Thanks Alexei.

 

From: Alexei Fedorov <Alexei.Fedorov@arm.com>
Sent: Monday, April 13, 2020 7:22 AM
To: tf-a@lists.trustedfirmware.org; Varun Wadekar <vwadekar@nvidia.com>
Cc: Kalyani Chidambaram Vaidyanathan <kalyanic@nvidia.com>; Anthony Zhou <anzhou@nvidia.com>
Subject: Re: BRANCH_PROTECTION

 


Hi Varun,

  1. The value of '1' sets the ‘standard’ type of BP, which according to the GCC documentation
    "turns on all types of branch protection features. If a feature has additional tuning options, then
    ‘standard’ sets it to its standard level."
    It is equal to "bti+pac-ret".
  2. Yes. See above and use an option value of '1'.

Regards.

Alexei


From: TF-A <tf-a-bounces@lists.trustedfirmware.org> on behalf of Varun Wadekar via TF-A <tf-a@lists.trustedfirmware.org>
Sent: 10 April 2020 19:28
To: tf-a@lists.trustedfirmware.org <tf-a@lists.trustedfirmware.org>
Cc: Kalyani Chidambaram Vaidyanathan <kalyanic@nvidia.com>; Anthony Zhou <anzhou@nvidia.com>
Subject: Re: [TF-A] BRANCH_PROTECTION

 

Hello,

 

Can someone please help clarify?

 

-Varun

 

From: TF-A <tf-a-bounces@lists.trustedfirmware.org> On Behalf Of Varun Wadekar via TF-A
Sent: Tuesday, April 7, 2020 9:58 PM
To: tf-a@lists.trustedfirmware.org
Cc: Kalyani Chidambaram Vaidyanathan <kalyanic@nvidia.com>; Anthony Zhou <anzhou@nvidia.com>
Subject: [TF-A] BRANCH_PROTECTION

 


Hello,

 

Can someone please help me understand if

 

  1. a ‘value’ of ‘1’ for BRANCH_PROTECTION covers the PAuth protection provided by a value of ‘2’ and/or ‘3’?
  2. there is a way to enable BTI and “pac-ret” at the same time?

 

The docs provide this information.

 

<snip>

-  ``BRANCH_PROTECTION``: Numeric value to enable ARMv8.3 Pointer Authentication
   and ARMv8.5 Branch Target Identification support for TF-A BL images themselves.
   If enabled, it is needed to use a compiler that supports the option
   ``-mbranch-protection``. Selects the branch protection features to use:
-  0: Default value turns off all types of branch protection
-  1: Enables all types of branch protection features
-  2: Return address signing to its standard level
-  3: Extend the signing to include leaf functions
 
   The table below summarizes ``BRANCH_PROTECTION`` values, GCC compilation options
   and resulting PAuth/BTI features.
 
   +-------+--------------+-------+-----+
   | Value |  GCC option  | PAuth | BTI |
   +=======+==============+=======+=====+
   |   0   |     none     |   N   |  N  |
   +-------+--------------+-------+-----+
   |   1   |   standard   |   Y   |  Y  |
   +-------+--------------+-------+-----+
   |   2   |   pac-ret    |   Y   |  N  |
   +-------+--------------+-------+-----+
   |   3   | pac-ret+leaf |   Y   |  N  |
   +-------+--------------+-------+-----+
 
   This option defaults to 0 and this is an experimental feature.
   Note that Pointer Authentication is enabled for Non-secure world
   irrespective of the value of this option if the CPU supports it.

<snip>

 

Thanks,

Varun


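One way to confirm which row of the table above a built image actually matches, as an added example that is not part of the original thread or of TF-A itself: the script reads `objdump -d` output for an AArch64 image on stdin and looks for the PAuth and BTI instruction encodings. The function names `bp_row` and `sample_standard` and the sample disassembly are constructed for illustration.

```shell
#!/bin/sh
# Added example (not TF-A code). Matching is done on the raw instruction
# encodings, so it works even when the disassembler prints them as "hint".
bp_row() {
    awk '
        # objdump -d instruction lines: "  addr:  encoding  mnemonic operands"
        $1 ~ /^[0-9a-f]+:$/ {
            enc = tolower($2)
            # paciasp, pacibsp, autiasp, autibsp, retaa, retab
            if (enc ~ /^(d503233f|d503237f|d50323bf|d50323ff|d65f0bff|d65f0fff)$/) pac++
            # bti, bti c, bti j, bti jc
            if (enc ~ /^(d503241f|d503245f|d503249f|d50324df)$/) bti++
        }
        END {
            if (pac && bti) row = "1"          # standard (bti+pac-ret)
            else if (pac)   row = "2 or 3"     # pac-ret or pac-ret+leaf
            else if (bti)   row = "not in table"
            else            row = "0"
            printf "PAuth=%s BTI=%s BRANCH_PROTECTION=%s\n", \
                (pac ? "Y" : "N"), (bti ? "Y" : "N"), row
        }'
}

# Constructed sample: a leaf function and a caller as a compiler would emit
# them with -mbranch-protection=standard.
sample_standard() {
cat <<'EOF'
0000000000000000 <leaf>:
   0:   d503245f    bti c
   4:   d65f03c0    ret
0000000000000008 <caller>:
   8:   d503233f    paciasp
   c:   a9bf7bfd    stp x29, x30, [sp, #-16]!
  10:   97fffffc    bl  0 <leaf>
  14:   a8c17bfd    ldp x29, x30, [sp], #16
  18:   d50323bf    autiasp
  1c:   d65f03c0    ret
EOF
}

sample_standard | bp_row
```

On a real build, pipe the disassembly of the BL image produced by your cross toolchain's `objdump -d` into `bp_row`. The check cannot tell value 2 from value 3, since both emit only PAuth instructions.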