[pauthabi64][aaelf64] Move PAuth GOT relocs out of private space
In the initial draft, relocations for signing GOT entries were
defined in the private space reserved for experiments. It was not
known if these relocations would be useful, as if RELRO is supported
the GOT does not need to be signed. There is now at least one user
of the GOT signing relocations so we should move the relocations
out of the private space and into the space reserved for the
PAuthABI.

This PR includes relocations added in #295

Fixes: #298
smithp35 committed Nov 29, 2024
1 parent 671ee0b commit 6b15b45
Showing 2 changed files with 110 additions and 62 deletions.
123 changes: 84 additions & 39 deletions aaelf64/aaelf64.rst
Expand Up @@ -281,6 +281,9 @@ changes to the content of the document for that release.
| | | - Clarify use of addends in MOVZ, MOVK, |
| | | and ADRP |
+---------------+--------------------+-----------------------------------------+
| 2024Q4 | 29\ :sup:`th` | - Moved PAuthABI GOT relocations out of |
| | November 2024 | reserved space. |
+---------------+--------------------+-----------------------------------------+

References
----------
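
Review bot: The new 2024Q4 changelog row describes less than the commit changes. It says "Moved PAuthABI GOT relocations out of reserved space", but the commit message calls the old location the private space reserved for experiments, and the same commit also lists the TLSDESC relocations 595 to 597 and the dynamic relocations 1042 to 1044. Suggest wording such as "Moved PAuthABI GOT and TLSDESC signing relocations out of the private space" so the entry matches what the tables now reserve.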
Expand Down Expand Up @@ -1696,15 +1699,51 @@ The PAuth ABI Extension defines a number of static and dynamic relocations.
The information in this document is sufficient to reserve the relocation types.
For details on the relocations and operations see `PAUTHABIELF64`_.

The ``PAUTH`` and ``ENCD`` operators are defined in `PAUTHABIELF64`_.

.. class:: aaelf64-pauth-descriptor-relocations

.. table:: PAuthABI static relocations

+------------+------------+---------------------------------+----------------------------------+-----------------------------------------------------+
| ELF64 Code | ELF32 Code | Name | Operation | Comment |
+============+============+=================================+==================================+=====================================================+
| 580 | \- | R\_<CLS>\_AUTH\_ABS64 | PAUTH(S+A) | See `PAUTHABIELF64`_ |
+------------+------------+---------------------------------+----------------------------------+-----------------------------------------------------+
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| ELF64 Code | ELF32 Code | Name | Operation | Comment |
+============+============+========================================+======================================+======================+
| 580 | \- | R\_<CLS>\_AUTH\_ABS64 | PAUTH(S+A) | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 581 | \- | R\_AARCH64\_AUTH\_MOVW\_GOTOFF\_G0 | G(ENCD(GDAT(S))) - GOT | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 582 | \- | R\_AARCH64\_AUTH\_MOVW\_GOTOFF\_G0\_NC | G(ENCD(GDAT(S))) - GOT | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 583 | \- | R\_AARCH64\_AUTH\_MOVW\_GOTOFF\_G1 | G(ENCD(GDAT(S))) - GOT | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 584 | \- | R\_AARCH64\_AUTH\_MOVW\_GOTOFF\_G1\_NC | G(ENCD(GDAT(S))) - GOT | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 585 | \- | R\_AARCH64\_AUTH\_MOVW\_GOTOFF\_G2 | G(ENCD(GDAT(S))) - GOT | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 586 | \- | R\_AARCH64\_AUTH\_MOVW\_GOTOFF\_G2\_NC | G(ENCD(GDAT(S))) - GOT | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 587 | \- | R\_AARCH64\_AUTH\_MOVW\_GOTOFF\_G3 | G(ENCD(GDAT(S))) - GOT | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 588 | \- | R\_AARCH64\_AUTH\_GOT\_LD\_PREL19 | G(ENCD(GDAT(S))) - P | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 589 | \- | R\_AARCH64\_AUTH\_LD64\_GOTOFF\_LO15 | G(ENCD(GDAT(S))) - GOT | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 590 | \- | R\_AARCH64\_AUTH\_ADR\_GOT\_PAGE | G(ENCD(GDAT(S))) - Page(P) | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 591 | \- | R\_AARCH64\_AUTH\_LD64\_GOT\_LO12_NC | G(ENCD(GDAT(S))) | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 592 | \- | R\_AARCH64\_AUTH\_LD64\_GOTPAGE\_LO15 | G(ENCD(GDAT(S))) - Page(GOT) | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 593 | \- | R\_AARCH64\_AUTH\_GOT\_ADD_LO12_NC | G(ENCD(GDAT(S))) | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 594 | \- | R\_AARCH64\_AUTH\_GOT\_ADR\_PREL\_LO21 | G(ENCD(GDAT(S))) - P | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 595 | \- | R\_AARCH64\_AUTH\_TLSDESC\_ADR\_PAGE21 | Page(G(ENCD(GTLSDESC(S)))) - Page(P) | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 596 | \- | R\_AARCH64\_AUTH\_TLSDESC\_LD64\_LO12 | G(ENCD(GTLSDESC(S))) | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
| 597 | \- | R\_AARCH64\_AUTH\_TLSDESC\_ADD\_LO12 | G(ENCD(GTLSDESC(S))) | See `PAUTHABIELF64`_ |
+------------+------------+----------------------------------------+--------------------------------------+----------------------+

Dynamic relocations
^^^^^^^^^^^^^^^^^^^
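
Review bot: Rows 591 and 593 of the static table escape underscores inconsistently: ``R\_AARCH64\_AUTH\_LD64\_GOT\_LO12_NC`` and ``R\_AARCH64\_AUTH\_GOT\_ADD_LO12_NC`` leave ``LO12_NC`` unescaped, while every other row (for example 582, ``...\_GOTOFF\_G0\_NC``) escapes each underscore. Suggest ``LO12\_NC`` in both rows. Separately, the sentence above the table names only ``PAUTH`` and ``ENCD`` as defined in PAUTHABIELF64, while the new operations also use ``GDAT`` and ``GTLSDESC``; if those are not already defined earlier in this document, the sentence should point to their definition too.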
Expand All @@ -1715,39 +1754,45 @@ The dynamic relocations for those execution environments that support only a lim

.. table:: Dynamic relocations

+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| ELF64 Code | ELF32 Code | Name | Operation | Comment |
+============+============+==========================+=================================+===========================================+
| 257 | \- | R\_<CLS>\_ABS64 | S + A | See note below. |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| \- | 1 | R\_<CLS>\_ABS32 | S + A | See note below. |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| 580 | \- | R\_<CLS>\_AUTH\_ABS64 | SIGN(S + A, SCHEMA(\*P)) | See note below. |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| 1024 | 180 | R\_<CLS>\_COPY | | See note below. |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| 1025 | 181 | R\_<CLS>\_GLOB\_DAT | S + A | See note below |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| 1026 | 182 | R\_<CLS>\_JUMP\_SLOT | S + A | See note below |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| 1027 | 183 | R\_<CLS>\_RELATIVE | Delta(S) + A | See note below |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| 1028 | 184 | R\_<CLS>\_TLS\_IMPDEF1 | | See note below |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| 1029 | 185 | R\_<CLS>\_TLS\_IMPDEF2 | | See note below |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| | | R\_<CLS>\_TLS\_DTPREL | DTPREL(S+A) | See note below |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| | | R\_<CLS>\_TLS\_DTPMOD | LDM(S) | See note below |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| 1030 | 186 | R\_<CLS>\_TLS\_TPREL | TPREL(S+A) | |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| 1031 | 187 | R\_<CLS>\_TLSDESC | TLSDESC(S+A) | Identifies a TLS descriptor to be filled |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| 1032 | 188 | R\_<CLS>\_IRELATIVE | Indirect(Delta(S) + A) | See note below. |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
| 1041 | \- | R\_<CLS>\_AUTH\_RELATIVE | SIGN(DELTA(S) + A, SCHEMA(\*P)) | See note below. |
+------------+------------+--------------------------+---------------------------------+-------------------------------------------+
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| ELF64 Code | ELF32 Code | Name | Operation | Comment |
+============+============+=============================+====================================+===========================================+
| 257 | \- | R\_<CLS>\_ABS64 | S + A | See note below. |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| \- | 1 | R\_<CLS>\_ABS32 | S + A | See note below. |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 580 | \- | R\_<CLS>\_AUTH\_ABS64 | SIGN(S + A, SCHEMA(\*P)) | See note below. |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1024 | 180 | R\_<CLS>\_COPY | | See note below. |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1025 | 181 | R\_<CLS>\_GLOB\_DAT | S + A | See note below |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1026 | 182 | R\_<CLS>\_JUMP\_SLOT | S + A | See note below |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1027 | 183 | R\_<CLS>\_RELATIVE | Delta(S) + A | See note below |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1028 | 184 | R\_<CLS>\_TLS\_IMPDEF1 | | See note below |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1029 | 185 | R\_<CLS>\_TLS\_IMPDEF2 | | See note below |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| | | R\_<CLS>\_TLS\_DTPREL | DTPREL(S+A) | See note below |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| | | R\_<CLS>\_TLS\_DTPMOD | LDM(S) | See note below |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1030 | 186 | R\_<CLS>\_TLS\_TPREL | TPREL(S+A) | |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1031 | 187 | R\_<CLS>\_TLSDESC | TLSDESC(S+A) | Identifies a TLS descriptor to be filled |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1032 | 188 | R\_<CLS>\_IRELATIVE | Indirect(Delta(S) + A) | See note below. |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1041 | \- | R\_<CLS>\_AUTH\_RELATIVE | SIGN(DELTA(S) + A, SCHEMA(\*P)) | See note below. |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1042 | \- | R\_AARCH64\_AUTH\_GLOB\_DAT | SIGN((S + A), SCHEMA(\*P)) | See note below. |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1043 | \- | R\_AARCH64\_AUTH\_TLSDESC | SIGN(TLSDESC(S + A), SCHEMA(\*P)) | See note below. |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+
| 1044 | \- | R\_AARCH64\_AUTH\_IRELATIVE | SIGN(Indirect(S + A), SCHEMA(\*P)) | See note below. |
+------------+------------+-----------------------------+------------------------------------+-------------------------------------------+

With the exception of ``R_<CLS>_COPY`` all dynamic relocations require that the place being relocated is an 8-byte aligned 64-bit data location in ELF64 or a 4-byte aligned 32-bit data location in ELF32.
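
Review bot: In the new row 1044, the operation for ``R_AARCH64_AUTH_IRELATIVE`` is ``SIGN(Indirect(S + A), SCHEMA(*P))``, but the unsigned row 1032 uses ``Indirect(Delta(S) + A)`` and the signed relative row 1041 uses ``DELTA(S) + A``. If the signed variant is meant to mirror ``R_<CLS>_IRELATIVE``, the operation should read ``SIGN(Indirect(Delta(S) + A), SCHEMA(*P))``; if dropping ``Delta`` is deliberate, the note below the table should say why. The three new rows are also named ``R_AARCH64_...`` while the rest of the table, including the other two AUTH rows, uses ``R_<CLS>_...``; worth stating whether that is intentional.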

Expand Down Expand Up @@ -1779,7 +1824,7 @@ Relocations ``R_AARCH64_TLS_DTPREL``, ``R_AARCH64_TLS_DTPMOD`` and ``R_AARCH64_T

It is implementation defined whether ``R_<CLS>_TLS_IMPDEF1`` implements ``R_<CLS>_TLS_DTPREL`` and ``R_<CLS>_TLS_IMPDEF2`` implements ``R_<CLS>_TLS_DTPMOD`` or whether ``R_<CLS>_TLS_IMPDEF1`` implements ``R_<CLS>_TLS_DTPMOD`` and ``R_<CLS>_TLS_IMPDEF2`` implements ``R_<CLS>_TLS_DTPREL``; a platform must document its choice\ [#aaelf64-f1]_.

``R\_<CLS>\_AUTH\_ABS64`` and ``R\_<CLS>\_AUTH\_RELATIVE`` are part of the PAuth ABI Extension. For details on the relocations and operations see `PAUTHABIELF64`_. Note that ``R\_<CLS>\_AUTH\_ABS64`` is both a static and a dynamic relocation.
``R\_<CLS>\_AUTH\_ABS64``, ``R\_<CLS>\_AUTH\_RELATIVE``, ``R\_AARCH64\_AUTH\_GLOB\_DAT``, ``R\_AARCH64\_AUTH\_TLSDESC`` and ``R\_AARCH64\_AUTH\_IRELATIVE`` are part of the PAuth ABI Extension. For details on the relocations and operations see `PAUTHABIELF64`_. Note that ``R\_<CLS>\_AUTH\_ABS64`` is both a static and a dynamic relocation.

Private and platform-specific relocations
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
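
Review bot: The extended sentence keeps backslash escapes inside double-backtick literals for all five names (for example ``R\_AARCH64\_AUTH\_GLOB\_DAT``), unlike the neighbouring paragraphs, which write ``R_<CLS>_COPY`` and ``R_<CLS>_TLS_IMPDEF1`` without them. Inside an inline literal the backslashes are rendered verbatim, so the names will display with stray ``\`` characters; suggest dropping the escapes here. The new dynamic-table rows 1042 to 1044 say "See note below", and this sentence is the only note that mentions them, so it may be worth adding one line per relocation rather than only the pointer to PAUTHABIELF64.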