clang 23.0.0git
ptrauth.h
Go to the documentation of this file.
1/*===---- ptrauth.h - Pointer authentication -------------------------------===
2 *
3 * Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 * See https://llvm.org/LICENSE.txt for license information.
5 * SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 *
7 *===-----------------------------------------------------------------------===
8 */
9
10#ifndef __PTRAUTH_H
11#define __PTRAUTH_H
12
13typedef enum {
14 ptrauth_key_asia = 0,
15 ptrauth_key_asib = 1,
16 ptrauth_key_asda = 2,
17 ptrauth_key_asdb = 3,
18
19 /* A process-independent key which can be used to sign code pointers. */
20 ptrauth_key_process_independent_code = ptrauth_key_asia,
21
22 /* A process-specific key which can be used to sign code pointers. */
23 ptrauth_key_process_dependent_code = ptrauth_key_asib,
24
25 /* A process-independent key which can be used to sign data pointers. */
26 ptrauth_key_process_independent_data = ptrauth_key_asda,
27
28 /* A process-specific key which can be used to sign data pointers. */
29 ptrauth_key_process_dependent_data = ptrauth_key_asdb,
30
31 /* The key used to sign return addresses on the stack.
32 The extra data is based on the storage address of the return address.
33 On AArch64, that is always the storage address of the return address + 8
34 (or, in other words, the value of the stack pointer on function entry) */
35 ptrauth_key_return_address = ptrauth_key_process_dependent_code,
36
37 /* The key used to sign C function pointers.
38 The extra data is always 0. */
39 ptrauth_key_function_pointer = ptrauth_key_process_independent_code,
40
41 /* The key used to sign C++ v-table pointers.
42 The extra data is always 0. */
43 ptrauth_key_cxx_vtable_pointer = ptrauth_key_process_independent_data,
44
45 /* The key used to sign metadata pointers to Objective-C method-lists. */
46 ptrauth_key_method_list_pointer = ptrauth_key_asda,
47
48 /* The key used to sign Objective-C isa and super pointers. */
49 ptrauth_key_objc_isa_pointer = ptrauth_key_process_independent_data,
50 ptrauth_key_objc_super_pointer = ptrauth_key_process_independent_data,
51
52 /* The key used to sign selector pointers */
53 ptrauth_key_objc_sel_pointer = ptrauth_key_process_dependent_data,
54
55 /* The key used to sign Objective-C class_ro_t pointers. */
56 ptrauth_key_objc_class_ro_pointer = ptrauth_key_process_independent_data,
57
58 /* The key used to sign pointers in ELF .init_array/.fini_array. */
59 ptrauth_key_init_fini_pointer = ptrauth_key_process_independent_code,
60
61 /* Other pointers signed under the ABI use private ABI rules. */
62
63} ptrauth_key;
64
65/* An integer type of the appropriate size for a discriminator argument. */
66typedef __UINTPTR_TYPE__ ptrauth_extra_data_t;
67
68/* An integer type of the appropriate size for a generic signature. */
69typedef __UINTPTR_TYPE__ ptrauth_generic_signature_t;
70
71/* A signed pointer value embeds the original pointer together with
72 a signature that attests to the validity of that pointer. Because
73 this signature must use only "spare" bits of the pointer, a
74 signature's validity is probabilistic in practice: it is unlikely
75 but still plausible that an invalidly-derived signature will
76 somehow equal the correct signature and therefore successfully
77 authenticate. Nonetheless, this scheme provides a strong degree
78 of protection against certain kinds of attacks. */
79
80/* Authenticating a pointer that was not signed with the given key
81 and extra-data value will (likely) fail by trapping. */
82
83/* The null function pointer is always the all-zero bit pattern.
84 Signing an all-zero bit pattern will embed a (likely) non-zero
85 signature in the result, and so the result will not seem to be
86 a null function pointer. Authenticating this value will yield
87 a null function pointer back. However, authenticating an
88 all-zero bit pattern will probably fail, because the
89 authentication will expect a (likely) non-zero signature to
90 embedded in the value.
