-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tracking Issue for the #[cmse_nonsecure_entry] attribute #75835
Comments
Note: the error produced when an entry function require arguments being passed on the stack is currently a LLVM error. It would be better to have this error being thrown out in Rust ABI, for better user experience. |
…-schievink Add support for cmse_nonsecure_entry attribute This pull request adds the `cmse_nonsecure_entry` attribute under an unstable feature. I was not sure if it was fine for me to send directly the pull-request or if I should submit a RFC first. I was told on Zulip that it was fine to do so but please close it if I need first submit a RFC or follow another process instead. The `cmse_nonsecure_entry` attribute is a LLVM attribute that will be available in LLVM 11. I plan to rebase on the [upgrade PR](rust-lang#73526) once merged to make this one compile. This attribute modifies code generation of the function as explained [here](https://developer.arm.com/documentation/ecm0359818/latest/) to make it work with the TrustZone-M hardware feature. This feature is only available on `thumbv8m` targets so I created an error for that if one tries to use this attribute for another target. I added this attribute in Rust as any other LLVM attribute are added but since this one is target-dependent I am not sure if it was the best thing to do. Please indicate me if you think of other ways, like isolating target-dependent attributes together. ---------------- Tracking issue: rust-lang#75835
noticed the current implementation only allows FFI functions (or extern "C" functions) to be decorated with the attribute. I'm assuming this is only required because the implementation needs the function to use a C ABI and the function by itself is actually safe (i.e. no |
The reason the C ABI is forced for entry function is because parameters must only be passed using registers and not using memory. See this comment for reference:
This is because depending where the parameters would be in memory, there would be more work needed in LLVM to access them from Secure. For example if they were pushed on to the Non-Secure stack when NS calls the entry functions, LLVM would have to put them onto the Secure stack as a prelude before the actual function executes so that the parameters are where expected 👌 |
I am thinking now that this could also be implemented as an ABI, similarly than
We already restrict the C ABI for entry functions anyway! |
We discussed this in today's @rust-lang/lang meeting. We felt like an |
What is the recommended work around to deal with entry functions that require many arguments, e.g., 5x
|
Hey! |
This comment was marked as resolved.
This comment was marked as resolved.
… r=jackh726 add `extern "C-cmse-nonsecure-entry" fn` tracking issue rust-lang#75835 in rust-lang#75835 (comment) it was decided that using an abi, rather than an attribute, was the right way to go for this feature. This PR adds that ABI and removes the `#[cmse_nonsecure_entry]` attribute. All relevant tests have been updated, some are now obsolete and have been removed. Error 0775 is no longer generated. It contains the list of targets that support the CMSE feature, and maybe we want to still use this? right now a generic "this abi is not supported on this platform" error is returned when this abi is used on an unsupported platform. On the other hand, users of this abi are likely to be experienced rust users, so maybe the generic error is good enough.
… r=jackh726 add `extern "C-cmse-nonsecure-entry" fn` tracking issue rust-lang#75835 in rust-lang#75835 (comment) it was decided that using an abi, rather than an attribute, was the right way to go for this feature. This PR adds that ABI and removes the `#[cmse_nonsecure_entry]` attribute. All relevant tests have been updated, some are now obsolete and have been removed. Error 0775 is no longer generated. It contains the list of targets that support the CMSE feature, and maybe we want to still use this? right now a generic "this abi is not supported on this platform" error is returned when this abi is used on an unsupported platform. On the other hand, users of this abi are likely to be experienced rust users, so maybe the generic error is good enough.
Rollup merge of rust-lang#127766 - folkertdev:c-cmse-nonsecure-entry, r=jackh726 add `extern "C-cmse-nonsecure-entry" fn` tracking issue rust-lang#75835 in rust-lang#75835 (comment) it was decided that using an abi, rather than an attribute, was the right way to go for this feature. This PR adds that ABI and removes the `#[cmse_nonsecure_entry]` attribute. All relevant tests have been updated, some are now obsolete and have been removed. Error 0775 is no longer generated. It contains the list of targets that support the CMSE feature, and maybe we want to still use this? right now a generic "this abi is not supported on this platform" error is returned when this abi is used on an unsupported platform. On the other hand, users of this abi are likely to be experienced rust users, so maybe the generic error is good enough.
…ouxu Improve assembly test for CMSE ABIs Tracking issues: rust-lang#75835 rust-lang#81391 This ensures the code-gen for these ABIs does not change silently. There is a small chance that this code-gen might change, however even GCC (https://godbolt.org/z/16arxab5x and https://godbolt.org/z/16arxab5x) generates almost the same assembly for these ABIs. I hope the notes in the comments should help fix the tests if it ever breaks.
Rollup merge of rust-lang#130752 - tdittr:cmse-assembly-tests, r=jieyouxu Improve assembly test for CMSE ABIs Tracking issues: rust-lang#75835 rust-lang#81391 This ensures the code-gen for these ABIs does not change silently. There is a small chance that this code-gen might change, however even GCC (https://godbolt.org/z/16arxab5x and https://godbolt.org/z/16arxab5x) generates almost the same assembly for these ABIs. I hope the notes in the comments should help fix the tests if it ever breaks.
add `extern "C-cmse-nonsecure-entry" fn` tracking issue #75835 in rust-lang/rust#75835 (comment) it was decided that using an abi, rather than an attribute, was the right way to go for this feature. This PR adds that ABI and removes the `#[cmse_nonsecure_entry]` attribute. All relevant tests have been updated, some are now obsolete and have been removed. Error 0775 is no longer generated. It contains the list of targets that support the CMSE feature, and maybe we want to still use this? right now a generic "this abi is not supported on this platform" error is returned when this abi is used on an unsupported platform. On the other hand, users of this abi are likely to be experienced rust users, so maybe the generic error is good enough.
…error-messages, r=compiler-errors improve error messages for `C-cmse-nonsecure-entry` functions fixes rust-lang#81347 tracking issue: rust-lang#75835 brings error messages and testing for `C-cmse-nonsecure-entry` in line with `C-cmse-nonsecure-call`. r? `@compiler-errors`
Rollup merge of rust-lang#130747 - folkertdev:c-cmse-nonsecure-entry-error-messages, r=compiler-errors improve error messages for `C-cmse-nonsecure-entry` functions fixes rust-lang#81347 tracking issue: rust-lang#75835 brings error messages and testing for `C-cmse-nonsecure-entry` in line with `C-cmse-nonsecure-call`. r? `@compiler-errors`
I think that some random target feature putting something in the global attribute namespace is a bad precedent. To me, this should be namespaced in some way -- I don't know if that means |
This is a tracking issue for the PR #75810. It was deemed in that PR that a RFC was not necessary because the changes were small.
The feature gate for the issue is
#![feature(cmse_nonsecure_entry)]
.Description
The
cmse_nonsecure_entry
attribute is a target-dependent attribute available forthumbv8m
targets. It directly maps to the attribute of the same name in LLVM.It is to be used under the TrustZone-M technology for Armv8-M architecture.
It will modify code generation of Secure entry functions:
__acle_se_
prefix and thestandard function name
information
BXNS
instruction to returnSee section 5.4 of ARMv8-M Security Extensions: Requirements on Development Tools - Engineering Specification for more details.
Example
Having a Secure entry function named
entry_function
:With those commands:
it will emit the following assembly:
You can see from
1c
to24
the clearing of the registers and theBXNS
instruction used on28
.Steps
The text was updated successfully, but these errors were encountered: