[PATCH] arm64: explicitly disable pointer authentication instructions

Tom Rini trini at konsulko.com
Sun Aug 21 01:02:27 CEST 2022


On Mon, Aug 08, 2022 at 04:12:30PM +0200, Rasmus Villemoes wrote:

> The Yocto project builds their aarch64 cross-compiler with the
> configure knob --enable-standard-branch-protection, which means that
> their gcc behaves as if -mbranch-protection=standard is passed; the
> default (lacking that configure knob) is -mbranch-protection=none.
> 
> This means that when building U-Boot using the Yocto toolchain, most
> functions end up containing paciasp/autiasp/bti instructions. However,
> since U-Boot is not an ordinary userspace application, there's no OS
> kernel which has set up the required authentication keys, so these
> instructions do nothing at all (even on arm64 hardware that does have
> the pointer authentication capability). They do however make the image
> larger.
> 
> It is theoretically possible for U-Boot to make use of the pointer
> authentication protection - cf. the linux kernel's
> CONFIG_ARM64_PTR_AUTH_KERNEL - but it is far from trivial, and it's
> hard to see just what threat model it would protect against in a
> bootloader context. Regardless, we certainly have none of the required
> infrastructure now, so explicitly pass -mbranch-protection=none to
> ensure those useless instructions do not get emitted.
> 
> For a toolchain not configured with
> --enable-standard-branch-protection, this changes nothing. For the
> Yocto toolchain, this reduces the size of both SPL and U-Boot proper
> by about 3% for my imx8mp target.
> 
> If you don't have a Yocto toolchain, the effect can easily be
> reproduced by applying this patch and changing =none to =standard.
> 
> Signed-off-by: Rasmus Villemoes <rasmus.villemoes at prevas.dk>
> Reviewed-by: Simon Glass <sjg at chromium.org>

Applied to u-boot/master, thanks!

-- 
Tom
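
A build-audit sketch for the situation the commit message describes, added here as an example and not part of the patch or the U-Boot tree: it checks `gcc -v` output for the `--enable-standard-branch-protection` configure knob and counts `paciasp`/`autiasp`/`bti` instructions in a disassembly. The function names and the embedded `gcc -v` and `objdump -d` text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the U-Boot tree): audit branch-protection defaults.

# Reads `gcc -v` output on stdin; succeeds if the toolchain was configured
# with the knob named in the commit message.
has_bp_default() {
    grep '^Configured with:' | grep -q -e '--enable-standard-branch-protection'
}

# Reads `objdump -d` output on stdin; prints counts of the three mnemonics.
count_pac_bti() {
    awk '
        # Instruction lines look like "  addr:  encoding  mnemonic operands".
        $1 ~ /^[0-9a-f]+:$/ && length($2) == 8 && $2 ~ /^[0-9a-f]+$/ {
            if ($3 == "paciasp") p++
            else if ($3 == "autiasp") a++
            else if ($3 == "bti") b++
        }
        END { printf "paciasp=%d autiasp=%d bti=%d\n", p, a, b }
    '
}

# Constructed sample inputs, so the script runs without a cross toolchain.
sample_gcc_v() {
    cat <<'EOF'
Target: aarch64-poky-linux
Configured with: ../configure --target=aarch64-poky-linux --enable-standard-branch-protection
EOF
}

sample_disasm() {
    cat <<'EOF'
0000000000000000 <board_init>:
   0:   d503233f    paciasp
   4:   a9bf7bfd    stp     x29, x30, [sp, #-16]!
   8:   94000000    bl      0 <gpio_setup>
   c:   a8c17bfd    ldp     x29, x30, [sp], #16
  10:   d50323bf    autiasp
  14:   d65f03c0    ret
0000000000000018 <gpio_setup>:
  18:   d503245f    bti     c
  1c:   d65f03c0    ret
EOF
}

if sample_gcc_v | has_bp_default; then
    echo "toolchain defaults to -mbranch-protection=standard"
fi
sample_disasm | count_pac_bti
```

On a real build, pipe `${CROSS_COMPILE}gcc -v 2>&1` into `has_bp_default` and `${CROSS_COMPILE}objdump -d u-boot` into `count_pac_bti`; with `-mbranch-protection=none` in effect all three counts should be zero for the compiled C code.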