Implement version 2 of the memory attributes table, which now contains a

flag informing the OS whether or not code regions may be mapped with CFI

mitigations such as IBT or BTI enabled.



This series covers roughly the following parts:



- (AARCH64) Annotate ELF objects generated from asm as BTI compatible

  when BTI codegen is enabled

- Update the BaseTools to emit the appropriate PE/COFF annotation when a

  BTI/IBT compatible ELF executable is converted to PE/COFF

- Take this PE/COFF annotation into account when populating the memory

  attributes table in the DXE core



TODO:

- X64 changes to make the code IBT compatible and emit the ELF note

- Figure out how to generate such executables with native PE toolchains

- Implement BTI/IBT enforcement at boot time - this is something I

  intend to look into next.



Can be tested with the CLANG38 toolchain (both Clang compiler and LLD

linker, version 3.8 or newer) with the following build options.



[BuildOptions]

  GCC:*_*_AARCH64_PP_FLAGS = -mbranch-protection=bti

  GCC:*_*_AARCH64_CC_FLAGS = -mbranch-protection=bti

  GCC:*_*_AARCH64_DLINK_FLAGS = -fuse-ld=lld -Wl,--no-relax,--no-pie,-z,bti-report=error



Cc: Michael Kinney <michael.d.kinney@intel.com>

Cc: Liming Gao <gaoliming@byosoft.com.cn>

Cc: Jiewen Yao <jiewen.yao@intel.com>

Cc: Michael Kubacki <michael.kubacki@microsoft.com>

Cc: Sean Brogan <sean.brogan@microsoft.com>

Cc: Rebecca Cran <quic_rcran@quicinc.com>

Cc: Leif Lindholm <quic_llindhol@quicinc.com>

Cc: Sami Mujawar <sami.mujawar@arm.com>

Cc: Taylor Beebe <t@taylorbeebe.com>

Cc: Marvin Häuser <mhaeuser@posteo.de>

Cc: Bob Feng <bob.c.feng@intel.com>



Ard Biesheuvel (17):

  MdePkg/ProcessorBind AARCH64: Add asm macro to emit GNU BTI note

  MdePkg/BaseCpuLib AARCH64: Make asm files BTI compatible

  MdePkg/BaseIoLibIntrinsic AARCH64: Make asm files BTI compatible

  MdePkg/BaseLib AARCH64: Make LongJump() BTI compatible

  MdePkg/BaseLib AARCH64: Make asm files BTI compatible

  MdePkg/BaseMemoryLibOptDxe AARCH64: Make asm files BTI compatible

  MdePkg/BaseSynchronizationLib AARCH64: Make asm files BTI compatible

  MdePkg/BaseRngLib AARCH64: Make asm files BTI compatible

  ArmPkg: Emit BTI opcodes when BTI codegen is enabled

  ArmPkg/GccLto AARCH64: Add BTI note to LTO helper library

  ArmPkg, BaseTools AARCH64: Add BTI ELF note to .hii objects

  ArmPlatformPkg/PrePeiCore: Make vector table object BTI compatible

  BaseTools/GenFw: Parse IBT/BTI support status from ELF note

  BaseTools/GenFw: Add DllCharacteristicsEx field to debug data

  MdePkg: Update MemoryAttributesTable to v2.10

  MdePkg/PeCoffLib: Capture DLL characteristics fieldis in image context

  MdeModulePkg: Enable forward edge CFI in mem attributes table



 ArmPkg/Include/AsmMacroIoLibV8.h                                |   3 +-

 ArmPkg/Library/ArmExceptionLib/AArch64/ExceptionSupport.S       |   3 +-

 ArmPkg/Library/ArmSvcLib/AArch64/ArmSvc.S                       |   4 +-

 ArmPkg/Library/GccLto/liblto-aarch64.a                          | Bin 1016 -> 1128 bytes

 ArmPkg/Library/GnuNoteBti.bin                                   | Bin 0 -> 32 bytes

 ArmPlatformPkg/PrePeiCore/AArch64/Exception.S                   |   2 +

 ArmVirtPkg/Library/ArmPlatformLibQemu/IdMap.S                   |   2 +

 BaseTools/Conf/tools_def.template                               |   4 +-

 BaseTools/Source/C/GenFw/Elf64Convert.c                         | 104 +++++++++++++++++---

 BaseTools/Source/C/GenFw/GenFw.c                                |   3 +-

 BaseTools/Source/C/GenFw/elf_common.h                           |   9 ++

 BaseTools/Source/C/Include/IndustryStandard/PeImage.h           |  13 ++-

 MdeModulePkg/Core/Dxe/DxeMain.h                                 |   2 +

 MdeModulePkg/Core/Dxe/Image/Image.c                             |  10 ++

 MdeModulePkg/Core/Dxe/Misc/MemoryAttributesTable.c              |   8 +-

 MdePkg/Include/AArch64/ProcessorBind.h                          |  31 ++++++

 MdePkg/Include/Guid/MemoryAttributesTable.h                     |   8 +-

 MdePkg/Include/IndustryStandard/PeImage.h                       |  13 ++-

 MdePkg/Include/Library/PeCoffLib.h                              |   6 ++

 MdePkg/Library/BaseCpuLib/AArch64/CpuFlushTlb.S                 |   1 +

 MdePkg/Library/BaseCpuLib/AArch64/CpuSleep.S                    |   1 +

 MdePkg/Library/BaseIoLibIntrinsic/AArch64/ArmVirtMmio.S         |   8 ++

 MdePkg/Library/BaseLib/AArch64/CpuBreakpoint.S                  |   1 +

 MdePkg/Library/BaseLib/AArch64/DisableInterrupts.S              |   1 +

 MdePkg/Library/BaseLib/AArch64/EnableInterrupts.S               |   1 +

 MdePkg/Library/BaseLib/AArch64/GetInterruptsState.S             |   1 +

 MdePkg/Library/BaseLib/AArch64/MemoryFence.S                    |   1 +

 MdePkg/Library/BaseLib/AArch64/SetJumpLongJump.S                |   5 +-

 MdePkg/Library/BaseLib/AArch64/SpeculationBarrier.S             |   1 +

 MdePkg/Library/BaseLib/AArch64/SwitchStack.S                    |   2 +

 MdePkg/Library/BaseMemoryLibOptDxe/AArch64/CompareGuid.S        |   1 +

 MdePkg/Library/BaseMemoryLibOptDxe/AArch64/CompareMem.S         |   1 +

 MdePkg/Library/BaseMemoryLibOptDxe/AArch64/CopyMem.S            |   1 +

 MdePkg/Library/BaseMemoryLibOptDxe/AArch64/ScanMem.S            |   1 +

 MdePkg/Library/BaseMemoryLibOptDxe/AArch64/SetMem.S             |   5 +

 MdePkg/Library/BasePeCoffLib/BasePeCoff.c                       |  46 ++++++---

 MdePkg/Library/BaseRngLib/AArch64/ArmReadIdIsar0.S              |   3 +-

 MdePkg/Library/BaseRngLib/AArch64/ArmRng.S                      |   1 +

 MdePkg/Library/BaseSynchronizationLib/AArch64/Synchronization.S |   5 +

 39 files changed, 270 insertions(+), 42 deletions(-)

 create mode 100644 ArmPkg/Library/GnuNoteBti.bin



-- 

2.39.2