[PATCH 0/3] target/arm: add support for Cortex-M pointer authentication code

Torbjörn SVENSSON posted 3 patches 1 week, 5 days ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20260518-pr-pacbti-v1-0-8932a885b03d@foss.st.com
Maintainers: Peter Maydell <peter.maydell@linaro.org>
There is a newer version of this series
[PATCH 0/3] target/arm: add support for Cortex-M pointer authentication code
Posted by Torbjörn SVENSSON 1 week, 5 days ago
Testing an arm-none-eabi GCC toolchain using QEMU gives unpredictable
test results for some test cases. In the GCC testsuite function
check_effective_target_arm_pacbti_hw, the testsuite tries to identify
if the target supports PACBTI instructions. The test consists of:

        __attribute__ ((naked)) int
        main (void)
        {
          asm ("pac r12, lr, sp");
          asm ("mov r0, #0");
          asm ("autg r12, lr, sp");
          asm ("bx lr");
        }

Running the above code in QEMU will cause LR to get corrupted.
The reason for the corruption is that AUTG overlaps with the SMMLA
instruction, and SMMLA will write the result to Rn, that for
`AUTG R12, LR, SP` happens to match `LR`.

The solution to the above problem is to define the following new
Cortex-M instructions in QEMU:

* AUT
* AUTG
* BXAUT
* PAC
* PACBTI
* PACG

This patch series only implements the pointer authentication code part
of PACBTI. The branch target identification part is not implemented.

Signed-off-by: Torbjörn SVENSSON <torbjorn.svensson@foss.st.com>
---
Torbjörn SVENSSON (3):
      target/arm/tcg: define cortex-m85 cpu
      target/arm/tcg: add PAC related instructions
      target/arm: implement v8.1-m PAC support

 target/arm/cpu-features.h  |   6 ++
 target/arm/internals.h     |   2 +
 target/arm/tcg/cpu-v7m.c   |  40 +++++++++++++
 target/arm/tcg/m_helper.c  |  17 ++++++
 target/arm/tcg/t32.decode  |  21 ++++++-
 target/arm/tcg/translate.c | 138 +++++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 221 insertions(+), 3 deletions(-)
---
base-commit: ac6721b88df944ade0048822b2b74210f543d656
change-id: 20260518-pr-pacbti-366d7acbe1be

Best regards,
-- 
Torbjörn SVENSSON <torbjorn.svensson@foss.st.com>


Re: [PATCH 0/3] target/arm: add support for Cortex-M pointer authentication code
Posted by Peter Maydell 2 days, 6 hours ago
On Mon, 18 May 2026 at 17:16, Torbjörn SVENSSON
<torbjorn.svensson@foss.st.com> wrote:
>
> Testing an arm-none-eabi GCC toolchain using QEMU gives unpredictable
> test results for some test cases. In the GCC testsuite function
> check_effective_target_arm_pacbti_hw, the testsuite tries to identify
> if the target supports PACBTI instructions. The test consists of:
>
>         __attribute__ ((naked)) int
>         main (void)
>         {
>           asm ("pac r12, lr, sp");
>           asm ("mov r0, #0");
>           asm ("autg r12, lr, sp");
>           asm ("bx lr");
>         }
>
> Running the above code in QEMU will cause LR to get corrupted.
> The reason for the corruption is that AUTG overlaps with the SMMLA
> instruction, and SMMLA will write the result to Rn, that for
> `AUTG R12, LR, SP` happens to match `LR`.

If the test case is expecting to be able to run on any M-profile
CPU, this is a bug in the test case. The AUTG instruction is
specified as being UNPREDICTABLE if the DSP extension is implemented
and the PACBTI extension is not (and to UNDEF if neither extension
is implemented).

(We could consider making the QEMU behaviour for these
UNPREDICTABLE cases in SMMLA etc be "UNDEF" rather than
"write to the PC/LR"; we choose to handle this kind of
UNPREDICTABLE decode that way for other insns already.)

> The solution to the above problem is to define the following new
> Cortex-M instructions in QEMU:
>
> * AUT
> * AUTG
> * BXAUT
> * PAC
> * PACBTI
> * PACG
>
> This patch series only implements the pointer authentication code part
> of PACBTI. The branch target identification part is not implemented.

I think that overall we need the full PACBTI implemented -- we
can't advertise it in the CPU ID registers but only implement
part of it, or only implement it for user-mode and not for
system mode.

thanks
-- PMM
[PING] [PATCH 0/3] target/arm: add support for Cortex-M pointer authentication code
Posted by Torbjorn SVENSSON 3 days, 10 hours ago
Gentle ping! :)

There is apparently also a ticket for this work (that I did not see before I sent the patches): https://linaro.atlassian.net/browse/QEMU-444


On 2026-05-18 18:13, Torbjörn SVENSSON wrote:
> Testing an arm-none-eabi GCC toolchain using QEMU gives unpredictable
> test results for some test cases. In the GCC testsuite function
> check_effective_target_arm_pacbti_hw, the testsuite tries to identify
> if the target supports PACBTI instructions. The test consists of:
> 
>          __attribute__ ((naked)) int
>          main (void)
>          {
>            asm ("pac r12, lr, sp");
>            asm ("mov r0, #0");
>            asm ("autg r12, lr, sp");
>            asm ("bx lr");
>          }
> 
> Running the above code in QEMU will cause LR to get corrupted.
> The reason for the corruption is that AUTG overlaps with the SMMLA
> instruction, and SMMLA will write the result to Rn, that for
> `AUTG R12, LR, SP` happens to match `LR`.

