Re: [PATCHv2 4/7, GCC, ARM, V8M] ARMv8-M Security Extension's cmse_nonsecure_entry: clear registers

2016-11-30 Thread Kyrill Tkachov


On 30/11/16 15:32, Andre Vieira (lists) wrote:

On 23/11/16 11:52, Andre Vieira (lists) wrote:

Hi,

After some extra testing I realized there was an issue with the way we
were clearing registers when returning from a cmse_nonsecure_entry
function for ARMv8-M.Baseline.  This patch fixes that and changes the
testcase to catch the issue.

The problem was I was always using LR to clear the registers, however,
due to the way the Thumb-1 backend works, we can't guarantee LR will
contain the address to which we will be returning at the time of
clearing. Instead we use r0 to clear r1-r3 and IP. If the function does
not use r0 to return a value, we clear r0 with 0 before using it to
clear everything else. As for LR, we move the value of the register used
to return into it prior to returning.

This satisfies the requirements of not leaking secure information since
all registers hold either:
- values to return
- 0
- return address

No changes to ChangeLog.

Cheers,
Andre


Hi,

So I seemed to have forgotten to address two of your comments earlier,
done in this version.

To reiterate:
After some extra testing I realized there was an issue with the way we
were clearing registers when returning from a cmse_nonsecure_entry
function for ARMv8-M Baseline.  This patch fixes that and changes the
testcase to catch the issue.

The problem was I was always using LR to clear the registers, however,
due to the way the Thumb-1 backend works, we can't guarantee LR will
contain the address to which we will be returning at the time of
clearing. Instead we use r0 to clear r1-r3 and IP. If the function does
not use r0 to return a value, we clear r0 with 0 before using it to
clear everything else. As for LR, we move the value of the register used
to return into it prior to returning.

This satisfies the requirements of not leaking secure information since
all registers hold either:
- values to return
- 0
- return address

*** gcc/ChangeLog ***
2016-11-xx  Andre Vieira
  Thomas Preud'homme  

  * config/arm/arm.c (output_return_instruction): Clear
  registers.
  (thumb2_expand_return): Likewise.
  (thumb1_expand_epilogue): Likewise.
  (thumb_exit): Likewise.
  (arm_expand_epilogue): Likewise.
  (cmse_nonsecure_entry_clear_before_return): New.
  (comp_not_to_clear_mask_str_un): New.
  (compute_not_to_clear_mask): New.
  * config/arm/thumb1.md (*epilogue_insns): Change length attribute.
  * config/arm/thumb2.md (*thumb2_cmse_entry_return): Duplicate
  thumb2_return pattern for cmse_nonsecure_entry functions.

*** gcc/testsuite/ChangeLog ***
2016-11-xx  Andre Vieira
  Thomas Preud'homme  

  * gcc.target/arm/cmse/cmse.exp: Test different multilibs separate.
  * gcc.target/arm/cmse/struct-1.c: New.
  * gcc.target/arm/cmse/bitfield-1.c: New.
  * gcc.target/arm/cmse/bitfield-2.c: New.
  * gcc.target/arm/cmse/bitfield-3.c: New.
  * gcc.target/arm/cmse/baseline/cmse-2.c: Test that registers are
cleared.
  * gcc.target/arm/cmse/mainline/soft/cmse-5.c: New.
  * gcc.target/arm/cmse/mainline/hard/cmse-5.c: New.
  * gcc.target/arm/cmse/mainline/hard-sp/cmse-5.c: New.
  * gcc.target/arm/cmse/mainline/softfp/cmse-5.c: New.
  * gcc.target/arm/cmse/mainline/softfp-sp/cmse-5.c: New.


Ok, thanks for addressing the issues.
Kyrill


Cheers,
Andre




Re: [PATCHv2 4/7, GCC, ARM, V8M] ARMv8-M Security Extension's cmse_nonsecure_entry: clear registers

2016-11-30 Thread Andre Vieira (lists)
On 23/11/16 11:52, Andre Vieira (lists) wrote:
> Hi,
> 
> After some extra testing I realized there was an issue with the way we
> were clearing registers when returning from a cmse_nonsecure_entry
> function for ARMv8-M.Baseline.  This patch fixes that and changes the
> testcase to catch the issue.
> 
> The problem was I was always using LR to clear the registers, however,
> due to the way the Thumb-1 backend works, we can't guarantee LR will
> contain the address to which we will be returning at the time of
> clearing. Instead we use r0 to clear r1-r3 and IP. If the function does
> not use r0 to return a value, we clear r0 with 0 before using it to
> clear everything else. As for LR, we move the value of the register used
> to return into it prior to returning.
> 
> This satisfies the requirements of not leaking secure information since
> all registers hold either:
> - values to return
> - 0
> - return address
> 
> No changes to ChangeLog.
> 
> Cheers,
> Andre
> 
Hi,

So I seemed to have forgotten to address two of your comments earlier,
done in this version.

To reiterate:
After some extra testing I realized there was an issue with the way we
were clearing registers when returning from a cmse_nonsecure_entry
function for ARMv8-M Baseline.  This patch fixes that and changes the
testcase to catch the issue.

The problem was I was always using LR to clear the registers, however,
due to the way the Thumb-1 backend works, we can't guarantee LR will
contain the address to which we will be returning at the time of
clearing. Instead we use r0 to clear r1-r3 and IP. If the function does
not use r0 to return a value, we clear r0 with 0 before using it to
clear everything else. As for LR, we move the value of the register used
to return into it prior to returning.

This satisfies the requirements of not leaking secure information since
all registers hold either:
- values to return
- 0
- return address

*** gcc/ChangeLog ***
2016-11-xx  Andre Vieira
 Thomas Preud'homme  

 * config/arm/arm.c (output_return_instruction): Clear
 registers.
 (thumb2_expand_return): Likewise.
 (thumb1_expand_epilogue): Likewise.
 (thumb_exit): Likewise.
 (arm_expand_epilogue): Likewise.
 (cmse_nonsecure_entry_clear_before_return): New.
 (comp_not_to_clear_mask_str_un): New.
 (compute_not_to_clear_mask): New.
 * config/arm/thumb1.md (*epilogue_insns): Change length attribute.
 * config/arm/thumb2.md (*thumb2_cmse_entry_return): Duplicate
 thumb2_return pattern for cmse_nonsecure_entry functions.

*** gcc/testsuite/ChangeLog ***
2016-11-xx  Andre Vieira
 Thomas Preud'homme  

 * gcc.target/arm/cmse/cmse.exp: Test different multilibs separate.
 * gcc.target/arm/cmse/struct-1.c: New.
 * gcc.target/arm/cmse/bitfield-1.c: New.
 * gcc.target/arm/cmse/bitfield-2.c: New.
 * gcc.target/arm/cmse/bitfield-3.c: New.
 * gcc.target/arm/cmse/baseline/cmse-2.c: Test that registers are
cleared.
 * gcc.target/arm/cmse/mainline/soft/cmse-5.c: New.
 * gcc.target/arm/cmse/mainline/hard/cmse-5.c: New.
 * gcc.target/arm/cmse/mainline/hard-sp/cmse-5.c: New.
 * gcc.target/arm/cmse/mainline/softfp/cmse-5.c: New.
 * gcc.target/arm/cmse/mainline/softfp-sp/cmse-5.c: New.

Cheers,
Andre
diff --git a/gcc/config/arm/arm.c b/gcc/config/arm/arm.c
index 
db7e0c842fff1b0aee5059e3ea4813059caa8d03..6a9db85aa879e1c5547908dcc9f036ee37de489e
 100644
--- a/gcc/config/arm/arm.c
+++ b/gcc/config/arm/arm.c
@@ -16297,6 +16297,279 @@ note_invalid_constants (rtx_insn *insn, HOST_WIDE_INT 
address, int do_pushes)
   return;
 }
 
+/* This function computes the clear mask and PADDING_BITS_TO_CLEAR for structs
+   and unions in the context of ARMv8-M Security Extensions.  It is used as a
+   helper function for both 'cmse_nonsecure_call' and 'cmse_nonsecure_entry'
+   functions.  The PADDING_BITS_TO_CLEAR pointer can be the base to either one
+   or four masks, depending on whether it is being computed for a
+   'cmse_nonsecure_entry' return value or a 'cmse_nonsecure_call' argument
+   respectively.  The tree for the type of the argument or a field within an
+   argument is passed in ARG_TYPE, the current register this argument or field
+   starts in is kept in the pointer REGNO and updated accordingly, the bit this
+   argument or field starts at is passed in STARTING_BIT and the last used bit
+   is kept in LAST_USED_BIT which is also updated accordingly.  */
+
+static unsigned HOST_WIDE_INT
+comp_not_to_clear_mask_str_un (tree arg_type, int * regno,
+  uint32_t * padding_bits_to_clear,
+  unsigned starting_bit, int * last_used_bit)
+
+{
+  unsigned HOST_WIDE_INT not_to_clear_reg_mask = 0;
+
+ 
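Review bot: the header comment on comp_not_to_clear_mask_str_un documents ARG_TYPE, REGNO, PADDING_BITS_TO_CLEAR, STARTING_BIT and LAST_USED_BIT but never says what the returned unsigned HOST_WIDE_INT encodes. From the local `not_to_clear_reg_mask` it looks like a per-register bitmask, so please state that in the comment, and say whether the caller must zero-initialise the one or four PADDING_BITS_TO_CLEAR words before the call. Style nit: there is a stray blank `+` line between the parameter list and the opening `{`.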

Re: [PATCHv2 4/7, GCC, ARM, V8M] ARMv8-M Security Extension's cmse_nonsecure_entry: clear registers

2016-11-23 Thread Andre Vieira (lists)
Hi,

After some extra testing I realized there was an issue with the way we
were clearing registers when returning from a cmse_nonsecure_entry
function for ARMv8-M.Baseline.  This patch fixes that and changes the
testcase to catch the issue.

The problem was I was always using LR to clear the registers, however,
due to the way the Thumb-1 backend works, we can't guarantee LR will
contain the address to which we will be returning at the time of
clearing. Instead we use r0 to clear r1-r3 and IP. If the function does
not use r0 to return a value, we clear r0 with 0 before using it to
clear everything else. As for LR, we move the value of the register used
to return into it prior to returning.

This satisfies the requirements of not leaking secure information since
all registers hold either:
- values to return
- 0
- return address

No changes to ChangeLog.

Cheers,
Andre
diff --git a/gcc/config/arm/arm.c b/gcc/config/arm/arm.c
index 
fdbdd423236e7388802bc4bd568f260d95485bbe..0b93ece84b3ebab3c36beeb170a245c29453215d
 100644
--- a/gcc/config/arm/arm.c
+++ b/gcc/config/arm/arm.c
@@ -17499,6 +17499,279 @@ note_invalid_constants (rtx_insn *insn, HOST_WIDE_INT 
address, int do_pushes)
   return;
 }
 
+/* This function computes the clear mask and PADDING_BITS_TO_CLEAR for structs
+   and unions in the context of ARMv8-M Security Extensions.  It is used as a
+   helper function for both 'cmse_nonsecure_call' and 'cmse_nonsecure_entry'
+   functions.  The PADDING_BITS_TO_CLEAR pointer can be the base to either one
+   or four masks, depending on whether it is being computed for a
+   'cmse_nonsecure_entry' return value or a 'cmse_nonsecure_call' argument
+   respectively.  The tree for the type of the argument or a field within an
+   argument is passed in ARG_TYPE, the current register this argument or field
+   starts in is kept in the pointer REGNO and updated accordingly, the bit this
+   argument or field starts at is passed in STARTING_BIT and the last used bit
+   is kept in LAST_USED_BIT which is also updated accordingly.  */
+
+static unsigned HOST_WIDE_INT
+comp_not_to_clear_mask_str_un (tree arg_type, int * regno,
+  uint32_t * padding_bits_to_clear,
+  unsigned starting_bit, int * last_used_bit)
+
+{
+  unsigned HOST_WIDE_INT not_to_clear_reg_mask = 0;
+
+  if (TREE_CODE (arg_type) == RECORD_TYPE)
+{
+  unsigned current_bit = starting_bit;
+  tree field;
+  long int offset, size;
+
+
+  field = TYPE_FIELDS (arg_type);
+  while (field)
+   {
+ /* The offset within a structure is always an offset from
+the start of that structure.  Make sure we take that into the
+calculation of the register based offset that we use here.  */
+ offset = starting_bit;
+ offset += TREE_INT_CST_ELT (DECL_FIELD_BIT_OFFSET (field), 0);
+ offset %= 32;
+
+ /* This is the actual size of the field, for bitfields this is the
+bitfield width and not the container size.  */
+ size = TREE_INT_CST_ELT (DECL_SIZE (field), 0);
+
+ if (*last_used_bit != offset)
+   {
+ if (offset < *last_used_bit)
+   {
+ /* This field's offset is before the 'last_used_bit', that
+means this field goes on the next register.  So we need to
+pad the rest of the current register and increase the
+register number.  */
+ uint32_t mask;
+ mask  = ((uint32_t)-1) - ((uint32_t) 1 << *last_used_bit);
+ mask++;
+
+ padding_bits_to_clear[*regno] |= mask;
+ not_to_clear_reg_mask |= HOST_WIDE_INT_1U << *regno;
+ (*regno)++;
+   }
+ else
+   {
+ /* Otherwise we pad the bits between the last field's end and
+the start of the new field.  */
+ uint32_t mask;
+
+ mask = ((uint32_t)-1) >> (32 - offset);
+ mask -= ((uint32_t) 1 << *last_used_bit) - 1;
+ padding_bits_to_clear[*regno] |= mask;
+   }
+ current_bit = offset;
+   }
+
+ /* Calculate further padding bits for inner structs/unions too.  */
+ if (RECORD_OR_UNION_TYPE_P (TREE_TYPE (field)))
+   {
+ *last_used_bit = current_bit;
+ not_to_clear_reg_mask
+   |= comp_not_to_clear_mask_str_un (TREE_TYPE (field), regno,
+ padding_bits_to_clear, offset,
+ last_used_bit);
+   }
+ else
+   {
+ /* Update 'current_bit' with this field's size.  If the
+'current_bit' lies in a subsequent register, update 'regno' and
+reset 'current_bit' to point to the current bit in that new
+ 
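Review bot: in the `while (field)` loop over TYPE_FIELDS (arg_type), DECL_FIELD_BIT_OFFSET (field) and DECL_SIZE (field) are read on every chain entry without first checking TREE_CODE (field) == FIELD_DECL. The chain can hold entries other than FIELD_DECL (for example in C++ classes), so a skip for non-FIELD_DECL entries at the top of the loop would be safer. In the `offset < *last_used_bit` branch, `(uint32_t) 1 << *last_used_bit` is undefined if *last_used_bit can ever reach 32; since a wrong mask here means padding bits are left uncleared, a gcc_assert on the range (or a comment explaining why 32 cannot occur) would help. `offset` and `size` are declared `long int` and filled with TREE_INT_CST_ELT (..., 0); HOST_WIDE_INT with tree_to_uhwi would match the rest of the function's types.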

Re: [PATCHv2 4/7, GCC, ARM, V8M] ARMv8-M Security Extension's cmse_nonsecure_entry: clear registers

2016-11-08 Thread Kyrill Tkachov


On 28/10/16 17:07, Andre Vieira (lists) wrote:

On 27/10/16 11:44, Kyrill Tkachov wrote:

On 27/10/16 11:00, Andre Vieira (lists) wrote:

On 26/10/16 17:30, Kyrill Tkachov wrote:

On 26/10/16 17:26, Andre Vieira (lists) wrote:

On 26/10/16 13:51, Kyrill Tkachov wrote:

Hi Andre,

On 25/10/16 17:29, Andre Vieira (lists) wrote:

On 24/08/16 12:01, Andre Vieira (lists) wrote:

On 25/07/16 14:23, Andre Vieira (lists) wrote:

This patch extends support for the ARMv8-M Security Extensions
'cmse_nonsecure_entry' attribute to safeguard against leak of
information through unbanked registers.

When returning from a nonsecure entry function we clear all
caller-saved
registers that are not used to pass return values, by writing
either
the
LR, in case of general purpose registers, or the value 0, in case
of FP
registers. We use the LR to write to APSR and FPSCR too. We
currently do
not support entry functions that pass arguments or return
variables on
the stack and we diagnose this. This patch relies on the existing
code
to make sure callee-saved registers used in cmse_nonsecure_entry
functions are saved and restored thus retaining their nonsecure
mode
value, this should be happening already as it is required by AAPCS.

This patch also clears padding bits for cmse_nonsecure_entry
functions
with struct and union return types. For unions a bit is only
considered
a padding bit if it is an unused bit in every field of that union.
The
function that calculates these is used in a later patch to do the
same
for arguments of cmse_nonsecure_call's.

*** gcc/ChangeLog ***
2016-07-25  Andre Vieira
Thomas Preud'homme  

* config/arm/arm.c (output_return_instruction): Clear
registers.
(thumb2_expand_return): Likewise.
(thumb1_expand_epilogue): Likewise.
(thumb_exit): Likewise.
(arm_expand_epilogue): Likewise.
(cmse_nonsecure_entry_clear_before_return): New.
(comp_not_to_clear_mask_str_un): New.
(compute_not_to_clear_mask): New.
* config/arm/thumb1.md (*epilogue_insns): Change length
attribute.
* config/arm/thumb2.md (*thumb2_return): Likewise.

*** gcc/testsuite/ChangeLog ***
2016-07-25  Andre Vieira
Thomas Preud'homme  

* gcc.target/arm/cmse/cmse.exp: Test different multilibs
separate.
* gcc.target/arm/cmse/struct-1.c: New.
* gcc.target/arm/cmse/bitfield-1.c: New.
* gcc.target/arm/cmse/bitfield-2.c: New.
* gcc.target/arm/cmse/bitfield-3.c: New.
* gcc.target/arm/cmse/baseline/cmse-2.c: Test that
registers are
cleared.
* gcc.target/arm/cmse/mainline/soft/cmse-5.c: New.
* gcc.target/arm/cmse/mainline/hard/cmse-5.c: New.
* gcc.target/arm/cmse/mainline/hard-sp/cmse-5.c: New.
* gcc.target/arm/cmse/mainline/softfp/cmse-5.c: New.
* gcc.target/arm/cmse/mainline/softfp-sp/cmse-5.c: New.


Updated this patch to correctly clear only the cumulative
exception-status (0-4,7) and the condition code bits (28-31) of the
FPSCR. I also adapted the code to handle the bigger floating
point
register files.



This patch extends support for the ARMv8-M Security Extensions
'cmse_nonsecure_entry' attribute to safeguard against leak of
information through unbanked registers.

When returning from a nonsecure entry function we clear all
caller-saved
registers that are not used to pass return values, by writing
either the
LR, in case of general purpose registers, or the value 0, in case
of FP
registers. We use the LR to write to APSR. For FPSCR we clear
only the
cumulative exception-status (0-4, 7) and the condition code bits
(28-31). We currently do not support entry functions that pass
arguments
or return variables on the stack and we diagnose this. This patch
relies
on the existing code to make sure callee-saved registers used in
cmse_nonsecure_entry functions are saved and restored thus retaining
their nonsecure mode value, this should be happening already as
it is
required by AAPCS.

This patch also clears padding bits for cmse_nonsecure_entry
functions
with struct and union return types. For unions a bit is only
considered
a padding bit if it is an unused bit in every field of that
union. The
function that calculates these is used in a later patch to do the
same
for arguments of cmse_nonsecure_call's.

*** gcc/ChangeLog ***
2016-07-xx  Andre Vieira
Thomas Preud'homme  

* config/arm/arm.c (output_return_instruction): Clear
registers.
(thumb2_expand_return): Likewise.
(thumb1_expand_epilogue): Likewise.
(thumb_exit): Likewise.
(arm_expand_epilogue): Likewise.
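
The padding-bit rule from the patch description quoted in this message (struct padding is cleared; for unions a bit counts as padding only if it is unused in every member), as an added example that is not part of the thread or of the GCC patch. It is a host-runnable C model for a return value that fits in r0; the names (`struct field`, `struct_padding_mask`, `union_padding_mask`, `scrub_r0`) and the sample layouts, which assume little-endian AAPCS placement, are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: one field of a return value held in r0, described by
   its bit offset inside the register and its width in bits.  */
struct field { unsigned offset; unsigned width; };

/* One union member, itself a list of fields.  */
struct member { const struct field *fields; size_t n; };

/* Bits [offset, offset + width) set, clamped to the 32-bit register and
   written so that no shift count ever reaches 32.  */
static uint32_t bits(unsigned offset, unsigned width)
{
    if (width == 0 || offset >= 32)
        return 0;
    if (width > 32 - offset)
        width = 32 - offset;
    uint32_t m = (width == 32) ? UINT32_MAX : ((UINT32_C(1) << width) - 1);
    return m << offset;
}

/* Struct rule: every bit not covered by some field is padding.  */
static uint32_t struct_padding_mask(const struct field *f, size_t n)
{
    uint32_t used = 0;
    for (size_t i = 0; i < n; i++)
        used |= bits(f[i].offset, f[i].width);
    return ~used;
}

/* Union rule from the thread: a bit is padding only if it is unused in
   every member, i.e. the AND of the per-member padding masks.  */
static uint32_t union_padding_mask(const struct member *m, size_t n)
{
    uint32_t pad = UINT32_MAX;
    for (size_t i = 0; i < n; i++)
        pad &= struct_padding_mask(m[i].fields, m[i].n);
    return pad;
}

/* What must happen to r0 before returning to non-secure state: padding
   bits are forced to zero, value bits are left untouched.  */
static uint32_t scrub_r0(uint32_t r0, uint32_t padding_mask)
{
    return r0 & ~padding_mask;
}

/* Constructed layouts (assumed little-endian AAPCS placement):
   struct S { uint8_t a; uint16_t b; }  -> a: bits 0-7, b: bits 16-31
   struct T { uint8_t x; uint8_t y; }   -> x: bits 0-7, y: bits 8-15
   uint8_t c                            -> bits 0-7  */
static const struct field S_FIELDS[] = { { 0, 8 }, { 16, 16 } };
static const struct field T_FIELDS[] = { { 0, 8 }, { 8, 8 } };
static const struct field C_FIELDS[] = { { 0, 8 } };

/* union { struct S s; struct T t; } and union { struct S s; uint8_t c; } */
static const struct member U_ST[] = { { S_FIELDS, 2 }, { T_FIELDS, 2 } };
static const struct member U_SC[] = { { S_FIELDS, 2 }, { C_FIELDS, 1 } };

int main(void)
{
    /* 0xDEADBEEF stands in for stale secure data left in r0.  */
    uint32_t s_pad = struct_padding_mask(S_FIELDS, 2);
    printf("struct S padding     : 0x%08x\n", (unsigned) s_pad);
    printf("union {S,T} padding  : 0x%08x\n",
           (unsigned) union_padding_mask(U_ST, 2));
    printf("union {S,c} padding  : 0x%08x\n",
           (unsigned) union_padding_mask(U_SC, 2));
    printf("r0 after scrub (S)   : 0x%08x\n",
           (unsigned) scrub_r0(UINT32_C(0xDEADBEEF), s_pad));
    return 0;
}
```

In the `union {S,T}` case each member has padding of its own, yet no bit is padding in both, so nothing in r0 may be cleared for that return type.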

Re: [PATCHv2 4/7, GCC, ARM, V8M] ARMv8-M Security Extension's cmse_nonsecure_entry: clear registers

2016-10-28 Thread Andre Vieira (lists)
On 27/10/16 11:44, Kyrill Tkachov wrote:
> 
> On 27/10/16 11:00, Andre Vieira (lists) wrote:
>> On 26/10/16 17:30, Kyrill Tkachov wrote:
>>> On 26/10/16 17:26, Andre Vieira (lists) wrote:
 On 26/10/16 13:51, Kyrill Tkachov wrote:
> Hi Andre,
>
> On 25/10/16 17:29, Andre Vieira (lists) wrote:
>> On 24/08/16 12:01, Andre Vieira (lists) wrote:
>>> On 25/07/16 14:23, Andre Vieira (lists) wrote:
 This patch extends support for the ARMv8-M Security Extensions
 'cmse_nonsecure_entry' attribute to safeguard against leak of
 information through unbanked registers.

 When returning from a nonsecure entry function we clear all
 caller-saved
 registers that are not used to pass return values, by writing
 either
 the
 LR, in case of general purpose registers, or the value 0, in case
 of FP
 registers. We use the LR to write to APSR and FPSCR too. We
 currently do
 not support entry functions that pass arguments or return
 variables on
 the stack and we diagnose this. This patch relies on the existing
 code
 to make sure callee-saved registers used in cmse_nonsecure_entry
 functions are saved and restored thus retaining their nonsecure
 mode
 value, this should be happening already as it is required by AAPCS.

 This patch also clears padding bits for cmse_nonsecure_entry
 functions
 with struct and union return types. For unions a bit is only
 considered
 a padding bit if it is an unused bit in every field of that union.
 The
 function that calculates these is used in a later patch to do the
 same
 for arguments of cmse_nonsecure_call's.

 *** gcc/ChangeLog ***
 2016-07-25  Andre Vieira
Thomas Preud'homme  

* config/arm/arm.c (output_return_instruction): Clear
registers.
(thumb2_expand_return): Likewise.
(thumb1_expand_epilogue): Likewise.
(thumb_exit): Likewise.
(arm_expand_epilogue): Likewise.
(cmse_nonsecure_entry_clear_before_return): New.
(comp_not_to_clear_mask_str_un): New.
(compute_not_to_clear_mask): New.
* config/arm/thumb1.md (*epilogue_insns): Change length
 attribute.
* config/arm/thumb2.md (*thumb2_return): Likewise.

 *** gcc/testsuite/ChangeLog ***
 2016-07-25  Andre Vieira
Thomas Preud'homme  

* gcc.target/arm/cmse/cmse.exp: Test different multilibs
 separate.
* gcc.target/arm/cmse/struct-1.c: New.
* gcc.target/arm/cmse/bitfield-1.c: New.
* gcc.target/arm/cmse/bitfield-2.c: New.
* gcc.target/arm/cmse/bitfield-3.c: New.
* gcc.target/arm/cmse/baseline/cmse-2.c: Test that
 registers are
 cleared.
* gcc.target/arm/cmse/mainline/soft/cmse-5.c: New.
* gcc.target/arm/cmse/mainline/hard/cmse-5.c: New.
* gcc.target/arm/cmse/mainline/hard-sp/cmse-5.c: New.
* gcc.target/arm/cmse/mainline/softfp/cmse-5.c: New.
* gcc.target/arm/cmse/mainline/softfp-sp/cmse-5.c: New.

>>> Updated this patch to correctly clear only the cumulative
>>> exception-status (0-4,7) and the condition code bits (28-31) of the
>>> FPSCR. I also adapted the code to handle the bigger floating
>>> point
>>> register files.
>>>
>>> 
>>>
>>> This patch extends support for the ARMv8-M Security Extensions
>>> 'cmse_nonsecure_entry' attribute to safeguard against leak of
>>> information through unbanked registers.
>>>
>>> When returning from a nonsecure entry function we clear all
>>> caller-saved
>>> registers that are not used to pass return values, by writing
>>> either the
>>> LR, in case of general purpose registers, or the value 0, in case
>>> of FP
>>> registers. We use the LR to write to APSR. For FPSCR we clear
>>> only the
>>> cumulative exception-status (0-4, 7) and the condition code bits
>>> (28-31). We currently do not support entry functions that pass
>>> arguments
>>> or return variables on the stack and we diagnose this. This patch
>>> relies
>>> on the existing code to make sure callee-saved registers used in
>>> cmse_nonsecure_entry functions are saved and restored thus retaining
>>> their nonsecure mode value, this should be happening 

Re: [PATCHv2 4/7, GCC, ARM, V8M] ARMv8-M Security Extension's cmse_nonsecure_entry: clear registers

2016-10-27 Thread Kyrill Tkachov


On 27/10/16 11:00, Andre Vieira (lists) wrote:

On 26/10/16 17:30, Kyrill Tkachov wrote:

On 26/10/16 17:26, Andre Vieira (lists) wrote:

On 26/10/16 13:51, Kyrill Tkachov wrote:

Hi Andre,

On 25/10/16 17:29, Andre Vieira (lists) wrote:

On 24/08/16 12:01, Andre Vieira (lists) wrote:

On 25/07/16 14:23, Andre Vieira (lists) wrote:

This patch extends support for the ARMv8-M Security Extensions
'cmse_nonsecure_entry' attribute to safeguard against leak of
information through unbanked registers.

When returning from a nonsecure entry function we clear all
caller-saved
registers that are not used to pass return values, by writing either
the
LR, in case of general purpose registers, or the value 0, in case
of FP
registers. We use the LR to write to APSR and FPSCR too. We
currently do
not support entry functions that pass arguments or return
variables on
the stack and we diagnose this. This patch relies on the existing
code
to make sure callee-saved registers used in cmse_nonsecure_entry
functions are saved and restored thus retaining their nonsecure mode
value, this should be happening already as it is required by AAPCS.

This patch also clears padding bits for cmse_nonsecure_entry
functions
with struct and union return types. For unions a bit is only
considered
a padding bit if it is an unused bit in every field of that union.
The
function that calculates these is used in a later patch to do the
same
for arguments of cmse_nonsecure_call's.

*** gcc/ChangeLog ***
2016-07-25  Andre Vieira
   Thomas Preud'homme  

   * config/arm/arm.c (output_return_instruction): Clear
   registers.
   (thumb2_expand_return): Likewise.
   (thumb1_expand_epilogue): Likewise.
   (thumb_exit): Likewise.
   (arm_expand_epilogue): Likewise.
   (cmse_nonsecure_entry_clear_before_return): New.
   (comp_not_to_clear_mask_str_un): New.
   (compute_not_to_clear_mask): New.
   * config/arm/thumb1.md (*epilogue_insns): Change length
attribute.
   * config/arm/thumb2.md (*thumb2_return): Likewise.

*** gcc/testsuite/ChangeLog ***
2016-07-25  Andre Vieira
   Thomas Preud'homme  

   * gcc.target/arm/cmse/cmse.exp: Test different multilibs
separate.
   * gcc.target/arm/cmse/struct-1.c: New.
   * gcc.target/arm/cmse/bitfield-1.c: New.
   * gcc.target/arm/cmse/bitfield-2.c: New.
   * gcc.target/arm/cmse/bitfield-3.c: New.
   * gcc.target/arm/cmse/baseline/cmse-2.c: Test that
registers are
cleared.
   * gcc.target/arm/cmse/mainline/soft/cmse-5.c: New.
   * gcc.target/arm/cmse/mainline/hard/cmse-5.c: New.
   * gcc.target/arm/cmse/mainline/hard-sp/cmse-5.c: New.
   * gcc.target/arm/cmse/mainline/softfp/cmse-5.c: New.
   * gcc.target/arm/cmse/mainline/softfp-sp/cmse-5.c: New.


Updated this patch to correctly clear only the cumulative
exception-status (0-4,7) and the condition code bits (28-31) of the
FPSCR. I also adapted the code to handle the bigger floating point
register files.



This patch extends support for the ARMv8-M Security Extensions
'cmse_nonsecure_entry' attribute to safeguard against leak of
information through unbanked registers.

When returning from a nonsecure entry function we clear all
caller-saved
registers that are not used to pass return values, by writing
either the
LR, in case of general purpose registers, or the value 0, in case
of FP
registers. We use the LR to write to APSR. For FPSCR we clear only the
cumulative exception-status (0-4, 7) and the condition code bits
(28-31). We currently do not support entry functions that pass
arguments
or return variables on the stack and we diagnose this. This patch
relies
on the existing code to make sure callee-saved registers used in
cmse_nonsecure_entry functions are saved and restored thus retaining
their nonsecure mode value, this should be happening already as it is
required by AAPCS.

This patch also clears padding bits for cmse_nonsecure_entry functions
with struct and union return types. For unions a bit is only
considered
a padding bit if it is an unused bit in every field of that union. The
function that calculates these is used in a later patch to do the same
for arguments of cmse_nonsecure_call's.

*** gcc/ChangeLog ***
2016-07-xx  Andre Vieira
   Thomas Preud'homme  

   * config/arm/arm.c (output_return_instruction): Clear
   registers.
   (thumb2_expand_return): Likewise.
   (thumb1_expand_epilogue): Likewise.
   (thumb_exit): Likewise.
   (arm_expand_epilogue): Likewise.
   (cmse_nonsecure_entry_clear_before_return): New.
   (comp_not_to_clear_mask_str_un): New.
   

Re: [PATCHv2 4/7, GCC, ARM, V8M] ARMv8-M Security Extension's cmse_nonsecure_entry: clear registers

2016-10-27 Thread Andre Vieira (lists)
On 26/10/16 17:30, Kyrill Tkachov wrote:
> 
> On 26/10/16 17:26, Andre Vieira (lists) wrote:
>> On 26/10/16 13:51, Kyrill Tkachov wrote:
>>> Hi Andre,
>>>
>>> On 25/10/16 17:29, Andre Vieira (lists) wrote:
 On 24/08/16 12:01, Andre Vieira (lists) wrote:
> On 25/07/16 14:23, Andre Vieira (lists) wrote:
>> This patch extends support for the ARMv8-M Security Extensions
>> 'cmse_nonsecure_entry' attribute to safeguard against leak of
>> information through unbanked registers.
>>
>> When returning from a nonsecure entry function we clear all
>> caller-saved
>> registers that are not used to pass return values, by writing either
>> the
>> LR, in case of general purpose registers, or the value 0, in case
>> of FP
>> registers. We use the LR to write to APSR and FPSCR too. We
>> currently do
>> not support entry functions that pass arguments or return
>> variables on
>> the stack and we diagnose this. This patch relies on the existing
>> code
>> to make sure callee-saved registers used in cmse_nonsecure_entry
>> functions are saved and restored thus retaining their nonsecure mode
>> value, this should be happening already as it is required by AAPCS.
>>
>> This patch also clears padding bits for cmse_nonsecure_entry
>> functions
>> with struct and union return types. For unions a bit is only
>> considered
>> a padding bit if it is an unused bit in every field of that union.
>> The
>> function that calculates these is used in a later patch to do the
>> same
>> for arguments of cmse_nonsecure_call's.
>>
>> *** gcc/ChangeLog ***
>> 2016-07-25  Andre Vieira
>>   Thomas Preud'homme  
>>
>>   * config/arm/arm.c (output_return_instruction): Clear
>>   registers.
>>   (thumb2_expand_return): Likewise.
>>   (thumb1_expand_epilogue): Likewise.
>>   (thumb_exit): Likewise.
>>   (arm_expand_epilogue): Likewise.
>>   (cmse_nonsecure_entry_clear_before_return): New.
>>   (comp_not_to_clear_mask_str_un): New.
>>   (compute_not_to_clear_mask): New.
>>   * config/arm/thumb1.md (*epilogue_insns): Change length
>> attribute.
>>   * config/arm/thumb2.md (*thumb2_return): Likewise.
>>
>> *** gcc/testsuite/ChangeLog ***
>> 2016-07-25  Andre Vieira
>>   Thomas Preud'homme  
>>
>>   * gcc.target/arm/cmse/cmse.exp: Test different multilibs
>> separate.
>>   * gcc.target/arm/cmse/struct-1.c: New.
>>   * gcc.target/arm/cmse/bitfield-1.c: New.
>>   * gcc.target/arm/cmse/bitfield-2.c: New.
>>   * gcc.target/arm/cmse/bitfield-3.c: New.
>>   * gcc.target/arm/cmse/baseline/cmse-2.c: Test that
>> registers are
>> cleared.
>>   * gcc.target/arm/cmse/mainline/soft/cmse-5.c: New.
>>   * gcc.target/arm/cmse/mainline/hard/cmse-5.c: New.
>>   * gcc.target/arm/cmse/mainline/hard-sp/cmse-5.c: New.
>>   * gcc.target/arm/cmse/mainline/softfp/cmse-5.c: New.
>>   * gcc.target/arm/cmse/mainline/softfp-sp/cmse-5.c: New.
>>
> Updated this patch to correctly clear only the cumulative
> exception-status (0-4,7) and the condition code bits (28-31) of the
> FPSCR. I also adapted the code to handle the bigger floating point
> register files.
>
> 
>
> This patch extends support for the ARMv8-M Security Extensions
> 'cmse_nonsecure_entry' attribute to safeguard against leak of
> information through unbanked registers.
>
> When returning from a nonsecure entry function we clear all
> caller-saved
> registers that are not used to pass return values, by writing
> either the
> LR, in case of general purpose registers, or the value 0, in case
> of FP
> registers. We use the LR to write to APSR. For FPSCR we clear only the
> cumulative exception-status (0-4, 7) and the condition code bits
> (28-31). We currently do not support entry functions that pass
> arguments
> or return variables on the stack and we diagnose this. This patch
> relies
> on the existing code to make sure callee-saved registers used in
> cmse_nonsecure_entry functions are saved and restored thus retaining
> their nonsecure mode value, this should be happening already as it is
> required by AAPCS.
>
> This patch also clears padding bits for cmse_nonsecure_entry functions
> with struct and union return types. For unions a bit is only
> considered
> a padding bit if it is an unused bit in every field of that union. The
> function that calculates these is used in a later patch 

Re: [PATCHv2 4/7, GCC, ARM, V8M] ARMv8-M Security Extension's cmse_nonsecure_entry: clear registers

2016-10-26 Thread Kyrill Tkachov


On 26/10/16 17:26, Andre Vieira (lists) wrote:

On 26/10/16 13:51, Kyrill Tkachov wrote:

Hi Andre,

On 25/10/16 17:29, Andre Vieira (lists) wrote:

On 24/08/16 12:01, Andre Vieira (lists) wrote:

On 25/07/16 14:23, Andre Vieira (lists) wrote:

This patch extends support for the ARMv8-M Security Extensions
'cmse_nonsecure_entry' attribute to safeguard against leak of
information through unbanked registers.

When returning from a nonsecure entry function we clear all
caller-saved
registers that are not used to pass return values, by writing either
the
LR, in case of general purpose registers, or the value 0, in case of FP
registers. We use the LR to write to APSR and FPSCR too. We
currently do
not support entry functions that pass arguments or return variables on
the stack and we diagnose this. This patch relies on the existing code
to make sure callee-saved registers used in cmse_nonsecure_entry
functions are saved and restored thus retaining their nonsecure mode
value, this should be happening already as it is required by AAPCS.

This patch also clears padding bits for cmse_nonsecure_entry functions
with struct and union return types. For unions a bit is only considered
a padding bit if it is an unused bit in every field of that union. The
function that calculates these is used in a later patch to do the same
for arguments of cmse_nonsecure_call's.

*** gcc/ChangeLog ***
2016-07-25  Andre Vieira
  Thomas Preud'homme  

  * config/arm/arm.c (output_return_instruction): Clear
  registers.
  (thumb2_expand_return): Likewise.
  (thumb1_expand_epilogue): Likewise.
  (thumb_exit): Likewise.
  (arm_expand_epilogue): Likewise.
  (cmse_nonsecure_entry_clear_before_return): New.
  (comp_not_to_clear_mask_str_un): New.
  (compute_not_to_clear_mask): New.
  * config/arm/thumb1.md (*epilogue_insns): Change length
attribute.
  * config/arm/thumb2.md (*thumb2_return): Likewise.

*** gcc/testsuite/ChangeLog ***
2016-07-25  Andre Vieira
  Thomas Preud'homme  

  * gcc.target/arm/cmse/cmse.exp: Test different multilibs
separate.
  * gcc.target/arm/cmse/struct-1.c: New.
  * gcc.target/arm/cmse/bitfield-1.c: New.
  * gcc.target/arm/cmse/bitfield-2.c: New.
  * gcc.target/arm/cmse/bitfield-3.c: New.
  * gcc.target/arm/cmse/baseline/cmse-2.c: Test that
registers are
cleared.
  * gcc.target/arm/cmse/mainline/soft/cmse-5.c: New.
  * gcc.target/arm/cmse/mainline/hard/cmse-5.c: New.
  * gcc.target/arm/cmse/mainline/hard-sp/cmse-5.c: New.
  * gcc.target/arm/cmse/mainline/softfp/cmse-5.c: New.
  * gcc.target/arm/cmse/mainline/softfp-sp/cmse-5.c: New.


Updated this patch to correctly clear only the cumulative
exception-status (0-4,7) and the condition code bits (28-31) of the
FPSCR. I also adapted the code to handle the bigger floating point
register files.



This patch extends support for the ARMv8-M Security Extensions
'cmse_nonsecure_entry' attribute to safeguard against leak of
information through unbanked registers.

When returning from a nonsecure entry function we clear all caller-saved
registers that are not used to pass return values, by writing either the
LR, in case of general purpose registers, or the value 0, in case of FP
registers. We use the LR to write to APSR. For FPSCR we clear only the
cumulative exception-status (0-4, 7) and the condition code bits
(28-31). We currently do not support entry functions that pass arguments
or return variables on the stack and we diagnose this. This patch relies
on the existing code to make sure callee-saved registers used in
cmse_nonsecure_entry functions are saved and restored thus retaining
their nonsecure mode value, this should be happening already as it is
required by AAPCS.

This patch also clears padding bits for cmse_nonsecure_entry functions
with struct and union return types. For unions a bit is only considered
a padding bit if it is an unused bit in every field of that union. The
function that calculates these is used in a later patch to do the same
for arguments of cmse_nonsecure_call's.

*** gcc/ChangeLog ***
2016-07-xx  Andre Vieira
  Thomas Preud'homme  

  * config/arm/arm.c (output_return_instruction): Clear
  registers.
  (thumb2_expand_return): Likewise.
  (thumb1_expand_epilogue): Likewise.
  (thumb_exit): Likewise.
  (arm_expand_epilogue): Likewise.
  (cmse_nonsecure_entry_clear_before_return): New.
  (comp_not_to_clear_mask_str_un): New.
  (compute_not_to_clear_mask): New.
  * config/arm/thumb1.md (*epilogue_insns): Change length
attribute.
  * 

Re: [PATCHv2 4/7, GCC, ARM, V8M] ARMv8-M Security Extension's cmse_nonsecure_entry: clear registers

2016-10-26 Thread Andre Vieira (lists)
On 26/10/16 13:51, Kyrill Tkachov wrote:
> Hi Andre,
> 
> On 25/10/16 17:29, Andre Vieira (lists) wrote:
>> On 24/08/16 12:01, Andre Vieira (lists) wrote:
>>> On 25/07/16 14:23, Andre Vieira (lists) wrote:
>>>> This patch extends support for the ARMv8-M Security Extensions
>>>> 'cmse_nonsecure_entry' attribute to safeguard against leak of
>>>> information through unbanked registers.
>>>>
>>>> When returning from a nonsecure entry function we clear all
>>>> caller-saved
>>>> registers that are not used to pass return values, by writing either
>>>> the
>>>> LR, in case of general purpose registers, or the value 0, in case of FP
>>>> registers. We use the LR to write to APSR and FPSCR too. We
>>>> currently do
>>>> not support entry functions that pass arguments or return variables on
>>>> the stack and we diagnose this. This patch relies on the existing code
>>>> to make sure callee-saved registers used in cmse_nonsecure_entry
>>>> functions are saved and restored thus retaining their nonsecure mode
>>>> value, this should be happening already as it is required by AAPCS.
>>>>
>>>> This patch also clears padding bits for cmse_nonsecure_entry functions
>>>> with struct and union return types. For unions a bit is only considered
>>>> a padding bit if it is an unused bit in every field of that union. The
>>>> function that calculates these is used in a later patch to do the same
>>>> for arguments of cmse_nonsecure_call's.
>>>>
>>>> *** gcc/ChangeLog ***
>>>> 2016-07-25  Andre Vieira
>>>>  Thomas Preud'homme
>>>>
>>>>  * config/arm/arm.c (output_return_instruction): Clear
>>>>  registers.
>>>>  (thumb2_expand_return): Likewise.
>>>>  (thumb1_expand_epilogue): Likewise.
>>>>  (thumb_exit): Likewise.
>>>>  (arm_expand_epilogue): Likewise.
>>>>  (cmse_nonsecure_entry_clear_before_return): New.
>>>>  (comp_not_to_clear_mask_str_un): New.
>>>>  (compute_not_to_clear_mask): New.
>>>>  * config/arm/thumb1.md (*epilogue_insns): Change length
>>>> attribute.
>>>>  * config/arm/thumb2.md (*thumb2_return): Likewise.
>>>>
>>>> *** gcc/testsuite/ChangeLog ***
>>>> 2016-07-25  Andre Vieira
>>>>  Thomas Preud'homme
>>>>
>>>>  * gcc.target/arm/cmse/cmse.exp: Test different multilibs
>>>> separate.
>>>>  * gcc.target/arm/cmse/struct-1.c: New.
>>>>  * gcc.target/arm/cmse/bitfield-1.c: New.
>>>>  * gcc.target/arm/cmse/bitfield-2.c: New.
>>>>  * gcc.target/arm/cmse/bitfield-3.c: New.
>>>>  * gcc.target/arm/cmse/baseline/cmse-2.c: Test that
>>>> registers are
>>>> cleared.
>>>>  * gcc.target/arm/cmse/mainline/soft/cmse-5.c: New.
>>>>  * gcc.target/arm/cmse/mainline/hard/cmse-5.c: New.
>>>>  * gcc.target/arm/cmse/mainline/hard-sp/cmse-5.c: New.
>>>>  * gcc.target/arm/cmse/mainline/softfp/cmse-5.c: New.
>>>>  * gcc.target/arm/cmse/mainline/softfp-sp/cmse-5.c: New.

>>> Updated this patch to correctly clear only the cumulative
>>> exception-status (0-4,7) and the condition code bits (28-31) of the
>>> FPSCR. I also adapted the code to handle the bigger floating point
>>> register files.
>>>
>>> 
>>>
>>> This patch extends support for the ARMv8-M Security Extensions
>>> 'cmse_nonsecure_entry' attribute to safeguard against leak of
>>> information through unbanked registers.
>>>
>>> When returning from a nonsecure entry function we clear all caller-saved
>>> registers that are not used to pass return values, by writing either the
>>> LR, in case of general purpose registers, or the value 0, in case of FP
>>> registers. We use the LR to write to APSR. For FPSCR we clear only the
>>> cumulative exception-status (0-4, 7) and the condition code bits
>>> (28-31). We currently do not support entry functions that pass arguments
>>> or return variables on the stack and we diagnose this. This patch relies
>>> on the existing code to make sure callee-saved registers used in
>>> cmse_nonsecure_entry functions are saved and restored thus retaining
>>> their nonsecure mode value, this should be happening already as it is
>>> required by AAPCS.
>>>
>>> This patch also clears padding bits for cmse_nonsecure_entry functions
>>> with struct and union return types. For unions a bit is only considered
>>> a padding bit if it is an unused bit in every field of that union. The
>>> function that calculates these is used in a later patch to do the same
>>> for arguments of cmse_nonsecure_call's.
>>>
>>> *** gcc/ChangeLog ***
>>> 2016-07-xx  Andre Vieira
>>>  Thomas Preud'homme  
>>>
>>>  * config/arm/arm.c (output_return_instruction): Clear
>>>  registers.
>>>  (thumb2_expand_return): Likewise.
>>>  

Re: [PATCHv2 4/7, GCC, ARM, V8M] ARMv8-M Security Extension's cmse_nonsecure_entry: clear registers

2016-10-26 Thread Kyrill Tkachov

Hi Andre,

On 25/10/16 17:29, Andre Vieira (lists) wrote:

On 24/08/16 12:01, Andre Vieira (lists) wrote:

On 25/07/16 14:23, Andre Vieira (lists) wrote:

This patch extends support for the ARMv8-M Security Extensions
'cmse_nonsecure_entry' attribute to safeguard against leak of
information through unbanked registers.

When returning from a nonsecure entry function we clear all caller-saved
registers that are not used to pass return values, by writing either the
LR, in case of general purpose registers, or the value 0, in case of FP
registers. We use the LR to write to APSR and FPSCR too. We currently do
not support entry functions that pass arguments or return variables on
the stack and we diagnose this. This patch relies on the existing code
to make sure callee-saved registers used in cmse_nonsecure_entry
functions are saved and restored thus retaining their nonsecure mode
value, this should be happening already as it is required by AAPCS.

This patch also clears padding bits for cmse_nonsecure_entry functions
with struct and union return types. For unions a bit is only considered
a padding bit if it is an unused bit in every field of that union. The
function that calculates these is used in a later patch to do the same
for arguments of cmse_nonsecure_call's.

*** gcc/ChangeLog ***
2016-07-25  Andre Vieira
 Thomas Preud'homme  

 * config/arm/arm.c (output_return_instruction): Clear
 registers.
 (thumb2_expand_return): Likewise.
 (thumb1_expand_epilogue): Likewise.
 (thumb_exit): Likewise.
 (arm_expand_epilogue): Likewise.
 (cmse_nonsecure_entry_clear_before_return): New.
 (comp_not_to_clear_mask_str_un): New.
 (compute_not_to_clear_mask): New.
 * config/arm/thumb1.md (*epilogue_insns): Change length attribute.
 * config/arm/thumb2.md (*thumb2_return): Likewise.

*** gcc/testsuite/ChangeLog ***
2016-07-25  Andre Vieira
 Thomas Preud'homme  

 * gcc.target/arm/cmse/cmse.exp: Test different multilibs separate.
 * gcc.target/arm/cmse/struct-1.c: New.
 * gcc.target/arm/cmse/bitfield-1.c: New.
 * gcc.target/arm/cmse/bitfield-2.c: New.
 * gcc.target/arm/cmse/bitfield-3.c: New.
 * gcc.target/arm/cmse/baseline/cmse-2.c: Test that registers are
cleared.
 * gcc.target/arm/cmse/mainline/soft/cmse-5.c: New.
 * gcc.target/arm/cmse/mainline/hard/cmse-5.c: New.
 * gcc.target/arm/cmse/mainline/hard-sp/cmse-5.c: New.
 * gcc.target/arm/cmse/mainline/softfp/cmse-5.c: New.
 * gcc.target/arm/cmse/mainline/softfp-sp/cmse-5.c: New.


Updated this patch to correctly clear only the cumulative
exception-status (0-4,7) and the condition code bits (28-31) of the
FPSCR. I also adapted the code to handle the bigger floating point
register files.



This patch extends support for the ARMv8-M Security Extensions
'cmse_nonsecure_entry' attribute to safeguard against leak of
information through unbanked registers.

When returning from a nonsecure entry function we clear all caller-saved
registers that are not used to pass return values, by writing either the
LR, in case of general purpose registers, or the value 0, in case of FP
registers. We use the LR to write to APSR. For FPSCR we clear only the
cumulative exception-status (0-4, 7) and the condition code bits
(28-31). We currently do not support entry functions that pass arguments
or return variables on the stack and we diagnose this. This patch relies
on the existing code to make sure callee-saved registers used in
cmse_nonsecure_entry functions are saved and restored thus retaining
their nonsecure mode value, this should be happening already as it is
required by AAPCS.

This patch also clears padding bits for cmse_nonsecure_entry functions
with struct and union return types. For unions a bit is only considered
a padding bit if it is an unused bit in every field of that union. The
function that calculates these is used in a later patch to do the same
for arguments of cmse_nonsecure_call's.

*** gcc/ChangeLog ***
2016-07-xx  Andre Vieira
 Thomas Preud'homme  

 * config/arm/arm.c (output_return_instruction): Clear
 registers.
 (thumb2_expand_return): Likewise.
 (thumb1_expand_epilogue): Likewise.
 (thumb_exit): Likewise.
 (arm_expand_epilogue): Likewise.
 (cmse_nonsecure_entry_clear_before_return): New.
 (comp_not_to_clear_mask_str_un): New.
 (compute_not_to_clear_mask): New.
 * config/arm/thumb1.md (*epilogue_insns): Change length attribute.
 * config/arm/thumb2.md (*thumb2_return): Duplicate pattern for
 cmse_nonsecure_entry functions.

*** gcc/testsuite/ChangeLog ***
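
The union padding rule and the FPSCR bit ranges described in this thread, as an added example that is not part of the original messages or of the GCC patch. The `field`/`member` model, the function names and the sample union layout are constructed for illustration and do not reproduce AAPCS bit-field layout or GCC's `compute_not_to_clear_mask`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not GCC's implementation: a bit-field occupying bits
   [lsb, lsb + width) of the 32-bit value returned in r0. */
struct field { unsigned lsb, width; };
struct member { const struct field *fields; size_t n; };

static uint32_t field_bits(unsigned lsb, unsigned width)
{
    uint32_t m = (width >= 32) ? UINT32_MAX : ((UINT32_C(1) << width) - 1);
    return m << lsb;
}

/* Bits that carry data when the value is viewed as one member. */
uint32_t used_bits(const struct member *m)
{
    uint32_t used = 0;
    for (size_t i = 0; i < m->n; i++)
        used |= field_bits(m->fields[i].lsb, m->fields[i].width);
    return used;
}

/* Union rule from the thread: a bit is padding only if it is unused in
   every member, so the union's padding is the AND of each member's. */
uint32_t union_padding(const struct member *members, size_t n)
{
    uint32_t padding = UINT32_MAX;
    for (size_t i = 0; i < n; i++)
        padding &= ~used_bits(&members[i]);
    return padding;
}

/* Value the non-secure caller sees once padding bits are cleared. */
uint32_t clear_padding(uint32_t r0, uint32_t padding) { return r0 & ~padding; }

/* FPSCR bits named in the thread: cumulative exception-status bits 0-4
   and 7, condition code bits 28-31. */
#define FPSCR_CLEAR_MASK (UINT32_C(0x1F) | UINT32_C(0x80) | UINT32_C(0xF0000000))

uint32_t clear_fpscr(uint32_t fpscr) { return fpscr & ~FPSCR_CLEAR_MASK; }

/* Constructed sample union: member A uses bits 0-4 and 8-15,
   member B uses bits 0-2 and 16-19. */
static const struct field a_fields[] = { {0, 5}, {8, 8} };
static const struct field b_fields[] = { {0, 3}, {16, 4} };
static const struct member demo_union[] = { { a_fields, 2 }, { b_fields, 2 } };

int main(void)
{
    uint32_t pad = union_padding(demo_union, 2);
    printf("union padding mask : 0x%08X\n", (unsigned)pad);
    printf("r0 after clearing  : 0x%08X\n",
           (unsigned)clear_padding(UINT32_C(0xDEADBEEF), pad));
    printf("FPSCR after clear  : 0x%08X\n",
           (unsigned)clear_fpscr(UINT32_MAX));
    return 0;
}
```

Bits 5-7 are unused in member A but also unused in member B, so they count as padding; bits 3-4 are unused only in B and therefore survive the clear.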

Re: [PATCHv2 4/7, GCC, ARM, V8M] ARMv8-M Security Extension's cmse_nonsecure_entry: clear registers

2016-10-25 Thread Andre Vieira (lists)
On 24/08/16 12:01, Andre Vieira (lists) wrote:
> On 25/07/16 14:23, Andre Vieira (lists) wrote:
>> This patch extends support for the ARMv8-M Security Extensions
>> 'cmse_nonsecure_entry' attribute to safeguard against leak of
>> information through unbanked registers.
>>
>> When returning from a nonsecure entry function we clear all caller-saved
>> registers that are not used to pass return values, by writing either the
>> LR, in case of general purpose registers, or the value 0, in case of FP
>> registers. We use the LR to write to APSR and FPSCR too. We currently do
>> not support entry functions that pass arguments or return variables on
>> the stack and we diagnose this. This patch relies on the existing code
>> to make sure callee-saved registers used in cmse_nonsecure_entry
>> functions are saved and restored thus retaining their nonsecure mode
>> value, this should be happening already as it is required by AAPCS.
>>
>> This patch also clears padding bits for cmse_nonsecure_entry functions
>> with struct and union return types. For unions a bit is only considered
>> a padding bit if it is an unused bit in every field of that union. The
>> function that calculates these is used in a later patch to do the same
>> for arguments of cmse_nonsecure_call's.
>>
>> *** gcc/ChangeLog ***
>> 2016-07-25  Andre Vieira
>> Thomas Preud'homme  
>>
>> * config/arm/arm.c (output_return_instruction): Clear
>> registers.
>> (thumb2_expand_return): Likewise.
>> (thumb1_expand_epilogue): Likewise.
>> (thumb_exit): Likewise.
>> (arm_expand_epilogue): Likewise.
>> (cmse_nonsecure_entry_clear_before_return): New.
>> (comp_not_to_clear_mask_str_un): New.
>> (compute_not_to_clear_mask): New.
>> * config/arm/thumb1.md (*epilogue_insns): Change length attribute.
>> * config/arm/thumb2.md (*thumb2_return): Likewise.
>>
>> *** gcc/testsuite/ChangeLog ***
>> 2016-07-25  Andre Vieira
>> Thomas Preud'homme  
>>
>> * gcc.target/arm/cmse/cmse.exp: Test different multilibs separate.
>> * gcc.target/arm/cmse/struct-1.c: New.
>> * gcc.target/arm/cmse/bitfield-1.c: New.
>> * gcc.target/arm/cmse/bitfield-2.c: New.
>> * gcc.target/arm/cmse/bitfield-3.c: New.
>> * gcc.target/arm/cmse/baseline/cmse-2.c: Test that registers are
>> cleared.
>> * gcc.target/arm/cmse/mainline/soft/cmse-5.c: New.
>> * gcc.target/arm/cmse/mainline/hard/cmse-5.c: New.
>> * gcc.target/arm/cmse/mainline/hard-sp/cmse-5.c: New.
>> * gcc.target/arm/cmse/mainline/softfp/cmse-5.c: New.
>> * gcc.target/arm/cmse/mainline/softfp-sp/cmse-5.c: New.
>>
> 
> Updated this patch to correctly clear only the cumulative
> exception-status (0-4,7) and the condition code bits (28-31) of the
> FPSCR. I also adapted the code to handle the bigger floating point
> register files.
> 
> 
> 
> This patch extends support for the ARMv8-M Security Extensions
> 'cmse_nonsecure_entry' attribute to safeguard against leak of
> information through unbanked registers.
> 
> When returning from a nonsecure entry function we clear all caller-saved
> registers that are not used to pass return values, by writing either the
> LR, in case of general purpose registers, or the value 0, in case of FP
> registers. We use the LR to write to APSR. For FPSCR we clear only the
> cumulative exception-status (0-4, 7) and the condition code bits
> (28-31). We currently do not support entry functions that pass arguments
> or return variables on the stack and we diagnose this. This patch relies
> on the existing code to make sure callee-saved registers used in
> cmse_nonsecure_entry functions are saved and restored thus retaining
> their nonsecure mode value, this should be happening already as it is
> required by AAPCS.
> 
> This patch also clears padding bits for cmse_nonsecure_entry functions
> with struct and union return types. For unions a bit is only considered
> a padding bit if it is an unused bit in every field of that union. The
> function that calculates these is used in a later patch to do the same
> for arguments of cmse_nonsecure_call's.
> 
> *** gcc/ChangeLog ***
> 2016-07-xx  Andre Vieira
> Thomas Preud'homme  
> 
> * config/arm/arm.c (output_return_instruction): Clear
> registers.
> (thumb2_expand_return): Likewise.
> (thumb1_expand_epilogue): Likewise.
> (thumb_exit): Likewise.
> (arm_expand_epilogue): Likewise.
> (cmse_nonsecure_entry_clear_before_return): New.
> (comp_not_to_clear_mask_str_un): New.
> (compute_not_to_clear_mask): New.
> * config/arm/thumb1.md (*epilogue_insns): Change length attribute.
>