1 /*===---- ptrauth.h - Pointer authentication -------------------------------=== 2 * 3 * Permission is hereby granted, free of charge, to any person obtaining a copy 4 * of this software and associated documentation files (the "Software"), to deal 5 * in the Software without restriction, including without limitation the rights 6 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 * copies of the Software, and to permit persons to whom the Software is 8 * furnished to do so, subject to the following conditions: 9 * 10 * The above copyright notice and this permission notice shall be included in 11 * all copies or substantial portions of the Software. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 19 * THE SOFTWARE. 20 * 21 *===-----------------------------------------------------------------------=== 22 */ 23 24 #ifndef __PTRAUTH_H 25 #define __PTRAUTH_H 26 27 #include <stdint.h> 28 29 typedef enum { 30 ptrauth_key_asia = 0, 31 ptrauth_key_asib = 1, 32 ptrauth_key_asda = 2, 33 ptrauth_key_asdb = 3, 34 35 /* A process-independent key which can be used to sign code pointers. 36 Signing and authenticating with this key is a no-op in processes 37 which disable ABI pointer authentication. */ 38 ptrauth_key_process_independent_code = ptrauth_key_asia, 39 40 /* A process-specific key which can be used to sign code pointers. 41 Signing and authenticating with this key is enforced even in processes 42 which disable ABI pointer authentication. */ 43 ptrauth_key_process_dependent_code = ptrauth_key_asib, 44 45 /* A process-independent key which can be used to sign data pointers. 46 Signing and authenticating with this key is a no-op in processes 47 which disable ABI pointer authentication. */ 48 ptrauth_key_process_independent_data = ptrauth_key_asda, 49 50 /* A process-specific key which can be used to sign data pointers. 51 Signing and authenticating with this key is a no-op in processes 52 which disable ABI pointer authentication. */ 53 ptrauth_key_process_dependent_data = ptrauth_key_asdb, 54 55 /* The key used to sign C function pointers. 56 The extra data is always 0. */ 57 ptrauth_key_function_pointer = ptrauth_key_process_independent_code, 58 59 /* The key used to sign return addresses on the stack. 60 The extra data is based on the storage address of the return address. 61 On ARM64, that is always the storage address of the return address plus 8 62 (or, in other words, the value of the stack pointer on function entry) */ 63 ptrauth_key_return_address = ptrauth_key_process_dependent_code, 64 65 /* The key used to sign frame pointers on the stack. 66 The extra data is based on the storage address of the frame pointer. 67 On ARM64, that is always the storage address of the frame pointer plus 16 68 (or, in other words, the value of the stack pointer on function entry) */ 69 ptrauth_key_frame_pointer = ptrauth_key_process_dependent_data, 70 71 /* The key used to sign block function pointers, including: 72 invocation functions, 73 block object copy functions, 74 block object destroy functions, 75 __block variable copy functions, and 76 __block variable destroy functions. 77 The extra data is always the address at which the function pointer 78 is stored. 79 80 Note that block object pointers themselves (i.e. the direct 81 representations of values of block-pointer type) are not signed. */ 82 ptrauth_key_block_function = ptrauth_key_asia, 83 84 /* The key used to sign C++ v-table pointers. 85 The extra data is always 0. */ 86 ptrauth_key_cxx_vtable_pointer = ptrauth_key_asda, 87 88 /* Other pointers signed under the ABI use private ABI rules. */ 89 90 } ptrauth_key; 91 92 /* An integer type of the appropriate size for an extra-data argument. */ 93 typedef uintptr_t ptrauth_extra_data_t; 94 95 /* An integer type of the appropriate size for a generic signature. */ 96 typedef uintptr_t ptrauth_generic_signature_t; 97 98 /* A signed pointer value embeds the original pointer together with 99 a signature that attests to the validity of that pointer. Because 100 this signature must use only "spare" bits of the pointer, a 101 signature's validity is probabilistic in practice: it is unlikely 102 but still plausible that an invalidly-derived signature will 103 somehow equal the correct signature and therefore successfully 104 authenticate. Nonetheless, this scheme provides a strong degree 105 of protection against certain kinds of attacks. */ 106 107 /* Authenticating a pointer that was not signed with the given key 108 and extra-data value will (likely) fail. However, an 109 authentication failure will not lead immediately to a trap. 110 Instead, it will yield a value which is guaranteed to trap 111 if actually dereferenced. */ 112 113 /* The null function pointer is always the all-zero bit pattern. 