91
92 Because of this, if a pointer may validly be null, you should
93 check for null before attempting to authenticate it with one
94 of these intrinsics. This is not necessary when using the
95 __ptrauth qualifier; the compiler will perform this check
96 automatically. */
97
98#if __has_feature(ptrauth_intrinsics) || defined(__PTRAUTH__)
99
100/* Strip the signature from a value without authenticating it.
101
102 If the value is a function pointer, the result will not be a
103 legal function pointer because of the missing signature, and
104 attempting to call it will result in an authentication failure.
105
106 The value must be an expression of pointer type.
107 The key must be a constant expression of type ptrauth_key.
108 The result will have the same type as the original value. */
109#define ptrauth_strip(__value, __key) __builtin_ptrauth_strip(__value, __key)
110
111/* Blend a constant discriminator into the given pointer-like value
112 to form a new discriminator. Not all bits of the inputs are
113 guaranteed to contribute to the result.
114
115 On arm64e, the integer must fall within the range of a uint16_t;
116 other bits may be ignored.
117
118 For the purposes of ptrauth_sign_constant, the result of calling
119 this function is considered a constant expression if the arguments
120 are constant. Some restrictions may be imposed on the pointer.
121
122 The first argument must be an expression of pointer type.
123 The second argument must be an expression of integer type.
124 The result will have type uintptr_t. */
125#define ptrauth_blend_discriminator(__pointer, __integer) \
126 __builtin_ptrauth_blend_discriminator(__pointer, __integer)
127
128/* Return a signed pointer for a constant address in a manner which guarantees
129 a non-attackable sequence.
130
131 The value must be a constant expression of pointer type which evaluates to
132 a non-null pointer.
133 The key must be a constant expression of type ptrauth_key.
134 The extra data must be a constant expression of pointer or integer type;
135 if an integer, it will be coerced to ptrauth_extra_data_t.
136 The result will have the same type as the original value.
137
138 This can be used in constant expressions. */
139#define ptrauth_sign_constant(__value, __key, __data) \
140 __builtin_ptrauth_sign_constant(__value, __key, __data)
141
142/* Add a signature to the given pointer value using a specific key,
143 using the given extra data as a salt to the signing process.
144
145 This operation does not authenticate the original value and is
146 therefore potentially insecure if an attacker could possibly
147 control that value.
148
149 The value must be an expression of pointer type.
150 The key must be a constant expression of type ptrauth_key.
151 The extra data must be an expression of pointer or integer type;
152 if an integer, it will be coerced to ptrauth_extra_data_t.
153 The result will have the same type as the original value. */
154#define ptrauth_sign_unauthenticated(__value, __key, __data) \
155 __builtin_ptrauth_sign_unauthenticated(__value, __key, __data)
156
157/* Authenticate a pointer using one scheme and resign it using another.
158
159 If the result is subsequently authenticated using the new scheme, that
160 authentication is guaranteed to fail if and only if the initial
161 authentication failed.
162
163 The value must be an expression of pointer type.
164 The key must be a constant expression of type ptrauth_key.
165 The extra data must be an expression of pointer or integer type;
166 if an integer, it will be coerced to ptrauth_extra_data_t.
167 The result will have the same type as the original value.
168
169 This operation is guaranteed to not leave the intermediate value
170 available for attack before it is re-signed.
171
172 Do not pass a null pointer to this function. A null pointer
173 will not successfully authenticate.
174
175 This operation traps if the authentication fails. */
176#define ptrauth_auth_and_resign(__value, __old_key, __old_data, __new_key, \
177 __new_data) \
178 __builtin_ptrauth_auth_and_resign(__value, __old_key, __old_data, __new_key, \
179 __new_data)
180
181/* Authenticate a pointer using one scheme, load 32bit value at offset addend
182 from the pointer, and add this value to the pointer, sign using specified
183 scheme.
184
185 If the result is subsequently authenticated using the new scheme, that
186 authentication is guaranteed to fail if and only if the initial
187 authentication failed.
188
189 The value must be an expression of pointer type.
190 The key must be a constant expression of type ptrauth_key.
191 The extra data must be an expression of pointer or integer type;
192 if an integer, it will be coerced to ptrauth_extra_data_t.
