Thanks Alexei.
From: Alexei Fedorov <Alexei.Fedorov@arm.com>
Sent: Monday, April 13, 2020 7:22 AM
To: tf-a@lists.trustedfirmware.org; Varun Wadekar <vwadekar@nvidia.com>
Cc: Kalyani Chidambaram Vaidyanathan <kalyanic@nvidia.com>; Anthony Zhou <anzhou@nvidia.com>
Subject: Re: BRANCH_PROTECTION
Hi Varun,
1. The value of '1' sets 'standard' type of BP which according to GCC documentation: "turns on all types of branch protection features. If a feature has additional tuning options, then 'standard' sets it to its standard level." It is equal to "bti+pac-ret".
2. Yes. See above and use option value of '1'.
Regards.
Alexei
________________________________
From: TF-A <tf-a-bounces@lists.trustedfirmware.org> on behalf of Varun Wadekar via TF-A <tf-a@lists.trustedfirmware.org>
Sent: 10 April 2020 19:28
To: tf-a@lists.trustedfirmware.org <tf-a@lists.trustedfirmware.org>
Cc: Kalyani Chidambaram Vaidyanathan <kalyanic@nvidia.com>; Anthony Zhou <anzhou@nvidia.com>
Subject: Re: [TF-A] BRANCH_PROTECTION
Hello,
Can someone please help clarify?
-Varun
From: TF-A <tf-a-bounces@lists.trustedfirmware.org> On Behalf Of Varun Wadekar via TF-A
Sent: Tuesday, April 7, 2020 9:58 PM
To: tf-a@lists.trustedfirmware.org
Cc: Kalyani Chidambaram Vaidyanathan <kalyanic@nvidia.com>; Anthony Zhou <anzhou@nvidia.com>
Subject: [TF-A] BRANCH_PROTECTION
Hello,
Can someone please help me understand if
1. a 'value' of '1' for BRANCH_PROTECTION covers the PAuth protection provided by a value of '2' and/or '3'?
2. there is a way to enable BTI and "pac-ret" at the same time?
The docs provide this information.
<snip>
- ``BRANCH_PROTECTION``: Numeric value to enable ARMv8.3 Pointer Authentication
  and ARMv8.5 Branch Target Identification support for TF-A BL images themselves.
  If enabled, it is needed to use a compiler that supports the option
  ``-mbranch-protection``. Selects the branch protection features to use:

  - 0: Default value turns off all types of branch protection
  - 1: Enables all types of branch protection features
  - 2: Return address signing to its standard level
  - 3: Extend the signing to include leaf functions

  The table below summarizes ``BRANCH_PROTECTION`` values, GCC compilation options
  and resulting PAuth/BTI features.

  +-------+--------------+-------+-----+
  | Value | GCC option   | PAuth | BTI |
  +=======+==============+=======+=====+
  | 0     | none         | N     | N   |
  +-------+--------------+-------+-----+
  | 1     | standard     | Y     | Y   |
  +-------+--------------+-------+-----+
  | 2     | pac-ret      | Y     | N   |
  +-------+--------------+-------+-----+
  | 3     | pac-ret+leaf | Y     | N   |
  +-------+--------------+-------+-----+

  This option defaults to 0 and this is an experimental feature.
  Note that Pointer Authentication is enabled for Non-secure world
  irrespective of the value of this option if the CPU supports it.
<snip>
Thanks,
Varun
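
A way to check which row of the table above a built image actually corresponds to, as an added example (not part of the thread and not TF-A's own code): it scans raw little-endian A64 code for return-address signing and BTI landing-pad instruction words. The function names and sample byte strings are constructed for illustration, and a raw word scan is a heuristic because data words can match by coincidence.

```python
import struct

# A64 encodings of the PAC return-signing and BTI landing-pad instructions.
PAC_WORDS = {0xD503233F: "paciasp", 0xD50323BF: "autiasp", 0xD65F0BFF: "retaa"}
BTI_WORDS = {0xD503245F: "bti c", 0xD503249F: "bti j", 0xD50324DF: "bti jc"}

# (PAuth, BTI) -> BRANCH_PROTECTION values, from the table quoted in the thread.
TABLE = {(False, False): [0], (True, True): [1], (True, False): [2, 3]}


def scan_image(blob: bytes) -> dict:
    """Count PAC/BTI instruction words in a little-endian A64 image."""
    counts = {}
    usable = len(blob) - len(blob) % 4  # ignore a trailing partial word
    for (word,) in struct.iter_unpack("<I", blob[:usable]):
        name = PAC_WORDS.get(word) or BTI_WORDS.get(word)
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


def matching_values(blob: bytes) -> list:
    """Return the BRANCH_PROTECTION values consistent with what was found."""
    counts = scan_image(blob)
    pauth = any(n in counts for n in PAC_WORDS.values())
    bti = any(n in counts for n in BTI_WORDS.values())
    return TABLE.get((pauth, bti), [])  # [] = combination not in the table


def _code(*words):
    """Pack instruction words as little-endian 32-bit values."""
    return struct.pack("<%dI" % len(words), *words)


# Constructed samples (not taken from a real TF-A build).
STP, LDP, NOP, RET, MOVZ = 0xA9BF7BFD, 0xA8C17BFD, 0xD503201F, 0xD65F03C0, 0xD2800000
SIGNED_FN = _code(0xD503233F, STP, NOP, LDP, 0xD50323BF, RET)  # paciasp ... autiasp
PLAIN_FN = _code(STP, NOP, LDP, RET)
BTI_LEAF = _code(0xD503245F, MOVZ, RET)  # leaf function starting with bti c
PLAIN_LEAF = _code(MOVZ, RET)

if __name__ == "__main__":
    for label, img in [("none", PLAIN_FN + PLAIN_LEAF),
                       ("pac-ret", SIGNED_FN + PLAIN_LEAF),
                       ("standard", SIGNED_FN + BTI_LEAF)]:
        print(label, scan_image(img), matching_values(img))
```

Values 2 and 3 cannot be told apart by this scan alone, since both emit only the signing instructions and differ in whether leaf functions are covered.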