diff options
Diffstat (limited to 'Makefile')
| -rw-r--r-- | Makefile | 84 |
1 files changed, 61 insertions, 23 deletions
@@ -117,6 +117,29 @@ ifneq (${GENERATE_COT},0) FWU_FIP_DEPS += fwu_certificates endif +# Process BRANCH_PROTECTION value and set +# Pointer Authentication and Branch Target Identification flags +ifeq (${BRANCH_PROTECTION},0) + # Default value turns off all types of branch protection + BP_OPTION := none +else ifneq (${ARCH},aarch64) + $(error BRANCH_PROTECTION requires AArch64) +else ifeq (${BRANCH_PROTECTION},1) + # Enables all types of branch protection features + BP_OPTION := standard + ENABLE_BTI := 1 + ENABLE_PAUTH := 1 +else ifeq (${BRANCH_PROTECTION},2) + # Return address signing to its standard level + BP_OPTION := pac-ret + ENABLE_PAUTH := 1 +else ifeq (${BRANCH_PROTECTION},3) + # Extend the signing to include leaf functions + BP_OPTION := pac-ret+leaf + ENABLE_PAUTH := 1 +else + $(error Unknown BRANCH_PROTECTION value ${BRANCH_PROTECTION}) +endif ################################################################################ # Toolchain @@ -189,27 +212,27 @@ endif TF_CFLAGS_aarch32 += -mno-unaligned-access TF_CFLAGS_aarch64 += -mgeneral-regs-only -mstrict-align +ifneq (${BP_OPTION},none) +TF_CFLAGS_aarch64 += -mbranch-protection=${BP_OPTION} +endif + ASFLAGS_aarch32 = $(march32-directive) ASFLAGS_aarch64 = $(march64-directive) WARNING1 := -Wextra -WARNING1 += -Wunused -Wno-unused-parameter WARNING1 += -Wmissing-declarations WARNING1 += -Wmissing-format-attribute WARNING1 += -Wmissing-prototypes WARNING1 += -Wold-style-definition -WARNING1 += -Wunused-but-set-variable WARNING1 += -Wunused-const-variable WARNING2 := -Waggregate-return WARNING2 += -Wcast-align -WARNING2 += -Wdisabled-optimization WARNING2 += -Wnested-externs WARNING2 += -Wshadow WARNING2 += -Wlogical-op WARNING2 += -Wmissing-field-initializers WARNING2 += -Wsign-compare -WARNING2 += -Wmaybe-uninitialized WARNING3 := -Wbad-function-cast WARNING3 += -Wcast-qual @@ -219,8 +242,6 @@ WARNING3 += -Wpadded WARNING3 += -Wpointer-arith WARNING3 += -Wredundant-decls WARNING3 += -Wswitch-default -WARNING3 += -Wpacked-bitfield-compat -WARNING3 += -Wvla ifeq (${W},1) WARNINGS := $(WARNING1) @@ -230,6 +251,16 @@ else ifeq (${W},3) WARNINGS := $(WARNING1) $(WARNING2) $(WARNING3) endif +WARNINGS += -Wunused -Wno-unused-parameter \ + -Wdisabled-optimization \ + -Wvla + +ifeq ($(findstring clang,$(notdir $(CC))),) +WARNINGS += -Wunused-but-set-variable \ + -Wmaybe-uninitialized \ + -Wpacked-bitfield-compat +endif + ifneq (${E},0) ERRORS := -Werror endif @@ -451,26 +482,30 @@ ifeq ($(DYN_DISABLE_AUTH), 1) endif # If pointer authentication is used in the firmware, make sure that all the -# registers associated to it are also saved and restored. Not doing it would -# leak the value of the key used by EL3 to EL1 and S-EL1. +# registers associated to it are also saved and restored. +# Not doing it would leak the value of the keys