diff --git a/arch/arm/core/cortex_m/CMakeLists.txt b/arch/arm/core/cortex_m/CMakeLists.txt
index 05723811929a..6b6ed7e48fec 100644
--- a/arch/arm/core/cortex_m/CMakeLists.txt
+++ b/arch/arm/core/cortex_m/CMakeLists.txt
@@ -2,6 +2,23 @@
 
 zephyr_library()
 
+if(CONFIG_ARMV8_1_M_PACBTI_STANDARD)
+ zephyr_compile_options(-mbranch-protection=standard)
+elseif(CONFIG_ARMV8_1_M_PACBTI_PACRET)
+ zephyr_compile_options(-mbranch-protection=pac-ret)
+elseif(CONFIG_ARMV8_1_M_PACBTI_PACRET_LEAF)
+ zephyr_compile_options(-mbranch-protection=pac-ret+leaf)
+elseif(CONFIG_ARMV8_1_M_PACBTI_BTI)
+ zephyr_compile_options(-mbranch-protection=bti)
+elseif(CONFIG_ARMV8_1_M_PACBTI_PACRET_BTI)
+ zephyr_compile_options(-mbranch-protection=pac-ret+bti)
+elseif(CONFIG_ARMV8_1_M_PACBTI_PACRET_LEAF_BTI)
+ zephyr_compile_options(-mbranch-protection=pac-ret+leaf+bti)
+elseif(CONFIG_ARMV8_1_M_PACBTI_NONE)
+ #TODO: Enable this after Zephyr SDK updates to GCC version >=14.2
+ # zephyr_compile_options(-mbranch-protection=none)
+endif()
+
 zephyr_library_sources(
 exc_exit.c
 fault.c
diff --git a/arch/arm/core/cortex_m/Kconfig b/arch/arm/core/cortex_m/Kconfig
index c018574429a5..eb54301c30c5 100644
--- a/arch/arm/core/cortex_m/Kconfig
+++ b/arch/arm/core/cortex_m/Kconfig
@@ -1,6 +1,7 @@
 # ARM Cortex-M platform configuration options
 
 # Copyright (c) 2014-2015 Wind River Systems, Inc.
+# Copyright 2025 Arm Limited and/or its affiliates
 # SPDX-License-Identifier: Apache-2.0
 
 # NOTE: We have the specific core implementations first and outside of the
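Review bot: The `CONFIG_ARMV8_1_M_PACBTI_NONE` branch is empty, so with the choice's default nothing is passed and the build silently takes the toolchain's own default for `-mbranch-protection`, while selecting any other option on a toolchain that lacks the flag (the SDK GCC the TODO refers to) fails late with an unrecognized-option error instead of a diagnostic that names the requirement. A compiler-flag probe followed by `message(FATAL_ERROR "PACBTI requires a toolchain that supports -mbranch-protection (GCC 14.2 or later)")` would make that explicit; dropping the flag silently when unsupported (the way a `zephyr_cc_option`-style probe behaves) would be the wrong choice for a security feature, because the image would look protected but not be. Nothing in this hunk enables checking in hardware — these flags only make the compiler emit PAC/BTI instructions, and whether the core authenticates return addresses or enforces landing pads depends on the CONTROL register's PAC/BTI enable bits and the PAC key registers being set up at boot, which this file does not touch. If that lives elsewhere in the series, a comment pointing to it, e.g. `# Compiler-side instrumentation only; hardware enablement (CONTROL PAC/BTI enables, PAC keys) is done in <hardware-enable-location>`, would save the next reader a search.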
@@ -298,6 +299,60 @@ config ARMV8_1_M_PMU
 This option is enabled when the CPU implements ARMv8-M Performance Monitoring Unit (PMU).
 
+choice ARMV8_1_M_PACBTI
+ prompt "Pointer Authentication and Branch Target Identification"
+ default ARMV8_1_M_PACBTI_NONE
+ depends on ARMV8_1_M_MAINLINE
+
+config ARMV8_1_M_PACBTI_STANDARD
+ bool "Standard (PACRET + LEAF + BTI)"
+ help
+ This option instructs the compiler to generate code with all branch protection features
+ enabled at their standard level.
+
+config ARMV8_1_M_PACBTI_PACRET
+ bool "PACRET only"
+ help
+ This option instructs the compiler to generate code with return address signing for
+ all functions that save the return address to memory.
+
+config ARMV8_1_M_PACBTI_PACRET_LEAF
+ bool "PACRET + Leaf"
+ help
+ This option instructs the compiler to generate code with return address signing for
+ all functions that save the return address to memory and,
+ also sign leaf functions even if they do not write the return address to memory.
+
+config ARMV8_1_M_PACBTI_BTI
+ bool "BTI only"
+ help
+ This option enables Branch Target Identification (BTI), which inserts special landing
+ pad instructions at valid indirect branch targets. This option does not enable Pointer
+ Authentication (PAC).
+
+config ARMV8_1_M_PACBTI_PACRET_BTI
+ bool "PACRET + BTI"
+ help
+ This option instructs the compiler to generate code with return address signing for
+ all functions that save the return address to memory and,
+ add landing-pad instructions at the permitted targets of indirect branch instructions
+
+config ARMV8_1_M_PACBTI_PACRET_LEAF_BTI
+ bool "PACRET + Leaf + BTI"
+ help
+ This option instructs the compiler to generate code with return address signing for
+ all functions that save the return address to memory and,
+ also sign leaf functions even if they do not write the return address to memory and,
+ add landing-pad instructions at the permitted targets of indirect branch instructions
+
+config ARMV8_1_M_PACBTI_NONE
+ bool "None"
+ help
+ This option instructs the compiler to generate code without branch protection or return
+ address signing
+
+endchoice
+
 config ARMV8_M_PMU_EVENTCNT
 int "Number of event counters in the Performance Monitoring Unit"
 depends on ARMV8_1_M_PMU
diff --git a/doc/hardware/arch/arm_cortex_m.rst b/doc/hardware/arch/arm_cortex_m.rst
index 4bfb05d8026e..2ea646b57321 100644
--- a/doc/hardware/arch/arm_cortex_m.rst
+++ b/doc/hardware/arch/arm_cortex_m.rst
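Review bot: The choice only `depends on ARMV8_1_M_MAINLINE`, so every PACBTI entry is offered for any v8.1-M Mainline core whether or not it implements the extension, and with any toolchain; neither constraint appears in the help texts, which is the only place a user picking the option will look (the rst hunk in this commit records both as limitations, the Kconfig entries do not). A hardware-presence symbol in the style of `ARMV8_1_M_PMU` just above, presumably selected by the CPU or SoC Kconfig, as an additional `depends on` for the non-NONE entries, plus one help line per entry such as `Requires a toolchain that supports -mbranch-protection (GCC 14.2 or later); the Zephyr SDK GCC does not.`, would surface both where the choice is made. On a core without the extension the PAC/BTI instructions presumably execute as no-ops, so a mis-selected option yields a build that looks protected but is not; that is worth a sentence in the choice help. Minor style: the titles mix `LEAF` and `Leaf`, and the help text of `PACRET_BTI`, `PACRET_LEAF_BTI` and `NONE` ends without a period.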
@@ -17,71 +17,74 @@
 The table below summarizes the status of key OS features in the different Arm
 Cortex-M implementation variants.
 
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | | **Processor families** |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| Architecture variant | | Arm v6-M | Arm v7-M | Arm v8-M | Arm v8.1-M |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | | **M0/M1** | **M0+** | **M3** | **M4** | **M7** | **M23** | **M33** | **M55** |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| **OS Features** | | |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| Programmable fault | | | | | | | | | |
-| IRQ priorities | | Y | N | Y | Y | Y | N | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| Single-thread kernel support | | Y | Y | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| Thread local storage support | | Y | Y | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| Interrupt handling | | |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | Regular interrupts | Y | Y | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | Dynamic interrupts | Y | Y | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | Direct interrupts | Y | Y | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | Zero Latency interrupts | N | N | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| CPU idling | | Y | Y | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| Native system timer (SysTick) | | N [#f1]_ | Y | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| Memory protection | | |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | User mode | N | Y | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | HW stack protection (MPU) | N | N | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | HW-assisted stack limit checking | N | N | N | N | N |Y [#f2]_ | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | Privileged Execute Never | N | N | N | N | N | N | N | Y [#f3]_ |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| HW-assisted null-pointer | | | | | | | | | |
-| dereference detection | | N | N | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| HW-assisted atomic operations | | N | N | Y | Y | Y | N | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-|Support for non-cacheable regions| | N | N | Y | Y | Y | N | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| Execute SRAM functions | | N | N | Y | Y | Y | N | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| Floating Point Services | | N | N | N | Y | Y | N | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| DSP ISA | | N | N | N | Y | Y | N | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| Trusted-Execution | |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | Native TrustZone-M support | N | N | N | N | N | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| | TF-M integration | N | N | N | N | N | N | Y | N |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| Code relocation | | Y | Y | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| SW-based vector table relaying | | Y | Y | Y | Y | Y | Y | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
-| HW-assisted timing functions | | N | N | Y | Y | Y | N | Y | Y |
-+---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | | **Processor families** | |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| Architecture variant | | Arm v6-M | Arm v7-M | Arm v8-M | Arm v8.1-M |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | | **M0/M1** | **M0+** | **M3** | **M4** | **M7** | **M23** | **M33** | **M55** | **M85** |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| **OS Features** | | | |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| Programmable fault | | | | | | | | | | |
+| IRQ priorities | | Y | N | Y | Y | Y | N | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| Single-thread kernel support | | Y | Y | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| Thread local storage support | | Y | Y | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| **Interrupt handling** | | | |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | Regular interrupts | Y | Y | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | Dynamic interrupts | Y | Y | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | Direct interrupts | Y | Y | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | Zero Latency interrupts | N | N | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| CPU idling | | Y | Y | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| Native system timer (SysTick) | | N [#f1]_ | Y | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| **Memory protection** | | | |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | User mode | N | Y | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | HW stack protection (MPU) | N | N | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | HW-assisted stack limit checking | N | N | N | N | N |Y [#f2]_ | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | Privileged Execute Never [#f3]_ | N | N | N | N | N | N | N | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| HW-assisted Control | | | | | | | | | | |
+| Flow integrity | PACBTI | N | N | N | N | N | N | N | N | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| HW-assisted null-pointer | | | | | | | | | | |
+| dereference detection | | N | N | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| HW-assisted atomic operations | | N | N | Y | Y | Y | N | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+|Support for non-cacheable regions| | N | N | Y | Y | Y | N | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| Execute SRAM functions | | N | N | Y | Y | Y | N | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| Floating Point Services | | N | N | N | Y | Y | N | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| DSP ISA | | N | N | N | Y | Y | N | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| **Trusted-Execution** | |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | Native TrustZone-M support | N | N | N | N | N | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| | TF-M integration | N | N | N | N | N | N | Y | N | N |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| Code relocation | | Y | Y | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| SW-based vector table relaying | | Y | Y | Y | Y | Y | Y | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
+| HW-assisted timing functions | | N | N | Y | Y | Y | N | Y | Y | Y |
++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+------------+
 
 Notes
 =====
@@ -425,6 +428,43 @@ MPU stack guards detection mechanism; users may override this setting by manually enabling :kconfig:option:`CONFIG_MPU_STACK_GUARD` in these scenarios.
 
+Pointer Authentication and Branch Target Identification (PACBTI)
+================================================================
+
+The Armv8.1-M Pointer Authentication and Branch Target Identification (PACBTI) extension is an
+optional extension for the Armv8.1-M architecture profile and consists of the implementation of the
+following control-flow integrity approaches:
+* Return address signing and authentication (PAC-RET) as a mitigation for Return Oriented
+ Programming (ROP) style attack.
+* BTI instruction placement (BTI) as a mitigation for Jump Oriented Programming (JOP) style attacks.
+
+When hardware support is present (e.g., Cortex-M85) and compiler support is available, PACBTI can be
+enabled at build time in Zephyr by selecting one of the below configs:
+
+- :kconfig:option:`CONFIG_ARMV8_1_M_PACBTI_STANDARD`
+- :kconfig:option:`CONFIG_ARMV8_1_M_PACBTI_PACRET`
+- :kconfig:option:`CONFIG_ARMV8_1_M_PACBTI_PACRET_LEAF`
+- :kconfig:option:`CONFIG_ARMV8_1_M_PACBTI_BTI`
+- :kconfig:option:`CONFIG_ARMV8_1_M_PACBTI_PACRET_BTI`
+- :kconfig:option:`CONFIG_ARMV8_1_M_PACBTI_PACRET_LEAF_BTI`
+- :kconfig:option:`CONFIG_ARMV8_1_M_PACBTI_NONE`
+
+The config options ensures that compiler flags enabling PACBTI instructions are added to the build,
+specifically:
+
+- ``-mbranch-protection=`` for GCC toolchains.
+
+**Limitations:**
+
+- Only builds targeting Armv8.1-M Mainline processors with PACBTI hardware support (e.g.,
+ Cortex-M85) are able to fully use this feature.
+- Zephyr’s integrated SDK currently includes GCC 12.2 which does not support PACBTI so external GCC
+ toolchains (14.2 or later) must be used for PACBTI support.
+ Refer [this](https://docs.zephyrproject.org/latest/develop/toolchains/index.html) on how to set up
+ toolchains.
+
+For more information about PACBTI, refer to the official [Arm documentation](https://developer.arm.com/documentation/109576/latest/).
+
 .. _arm_cortex_m_mpu_considerations:
 
 Memory map and MPU considerations