_TRUE(AArch64::getExtensionFeatures(ExtVal, AllFeatures));
EXPECT_THAT(Features, ::testing::ContainerEq(AllFeatures)); EXPECT_THAT(Features, ::testing::ContainerEq(AllFeatures));
} }
▲ Show 20 LinesShow All 107 Lines▼ Show 20 Lines const char *ArchExt[][4] = {
{"sme2", "nosme2", "+sme2", "-sme2"}, {"sme2", "nosme2", "+sme2", "-sme2"},
{"sme2p1", "nosme2p1", "+sme2p1", "-sme2p1"}, {"sme2p1", "nosme2p1", "+sme2p1", "-sme2p1"},
{"hbc", "nohbc", "+hbc", "-hbc"}, {"hbc", "nohbc", "+hbc", "-hbc"},
{"mops", "nomops", "+mops", "-mops"}, {"mops", "nomops", "+mops", "-mops"},
{"pmuv3", "nopmuv3", "+perfmon", "-perfmon"}, {"pmuv3", "nopmuv3", "+perfmon", "-perfmon"},
{"predres2", "nopredres2", "+specres2", "-specres2"}, {"predres2", "nopredres2", "+specres2", "-specres2"},
{"rasv2", "norasv2", "+rasv2", "-rasv2"}, {"rasv2", "norasv2", "+rasv2", "-rasv2"},
{"gcs", "nogcs", "+gcs", "-gcs"}, {"gcs", "nogcs", "+gcs", "-gcs"},
{"fpac", "nofpac", "+fpac", "-fpac"},
}; };
for (unsigned i = 0; i < std::size(ArchExt); i++) { for (unsigned i = 0; i < std::size(ArchExt); i++) {
EXPECT_EQ(StringRef(ArchExt[i][2]), EXPECT_EQ(StringRef(ArchExt[i][2]),
AArch64::getArchExtFeature(ArchExt[i][0])); AArch64::getArchExtFeature(ArchExt[i][0]));
EXPECT_EQ(StringRef(ArchExt[i][3]), EXPECT_EQ(StringRef(ArchExt[i][3]),
AArch64::getArchExtFeature(ArchExt[i][1])); AArch64::getArchExtFeature(ArchExt[i][1]));
} }
Show All 31 Lines