[PATCH] arm64: explicitly disable pointer authentication instructions
Rasmus Villemoes
rasmus.villemoes at prevas.dk
Mon Aug 8 16:12:30 CEST 2022
The Yocto project builds their aarch64 cross-compiler with the
configure knob --enable-standard-branch-protection, which means that
their gcc behaves as if -mbranch-protection=standard is passed; the
default (lacking that configure knob) is -mbranch-protection=none.
This means that when building U-Boot using the Yocto toolchain, most
functions end up containing paciasp/autiasp/bti instructions. However,
since U-Boot is not an ordinary userspace application, there's no OS
kernel which has set up the required authentication keys, so these
instructions do nothing at all (even on arm64 hardware that does have
the pointer authentication capability). They do however make the image
larger.
It is theoretically possible for U-Boot to make use of the pointer
authentication protection - cf. the linux kernel's
CONFIG_ARM64_PTR_AUTH_KERNEL - but it is far from trivial, and it's
hard to see just what threat model it would protect against in a
bootloader context. Regardless, we certainly have none of the required
infrastructure now, so explictly pass -mbranch-protection=none to
ensure those useless instructions do not get emitted.
For a toolchain not configured with
--enable-standard-branch-protection, this changes nothing. For the
Yocto toolchain, this reduces the size of both SPL and U-Boot proper
by about 3% for my imx8mp target.
If you don't have a Yocto toolchain, the effect can easily be
reproduced by applying this patch and changing =none to =standard.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes at prevas.dk>
---
Not sure who to cc, there's no overall arm64 maintainer listed in
MAINTAINERS, but Tom is listed as generally handling arch/arm/.
arch/arm/cpu/armv8/config.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/cpu/armv8/config.mk b/arch/arm/cpu/armv8/config.mk
index 6f9093109f..ca06ed3d4f 100644
--- a/arch/arm/cpu/armv8/config.mk
+++ b/arch/arm/cpu/armv8/config.mk
@@ -3,6 +3,7 @@
# (C) Copyright 2002
# Gary Jennejohn, DENX Software Engineering, <garyj at denx.de>
PLATFORM_RELFLAGS += -fno-common -ffixed-x18
+PLATFORM_RELFLAGS += $(call cc-option,-mbranch-protection=none)
PF_NO_UNALIGNED := $(call cc-option, -mstrict-align)
PLATFORM_CPPFLAGS += $(PF_NO_UNALIGNED)
--
2.31.1
More information about the U-Boot
mailing list