Add support for cmse_nonsecure_entry attribute #75810
Conversation
|
Some changes occurred in diagnostic error codes |
|
r? @oli-obk (rust_highfive has picked a reviewer for you, use r? to override) |
|
r? @jonas-schievink can you take this one? (if not, reassign to me) |
There was a problem hiding this comment.
Compiler changes look basically good to me. The whole PR is so small that I think we can add this feature without an RFC/MCP/FCP/whatever, but stabilizing the feature will require more care.
I think a few small things need to be done before this can land:
- The PR needs a rebase to fix the merge conflicts.
- The new feature needs to be added to and documented in the unstable book (
src/doc/unstable-book). - A UI test should be added that ensures that the error you added is emitted.
- A tracking issue needs to be opened.
It would also be good to figure out more about plans for CMSE support in Rust. For example, is this the only thing that needs compiler support to allow writing privileged Rust apps that expose an interface for unprivileged code, or is more needed? If more language features are needed, it would be a good idea to coordinate with the language team to figure out the bigger picture before implementing more things.
|
Great, thanks a lot for the quick and helpful review 👍
As soon as #73526 is merged, I will rebase on top of that as the new LLVM version is needed.
Sure, will add those things!
Should I add it now and use the issue number in this PR? With the title: "Tracking issue for the cmse_nonsecure_entry attribute"?
For the Secure code to expose the Non-Secure Entry functions, only this attribute is needed. The rest of the work is done by the linker. It is worth to note that as far as I know LLD currently does not support CMSE so that one must use There is also another attribute to be implemented, fn non_secure_callback(callback: fn(i32) -> i32) {
let val = (#[cmse_nonsecure_call] callback)(42);
}This would need a new Rust feature to be able to add call site attributes. This is also gated by the The other things needed to build a TrustZone-M application are mostly in |
|
Sounds good!
This is getting somewhat off-topic, but this sounds like something that belongs in the function's ABI instead of each call site, which would make it way simpler to implement. Maybe we should discuss this on Zulip? |
938bc98 to
55c47cc
Compare
|
I should have adressed all of your comments and created #75835 as a tracking issue. |
src/doc/unstable-book/src/language-features/cmse-nonsecure-entry.md
Outdated
Show resolved
Hide resolved
| 5.4](https://developer.arm.com/documentation/ecm0359818/latest/) for details). | ||
| With this attribute, the compiler will do the following: | ||
| * add a special symbol on the function which is the `__acle_se_` prefix and the | ||
| standard function name |
There was a problem hiding this comment.
Does that mean the function's name will be mangled differently or is this an aliased or additional symbol?
There was a problem hiding this comment.
I believe this is an additional symbol. So that if you set this attribute on a function named toto, the compiler will generate the following assembly:
toto:
__acle_se_toto:
INSTRUCTIONS
and the toto symbol will be set as weak. That way the linker can create the veneer like so:
toto:
SG
B.W __acle_se_toto
and the symbol toto and its address is passed to NS.
This is explained section 3.4.4 in here.
I don't think it modifies the mangling. However, as you can see in the examples in this PR, I believe you would always use the no_mangle and extern "C" ABI on the entry functions as they go through FFI.
There was a problem hiding this comment.
Ah, I think we should definitely forbid using this attribute with non-"C" ABI functions then. Since the Rust ABI is unstable, it can pass arguments either directly in registers, or in memory, and that would be a problem here.
There was a problem hiding this comment.
Yes that makes sense, I am looking if there is a way to check what the ABI of the function compiled is.
[edit]: and add tests with and without the C ABI as well!
There was a problem hiding this comment.
It was easier than anticipated 😃 Added a new error code for that.