The above statement is not entirely true.
SMMLA is writing the result to Rd and that happens to match PC, not Rn and LR.
Sorry for the confusion this might have caused.

Kind regards,
Torbjörn

> The solution to the above problem is to define the following new
> Cortex-M instructions in QEMU:
> 
> * AUT
> * AUTG
> * BXAUT
> * PAC
> * PACBTI
> * PACG
> 
> This patch series only implements the pointer authentication code part
> of PACBTI. The branch target identification part is not implemented.
> 
> Signed-off-by: Torbjörn SVENSSON <torbjorn.svensson@foss.st.com>
> ---
> Torbjörn SVENSSON (3):
>        target/arm/tcg: define cortex-m85 cpu
>        target/arm/tcg: add PAC related instructions
>        target/arm: implement v8.1-m PAC support
> 
>   target/arm/cpu-features.h  |   6 ++
>   target/arm/internals.h     |   2 +
>   target/arm/tcg/cpu-v7m.c   |  40 +++++++++++++
>   target/arm/tcg/m_helper.c  |  17 ++++++
>   target/arm/tcg/t32.decode  |  21 ++++++-
>   target/arm/tcg/translate.c | 138 +++++++++++++++++++++++++++++++++++++++++++++
>   6 files changed, 221 insertions(+), 3 deletions(-)
> ---
> base-commit: ac6721b88df944ade0048822b2b74210f543d656
> change-id: 20260518-pr-pacbti-366d7acbe1be
> 
> Best regards,


Re: [PING] [PATCH 0/3] target/arm: add support for Cortex-M pointer authentication code
Posted by Alex Bennée 3 days, 4 hours ago
Torbjorn SVENSSON <torbjorn.svensson@foss.st.com> writes:

> Gentle ping! :)
>
> There is apparently also a ticket for this work (that I did not see before I sent the patches): https://linaro.atlassian.net/browse/QEMU-444
>

The Linaro tickets are public (because we work directly upstream)
although the existence of a ticket should not imply that we plan to work
on it. We create tickets for most of the Arm CPU features so we can
track dependencies, what is left to do and when others have patches that
need review.

Our actual planned roadmap can be seen here: https://linaro.atlassian.net/wiki/spaces/QEMU/overview

>
> On 2026-05-18 18:13, Torbjörn SVENSSON wrote:
>> Testing an arm-none-eabi GCC toolchain using QEMU gives unpredictable
>> test results for some test cases. In the GCC testsuite function
>> check_effective_target_arm_pacbti_hw, the testsuite tries to identify
>> if the target supports PACBTI instructions. The test consists of:
>>          __attribute__ ((naked)) int
>>          main (void)
>>          {
>>            asm ("pac r12, lr, sp");
>>            asm ("mov r0, #0");
>>            asm ("autg r12, lr, sp");
>>            asm ("bx lr");
>>          }
>> Running the above code in QEMU will cause LR to get corrupted.
>> The reason for the corruption is that AUTG overlaps with the SMMLA
>> instruction, and SMMLA will write the result to Rn, that for
>> `AUTG R12, LR, SP` happens to match `LR`.
>
> The above statement is not entirely true.
> SMMLA is writing the result to Rd and that happens to match PC, not Rn and LR.
> Sorry for the confusion this might have caused.
>
> Kind regards,
> Torbjörn
>
>> The solution to the above problem is to define the following new
>> Cortex-M instructions in QEMU:
>> * AUT
>> * AUTG
>> * BXAUT
>> * PAC
>> * PACBTI
>> * PACG
>> This patch series only implements the pointer authentication code part
>> of PACBTI. The branch target identification part is not implemented.
>> Signed-off-by: Torbjörn SVENSSON <torbjorn.svensson@foss.st.com>
>> ---
>> Torbjörn SVENSSON (3):
>>        target/arm/tcg: define cortex-m85 cpu
>>        target/arm/tcg: add PAC related instructions
>>        target/arm: implement v8.1-m PAC support
>>   target/arm/cpu-features.h  |   6 ++
>>   target/arm/internals.h     |   2 +
>>   target/arm/tcg/cpu-v7m.c   |  40 +++++++++++++
>>   target/arm/tcg/m_helper.c  |  17 ++++++
>>   target/arm/tcg/t32.decode  |  21 ++++++-
>>   target/arm/tcg/translate.c | 138 +++++++++++++++++++++++++++++++++++++++++++++
>>   6 files changed, 221 insertions(+), 3 deletions(-)
>> ---
>> base-commit: ac6721b88df944ade0048822b2b74210f543d656
>> change-id: 20260518-pr-pacbti-366d7acbe1be
>> Best regards,

-- 
Alex Bennée
Virtualisation Tech Lead @ Linaro