Require arm_new_za to set ZA to zero
The arm_new_za attribute creates new ZA state.  The initial contents of
this state were previously left unspecified.  In practice, there were
two cases:

1. PSTATE.ZA==0 on entry to the function.  In this case, doing an
   SMSTART ZA would clear ZA, and so the initial contents of the
   ZA state would be zero.

2. PSTATE.ZA==1 on entry to the function, due to an uncommitted
   lazy save.  In this case, the SMSTART ZA (if executed) would
   have no effect, and so without explicit action to the contrary,
   the initial contents of the ZA state could be carried over from
   the lazily-saved contents.

Case 1 is expected to be much more common than case 2.  It would
therefore be easy for code to rely (perhaps accidentally) on ZA
starting out as zero and pass testing, with case 2 only showing
up rarely, and in hard-to-debug ways.

Also, not offering a guarantee might cause code to have a defensive
zvzero_za that is executed unconditionally, even when it isn't
needed.

Finally, carrying over old contents is bad from a data isolation/
leakage point of view.

This patch therefore requires the initial contents of ZA to be zero.
Implementations can ensure this by adding a ZERO { ZA } instruction
on code paths that commit a lazy save.  Since those paths should be
rarely executed, there should be little effect on performance.

I've prototyped this in GCC and it seems to work OK.
rsandifo-arm committed Aug 3, 2023
1 parent 5cbb4b7 commit 65e0d38
14 changes: 11 additions & 3 deletions main/acle.md
@@ -347,6 +347,8 @@ Armv8.4-A [[ARMARMv84]](#ARMARMv84). Support is added for the Dot Product intrin
[CMSE](#CMSE-ACLE)'s Arguments on the stack and floating point handling.
* Corrected description and example in [CMSE](#CMSE-ACLE)'s section about
non-secure function pointers.
* Added a requirement on [`arm_new_za`](#arm_new_za) to set the initial
contents of ZA to zero.

### References

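Review bot: the changelog entry for `arm_new_za` reads as a plain addition, but the commit message says the initial contents of ZA were previously left unspecified, so this is a behavioural tightening that existing implementations (which may currently rely on SMSTART ZA alone) may not yet satisfy. Suggest making that visible in the entry, for example "Added a requirement on [`arm_new_za`](#arm_new_za) to set the initial contents of ZA to zero (previously unspecified)", so that readers scanning this section can tell that compiler output is affected rather than only the wording.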
@@ -8848,9 +8850,15 @@ following:

* The function has [ZA state](#za-state).

* The function's ZA state is created on entry to the function and destroyed
on return from the function. That is, the function does not use ZA
to receive data from callers or to pass data back to callers.
* The function does not use ZA to receive data from callers or to pass
data back to callers.

* Instead, the [abstract machine](#abstract-machine) creates new ZA state
on entry to the function and destroys the state on return from the
function.

* The abstract machine initializes each byte of the function's ZA state
to zero.

This attribute does not change a function's binary interface. If the
function forms part of the object code's ABI, that object code function
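Review bot: the new bullet "The abstract machine initializes each byte of the function's ZA state to zero" does not say when that zeroing is observable, and the data-isolation rationale in the commit message depends on it taking effect before any statement of the function body can read ZA, in both the PSTATE.ZA==0 case and the uncommitted-lazy-save case. Suggest either folding the timing into the bullet, e.g. "On entry to the function, before any of its statements execute, the abstract machine initializes each byte of the function's ZA state to zero", or merging it with the preceding bullet so that creation and zero-initialization are stated as a single event rather than two properties a reader has to connect.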

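The two entry scenarios laid out in the commit message, and the effect of the ZERO { ZA } it recommends on lazy-save commit paths, as an added toy model in C. This is constructed for this page and is not ACLE, GCC or Arm code: `Machine`, `lazy_save_pending`, `ZA_BYTES` and the function names are this example's inventions, and `lazy_save_pending` merely stands in for the real TPIDR2_EL0-based lazy-save mechanism. It only captures the two facts the message relies on: SMSTART ZA zeroes ZA when PSTATE.ZA was 0 and does nothing to the contents when PSTATE.ZA was already 1.

```c
/*
 * Toy model of the ZA lifecycle described in the commit message.
 * Added, constructed example: not ACLE, GCC or Arm code. It models only
 *   - SMSTART ZA zeroing ZA on the PSTATE.ZA 0 -> 1 transition, and
 *   - an uncommitted lazy save leaving PSTATE.ZA == 1 with the caller's
 *     contents still in ZA, so SMSTART ZA alone does not clear them.
 * ZA_BYTES, Machine, lazy_save_pending and all function names are inventions
 * of this example; lazy_save_pending stands in for TPIDR2_EL0 != 0.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ZA_BYTES 64u   /* toy size; the real ZA array is SVL x SVL bytes */

typedef struct {
    int pstate_za;          /* PSTATE.ZA: 1 means ZA is enabled */
    int lazy_save_pending;  /* a caller's ZA contents are still in ZA, not yet saved */
    uint8_t za[ZA_BYTES];
} Machine;

/* SMSTART ZA: the 0 -> 1 transition zeroes ZA; if PSTATE.ZA is already 1
   the instruction leaves the contents untouched. */
static void smstart_za(Machine *m)
{
    if (!m->pstate_za) {
        memset(m->za, 0, ZA_BYTES);
        m->pstate_za = 1;
    }
}

/* Commit a pending lazy save: copy the dormant contents to the caller's save
   area. With zero_after != 0, follow it with the ZERO { ZA } the commit
   message recommends for exactly this path. */
static void commit_lazy_save(Machine *m, uint8_t *save_area, int zero_after)
{
    if (!m->lazy_save_pending)
        return;
    memcpy(save_area, m->za, ZA_BYTES);
    m->lazy_save_pending = 0;
    if (zero_after)
        memset(m->za, 0, ZA_BYTES);
}

/* What a compiler would emit on entry to an arm_new_za function: commit any
   lazy save the caller left pending, then make sure ZA is enabled. */
static void arm_new_za_prologue(Machine *m, uint8_t *save_area, int zero_on_commit)
{
    commit_lazy_save(m, save_area, zero_on_commit);
    smstart_za(m);
}

/* Number of nonzero bytes the function body would observe in ZA on entry. */
static unsigned stale_bytes(const Machine *m)
{
    unsigned n = 0;
    for (unsigned i = 0; i < ZA_BYTES; i++)
        n += (m->za[i] != 0);
    return n;
}

/* Case 1: PSTATE.ZA == 0 on entry. Whatever the physical array still holds
   is unreachable, and SMSTART ZA zeroes it. */
static unsigned run_case1(int zero_on_commit)
{
    Machine m = {0};
    uint8_t save_area[ZA_BYTES];
    memset(m.za, 0xA5, ZA_BYTES);   /* constructed leftover physical contents */
    arm_new_za_prologue(&m, save_area, zero_on_commit);
    return stale_bytes(&m);
}

/* Case 2: a caller had live ZA data and set up a lazy save before a call
   chain that reaches the arm_new_za function, so PSTATE.ZA == 1 and the
   save is still uncommitted on entry. */
static unsigned run_case2(int zero_on_commit)
{
    Machine m = {0};
    uint8_t save_area[ZA_BYTES];
    smstart_za(&m);
    memset(m.za, 0xA5, ZA_BYTES);   /* constructed caller data, e.g. a partial product */
    m.lazy_save_pending = 1;
    arm_new_za_prologue(&m, save_area, zero_on_commit);
    return stale_bytes(&m);
}

int main(void)
{
    printf("case 1, no ZERO on commit: %u stale bytes\n", run_case1(0));
    printf("case 2, no ZERO on commit: %u stale bytes\n", run_case2(0));
    printf("case 2, ZERO on commit:    %u stale bytes\n", run_case2(1));
    return 0;
}
```

With the ZERO omitted, case 1 enters with 0 stale bytes while case 2 enters with all 64 bytes of the caller's data visible; adding the ZERO on the commit path brings case 2 down to 0 as well, which is why the commit message can require zero-initialized ZA at little cost: the extra instruction sits only on the rarely taken commit path.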