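// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Syntax: GNU as, AArch64.  ABI: AAPCS64.
// On AArch64 GAS the comment character is '//' and ';' is a statement
// separator, so only '//' (and '/* */') is used for comments in this file.
//
// This file contains a test function for checking Arm's branch target
// identification (BTI) feature, which helps mitigate jump-oriented
// programming. To get it working, BTI instructions must be executed
// on a compatible core, and the executable pages must be mapped with
// PROT_BTI. To validate that pages mapped with PROT_BTI are working
// correctly:
//   1) Allocate a read-write page.
//   2) Copy between the start and end symbols into that page.
//   3) Set the page to read-execute with PROT_BTI.
//   4) Call the first offset of the page, verify the result.
//   5) Call the second offset of the page (skipping the landing pad).
//      Verify that it crashes as expected.
// This test works irrespective of whether BTI is enabled for C/C++
// objects via -mbranch-protection=standard, because the test maps the
// copied page with PROT_BTI itself and this file carries its own
// GNU property note (see below).

// ELF note / program-property constants, with the values used in <elf.h>.
.equ NT_GNU_PROPERTY_TYPE_0,               5
.equ GNU_PROPERTY_AARCH64_FEATURE_1_AND,   0xc0000000
.equ GNU_PROPERTY_AARCH64_FEATURE_1_BTI,   1

        .text
        .global arm_bti_test_function
        .global arm_bti_test_function_invalid_offset
        .global arm_bti_test_function_end

//-----------------------------------------------------------------------
// C-equivalent: uint64_t arm_bti_test_function(uint64_t x)  -> x + 3
// ABI:   AAPCS64
// In:    x0 = x
// Out:   x0 = x + 3 when entered at arm_bti_test_function
//        x0 = x + 2 when entered at arm_bti_test_function_invalid_offset
//        (the second entry only completes where BTI is not enforced)
// Clobb: none ('add' without the 's' suffix leaves the flags untouched)
// Stack: unused (leaf, no frame)
//
// The bytes from arm_bti_test_function up to arm_bti_test_function_end
// are what the test copies into its freshly mapped page; keep the three
// labels adjacent and position-independent.
//-----------------------------------------------------------------------
arm_bti_test_function:
        bti     jc                      // Landing pad: valid target for both
                                        // call (BLR) and jump (BR) entry.
        add     x0, x0, #1
arm_bti_test_function_invalid_offset:
        // No landing pad here. This label simulates calling an incomplete
        // function: an indirect branch to this address on a BTI core, in a
        // page mapped with PROT_BTI, raises a Branch Target exception and
        // the test expects the resulting crash.
        add     x0, x0, #2
        ret
arm_bti_test_function_end:
        nop                             // End marker for the copied range.

// GNU property note declaring this object BTI-compatible.
// For details see section "6.2 Program Property" in
// "ELF for the Arm 64-bit Architecture (AArch64)"
// https://github.com/ARM-software/abi-aa/blob/main/aaelf64/aaelf64.rst#62program-property
//
// Why it matters: linkers only mark their output as BTI-enabled when every
// input object carries this property, and the dynamic loader only maps code
// with PROT_BTI when the output is so marked. Hand-written assembly gets no
// note from the compiler, so omitting it here would quietly drop BTI
// protection from any binary this file is linked into.
.pushsection .note.gnu.property, "a"
        .balign 8
        // Elf64_Nhdr
        .long   4                                   // n_namesz: "GNU" + NUL
        .long   .Lprop_desc_end - .Lprop_desc_start // n_descsz: 16 bytes
        .long   NT_GNU_PROPERTY_TYPE_0              // n_type
        .asciz  "GNU"                               // n_name; header+name = 16
                                                    // bytes, so desc is 8-aligned
.Lprop_desc_start:
        .long   GNU_PROPERTY_AARCH64_FEATURE_1_AND  // pr_type
        .long   4                                   // pr_datasz
        .long   GNU_PROPERTY_AARCH64_FEATURE_1_BTI  // pr_data: BTI supported
        .long   0                                   // pad pr_data to 8 bytes
.Lprop_desc_end:
.popsection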