diff --git a/bl1/aarch64/bl1_exceptions.S b/bl1/aarch64/bl1_exceptions.S index 3e72e39..9bba6ee 100644 --- a/bl1/aarch64/bl1_exceptions.S +++ b/bl1/aarch64/bl1_exceptions.S @@ -226,6 +226,15 @@ */ bl save_gp_pmcr_pauth_regs +#if ENABLE_PAUTH + /* ----------------------------------------------------- + * Load and program stored APIAKey firmware key. + * Re-enable pointer authentication in EL3, as it was + * disabled before jumping to the next boot image. + * ----------------------------------------------------- + */ + bl pauth_load_bl1_apiakey_enable +#endif /* ----------------------------------------------------- * Populate the parameters for the SMC handler. We * already have x0-x4 in place. x5 will point to a diff --git a/bl1/bl1_main.c b/bl1/bl1_main.c index 2bb8511..cd6fe7d 100644 --- a/bl1/bl1_main.c +++ b/bl1/bl1_main.c @@ -31,6 +31,10 @@ static void bl1_load_bl2(void); +#if ENABLE_PAUTH +uint64_t bl1_apiakey[2]; +#endif + /******************************************************************************* * Helper utility to calculate the BL2 memory layout taking into consideration * the BL1 RW data assuming that it is at the top of the memory layout. @@ -131,6 +135,12 @@ /* Perform platform setup in BL1. */ bl1_platform_setup(); +#if ENABLE_PAUTH + /* Store APIAKey_EL1 key */ + bl1_apiakey[0] = read_apiakeylo_el1(); + bl1_apiakey[1] = read_apiakeyhi_el1(); +#endif /* ENABLE_PAUTH */ + /* Get the image id of next image to load and run. */ image_id = bl1_plat_get_next_image_id(); diff --git a/bl2u/aarch64/bl2u_entrypoint.S b/bl2u/aarch64/bl2u_entrypoint.S index 452869e..3e37b44 100644 --- a/bl2u/aarch64/bl2u_entrypoint.S +++ b/bl2u/aarch64/bl2u_entrypoint.S @@ -102,6 +102,15 @@ bl bl2u_early_platform_setup bl bl2u_plat_arch_setup +#if ENABLE_PAUTH + /* --------------------------------------------- + * Program APIAKey_EL1 + * and enable pointer authentication. + * --------------------------------------------- + */ + bl pauth_init_enable_el1 +#endif + /* --------------------------------------------- * Jump to bl2u_main function. * --------------------------------------------- diff --git a/lib/extensions/pauth/pauth_helpers.S b/lib/extensions/pauth/pauth_helpers.S index c6808de..d483c7d 100644 --- a/lib/extensions/pauth/pauth_helpers.S +++ b/lib/extensions/pauth/pauth_helpers.S @@ -13,6 +13,7 @@ .global pauth_init_enable_el3 .global pauth_disable_el3 .globl pauth_load_bl31_apiakey + .globl pauth_load_bl1_apiakey_enable /* ------------------------------------------------------------- * Program APIAKey_EL1 and enable pointer authentication in EL1 @@ -97,9 +98,9 @@ endfunc pauth_disable_el3 /* ------------------------------------------------------------- - * The following function strictly follows the AArch64 PCS + * The following functions strictly follow the AArch64 PCS * to use x9-x17 (temporary caller-saved registers) to load - * the APIAKey_EL1 used by the firmware. + * the APIAKey_EL1 and enable pointer authentication. * ------------------------------------------------------------- */ func pauth_load_bl31_apiakey @@ -115,3 +116,26 @@ isb ret endfunc pauth_load_bl31_apiakey + +func pauth_load_bl1_apiakey_enable + /* Load instruction key A used by the Trusted Firmware */ + adrp x9, bl1_apiakey + add x9, x9, :lo12:bl1_apiakey + ldp x10, x11, [x9] + + /* Program instruction key A */ + msr APIAKeyLo_EL1, x10 + msr APIAKeyHi_EL1, x11 + + /* Enable pointer authentication */ + mrs x9, sctlr_el3 + orr x9, x9, #SCTLR_EnIA_BIT + +#if ENABLE_BTI + /* Enable PAC branch type compatibility */ + bic x9, x9, #SCTLR_BT_BIT +#endif + msr sctlr_el3, x9 + isb + ret +endfunc pauth_load_bl1_apiakey_enable