src/doc/unstable-book/src/language-features/cmse-nonsecure-entry.md
Outdated
Show resolved
Hide resolved
|
☔ The latest upstream changes (presumably #74862) made this pull request unmergeable. Please resolve the merge conflicts. |
|
Thought this may be useful to folks interested in the PR. I published a small medium post, summarizing TZ for ARMv8-M (as a future reference to myself). |
88e3916 to
2411cd4
Compare
Secure entry functions do not support if arguments are passed on the stack. An "unsupported" diagnostic will be emitted by LLVM if that is the case. This commits adds support in Rust for that diagnostic so that an error will be output if that is the case! Signed-off-by: Hugues de Valon <hugues.devalon@arm.com>
2411cd4 to
cbe57a8
Compare
|
Hey @jonas-schievink 👋 ! Sorry for the force-push but since when rebasing I realised that everything changed under the feet of this PR, I gathered I might as well 😅 I added a first commit that updates the LLVM submodule to the one that includes the bug fix. The bug fix is there but when creating an entry function which requires arguments being passed on stack, it throws an "unsupported" diagnostic which was not supported in Rust ABI. I added support for it in the first commit as well. Also added a test for that case, the error message: weirdly lacks location information but at least you have the function name so I thought it was enough for now. I don't know how to pass that UI test locally though so I am sure it will fail on the CI 😢 |
This patch adds support for the LLVM cmse_nonsecure_entry attribute. This is a target-dependent attribute that only has sense for the thumbv8m Rust targets. You can find more information about this attribute here: https://developer.arm.com/documentation/ecm0359818/latest/ Signed-off-by: Hugues de Valon <hugues.devalon@arm.com>
cbe57a8 to
1aaafac
Compare
Signed-off-by: Hugues de Valon <hugues.devalon@arm.com>
|
@bors r+ |
|
📌 Commit 2588287 has been approved by |
|
☀️ Test successful - checks-actions, checks-azure |
Hi @hug-dev - so, I've been experimenting with this PR in nightly over the weekend and firstly thank you so much for the work 👍. Just a quick question or rather clarification - From the above comments, I understand we still need to wait for support to be added for If my understanding is correct - would you happen to know if anyone in the Rust community/team is working on call-site attributes support? or if we can put in a PR for this without duplication. |
|
Thank you 😄 I am glad this is useful.
You are right that you could use the unsafe {
// The beginning of the flash memory for the Non-Secure application
let ns_vector_table = 0x00200000u32 as *const u32;
// Set the last bit to zero to show a transition from Secure to Non-Secure
let ns_reset_vector = *(0x00200004u32 as *const u32) & !1u32;
// Switch the stack pointer to the Main Stack Pointer from Non-Secure world
cortex_m::register::msp::write_ns(*ns_vector_table);
// Branch to the Non-Secure reset vector
cortex_m::asm::bx_ns(ns_reset_vector);
}I added unsafe {
// The beginning of the flash memory for the Non-Secure application
let ns_vector_table = 0x00200000u32 as *const u32;
cortex_m::register::msp::write_ns(*ns_vector_table);
let ns_entry: extern "C" fn() = unsafe { std::mem::transmute(*(0x00200004u32 as *const u32)) };
(#[cmse_nonsecure_call] ns_entry)()
}I don't think anyone is currently working on call site attributes, and I was meant to start a "design proposal" of how to implement this attribute. There was also a suggestion to encode it as a different ABI. If you are definitely interested in this one, I can get to it sooner than later! |
That would be great.... definitely
So, yep I'm most interested and would also love to help in any way I can. {although full disclosure - my knowledge on compilers is |
|
Nice! Well I can start by making a proposal on Zulip that I will post here when ready. Then you can help reviewing it 😃 |
|
@hug-dev Hi, just checking in to see if there are any new updates. |
|
Hey @nihalpasham! |
|
Oh, that's alright. I kind of lost track of this too. PS - Wish you a merry Christmas and happy holidays! |
|
Hey @hug-dev, Just thought I'd check-in to see if you're back. |
|
Hello! I am 😄 Ok, I will take some time this week or the next to think about this again and start a discussion on Zulip 👍 |
|
Discussion about how to add the remaining |
…chievink Add a new ABI to support cmse_nonsecure_call This adds support for the `cmse_nonsecure_call` feature to be able to perform non-secure function call. See the discussion on Zulip [here](https://rust-lang.zulipchat.com/#narrow/stream/131828-t-compiler/topic/Support.20for.20callsite.20attributes/near/223054928). This is a followup to rust-lang#75810 which added `cmse_nonsecure_entry`. As for that PR, I assume that the changes are small enough to not have to go through a RFC but I don't mind doing one if needed 😃 I did not yet create a tracking issue, but if most of it is fine, I can create one and update the various files accordingly (they refer to the other tracking issue now). On the Zulip chat, I believe `@jonas-schievink` volunteered to be a reviewer 💯
This pull request adds the
cmse_nonsecure_entryattribute under an unstable feature.I was not sure if it was fine for me to send directly the pull-request or if I should submit a RFC first. I was told on Zulip that it was fine to do so but please close it if I need first submit a RFC or follow another process instead.
The
cmse_nonsecure_entryattribute is a LLVM attribute that will be available in LLVM 11. I plan to rebase on the upgrade PR once merged to make this one compile.This attribute modifies code generation of the function as explained here to make it work with the TrustZone-M hardware feature. This feature is only available on
thumbv8mtargets so I created an error for that if one tries to use this attribute for another target.I added this attribute in Rust as any other LLVM attribute are added but since this one is target-dependent I am not sure if it was the best thing to do. Please indicate me if you think of other ways, like isolating target-dependent attributes together.
Tracking issue: #75835