Enable pointer authentication
In the same way as in TF-A, make branch protection selectable
via the BRANCH_PROTECTION variable:
unset: Default value. mbranch-protection flag is not provided
0: Turns off all types of branch protection
1: Enables all types of branch protection features
2: Return address signing to its standard level
3: Extend the signing to include leaf functions
4: Turn on branch target identification mechanism
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: Ide8035599e131986e7bcfd50d0a3b5234ac6354f
diff --git a/environments/opteesp/default_toolchain_file.cmake b/environments/opteesp/default_toolchain_file.cmake
index 613cd43..b150b85 100644
--- a/environments/opteesp/default_toolchain_file.cmake
+++ b/environments/opteesp/default_toolchain_file.cmake
@@ -25,18 +25,26 @@
set(TS_MANDATORY_LINKER_FLAGS "-pie -Wl,--as-needed -Wl,--sort-section=alignment -zmax-page-size=4096"
CACHE STRING "Linker flags needed for correct builds.")
-set(BTI_ENABLED unset CACHE STRING "Enable Branch Target Identification (BTI)")
-set_property(CACHE BTI_ENABLED PROPERTY STRINGS unset OFF ON)
+# branch-protection enables bti/pac while compile force-bti tells the linker to
+# warn if some object files lack the .note.gnu.property section with the BTI
+# flag, and to turn on the BTI flag in the output anyway.
+set(BRANCH_PROTECTION unset CACHE STRING "Enable branch protection")
+set_property(CACHE BRANCH_PROTECTION PROPERTY STRINGS unset 0 1 2 3 4)
-if(BTI_ENABLED STREQUAL "ON")
- # branch-protection enables bti while compile force-bti tells the linker to
- # warn if some object files lack the .note.gnu.property section with the BTI
- # flag, and to turn on the BTI flag in the output anyway.
+if(BRANCH_PROTECTION STREQUAL "0")
+ set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=none")
+elseif(BRANCH_PROTECTION STREQUAL "1")
+ set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=standard")
+ set(TS_MANDATORY_LINKER_FLAGS "${TS_MANDATORY_LINKER_FLAGS} -zforce-bti")
+ add_compile_definitions("BTI_ENABLED")
+elseif(BRANCH_PROTECTION STREQUAL "2")
+ set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=pac-ret")
+elseif(BRANCH_PROTECTION STREQUAL "3")
+ set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=pac-ret+leaf")
+elseif(BRANCH_PROTECTION STREQUAL "4")
set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=bti")
set(TS_MANDATORY_LINKER_FLAGS "${TS_MANDATORY_LINKER_FLAGS} -zforce-bti")
add_compile_definitions("BTI_ENABLED")
-elseif(BTI_ENABLED STREQUAL "OFF")
- set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=none")
endif()
# Set flags affecting all build types
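Review bot: The if/elseif chain on BRANCH_PROTECTION has no terminal else, so any value other than 0-4 (a typo such as "5", or the old "ON"/"OFF" spellings from BTI_ENABLED that existing build scripts may still pass) silently falls through and the build gets no -mbranch-protection flag and no BTI_ENABLED define, with no diagnostic; since the STRINGS property on the cache entry is only a GUI hint and does not reject other values, the hardening can be dropped without anyone noticing. Please fail the configure step explicitly for unknown values by adding, before the final `endif()`, `elseif(NOT BRANCH_PROTECTION STREQUAL "unset")` / `message(FATAL_ERROR "Invalid BRANCH_PROTECTION value '${BRANCH_PROTECTION}', expected one of: unset, 0, 1, 2, 3, 4")`. While there, quoting the left operand as `"${BRANCH_PROTECTION}"` in each comparison avoids CMake's variable auto-dereference in if(). It would also help to note in the comment above the cache entry that the pac-ret variants (2 and 3) only defend the return address if the PAC keys are initialised by the SP's runtime, which this toolchain file cannot guarantee on its own.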