Diffstat (limited to 'Makefile')
-rw-r--r-- | Makefile | 64 |
1 files changed, 48 insertions, 16 deletions
@@ -117,6 +117,29 @@ ifneq (${GENERATE_COT},0)
 FWU_FIP_DEPS += fwu_certificates
 endif
+# Process BRANCH_PROTECTION value and set
+# Pointer Authentication and Branch Target Identification flags
+ifeq (${BRANCH_PROTECTION},0)
+ # Default value turns off all types of branch protection
+ BP_OPTION := none
+else ifneq (${ARCH},aarch64)
+ $(error BRANCH_PROTECTION requires AArch64)
+else ifeq (${BRANCH_PROTECTION},1)
+ # Enables all types of branch protection features
+ BP_OPTION := standard
+ ENABLE_BTI := 1
+ ENABLE_PAUTH := 1
+else ifeq (${BRANCH_PROTECTION},2)
+ # Return address signing to its standard level
+ BP_OPTION := pac-ret
+ ENABLE_PAUTH := 1
+else ifeq (${BRANCH_PROTECTION},3)
+ # Extend the signing to include leaf functions
+ BP_OPTION := pac-ret+leaf
+ ENABLE_PAUTH := 1
+else
+ $(error Unknown BRANCH_PROTECTION value ${BRANCH_PROTECTION})
+endif
 ################################################################################
 # Toolchain
@@ -189,6 +212,10 @@ endif
 TF_CFLAGS_aarch32 += -mno-unaligned-access
 TF_CFLAGS_aarch64 += -mgeneral-regs-only -mstrict-align
+ifneq (${BP_OPTION},none)
+TF_CFLAGS_aarch64 += -mbranch-protection=${BP_OPTION}
+endif
+
 ASFLAGS_aarch32 = $(march32-directive)
 ASFLAGS_aarch64 = $(march64-directive)
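Review bot: The BRANCH_PROTECTION chain in the first hunk assigns `BP_OPTION`, `ENABLE_BTI` and `ENABLE_PAUTH` with plain `:=`, which a command-line assignment of the same name silently overrides. A build invoked with `BRANCH_PROTECTION=1 ENABLE_PAUTH=0` would still get `-mbranch-protection=standard` from the hunk at -189 while the firmware is compiled with ENABLE_PAUTH=0, and `ENABLE_PAUTH=1` with `BRANCH_PROTECTION=0` gives the opposite mismatch. Either way the image would claim or lack protection inconsistently, with no diagnostic. Since the hunk at -599 also removes `assert_boolean,ENABLE_PAUTH`, nothing visible validates a user-supplied value any more. I would make the derived values authoritative, e.g. `override BP_OPTION := standard`, `override ENABLE_BTI := 1`, `override ENABLE_PAUTH := 1` in each branch, or reject the combination with a `$(origin ENABLE_PAUTH)` check and an `$(error ...)`.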
@@ -451,26 +478,30 @@ ifeq ($(DYN_DISABLE_AUTH), 1)
 endif
 # If pointer authentication is used in the firmware, make sure that all the
-# registers associated to it are also saved and restored. Not doing it would
-# leak the value of the key used by EL3 to EL1 and S-EL1.
+# registers associated to it are also saved and restored.
+# Not doing it would leak the value of the keys used by EL3 to EL1 and S-EL1.
 ifeq ($(ENABLE_PAUTH),1)
- ifneq ($(ARCH),aarch64)
- $(error ENABLE_PAUTH=1 requires AArch64)
- else ifeq ($(CTX_INCLUDE_PAUTH_REGS),0)
- $(error ENABLE_PAUTH=1 requires CTX_INCLUDE_PAUTH_REGS=1)
- else
- $(info ENABLE_PAUTH and CTX_INCLUDE_PAUTH_REGS are experimental features)
+ ifeq ($(CTX_INCLUDE_PAUTH_REGS),0)
+ $(error Pointer Authentication requires CTX_INCLUDE_PAUTH_REGS=1)
 endif
-else
- ifeq ($(CTX_INCLUDE_PAUTH_REGS),1)
- ifneq ($(ARCH),aarch64)
- $(error CTX_INCLUDE_PAUTH_REGS=1 requires AArch64)
- else
- $(info CTX_INCLUDE_PAUTH_REGS is an experimental feature)
- endif
+endif
+
+ifeq ($(CTX_INCLUDE_PAUTH_REGS),1)
+ ifneq (${ARCH},aarch64)
+ $(error CTX_INCLUDE_PAUTH_REGS requires AArch64)
+ else
+ $(info CTX_INCLUDE_PAUTH_REGS is an experimental feature)
 endif
 endif
+ifeq ($(ENABLE_PAUTH),1)
+ $(info Pointer Authentication is an experimental feature)
+endif
+
+ifeq ($(ENABLE_BTI),1)
+ $(info Branch Protection is an experimental feature)
+endif
+
 ################################################################################
 # Process platform overrideable behaviour
 ################################################################################
@@ -599,7 +630,6 @@ $(eval $(call assert_boolean,EL3_EXCEPTION_HANDLING))
 $(eval $(call assert_boolean,ENABLE_AMU))
 $(eval $(call assert_boolean,ENABLE_ASSERTIONS))
 $(eval $(call assert_boolean,ENABLE_MPAM_FOR_LOWER_ELS))
-$(eval $(call assert_boolean,ENABLE_PAUTH))
 $(eval $(call assert_boolean,ENABLE_PIE))
 $(eval $(call assert_boolean,ENABLE_PMF))
 $(eval $(call assert_boolean,ENABLE_PSCI_STAT))
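Review bot: The guard `ifeq ($(CTX_INCLUDE_PAUTH_REGS),0)` in the hunk at -451 fails open, because only the literal value 0 triggers the error and an empty or otherwise unexpected value passes. The comment directly above says that skipping the save/restore leaks the EL3 keys to EL1 and S-EL1, so the check should require the safe value instead: `ifneq ($(CTX_INCLUDE_PAUTH_REGS),1)`. Whether CTX_INCLUDE_PAUTH_REGS has already been validated as boolean at this point is not visible in the hunk. Separately, the message printed for ENABLE_BTI says "Branch Protection", which reads as the BRANCH_PROTECTION build option as a whole; `$(info Branch Target Identification is an experimental feature)` would name the feature that is actually being reported.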
@@ -635,6 +665,7 @@ $(eval $(call assert_boolean,BL2_IN_XIP_MEM))
 $(eval $(call assert_numeric,ARM_ARCH_MAJOR))
 $(eval $(call assert_numeric,ARM_ARCH_MINOR))
+$(eval $(call assert_numeric,BRANCH_PROTECTION))
 ################################################################################
 # Add definitions to the cpp preprocessor based on the current build options.
@@ -651,6 +682,7 @@ $(eval $(call add_define,CTX_INCLUDE_PAUTH_REGS))
 $(eval $(call add_define,EL3_EXCEPTION_HANDLING))
 $(eval $(call add_define,ENABLE_AMU))
 $(eval $(call add_define,ENABLE_ASSERTIONS))
+$(eval $(call add_define,ENABLE_BTI))
 $(eval $(call add_define,ENABLE_MPAM_FOR_LOWER_ELS))
 $(eval $(call add_define,ENABLE_PAUTH))
 $(eval $(call add_define,ENABLE_PIE)) |
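Review bot: `ENABLE_BTI` is exported to the preprocessor by the `add_define` line in the hunk at -651, but no matching `assert_boolean` is added in any visible hunk, and the BRANCH_PROTECTION chain assigns it only when the value is 1. For BRANCH_PROTECTION values 0, 2 and 3 the define therefore comes from whatever default exists elsewhere, which is not visible here. If there is none, what `#if ENABLE_BTI` evaluates to depends on how `add_define` treats an empty variable. I would add `$(eval $(call assert_boolean,ENABLE_BTI))` beside the other boolean assertions and confirm that an `ENABLE_BTI := 0` default is set before this point, so a malformed or missing value stops the build instead of producing firmware whose BTI state is ambiguous.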