114 Signing an all-zero bit pattern will embed a (likely) non-zero 115 signature in the result, and so the result will not seem to be 116 a null function pointer. Authenticating this value will yield 117 a null function pointer back. However, authenticating an 118 all-zero bit pattern will probably fail, because the 119 authentication will expect a (likely) non-zero signature to 120 embedded in the value. 121 122 Because of this, if a pointer may validly be null, you should 123 check for null before attempting to authenticate it. */ 124 125 #ifdef __PTRAUTH_INTRINSICS__ 126 127 /* Strip the signature from a value without authenticating it. 128 129 If the value is a function pointer, the result will not be a 130 legal function pointer because of the missing signature, and 131 attempting to call it will result in an authentication failure. 132 133 The value must be an expression of pointer type. 134 The key must be a constant expression of type ptrauth_key. 135 The result will have the same type as the original value. */ 136 #define ptrauth_strip(__value, __key) \ 137 __builtin_ptrauth_strip(__value, __key) 138 139 /* Blend a pointer and a small integer to form a new extra-data 140 discriminator. Not all bits of the inputs are guaranteed to 141 contribute to the result. 142 143 On ARM64, only the low 16 bits of the integer will be considered. 144 145 For the purposes of ptrauth_sign_constant, the result of calling 146 this function is considered a constant expression if the arguments 147 are constant. Some restrictions may be imposed on the pointer. 148 149 The first argument must be an expression of pointer type. 150 The second argument must be an expression of integer type. 151 The result will have type uintptr_t. */ 152 #define ptrauth_blend_discriminator(__pointer, __integer) \ 153 __builtin_ptrauth_blend_discriminator(__pointer, __integer) 154 155 /* Compute the 16-bit integer discriminator of the given type. 156 157 The argument must be a type. 158 */ 159 #if __has_builtin(__builtin_ptrauth_type_discriminator) 160 #define ptrauth_type_discriminator(__type) \ 161 __builtin_ptrauth_type_discriminator(__type) 162 #else 163 #define ptrauth_type_discriminator(__type) ((uintptr_t)0) 164 #endif 165 166 /* Compute the constant discriminator used by Clang to sign pointers with the 167 given C function pointer type. 168 169 A call to this function is an integer constant expression*/ 170 #if __has_feature(ptrauth_function_pointer_type_discrimination) 171 #define ptrauth_function_pointer_type_discriminator(__type) \ 172 __builtin_ptrauth_type_discriminator(__type) 173 #else 174 #define ptrauth_function_pointer_type_discriminator(__type) ((uintptr_t)0) 175 #endif 176 177 /* Add a signature to the given pointer value using a specific key, 178 using the given extra data as a salt to the signing process. 179 180 The value must be a constant expression of pointer type. 181 The key must be a constant expression of type ptrauth_key. 182 The extra data must be a constant expression of pointer or integer type; 183 if an integer, it will be coerced to ptrauth_extra_data_t. 184 The result will have the same type as the original value. 185 186 This is a constant expression if the extra data is an integer or 187 null pointer constant. */ 188 #define ptrauth_sign_constant(__value, __key, __data) \ 189 __builtin_ptrauth_sign_constant(__value, __key, __data) 190 191 /* Add a signature to the given pointer value using a specific key, 192 using the given extra data as a salt to the signing process. 193 194 This operation does not authenticate the original value and is 195 therefore potentially insecure if an attacker could possibly 196 control that value. 197 198 The value must be an expression of pointer type. 199 The key must be a constant expression of type ptrauth_key. 200 The extra data must be an expression of pointer or integer type; 201 if an integer, it will be coerced to ptrauth_extra_data_t. 202 The result will have the same type as the original value. */ 203 #define ptrauth_sign_unauthenticated(__value, __key, __data) \ 204 __builtin_ptrauth_sign_unauthenticated(__value, __key, __data) 205 206 /* Authenticate a pointer using one scheme and resign it using another. 