Hello,
Can someone please help clarify?
-Varun
From: TF-A tf-a-bounces@lists.trustedfirmware.org On Behalf Of Varun Wadekar via TF-A
Sent: Tuesday, April 7, 2020 9:58 PM
To: tf-a@lists.trustedfirmware.org
Cc: Kalyani Chidambaram Vaidyanathan kalyanic@nvidia.com; Anthony Zhou anzhou@nvidia.com
Subject: [TF-A] BRANCH_PROTECTION
Hello,
Can someone please help me understand if
1. a 'value' of '1' for BRANCH_PROTECTION covers the PAuth protection provided by a value of '2' and/or '3'?
2. there is a way to enable BTI and "pac-ret" at the same time?
The docs provide this information.
<snip>
- ``BRANCH_PROTECTION``: Numeric value to enable ARMv8.3 Pointer Authentication
and ARMv8.5 Branch Target Identification support for TF-A BL images themselves.
If enabled, it is needed to use a compiler that supports the option
``-mbranch-protection``. Selects the branch protection features to use:
- 0: Default value turns off all types of branch protection
- 1: Enables all types of branch protection features
- 2: Return address signing to its standard level
- 3: Extend the signing to include leaf functions
The table below summarizes ``BRANCH_PROTECTION`` values, GCC compilation options
and resulting PAuth/BTI features.
+-------+--------------+-------+-----+
| Value |  GCC option  | PAuth | BTI |
+=======+==============+=======+=====+
|   0   |     none     |   N   |  N  |
+-------+--------------+-------+-----+
|   1   |   standard   |   Y   |  Y  |
+-------+--------------+-------+-----+
|   2   |   pac-ret    |   Y   |  N  |
+-------+--------------+-------+-----+
|   3   | pac-ret+leaf |   Y   |  N  |
+-------+--------------+-------+-----+
This option defaults to 0 and this is an experimental feature.
Note that Pointer Authentication is enabled for Non-secure world
irrespective of the value of this option if the CPU supports it.
<snip>
Thanks,
Varun
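
A check a builder could run after picking a value, added here as an example (not part of the original message and not TF-A code): it scans `objdump -d` text for PAuth and BTI instructions and compares what it finds with the table quoted above. The disassembly sample and the function names in it are constructed for illustration.

```python
import re

# BRANCH_PROTECTION value -> (PAuth, BTI), from the table in the quoted docs.
EXPECTED = {0: (False, False), 1: (True, True), 2: (True, False), 3: (True, False)}

PAUTH_MNEMONICS = {"paciasp", "pacibsp", "autiasp", "autibsp", "retaa", "retab"}
# Disassemblers without ARMv8.3/8.5 support print the same opcodes as "hint #imm".
PAUTH_HINTS = {25, 27, 29, 31}   # paciasp, pacibsp, autiasp, autibsp
BTI_HINTS = {32, 34, 36, 38}     # bti, bti c, bti j, bti jc
# One objdump instruction line: address, 32-bit encoding, mnemonic, first operand.
INSN = re.compile(r"^\s*[0-9a-f]+:\s+[0-9a-f]{8}\s+(\S+)\s*(\S*)")

def observed_features(disasm):
    """Return (pauth_seen, bti_seen) for `objdump -d` text of an AArch64 image."""
    pauth = bti = False
    for line in disasm.splitlines():
        m = INSN.match(line)
        if not m:
            continue  # section headers, symbol labels, blank lines
        mnemonic, operand = m.groups()
        hint = None
        if mnemonic == "hint" and operand.startswith("#"):
            hint = int(operand[1:], 0)  # accepts "#25" and "#0x19"
        pauth = pauth or mnemonic in PAUTH_MNEMONICS or hint in PAUTH_HINTS
        bti = bti or mnemonic == "bti" or hint in BTI_HINTS
    return pauth, bti

def consistent_with(value, disasm):
    """True when the image shows exactly the features the table lists for `value`."""
    return observed_features(disasm) == EXPECTED[value]

# Constructed sample (not real TF-A output): code as built with `standard`.
SAMPLE_STANDARD = """
0000000000001000 <func_a>:
    1000:   d503233f    paciasp
    1004:   a9bf7bfd    stp x29, x30, [sp, #-16]!
    1008:   94000004    bl 1018 <leaf_fn>
    100c:   a8c17bfd    ldp x29, x30, [sp], #16
    1010:   d50323bf    autiasp
    1014:   d65f03c0    ret

0000000000001018 <leaf_fn>:
    1018:   d503245f    bti c
    101c:   d65f03c0    ret
"""

if __name__ == "__main__":
    print(observed_features(SAMPLE_STANDARD), consistent_with(1, SAMPLE_STANDARD))
```

Values 2 and 3 both read as PAuth without BTI in this check, so telling them apart needs a per-function look at whether leaf functions are signed.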