Add BTI enablement in TS
Add BTI_ENABLED option which enables bti in the sp,
opteesp and arm-linux environments.
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: I2ed477f52000839c61d4f0631c5fd19465c5b7a3
diff --git a/environments/arm-linux/default_toolchain_file.cmake b/environments/arm-linux/default_toolchain_file.cmake
index d5efc4c..308c2a7 100644
--- a/environments/arm-linux/default_toolchain_file.cmake
+++ b/environments/arm-linux/default_toolchain_file.cmake
@@ -22,6 +22,19 @@
set(TS_WARNING_FLAGS "-Wall -Werror" CACHE STRING "Compiler flags affecting generating warning messages.")
set(TS_MANDATORY_LINKER_FLAGS "" CACHE STRING "Linker flags needed for correct builds.")
+set(BTI_ENABLED unset CACHE STRING "Enable Branch Target Identification (BTI)")
+set_property(CACHE BTI_ENABLED PROPERTY STRINGS unset OFF ON)
+
+if(BTI_ENABLED STREQUAL "ON")
+ # branch-protection enables bti while compile force-bti tells the linker to
+ # warn if some object files lack the .note.gnu.property section with the BTI
+ # flag, and to turn on the BTI flag in the output anyway.
+ set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=bti")
+ set(TS_MANDATORY_LINKER_FLAGS "${TS_MANDATORY_LINKER_FLAGS} -zforce-bti")
+elseif(BTI_ENABLED STREQUAL "OFF")
+ set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=none")
+endif()
+
# Set flags affecting all build types
string(APPEND CMAKE_C_FLAGS_INIT " ${TS_MANDATORY_AARCH_FLAGS}")
string(APPEND CMAKE_CXX_FLAGS_INIT " ${TS_MANDATORY_AARCH_FLAGS}")
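Review bot: Any BTI_ENABLED value other than the exact, case-sensitive strings `ON` and `OFF` falls through the `if`/`elseif` silently, so `-DBTI_ENABLED=1`, `TRUE` or `on` configures a build with no branch-protection flag and no diagnostic. The `STRINGS` property only populates the GUI drop-down; it does not validate command-line values. For a hardening switch this is worth rejecting: before `endif()` add `elseif(NOT BTI_ENABLED STREQUAL "unset")` followed by `message(FATAL_ERROR "BTI_ENABLED must be unset, OFF or ON (got '${BTI_ENABLED}')")`. The same block is repeated in the opteesp and sp toolchain files.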
diff --git a/environments/opteesp/default_toolchain_file.cmake b/environments/opteesp/default_toolchain_file.cmake
index 11b689e..00ddf89 100644
--- a/environments/opteesp/default_toolchain_file.cmake
+++ b/environments/opteesp/default_toolchain_file.cmake
@@ -25,6 +25,19 @@
set(TS_MANDATORY_LINKER_FLAGS "-pie -Wl,--as-needed -Wl,--sort-section=alignment -zmax-page-size=4096"
CACHE STRING "Linker flags needed for correct builds.")
+set(BTI_ENABLED unset CACHE STRING "Enable Branch Target Identification (BTI)")
+set_property(CACHE BTI_ENABLED PROPERTY STRINGS unset OFF ON)
+
+if(BTI_ENABLED STREQUAL "ON")
+ # branch-protection enables bti while compile force-bti tells the linker to
+ # warn if some object files lack the .note.gnu.property section with the BTI
+ # flag, and to turn on the BTI flag in the output anyway.
+ set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=bti")
+ set(TS_MANDATORY_LINKER_FLAGS "${TS_MANDATORY_LINKER_FLAGS} -zforce-bti")
+elseif(BTI_ENABLED STREQUAL "OFF")
+ set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=none")
+endif()
+
# Set flags affecting all build types
string(APPEND CMAKE_C_FLAGS_INIT " ${TS_MANDATORY_AARCH_FLAGS}")
string(APPEND CMAKE_CXX_FLAGS_INIT " ${TS_MANDATORY_AARCH_FLAGS}")
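Review bot: `-zforce-bti` only makes the linker warn when an input object lacks the BTI property and then marks the output as BTI-enabled anyway, as the comment in this block says. An object built without landing pads (a prebuilt C library or a hand-written assembly file, for example) would then presumably show up as a branch-target fault at run time rather than as a build failure. A compiler-side `-Werror`, where an environment sets one, does not cover linker warnings. Consider failing the link instead, e.g. by appending `-Wl,--fatal-warnings` next to `-zforce-bti`, or state in the comment that the warning must be treated as a blocker. This applies equally to the arm-linux and sp toolchain files.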
diff --git a/environments/opteesp/sp.ld.S b/environments/opteesp/sp.ld.S
index a3999f2..e5d3545 100644
--- a/environments/opteesp/sp.ld.S
+++ b/environments/opteesp/sp.ld.S
@@ -52,6 +52,7 @@
.dynstr : { *(.dynstr) }
.hash : { *(.hash) }
.note.gnu.build-id : { *(.note.gnu.build-id) }
+ .note.gnu.property : { *(.note.gnu.property) }
/* Page align to allow dropping execute bit for RW data */
. = ALIGN(4096);
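Review bot: The new `.note.gnu.property` output section has no comment saying why it is kept, and it is the only link between this linker script and the BTI_ENABLED option. A one-line comment above it, such as `/* Keep the GNU property note; it carries the BTI marking of the image. */`, would help. It is also worth confirming that whatever loads the SP actually reads this note, which cannot be seen from the hunk; the enclosing SECTIONS block starts and ends outside it. The same line is added to environments/sp/sp.ld.S.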
diff --git a/environments/sp/default_toolchain_file.cmake b/environments/sp/default_toolchain_file.cmake
index ccac1d3..b2c4bb1 100644
--- a/environments/sp/default_toolchain_file.cmake
+++ b/environments/sp/default_toolchain_file.cmake
@@ -24,6 +24,19 @@
set(TS_WARNING_FLAGS "-Wall" CACHE STRING "Compiler flags affecting generating warning messages.")
set(TS_MANDATORY_LINKER_FLAGS "-Wl,-pie -Wl,--no-dynamic-linker -Wl,--sort-section=alignment -zmax-page-size=4096" CACHE STRING "Linker flags needed for correct builds.")
+set(BTI_ENABLED unset CACHE STRING "Enable Branch Target Identification (BTI)")
+set_property(CACHE BTI_ENABLED PROPERTY STRINGS unset OFF ON)
+
+if(BTI_ENABLED STREQUAL "ON")
+ # branch-protection enables bti while compile force-bti tells the linker to
+ # warn if some object files lack the .note.gnu.property section with the BTI
+ # flag, and to turn on the BTI flag in the output anyway.
+ set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=bti")
+ set(TS_MANDATORY_LINKER_FLAGS "${TS_MANDATORY_LINKER_FLAGS} -zforce-bti")
+elseif(BTI_ENABLED STREQUAL "OFF")
+ set(TS_MANDATORY_AARCH_FLAGS "${TS_MANDATORY_AARCH_FLAGS} -mbranch-protection=none")
+endif()
+
# Set flags affecting all build types
string(APPEND CMAKE_C_FLAGS_INIT " ${TS_MANDATORY_AARCH_FLAGS}")
string(APPEND CMAKE_CXX_FLAGS_INIT " ${TS_MANDATORY_AARCH_FLAGS}")
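Review bot: `-mbranch-protection=bti` and `-mbranch-protection=none` both replace whatever branch protection the toolchain would apply by default, so `ON` selects BTI only (no `pac-ret`) and `OFF` switches off return-address signing as well as BTI. The option name and its docstring suggest it governs BTI alone. If that is intended, say so in the cache docstring, e.g. `"Branch protection: unset = toolchain default, OFF = none, ON = BTI only"`. If the targets also support pointer authentication, `-mbranch-protection=standard` may be the better choice for `ON`. The arm-linux and opteesp toolchain files carry the same block.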
diff --git a/environments/sp/sp.ld.S b/environments/sp/sp.ld.S
index ac29bb1..3e0e69e 100644
--- a/environments/sp/sp.ld.S
+++ b/environments/sp/sp.ld.S
@@ -51,6 +51,7 @@
.dynstr : { *(.dynstr) }
.hash : { *(.hash) }
.note.gnu.build-id : { *(.note.gnu.build-id) }
+ .note.gnu.property : { *(.note.gnu.property) }
. = ALIGN(8);
__rela_start = .;
diff --git a/external/CppUTest/cpputest-init-cache.cmake.in b/external/CppUTest/cpputest-init-cache.cmake.in
index b24f5de..d73b6ec 100644
--- a/external/CppUTest/cpputest-init-cache.cmake.in
+++ b/external/CppUTest/cpputest-init-cache.cmake.in
@@ -10,6 +10,7 @@
set(MEMORY_LEAK_DETECTION OFF CACHE BOOL "")
set(LONGLONG ON CACHE BOOL "")
set(C++11 ON CACHE BOOL "")
+set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
string(TOUPPER @CMAKE_CROSSCOMPILING@ CMAKE_CROSSCOMPILING) # CMake expects TRUE
if (CMAKE_CROSSCOMPILING)
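Review bot: The forwarded entry is declared `CACHE BOOL`, but the toolchain files define BTI_ENABLED as a three-state `STRING` (`unset`, `OFF`, `ON`), and the substitution is unquoted. A BOOL entry holding `unset` is presented as a checkbox in cmake-gui/ccmake, and an empty `@BTI_ENABLED@` would leave the `set()` call without a value argument, which is not something to rely on. `set(BTI_ENABLED "@BTI_ENABLED@" CACHE STRING "")` keeps the type and value consistent with the toolchain files. The same line is added to the MbedTLS, nanopb, psa_arch_tests, qcbor and t_cose init-cache templates.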
diff --git a/external/MbedTLS/mbedtls-init-cache.cmake.in b/external/MbedTLS/mbedtls-init-cache.cmake.in
index c60bbf2..57042fb 100644
--- a/external/MbedTLS/mbedtls-init-cache.cmake.in
+++ b/external/MbedTLS/mbedtls-init-cache.cmake.in
@@ -13,6 +13,7 @@
set(UNSAFE_BUILD On CACHE BOOL "")
set(EXTERNAL_DEFINITIONS -DMBEDTLS_USER_CONFIG_FILE="@MBEDTLS_USER_CONFIG_FILE@" CACHE STRING "")
set(EXTERNAL_INCLUDE_PATHS @MBEDTLS_EXTRA_INCLUDES@ CACHE STRING "")
+set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
set(Python3_EXECUTABLE "@Python3_EXECUTABLE@" CACHE PATH "Location of python3 executable")
diff --git a/external/firmware_test_builder/FirmwareTestBuilder.cmake b/external/firmware_test_builder/FirmwareTestBuilder.cmake
index f5450c6..82a8e2a 100644
--- a/external/firmware_test_builder/FirmwareTestBuilder.cmake
+++ b/external/firmware_test_builder/FirmwareTestBuilder.cmake
@@ -8,6 +8,7 @@
set(FIRMWARE_TEST_BUILDER_URL "https://git.trustedfirmware.org/TS/trusted-services.git" CACHE STRING "firmware-test-builder repository URL")
set(FIRMWARE_TEST_BUILDER_REFSPEC "topics/fwtb" CACHE STRING "firmware-test-builder git refspec")
+set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
set(GIT_OPTIONS
GIT_REPOSITORY ${FIRMWARE_TEST_BUILDER_URL}
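Review bot: `@BTI_ENABLED@` is substituted only by `configure_file()` or `string(CONFIGURE)`; in regular CMake code (with policy CMP0053 NEW) it is not expanded. This file is named `FirmwareTestBuilder.cmake` rather than `*.cmake.in`, so it looks like a module that is included directly, and the placeholder would be taken literally. If the cache entry already exists the line is a no-op. If it does not, BTI_ENABLED becomes the string `@BTI_ENABLED@` and neither branch in the toolchain files matches. If the intent is to forward the setting to the firmware-test-builder build, it probably belongs wherever that project's options are passed; otherwise the line can be dropped. The `set(GIT_OPTIONS` call that follows continues outside the hunk.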
diff --git a/external/nanopb/nanopb-init-cache.cmake.in b/external/nanopb/nanopb-init-cache.cmake.in
index c53b6e5..bfb5497 100644
--- a/external/nanopb/nanopb-init-cache.cmake.in
+++ b/external/nanopb/nanopb-init-cache.cmake.in
@@ -12,6 +12,7 @@
set(nanopb_BUILD_RUNTIME On CACHE BOOL "")
set(nanopb_BUILD_GENERATOR On CACHE BOOL "")
set(nanopb_MSVC_STATIC_RUNTIME Off BOOL "")
+set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
# Specify location of python binary and avoid discovery.
set(Python_EXECUTABLE "@Python_EXECUTABLE@" CACHE PATH "Location of python3 executable")
diff --git a/external/psa_arch_tests/psa-arch-test-init-cache.cmake.in b/external/psa_arch_tests/psa-arch-test-init-cache.cmake.in
index 5e227a5..9292db2 100644
--- a/external/psa_arch_tests/psa-arch-test-init-cache.cmake.in
+++ b/external/psa_arch_tests/psa-arch-test-init-cache.cmake.in
@@ -13,6 +13,7 @@
set(ARCH_TEST_EXTERNAL_DEFS "@PSA_ARCH_TEST_EXTERNAL_DEFS@" CACHE STRING "")
set(CMAKE_VERBOSE_MAKEFILE OFF CACHE BOOL "")
set(TARGET "tgt_dev_apis_linux" CACHE STRING "")
+set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
# Pass comand line paramter passed to the TS deployment configuration time over to psa-acs build.
if(NOT "@PSA_TARGET_QCBOR@" STREQUAL "")
diff --git a/external/qcbor/qcbor-init-cache.cmake.in b/external/qcbor/qcbor-init-cache.cmake.in
index 88afecf..4e4369d 100644
--- a/external/qcbor/qcbor-init-cache.cmake.in
+++ b/external/qcbor/qcbor-init-cache.cmake.in
@@ -7,6 +7,7 @@
set(CMAKE_INSTALL_PREFIX "@BUILD_INSTALL_DIR@" CACHE STRING "")
set(CMAKE_TOOLCHAIN_FILE "@TS_EXTERNAL_LIB_TOOLCHAIN_FILE@" CACHE STRING "")
+set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
# Determine floating point configuration
set(TS_NO_FLOAT_HW "@TS_NO_FLOAT_HW@")
diff --git a/external/t_cose/t_cose-init-cache.cmake.in b/external/t_cose/t_cose-init-cache.cmake.in
index abd3eba..1068409 100644
--- a/external/t_cose/t_cose-init-cache.cmake.in
+++ b/external/t_cose/t_cose-init-cache.cmake.in
@@ -7,6 +7,7 @@
set(CMAKE_INSTALL_PREFIX "@BUILD_INSTALL_DIR@" CACHE STRING "")
set(CMAKE_TOOLCHAIN_FILE "@TS_EXTERNAL_LIB_TOOLCHAIN_FILE@" CACHE STRING "")
+set(BTI_ENABLED @BTI_ENABLED@ CACHE BOOL "")
set(MBEDTLS On CACHE STRING "")