207 208 If the result is subsequently authenticated using the new scheme, that 209 authentication is guaranteed to fail if and only if the initial 210 authentication failed. 211 212 The value must be an expression of pointer type. 213 The key must be a constant expression of type ptrauth_key. 214 The extra data must be an expression of pointer or integer type; 215 if an integer, it will be coerced to ptrauth_extra_data_t. 216 The result will have the same type as the original value. 217 218 This operation is guaranteed to not leave the intermediate value 219 available for attack before it is re-signed. 220 221 Do not pass a null pointer to this function. A null pointer 222 will not successfully authenticate. */ 223 #define ptrauth_auth_and_resign(__value, __old_key, __old_data, __new_key, __new_data) \ 224 __builtin_ptrauth_auth_and_resign(__value, __old_key, __old_data, __new_key, __new_data) 225 226 /* Authenticate a pointer using one scheme and resign it as a C 227 function pointer. 228 229 If the result is subsequently authenticated using the new scheme, that 230 authentication is guaranteed to fail if and only if the initial 231 authentication failed. 232 233 The value must be an expression of function pointer type. 234 The key must be a constant expression of type ptrauth_key. 235 The extra data must be an expression of pointer or integer type; 236 if an integer, it will be coerced to ptrauth_extra_data_t. 237 The result will have the same type as the original value. 238 239 This operation is guaranteed to not leave the intermediate value 240 available for attack before it is re-signed. Additionally, if this 241 expression is used syntactically as the function expression in a 242 call, only a single authentication will be performed. */ 243 #define ptrauth_auth_function(__value, __old_key, __old_data) \ 244 ptrauth_auth_and_resign(__value, __old_key, __old_data, ptrauth_key_function_pointer, 0) 245 246 /* Cast a pointer to the given type without changing any signature. 247 248 The type must have the same size as a pointer type. 249 The type of value must have the same size as a pointer type, and will be 250 converted to an rvalue prior to the cast. 251 The result has type given by the first argument. 252 253 The result has an identical bit-pattern to the input pointer. */ 254 #define ptrauth_nop_cast(__type, __value) \ 255 ({ union { \ 256 typeof(__value) __fptr; \ 257 typeof(__type) __opaque; \ 258 } __storage; \ 259 __storage.__fptr = (__value); \ 260 __storage.__opaque; }) 261 262 /* Authenticate a data pointer. 263 264 The value must be an expression of non-function pointer type. 265 The key must be a constant expression of type ptrauth_key. 266 The extra data must be an expression of pointer or integer type; 267 if an integer, it will be coerced to ptrauth_extra_data_t. 268 The result will have the same type as the original value. 269 270 If the authentication fails, dereferencing the resulting pointer 271 will fail. */ 272 #define ptrauth_auth_data(__value, __old_key, __old_data) \ 273 __builtin_ptrauth_auth(__value, __old_key, __old_data) 274 275 /* Return an extra-discriminator value which can validly be used 276 as the second argument to ptrauth_blend_discriminator or the 277 third argument to the __ptrauth qualifier. 278 279 The argument must be a string literal. 280 A call to this function is an integer constant expression. */ 281 #define ptrauth_string_discriminator(__string) \ 282 __builtin_ptrauth_string_discriminator(__string) 283 284 /* Compute a full pointer-width generic signature for the given 285 value, using the given data as a salt. 286 287 This generic signature is process-independent, but may not be 288 consistent across reboots. 289 290 This can be used to validate the integrity of arbitrary data 291 by storing a signature for that data together with it. Because 292 the signature is pointer-sized, if the stored signature matches 293 the result of re-signing the current data, a match provides very 294 strong evidence that the data has not been corrupted. 