used by EL3 to EL1 and S-EL1. ifeq ($(ENABLE_PAUTH),1) - ifneq ($(ARCH),aarch64) - $(error ENABLE_PAUTH=1 requires AArch64) - else ifeq ($(CTX_INCLUDE_PAUTH_REGS),0) - $(error ENABLE_PAUTH=1 requires CTX_INCLUDE_PAUTH_REGS=1) - else - $(info ENABLE_PAUTH and CTX_INCLUDE_PAUTH_REGS are experimental features) + ifeq ($(CTX_INCLUDE_PAUTH_REGS),0) + $(error Pointer Authentication requires CTX_INCLUDE_PAUTH_REGS=1) endif -else - ifeq ($(CTX_INCLUDE_PAUTH_REGS),1) - ifneq ($(ARCH),aarch64) - $(error CTX_INCLUDE_PAUTH_REGS=1 requires AArch64) - else - $(info CTX_INCLUDE_PAUTH_REGS is an experimental feature) - endif +endif + +ifeq ($(CTX_INCLUDE_PAUTH_REGS),1) + ifneq (${ARCH},aarch64) + $(error CTX_INCLUDE_PAUTH_REGS requires AArch64) + else + $(info CTX_INCLUDE_PAUTH_REGS is an experimental feature) endif endif +ifeq ($(ENABLE_PAUTH),1) + $(info Pointer Authentication is an experimental feature) +endif + +ifeq ($(ENABLE_BTI),1) + $(info Branch Protection is an experimental feature) +endif + ################################################################################ # Process platform overrideable behaviour ################################################################################ @@ -599,7 +634,6 @@ $(eval $(call assert_boolean,EL3_EXCEPTION_HANDLING)) $(eval $(call assert_boolean,ENABLE_AMU)) $(eval $(call assert_boolean,ENABLE_ASSERTIONS)) $(eval $(call assert_boolean,ENABLE_MPAM_FOR_LOWER_ELS)) -$(eval $(call assert_boolean,ENABLE_PAUTH)) $(eval $(call assert_boolean,ENABLE_PIE)) $(eval $(call assert_boolean,ENABLE_PMF)) $(eval $(call assert_boolean,ENABLE_PSCI_STAT)) @@ -635,6 +669,7 @@ $(eval $(call assert_boolean,BL2_IN_XIP_MEM)) $(eval $(call assert_numeric,ARM_ARCH_MAJOR)) $(eval $(call assert_numeric,ARM_ARCH_MINOR)) +$(eval $(call assert_numeric,BRANCH_PROTECTION)) ################################################################################ # Add definitions to the cpp preprocessor based on the current build options. @@ -651,6 +686,7 @@ $(eval $(call add_define,CTX_INCLUDE_PAUTH_REGS)) $(eval $(call add_define,EL3_EXCEPTION_HANDLING)) $(eval $(call add_define,ENABLE_AMU)) $(eval $(call add_define,ENABLE_ASSERTIONS)) +$(eval $(call add_define,ENABLE_BTI)) $(eval $(call add_define,ENABLE_MPAM_FOR_LOWER_ELS)) $(eval $(call add_define,ENABLE_PAUTH)) $(eval $(call add_define,ENABLE_PIE)) @@ -909,11 +945,13 @@ cscope: ${Q}cscope -b -q -k help: - @echo "usage: ${MAKE} PLAT=<${PLATFORM_LIST}> [OPTIONS] [TARGET]" + @echo "usage: ${MAKE} [PLAT=<platform>] [OPTIONS] [TARGET]" @echo "" @echo "PLAT is used to specify which platform you wish to build." @echo "If no platform is specified, PLAT defaults to: ${DEFAULT_PLAT}" @echo "" + @echo "platform = ${PLATFORM_LIST}" + @echo "" @echo "Please refer to the User Guide for a list of all supported options." @echo "Note that the build system doesn't track dependencies for build " @echo "options. Therefore, if any of the build options are changed " |