193 The addend must be an immediate ptrdiff_t value.
194 The result will have the same type as the original value.
195
196 This operation is guaranteed to not leave the intermediate value
197 available for attack before it is re-signed.
198
199 Do not pass a null pointer to this function. A null pointer
200 will not successfully authenticate. */
201#define ptrauth_auth_load_relative_and_sign(__value, __old_key, __old_data, \
202 __new_key, __new_data, __offset) \
203 __builtin_ptrauth_auth_load_relative_and_sign( \
204 __value, __old_key, __old_data, __new_key, __new_data, __offset)
205
206/* Authenticate a pointer using one scheme and resign it as a C
207 function pointer.
208
209 If the result is subsequently authenticated using the new scheme, that
210 authentication is guaranteed to fail if and only if the initial
211 authentication failed.
212
213 The value must be an expression of function pointer type.
214 The key must be a constant expression of type ptrauth_key.
215 The extra data must be an expression of pointer or integer type;
216 if an integer, it will be coerced to ptrauth_extra_data_t.
217 The result will have the same type as the original value.
218
219 This operation is guaranteed to not leave the intermediate value
220 available for attack before it is re-signed. Additionally, if this
221 expression is used syntactically as the function expression in a
222 call, only a single authentication will be performed. */
223#define ptrauth_auth_function(__value, __old_key, __old_data) \
224 ptrauth_auth_and_resign(__value, __old_key, __old_data, \
225 ptrauth_key_function_pointer, 0)
226
227/* Authenticate a data pointer.
228
229 The value must be an expression of non-function pointer type.
230 The key must be a constant expression of type ptrauth_key.
231 The extra data must be an expression of pointer or integer type;
232 if an integer, it will be coerced to ptrauth_extra_data_t.
233 The result will have the same type as the original value.
234
235 This operation traps if the authentication fails. */
236#define ptrauth_auth_data(__value, __old_key, __old_data) \
237 __builtin_ptrauth_auth(__value, __old_key, __old_data)
238
239/* Compute a constant discriminator from the given string.
240
241 The argument must be a string literal of char character type. The result
242 has type ptrauth_extra_data_t.
243
244 The result value is never zero and always within range for both the
245 __ptrauth qualifier and ptrauth_blend_discriminator.
246
247 This can be used in constant expressions.
248*/
249#define ptrauth_string_discriminator(__string) \
250 __builtin_ptrauth_string_discriminator(__string)
251
252/* Compute a constant discriminator from the given type.
253
254 The result can be used as the second argument to
255 ptrauth_blend_discriminator or the third argument to the
256 __ptrauth qualifier. It has type size_t.
257
258 If the type is a C++ member function pointer type, the result is
259 the discriminator used to signed member function pointers of that
260 type. If the type is a function, function pointer, or function
261 reference type, the result is the discriminator used to sign
262 functions of that type. It is ill-formed to use this macro with any
263 other type.
264
265 A call to this function is an integer constant expression. */
266#define ptrauth_type_discriminator(__type) \
267 __builtin_ptrauth_type_discriminator(__type)
268
269/* Compute the constant discriminator used by Clang to sign pointers with the
270 given C function pointer type.
271
272 A call to this function is an integer constant expression. */
273#if __has_feature(ptrauth_function_pointer_type_discrimination)
274#define ptrauth_function_pointer_type_discriminator(__type) \
275 __builtin_ptrauth_type_discriminator(__type)
276#else
277#define ptrauth_function_pointer_type_discriminator(__type) \
278 ((ptrauth_extra_data_t)0)
279#endif
280
281/* Compute a signature for the given pair of pointer-sized values.
282 The order of the arguments is significant.
283
284 Like a pointer signature, the resulting signature depends on
285 private key data and therefore should not be reliably reproducible
286 by attackers. That means that this can be used to validate the
287 integrity of arbitrary data by storing a signature for that data
288 alongside it, then checking that the signature is still valid later.
289 Data which exceeds two pointers in size can be signed by either
290 computing a tree of generic signatures or just signing an ordinary
291 cryptographic hash of the data.