295 296 The value must be an expression of pointer or integer type; if 297 an integer, it will be coerced to uintptr_t. 298 The extra data must be an expression of pointer or integer type; 299 if an integer, it will be coerced to ptrauth_extra_data_t. 300 The result will have type ptrauth_generic_signature_t. 301 302 This operation will compute a meaningful signature even in processes 303 which disable ABI pointer authentication. */ 304 #define ptrauth_sign_generic_data(__value, __data) \ 305 __builtin_ptrauth_sign_generic_data(__value, __data) 306 307 308 /* Define some standard __ptrauth qualifiers used in the ABI. */ 309 #define __ptrauth_function_pointer \ 310 __ptrauth(ptrauth_key_function_pointer,0,0) 311 #define __ptrauth_return_address \ 312 __ptrauth(ptrauth_key_return_address,1,0) 313 #define __ptrauth_block_invocation_pointer \ 314 __ptrauth(ptrauth_key_function_pointer,1,0) 315 #define __ptrauth_block_copy_helper \ 316 __ptrauth(ptrauth_key_function_pointer,1,0) 317 #define __ptrauth_block_destroy_helper \ 318 __ptrauth(ptrauth_key_function_pointer,1,0) 319 #define __ptrauth_block_byref_copy_helper \ 320 __ptrauth(ptrauth_key_function_pointer,1,0) 321 #define __ptrauth_block_byref_destroy_helper \ 322 __ptrauth(ptrauth_key_function_pointer,1,0) 323 #define __ptrauth_objc_method_list_imp \ 324 __ptrauth(ptrauth_key_function_pointer,1,0) 325 #define __ptrauth_cxx_vtable_pointer \ 326 __ptrauth(ptrauth_key_cxx_vtable_pointer,0,0) 327 #define __ptrauth_cxx_vtt_vtable_pointer \ 328 __ptrauth(ptrauth_key_cxx_vtable_pointer,0,0) 329 #define __ptrauth_swift_heap_object_destructor \ 330 __ptrauth(ptrauth_key_function_pointer,1,0xbbbf) 331 332 /* Some situations in the C++ and Swift ABIs use declaration-specific 333 or type-specific extra discriminators. */ 334 #define __ptrauth_cxx_virtual_function_pointer(__declkey) \ 335 __ptrauth(ptrauth_key_function_pointer,1,__declkey) 336 #define __ptrauth_swift_function_pointer(__typekey) \ 337 __ptrauth(ptrauth_key_function_pointer,0,__typekey) 338 #define __ptrauth_swift_class_method_pointer(__declkey) \ 339 __ptrauth(ptrauth_key_function_pointer,1,__declkey) 340 #define __ptrauth_swift_protocol_witness_function_pointer(__declkey) \ 341 __ptrauth(ptrauth_key_function_pointer,1,__declkey) 342 #define __ptrauth_swift_value_witness_function_pointer(__key) \ 343 __ptrauth(ptrauth_key_function_pointer,1,__key) 344 345 #else 346 347 #define ptrauth_strip(__value, __key) ({ (void)__key; __value; }) 348 #define ptrauth_blend_discriminator(__pointer, __integer) ({ (void)__pointer; (void)__integer; (uintptr_t)0; }) 349 #define ptrauth_type_discriminator(__type) ((uintptr_t)0) 350 #define ptrauth_function_pointer_type_discriminator(__type) ((uintptr_t)0) 351 #define ptrauth_sign_constant(__value, __key, __data) ({ (void)__key; (void)__data; __value; }) 352 #define ptrauth_sign_unauthenticated(__value, __key, __data) ({ (void)__key; (void)__data; __value; }) 353 #define ptrauth_auth_and_resign(__value, __old_key, __old_data, __new_key, __new_data) ({ \ 354 (void)__old_key; \ 355 (void)__old_data; \ 356 (void)__new_key; \ 357 (void)__new_data; \ 358 __value; }) 359 #define ptrauth_auth_function(__value, __old_key, __old_data) ({ (void)__old_key; (void)__old_data; __value; }) 360 #define ptrauth_nop_cast(__type, __value) ((__type)__value) 361 #define ptrauth_auth_data(__value, __old_key, __old_data) ({ (void)__old_key; (void)__old_data; __value; }) 362 #define ptrauth_string_discriminator(__string) ({ (void)__string; (int)0; }) 363 #define ptrauth_sign_generic_data(__value, __data) ({ (void)__value; (void)__data; (ptrauth_generic_signature_t)0; }) 364 365 #define __ptrauth_function_pointer 366 #define __ptrauth_return_address 367 #define __ptrauth_block_invocation_pointer 368 #define __ptrauth_block_copy_helper 369 #define __ptrauth_block_destroy_helper 370 #define __ptrauth_block_byref_copy_helper 371 #define __ptrauth_block_byref_destroy_helper 372 #define __ptrauth_objc_method_list_imp 373 #define __ptrauth_cxx_vtable_pointer 374 #define __ptrauth_cxx_vtt_vtable_pointer 375 #define __ptrauth_swift_heap_object_destructor 376 #define __ptrauth_cxx_virtual_function_pointer(__declkey) 377 #define __ptrauth_swift_function_pointer(__typekey) 378 #define __ptrauth_swift_class_method_pointer(__declkey) 379 #define __ptrauth_swift_protocol_witness_function_pointer(__declkey) 380 #define __ptrauth_swift_value_witness_function_pointer(__key) 381 382 #endif /* __PTRAUTH_INTRINSICS__ */ 383 384 #endif /* __PTRAUTH_H */ 385