[PAuthABIELF64] Use .note.gnu.property section as ELF marking scheme. #240
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -13,6 +13,7 @@ | |
| .. _CPPABI64: https://github.com/ARM-software/abi-aa/releases | ||
| .. _LSB: https://refspecs.linuxfoundation.org/LSB_1.2.0/gLSB/noteabitag.html | ||
| .. _SCO-ELF: http://www.sco.com/developers/gabi/ | ||
| .. _SYSVABI64: https://github.com/ARM-software/abi-aa/releases | ||
| .. _TLSDESC: http://www.fsfla.org/~lxoliva/writeups/TLS/paper-lk2006.pdf | ||
| .. _LINUX_ABI: https://github.com/hjl-tools/linux-abi/wiki | ||
| .. footer:: | ||
|
|
@@ -234,6 +235,8 @@ changes to the content of the document for that release. | |
| | 2023Q3 | 6\ :sup:`th` October 2023 | Update tags in `Dynamic Section`_ to avoid conflict with | | ||
| | | | DT_AARCH64_VARIANT_PCS. | | ||
| +------------+-----------------------------+------------------------------------------------------------------+ | ||
| | 2024Q1 | 29\ :sup:`th` January 2024 | Update preferred ELF marking scheme to be GNU property based | | ||
| +------------+-----------------------------+------------------------------------------------------------------+ | ||
|
|
||
| References | ||
| ---------- | ||
|
|
@@ -257,11 +260,14 @@ This document refers to, or is referred to by, the following documents. | |
| +-----------------------------------------------------------------------------------------+-------------------------------------------------------------+--------------------------------------------------------------------------+ | ||
| | SCO-ELF_ | http://www.sco.com/developers/gabi/ | System V Application Binary Interface – DRAFT | | ||
| +-----------------------------------------------------------------------------------------+-------------------------------------------------------------+--------------------------------------------------------------------------+ | ||
| | SYSVABI64_ | sysvabi64 | System V Application Binary Interface (ABI) for the Arm 64-bit | | ||
| | | | Architecture | | ||
| +-----------------------------------------------------------------------------------------+-------------------------------------------------------------+--------------------------------------------------------------------------+ | ||
| | TLSDESC_ | http://www.fsfla.org/~lxoliva/writeups/TLS/paper-lk2006.pdf | TLS Descriptors for Arm. Original proposal document | | ||
| +-----------------------------------------------------------------------------------------+-------------------------------------------------------------+--------------------------------------------------------------------------+ | ||
| | `GABI_SHT_RELR <https://groups.google.com/d/msg/generic-abi/bX460iggiKg/YT2RrjpMAwAJ>`_ | ELF GABI Google Groups | Proposal for a new section type SHT_RELR | | ||
| +-----------------------------------------------------------------------------------------+-------------------------------------------------------------+--------------------------------------------------------------------------+ | ||
| | `LINUX_ABI`_ | https://github.com/hjl-tools/linux-abi/wiki | Linux Extensions to gABI | | ||
| +-----------------------------------------------------------------------------------------+-------------------------------------------------------------+--------------------------------------------------------------------------+ | ||
|
|
||
| Terms and Abbreviations | ||
|
|
@@ -841,31 +847,27 @@ language to signing schema is expected to evolve over time. Even if | |
| the low-level ELF extensions remain constant, a change to the | ||
| high-level language mapping may result in incompatible ELF files. | ||
|
|
||
| This document defines the core information that any ELF marking | ||
| scheme must contain and the base compatibility model that uses that | ||
| information. | ||
|
|
||
| The default ELF marking scheme uses the Program Property note format | ||
| defined in (`LINUX_ABI`_). An alternative encoding that uses a Arm | ||
| defined Note section called ``.note.AARCH64-PAUTH-ABI-tag`` is defined | ||
| for platforms that do not support Program Properties, or have legacy | ||
| binaries from earlier versions of this specification. This is described | ||
| in `Appendix Alternative ELF Marking Using SHT_NOTE section`_. | ||
|
|
||
| Core information | ||
| ---------------- | ||
|
|
||
| The core information used by the base compatibility model is made up | ||
| of two values, both of which must be present. | ||
|
|
||
| * ``platform identifier`` is a 64-bit value that specifies the platform vendor. The | ||
| values of the ``platform identifier`` in the table below are reserved: | ||
|
|
||
| .. table:: Reserved id | ||
|
|
||
| +-----------+-----------+ | ||
| | Platform | Hex value | | ||
|
|
@@ -875,56 +877,100 @@ The following values of the platform id are reserved: | |
| | Baremetal | 0x1 | | ||
| +-----------+-----------+ | ||
|
|
||
| * ``version number`` is a 64-bit value that identifies the signing | ||
| schema used by the ELF file. The meaning of the value is determined | ||
| by the platform vendor identified by the ``platform identifier`` | ||
| above. | ||
|
|
||
| The tuple of (``platform identifier``, ``version number``) equal to | ||
| (0,0) is reserved to mean an ELF file incompatible with the PAuth ABI | ||
| Extension to ELF for the Arm® 64-bit Architecture (AArch64). | ||
|
|
||
| Default Marking Schema | ||
| ---------------------- | ||
|
|
||
| The default ELF marking scheme for executables and shared-libraries | ||
| uses the ``.note.gnu.property`` section. The format of this section is | ||
| defined in (`LINUX_ABI`_). | ||
|
|
||
| The following processor-specific program property types are defined: | ||
|
|
||
| +----------------------------------------+------------+ | ||
| | Name | Value | | ||
| +========================================+============+ | ||
| | GNU\_PROPERTY\_AARCH64\_FEATURE\_PAUTH | 0xc0000001 | | ||
| +----------------------------------------+------------+ | ||
|
|
||
| Other processor-specific program property types defined by the 64-bit | ||