292
293 The result has type ptrauth_generic_signature_t. However, it may
294 not have as many bits of entropy as that type's width would suggest;
295 some implementations are known to compute a compressed signature as
296 if the arguments were a pointer and a discriminator.
297
298 The arguments must be either pointers or integers; if integers, they
299 will be coerce to uintptr_t. */
300#define ptrauth_sign_generic_data(__value, __data) \
301 __builtin_ptrauth_sign_generic_data(__value, __data)
302
303/* C++ vtable pointer signing class attribute */
304#define ptrauth_cxx_vtable_pointer(key, address_discrimination, \
305 extra_discrimination...) \
306 [[clang::ptrauth_vtable_pointer(key, address_discrimination, \
307 extra_discrimination)]]
308
309/* The value is ptrauth_string_discriminator("init_fini") */
310#define __ptrauth_init_fini_discriminator 0xd9d4
311
312/* Objective-C pointer auth ABI qualifiers */
313#define __ptrauth_objc_method_list_imp \
314 __ptrauth(ptrauth_key_function_pointer, 1, 0)
315
316#if __has_feature(ptrauth_objc_method_list_pointer)
317#define __ptrauth_objc_method_list_pointer \
318 __ptrauth(ptrauth_key_method_list_pointer, 1, 0xC310)
319#else
320#define __ptrauth_objc_method_list_pointer
321#endif
322
323#define __ptrauth_isa_discriminator 0x6AE1
324#define __ptrauth_super_discriminator 0xB5AB
325#define __ptrauth_objc_isa_pointer \
326 __ptrauth(ptrauth_key_objc_isa_pointer, 1, __ptrauth_isa_discriminator)
327#if __has_feature(ptrauth_restricted_intptr_qualifier)
328#define __ptrauth_objc_isa_uintptr \
329 __ptrauth_restricted_intptr(ptrauth_key_objc_isa_pointer, 1, \
330 __ptrauth_isa_discriminator)
331#else
332#define __ptrauth_objc_isa_uintptr \
333 __ptrauth(ptrauth_key_objc_isa_pointer, 1, __ptrauth_isa_discriminator)
334#endif
335
336#define __ptrauth_objc_super_pointer \
337 __ptrauth(ptrauth_key_objc_super_pointer, 1, __ptrauth_super_discriminator)
338
339#define __ptrauth_objc_sel_discriminator 0x57c2
340#if __has_feature(ptrauth_objc_interface_sel)
341#define __ptrauth_objc_sel \
342 __ptrauth(ptrauth_key_objc_sel_pointer, 1, __ptrauth_objc_sel_discriminator)
343#else
344#define __ptrauth_objc_sel
345#endif
346
347#define __ptrauth_objc_class_ro_discriminator 0x61f8
348#define __ptrauth_objc_class_ro \
349 __ptrauth(ptrauth_key_objc_class_ro_pointer, 1, \
350 __ptrauth_objc_class_ro_discriminator)
351
352#else
353
354#define ptrauth_strip(__value, __key) \
355 __extension__({ \
356 (void)__key; \
357 __value; \
358 })
359
360#define ptrauth_blend_discriminator(__pointer, __integer) \
361 __extension__({ \
362 (void)__pointer; \
363 (void)__integer; \
364 ((ptrauth_extra_data_t)0); \
365 })
366
367#define ptrauth_sign_constant(__value, __key, __data) \
368 __extension__({ \
369 (void)__key; \
370 (void)__data; \
371 __value; \
372 })
373
374#define ptrauth_sign_unauthenticated(__value, __key, __data) \
375 __extension__({ \
376 (void)__key; \
377 (void)__data; \
378 __value; \
379 })
380
381#define ptrauth_auth_and_resign(__value, __old_key, __old_data, __new_key, \
382 __new_data) \
383 __extension__({ \
384 (void)__old_key; \
385 (void)__old_data; \
386 (void)__new_key; \
387 (void)__new_data; \
