[WIP] Introduce aarch64-unknown-linux-pauthtest target

[jchlanda]

View all comments

This PR introduces aarch64-unknown-linux-pauthtest target, that enables
Pointer Authentication Code (PAC) support in Rust on AArch64 ELF based Linux
systems using a pauthtest ABI (provided by LLVM) and pauthtest-enabled sysroot
with custom musl, serving as a reference libc implementation.

Supported features include:

• authenticating signed function pointers for extern "C" function calls
  (corresponds to -fptrauth-calls included in pauthtest ABI as defined in
  LLVM)
• signing return address before spilling to stack and authenticating return
  address after restoring from stack for non-leaf functions (corresponds to
  -fptrauth-returns)
• Trapping if authentication failure is detected and FPAC feature is not present
  (corresponds to -fptrauth-auth-traps)
• Signing of init/fini array entries with the signing schema defined used for
  pauthtest ABI (corresponding to -fptrauth-init-fini,
  -fptrauth-init-fini-address-discrimination)
• Non-ABI-affecting indirect control flow hardening features included in
  pauthtest ABI (corresponding to -faarch64-jump-table-hardening,
  -fptrauth-indirect-gotos)
• signed ELF GOT entries (gated behind -Z pauth_enable_elf_got, off by
  default)

Please note that efforts were made to split the work into individual commits
that encapsulate different areas of the code; however, the commits are not
atomic and cannot be built or tested in isolation.

Useful links:

• project goal
• issue describing the need for the work: Add support for AArch64 Pointer Authentication ABI in Rust #148640

[kovdan01]

View changes since the review

Do we expect values non-conforming to these conditions being passed to this function? Locally, I've commented out these lines, and nothing seems to be broken.

So, can we safely convert these to assertions? Or, maybe, some checks which would be present in release mode as well (and would panic when mismatch is detected)? Please just explain which contract do we have, who is responsible for these checks and whether the checks need to be just assertions or if we need to make them panicking or smth.

If there's a reason why we need to keep the current behavior, it's totally fine. But if so, can we somehow rename the function? Now it's name might make one think that we always wrap the underlying constant pointer value to ptrauth constant. But we also have this chunk of logic returning the exact input value w/o any change, and this is not clear from the function name.

[jchlanda]

Fair.
With it now being wrapped in const_ptr_auth and only two call sites we can't violate the contract.
However it is still a symbol that can be accessed freely. I'm going to change it to asserts.

[jchlanda]

Sure, I'll follow up on that. I don't expect all that subset to pass though.

I suppose that it's worth at least identifying where the root cause of the issue is: frontend or backend. Like, are IRs generated for aarch64-unknown-linux-musl and aarch64-unknown-linux-pauthtest different (so we generate them differently on Rust side and probably we should generate them identically), or are IRs identical and we for some reason behave differently on LLVM side.

If it's a frontend issue, it's actually probably worth fixing in the scope of this PR (unless it's terribly complex and time-consuming). If this is a backend issue, we'll fix that separately in LLVM

Looks like there is no bug in there, it's an expected behaviour. I'm guessing that when you compiled for musl it went with a +v8a. However when targeting pauthtest we request v8.3a, which includes support for lse. See: https://github.com/llvm/llvm-project/blob/8e2a5e37eaf638c536dd71cb685843e8cb2aed2c/llvm/lib/Target/AArch64/AArch64Features.td#L964. bl __aarch64_cas4_relax - which is what the test checks against - is a software fallback, whereas on new enough HW we get a corresponding instruction: cas w8, w9, [x0].

You can verify that by either changing the arch to v3.8a or explicitly enabling lse.

Will disable the test and add a comment.

[kovdan01]

Will disable the test and add a comment.

What I'm worried about is that in compiler/rustc_target/src/spec/targets/aarch64_unknown_linux_pauthtest.rs we have features: "+v8.3a,+outline-atomics,+pauth". So we explicitly request +outline-atomics (the same is done for the musl target, so it looks totally OK for pauthtest target).

And my understanding was that if we add +outline-atomics, we must indeed outline them no matter if we actually support them or not. But I might be wrong and I'd just like to hear your thoughts on this

[kovdan01]

View changes since the review

I've just found this in llvm/lib/Target/AArch64/AArch64ISelLowering.cpp:

  // Generate outline atomics library calls only if LSE was not specified for
  // subtarget
  if (Subtarget->outlineAtomics() && !Subtarget->hasLSE()) {

And I've also inspected test/CodeGen/AArch64/atomic-ops-lse.ll and it looks like that yes, having both +lse and +outline-atomics makes the latter ineffective.

So, I suppose it's worth deleting +outline-atomics from here because it's just misleading. And might be also worth adding a comment explaining that pauthtest target is different to other aarch64-linux targets (all including +outline-atomics), because v8.3a includes lse, and lse makes outline-attomics ineffective.

[jchlanda]

Sorry, posted It in a wrong thread:

Targeting musl with: "target-features"="+lse,+outline-atomics", results:

	.file	"aarch64_outline_atomics.bca081c37e0149a7-cgu.0"
	.text
	.globl	_RNvCsgc3x3YG0xfv_23aarch64_outline_atomics16compare_exchange // -- Begin function _RNvCsgc3x3YG0xfv_23aarch64_outline_atomics16compare_exchange
	.p2align	2
	.type	_RNvCsgc3x3YG0xfv_23aarch64_outline_atomics16compare_exchange,@function
_RNvCsgc3x3YG0xfv_23aarch64_outline_atomics16compare_exchange: // @_RNvCsgc3x3YG0xfv_23aarch64_outline_atomics16compare_exchange
	.cfi_startproc
// %bb.0:                               // %start
	mov	w9, #10                         // =0xa
	mov	w8, wzr
	cas	w8, w9, [x0]
	ret
.Lfunc_end0:
	.size	_RNvCsgc3x3YG0xfv_23aarch64_outline_atomics16compare_exchange, .Lfunc_end0-_RNvCsgc3x3YG0xfv_23aarch64_outline_atomics16compare_exchange
	.cfi_endproc
                                        // -- End function
	.ident	"rustc version 1.97.0-dev"
	.section	".note.GNU-stack","",@progbits
	.addrsig

I guess that means, that we should not be requesting outline-atomics, as the compiler will never be able to provide it.

[kovdan01]

"Trapping" still looks inconsistent

[kovdan01]

View changes since the review

Is it -mbranch-protection for Rust? My understanding was that it's -Z branch-protection (while its indeed -mbranch-protection for clang). See also src/doc/unstable-book/src/compiler-flags/branch-protection.md.

Also, I'm not sure if it's worth talking about BTI - I doubt that anyone would mess BTI with pauthtest. But for pac-ret and pauthtest - it's non-obvious for new-comers because both these are based on the same PAC extension for aarch64 CPUs

[jchlanda]

Reworded.

[kovdan01]

Removing the second one, both paragraphs should belong to the same header.

Is this update already present in this PR? Like, I'm still seeing the same header at lines 94 and 173.

[kovdan01]

View changes since the review

Typo: within

[jchlanda]

Done.

[kovdan01]

View changes since the review

Nit: probably a comma missed before 'off'?

[jchlanda]

Done.