| ABI for the Arm Architecture are defined in (SYSVABI64_). | ||
|
|
||
| The format of the data in ``pr_data`` is two 64-bit words. With the | ||
| first 64-bit word being the ``platform identifier``, and the second | ||
| 64-bit word being the ``version number``. Both of these form the | ||
| information required in `Core Information`_ above. | ||
|
|
||
| ``.note.gnu.property`` sections can be used as ELF marking for | ||
| relocatable objects as well as executables and shared libraries. Arm | ||
| intends to use standardize build attributes for all relocatable-object | ||
| ELF marking. When this change occurs the default ELF marking for | ||
| relocatable objects will be updated to use build attributes. | ||
|
|
||
| Base Compatibility Model | ||
| ------------------------ | ||
|
|
||
| A per-ELF file marking scheme permits a coarse way of reasoning about | ||
| compatibility. | ||
|
|
||
| * All reasoning about compatibility is done using the `Core Information`_. | ||
| This permits an ELF file using the ``.note.gnu.property`` ELF marking to | ||
| be compared to an ELF file using the ``.note.AARCH64-PAUTH-ABI-tag`` ELF | ||
| marking. | ||
|
|
||
| * If an ELF file contains multiple ELF markings of the `Core | ||
| Information`_, for example it contains both a ``.note.gnu.property`` | ||
| section and a ``.note.AARCH64-PAUTH-ABI-tag`` section, then all | ||
| must encode the same `Core Information`_. | ||
|
|
||
| * The absence of any ELF marking means no information on how pointers | ||
| are signed is available for this ELF file. When used in combination | ||
|
There was a problem hiding this comment.
I think we should allow different behavior here. A user might want static linker to "ignore" such files with no compatibility info and treat them as compatible with any others. See similar option There was a problem hiding this comment. I've added a clarifying sentence that states that implementations can be provided with supplemental information that can change this default. |
||
| with ELF files that contain ELF marking, then by default the file is | ||
| assigned the (``platform identifer``, ``version number``) of (0,0). | ||
| Implementations may use additional information supplementary to the | ||
| ELF file, such as linker command-line options, to provide an | ||
| implementation defined `Core Information`_ for ELF files with no ELF | ||
| marking. | ||
|
|
||
| * The presence of ELF marking means that, if the file contains | ||
| pointers, they were signed in a compatible way with the schema | ||
| identified in the (platform identifier, version number). `Core | ||
| Information`_. | ||
|
|
||
| * A combination of `Core Information`_ from two ELF files is | ||
| successful if the ``platform identifier`` values match and the | ||
| ``version numbers`` values match. All other combinations are | ||
| unsuccessful. | ||
|
|
||
| * The result of a successful combination of `Core Information`_ is a | ||
| single ELF Marking containing the `Core Information`_. The result of | ||
| an unsuccesful combination must be either a single ELF marking with | ||
| (``platform identifer``, ``version number``) of (0,0), or no ELF | ||
| marking is written to the output file. | ||
|
|
||
| * The static linker may choose to fault the unsuccessful combination | ||
| of `Core Information`_. | ||
|
|
||
| * A dynamic loader may disable pointer authentication, or fault the | ||
| program with an error message, in case it encounters an incompatible | ||
| ELF file. A dynamic loader may consider the ELF file to be | ||
| incompatible with the PAuthABI in any of the following cases: | ||
|
|
||
| * If no ELF marking is present. | ||
|
|
||
| * If the (platform identifier, version number) from the `Core | ||
| Information`_ is not recognized by the loader. | ||
|
|
||
| * If the platform identifier from the `Core Information`_ is the | ||
| reserved Invalid value 0. | ||
|
|
||
| Platforms may replace the base compatibility model with a | ||
| platform-specific model. | ||
|
|
@@ -1236,33 +1282,24 @@ Some observations: | |
| pointer signing information in a custom encoding understood by the | ||
| start-up code used. | ||
|
|
||
| Appendix Alternative ELF Marking Using SHT_NOTE section | ||
| ======================================================= | ||
|
|
||
| A new section named ``.note.AARCH64-PAUTH-ABI-tag`` of type | ||
| ``SHT_NOTE`` is defined. This section is structured as a note section | ||
| as documented in SCO-ELF_, and its attribute flag ``SHF_ALLOC`` must | ||
| be set. | ||
|
|
||
| The ``namesz`` field shall be 4 | ||
|
|
||
| The ``descsz`` field shall be 16. See ``desc`` below. | ||
|
|
||
| The type field shall be ``NT_ARM_TYPE_PAUTH_ABI_TAG``, defined to the | ||
| value 1. | ||
|
|
||
| The ``name`` field shall be the null-terminated string ``ARM``. | ||
|
|
||
| The ``desc`` contain 2 64-bit words. With the first 64-bit word being | ||
| the ``platform identifier``, and the second 64-bit word being the | ||
| ``version number``. Both of these form the information required in | ||
| `Core Information`_ above. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't we need to change this part as well? It now describes the compatibility model for ELF marking based on
.note.AARCH64-PAUTH-ABI-tagsection.BTW, it would also be nice to explicitly say if files using different ELF marking ways (but with the same <platform, version> tuple, meaning the same signing schema) should be considered compatible or not. It was somewhere discussed previously and thinking of such files as compatible ones was considered as unneeded complexity - I'm just saying that explicit mention of this in this document would be nice to have IMHO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll need to take a look. I wanted to get a draft out before the Monday so it is possible I've missed something.
I'll add a note to state that the key information is <platform, version> no matter how they are encoded. Will do that before next Monday.