Arm Security Extensions

Branch Target Identification

Branch Target Identification (BTI) is an Armv8.5-A extension that provides a form of Control Flow Integrity (CFI) for indirect branches: it restricts which instructions an indirect branch may land on, which limits Jump Oriented Programming (JOP) attacks, where an attacker chains existing code fragments together through corrupted indirect branch targets.

With this extension, Armv8.5-A introduces the Branch Target Identification instructions BTI c, BTI j and BTI jc, also called landing pads. The processor can be configured so that indirect branches (BR and BLR) may only target a landing pad: the target of BLR must start with BTI c (or BTI jc) and the target of BR with BTI j (or BTI jc). The check is only applied to code in pages marked as guarded (the GP attribute in the translation table entry). If the target of an indirect branch in a guarded page is not a suitable landing pad, a Branch Target Exception is generated.

How to enable BTI for OP-TEE core

To make use of BTI in the TEE core on CPUs that support it, enable the option CFG_CORE_BTI.

OP-TEE core makes use of some built-ins from the GCC/clang toolchains, so in order to use the option CFG_CORE_BTI, make sure the GCC toolchain has been built with --enable-standard-branch-protection; otherwise OP-TEE will fail to build. By default, libraries such as libgcc.a are built with -mbranch-protection=none and are therefore incompatible with a build that enables branch protection. The Arm GNU compiler team is looking for ways of providing users easy access to BTI-enabled libraries. In the short term, they plan to create documentation to make it easier for users to build BTI-enabled libraries themselves. Longer term, they will begin discussions on how to ensure BTI-enabled libraries are available automatically to users. Please contact the GCC team for more information. In the meantime, building a BTI-enabled GCC toolchain is possible as described in Q: How can I build GCC with BTI enabled?.

The same problem exists with the clang toolchain. When using clang to build OP-TEE with CFG_CORE_BTI=y, the builtins (found in LLVM's "compiler-rt" project) must be built with BTI protection enabled. Instructions on how to build compiler-rt with BTI enabled are available in Q: How can I build LLVM compiler-rt with BTI enabled?.

How to enable BTI for TAs

To make use of BTI support for TAs and user mode libraries, enable the option CFG_TA_BTI. This ensures that the TAs, as well as all libraries provided by OP-TEE to the TAs, are built with the BTI option.

When a TA is loaded by ldelf, its ELF is checked at run time for the BTI property (GNU_PROPERTY_AARCH64_FEATURE_1_BTI in the .note.gnu.property section) before the protection is enabled for the TA.

When building TAs, you need to ensure that any external library used has been built with branch protection. This can be checked by running readelf with the -n option on the library: a BTI-enabled library carries the BTI property in its .note.gnu.property section, which readelf lists as "AArch64 feature: BTI". If that is not the case, the build stops with a warning. This is done intentionally to warn the user: the property is an AND property, so a single object or library without it would otherwise cause the linker to drop the BTI marking from the whole TA and ldelf would load it without the protection.
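The marking that both ldelf and readelf -n look at is the GNU_PROPERTY_AARCH64_FEATURE_1_AND property inside the .note.gnu.property section, which the linker also exposes through a PT_GNU_PROPERTY program header. The following Python script is an added example, not OP-TEE or ldelf code: it walks the program headers of a little-endian AArch64 ELF64 image, parses that note and reports whether the BTI bit is set. The constants are the standard ELF and GNU ABI values; the minimal ELF images it builds are constructed inline so that it runs offline, and a real .so or .o can be checked by passing its path.

```python
"""Check whether an AArch64 ELF carries the BTI marking that ldelf and
`readelf -n` look for: GNU_PROPERTY_AARCH64_FEATURE_1_AND in .note.gnu.property.

Added example, not OP-TEE/ldelf code. The constants are the standard ELF and
GNU ABI values; the sample ELF images built below are constructed for the demo.
"""
import struct
import sys

EM_AARCH64 = 183
PT_GNU_PROPERTY = 0x6474E553
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
GNU_PROPERTY_AARCH64_FEATURE_1_BTI = 1 << 0
GNU_PROPERTY_AARCH64_FEATURE_1_PAC = 1 << 1


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(note, prop_align=8):
    """Return {pr_type: pr_data} from raw .note.gnu.property bytes.
    Note header fields are 4-byte aligned; property entries are padded
    to 8 bytes on ELF64 (4 on ELF32)."""
    props = {}
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += _align(namesz, 4)
        desc = note[off:off + descsz]
        off += _align(descsz, 4)
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue  # a note of some other vendor or type, skip it
        d = 0
        while d + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, d)
            d += 8
            props[pr_type] = desc[d:d + pr_datasz]
            d += _align(pr_datasz, prop_align)
    return props


def aarch64_features(note):
    """AArch64 feature bitmask from the note (0 when the property is absent)."""
    data = parse_gnu_property_note(note).get(GNU_PROPERTY_AARCH64_FEATURE_1_AND)
    if data is None or len(data) < 4:
        return 0
    return struct.unpack_from("<I", data)[0]


def elf_bti_status(elf):
    """Walk the program headers of a little-endian ELF64 AArch64 image and
    report whether its PT_GNU_PROPERTY note has the BTI bit. No note at all
    (e.g. a library built with -mbranch-protection=none) means no BTI."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    if struct.unpack_from("<H", elf, 0x12)[0] != EM_AARCH64:
        raise ValueError("not an AArch64 image")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_PROPERTY:
            note = elf[p_offset:p_offset + p_filesz]
            return bool(aarch64_features(note) & GNU_PROPERTY_AARCH64_FEATURE_1_BTI)
    return False


def build_note(features):
    """Construct a .note.gnu.property section as the AArch64 toolchain emits it."""
    pr_data = struct.pack("<I", features) + b"\0" * 4  # 4-byte value padded to 8
    desc = struct.pack("<II", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4) + pr_data
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc


def build_sample_elf(features=None):
    """Constructed minimal ELF64 AArch64 image: header, one PT_GNU_PROPERTY
    program header and the note. features=None omits the note entirely."""
    phnum = 0 if features is None else 1
    note = b"" if features is None else build_note(features)
    phoff, phentsize = 64, 56
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, LSB, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, EM_AARCH64, 1, 0, phoff, 0, 0,
                        64, phentsize, phnum, 64, 0, 0)
    phdr = b""
    if phnum:
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, phoff + phentsize,
                           0, 0, len(note), len(note), 8)
    return ehdr + phdr + note


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. python3 bti_check.py libfoo.so
        with open(path, "rb") as f:
            print(path, "BTI" if elf_bti_status(f.read()) else "no BTI")
    if len(sys.argv) == 1:
        print("sample with BTI:", elf_bti_status(build_sample_elf(GNU_PROPERTY_AARCH64_FEATURE_1_BTI)))
        print("sample without note:", elf_bti_status(build_sample_elf(None)))
```

The script takes single ELF files; a static archive such as libfoo.a is an ar container, so extract its members with ar x first (or simply run readelf -n on the archive, which iterates the members itself). Because the property is AND-ed across inputs, every member must carry the bit for the final TA to keep it.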

Note

BTI support is currently not compatible with the options CFG_VIRTUALIZATION and CFG_WITH_PAGER.