388 __value; \
389 })
390
391#define ptrauth_auth_load_relative_and_sign(__value, __old_key, __old_data, \
392 __new_key, __new_data, __offset) \
393 __extension__({ \
394 (void)__old_key; \
395 (void)__old_data; \
396 (void)__new_key; \
397 (void)__new_data; \
398 const char *__value_tmp = (const char *)(__value); \
399 (void *)(__value_tmp + *(const int *)(__value_tmp + (__offset))); \
400 })
401
402#define ptrauth_auth_function(__value, __old_key, __old_data) \
403 __extension__({ \
404 (void)__old_key; \
405 (void)__old_data; \
406 __value; \
407 })
408
409#define ptrauth_auth_data(__value, __old_key, __old_data) \
410 __extension__({ \
411 (void)__old_key; \
412 (void)__old_data; \
413 __value; \
414 })
415
416#define ptrauth_string_discriminator(__string) \
417 __extension__({ \
418 (void)__string; \
419 ((ptrauth_extra_data_t)0); \
420 })
421
422#define ptrauth_type_discriminator(__type) ((ptrauth_extra_data_t)0)
423#define ptrauth_function_pointer_type_discriminator(__type) \
424 ((ptrauth_extra_data_t)0)
425
426#define ptrauth_sign_generic_data(__value, __data) \
427 __extension__({ \
428 (void)__value; \
429 (void)__data; \
430 ((ptrauth_generic_signature_t)0); \
431 })
432
433#define ptrauth_cxx_vtable_pointer(key, address_discrimination, \
434 extra_discrimination...)
435
436#define __ptrauth_objc_isa_pointer
437#define __ptrauth_objc_isa_uintptr
438#define __ptrauth_objc_super_pointer
439
440#endif /* __has_feature(ptrauth_intrinsics) || defined(__PTRAUTH__) */
441
442#endif /* __PTRAUTH_H */
ptrauth_extra_data_t
__UINTPTR_TYPE__ ptrauth_extra_data_t
Definition ptrauth.h:66
ptrauth_generic_signature_t
__UINTPTR_TYPE__ ptrauth_generic_signature_t
Definition ptrauth.h:69
ptrauth_key
ptrauth_key
Definition ptrauth.h:13
ptrauth_key_method_list_pointer
@ ptrauth_key_method_list_pointer
Definition ptrauth.h:46
ptrauth_key_return_address
@ ptrauth_key_return_address
Definition ptrauth.h:35
ptrauth_key_process_independent_code
@ ptrauth_key_process_independent_code
Definition ptrauth.h:20
ptrauth_key_process_dependent_code
@ ptrauth_key_process_dependent_code
Definition ptrauth.h:23
ptrauth_key_process_independent_data
@ ptrauth_key_process_independent_data
Definition ptrauth.h:26
ptrauth_key_cxx_vtable_pointer
@ ptrauth_key_cxx_vtable_pointer
Definition ptrauth.h:43
ptrauth_key_objc_super_pointer
@ ptrauth_key_objc_super_pointer
Definition ptrauth.h:50
ptrauth_key_asia
@ ptrauth_key_asia
Definition ptrauth.h:14
ptrauth_key_init_fini_pointer
@ ptrauth_key_init_fini_pointer
Definition ptrauth.h:59
ptrauth_key_objc_isa_pointer
@ ptrauth_key_objc_isa_pointer
Definition ptrauth.h:49
ptrauth_key_objc_sel_pointer
@ ptrauth_key_objc_sel_pointer
Definition ptrauth.h:53
ptrauth_key_asda
@ ptrauth_key_asda
Definition ptrauth.h:16
ptrauth_key_objc_class_ro_pointer
@ ptrauth_key_objc_class_ro_pointer
Definition ptrauth.h:56
ptrauth_key_asib
@ ptrauth_key_asib
Definition ptrauth.h:15
ptrauth_key_process_dependent_data
@ ptrauth_key_process_dependent_data
Definition ptrauth.h:29
ptrauth_key_function_pointer
@ ptrauth_key_function_pointer
Definition ptrauth.h:39
ptrauth_key_asdb
@ ptrauth_key_asdb
Definition ptrauth.h:17
Generated on for clang by doxygen 1.14.0