Improve the signing authentication scheme.

Added a descriminator to the buffer.
Signed the second part of the PC with the first part.
misc fix:wq use hint instead of xplaclri

Author: DanielKristofKiss

libunwind/src/Registers.hpp

@@ -1829,19 +1829,18 @@ class _LIBUNWIND_HIDDEN Registers_arm64 {
   struct GPRs;
 
 private:
-  /// The program counter is used effectively as a return address
-  /// when the context is restored therefore protect it with PAC.
-  /// The base address of the context is used with the A key for
-  /// authentication and signing. Return address authentication is
-  /// still managed according to the unwind info. In some cases
-  /// the LR contains significant bits in the space for the PAC bits the
-  /// value of the PC is stored in 2 halfs and each signed.
-  inline uint64_t getDiscriminator() const {
-    return reinterpret_cast<uint64_t>(this);
-  }
 #if defined(_LIBUNWIND_AARCH64_PC_PROTECTION)
+  /// The program counter is effectively used as a return address when the
+  /// context is restored; therefore, it should be protected with PAC to prevent
+  /// arbitrary returns. The base address of the context is blended with a
+  /// discriminator using the A key for authentication and signing. Return
+  /// address authentication is still managed according to the unwind
+  /// information. In some cases, the LR contains significant bits in the space
+  /// reserved for PAC bits, so the value of the PC is stored in two halves.
+  ///  The second half is signed using the first half as a discriminator to bind
+  ///  the two halves together.
 #if defined(_LIBUNWIND_PTRAUTH_AVAILABLE)
-/// Use Pointer Authentication Intrinsics when available.
+  /// Use Pointer Authentication Intrinsics when available.
 #define __libunwind_ptrauth_auth_data(__value, __key, __discriminator)         \
   ptrauth_auth_data(__value, __key, __discriminator)
 #define __libunwind_ptrauth_auth_and_resign(pointer, oldKey, oldDiscriminator, \
@@ -1850,6 +1849,8 @@ class _LIBUNWIND_HIDDEN Registers_arm64 {
                           newDiscriminator)
 #define __libunwind_ptrauth_sign_unauthenticated(__value, __key, __data)       \
   ptrauth_sign_unauthenticated(__value, __key, __data)
+#define __libunwind_ptrauth_blend_discriminator(__ptr, __data)                 \
+  ptrauth_blend_discriminator(__ptr, __data)
 #else // !_LIBUNWIND_PTRAUTH_AVAILABLE
   typedef enum {
     ptrauth_key_asia = 0,
@@ -1900,14 +1901,21 @@ class _LIBUNWIND_HIDDEN Registers_arm64 {
         __libunwind_ptrauth_auth_data(pointer, oldKey, oldDiscriminator),
         newKey, newDiscriminator);
   }
+#define __libunwind_ptrauth_blend_discriminator(__ptr, __data)                 \
+  ptrauth_blend_discriminator(__ptr, __data)
 #endif
+  inline uint64_t
+  __libunwind_ptrauth_blend_discriminator(uint64_t __ptr,
+                                          uint16_t __data) const {
+    return (__ptr & (~0 >> 16)) | ((uint64_t)__data << 48);
+  }
   // Authenticate the currently stored PC and return it's raw value.
   inline uint64_t authPC(const struct GPRs *gprs,
                          uint64_t discriminator) const {
+    uint64_t upper = (uint64_t)__libunwind_ptrauth_auth_data(
+        (void *)gprs->__pc2, ptrauth_key_asia, gprs->__pc);
     uint64_t lower = (uint64_t)__libunwind_ptrauth_auth_data(
         (void *)gprs->__pc, ptrauth_key_asia, discriminator);
-    uint64_t upper = (uint64_t)__libunwind_ptrauth_auth_data(
-        (void *)gprs->__pc2, ptrauth_key_asia, discriminator);
     return (upper << 32) | lower;
   }
 
@@ -1917,19 +1925,26 @@ class _LIBUNWIND_HIDDEN Registers_arm64 {
         (void *)(value & (((uint64_t)~0) >> 32)), ptrauth_key_asia,
         getDiscriminator());
     _registers.__pc2 = (uint64_t)__libunwind_ptrauth_sign_unauthenticated(
-        (void *)(value >> 32), ptrauth_key_asia, getDiscriminator());
+        (void *)(value >> 32), ptrauth_key_asia, _registers.__pc);
   }
 
   // Update the signature on the current PC.
   inline void resignPC(uint64_t oldDiscriminator) {
+    uint64_t old_signed_pc = _registers.__pc;
     _registers.__pc = (uint64_t)__libunwind_ptrauth_auth_and_resign(
         (void *)_registers.__pc, ptrauth_key_asia, oldDiscriminator,
         ptrauth_key_asia, getDiscriminator());
     _registers.__pc2 = (uint64_t)__libunwind_ptrauth_auth_and_resign(
-        (void *)_registers.__pc2, ptrauth_key_asia, oldDiscriminator,
-        ptrauth_key_asia, getDiscriminator());
+        (void *)_registers.__pc2, ptrauth_key_asia, old_signed_pc,
+        ptrauth_key_asia, _registers.__pc);
   }
 #else //! defined(_LIBUNWIND_AARCH64_PC_PROTECTION))
+  inline uint64_t
+  __libunwind_ptrauth_blend_discriminator(uint64_t __ptr,
+                                          uint16_t __data) const {
+    (void)__data;
+    return __ptr;
+  }
   // Remote unwinding is not supported by this protection.
   inline uint64_t authPC(const struct GPRs *gprs,
                          const uint64_t discriminator) const {
@@ -1940,6 +1955,11 @@ class _LIBUNWIND_HIDDEN Registers_arm64 {
   inline void resignPC(uint64_t oldDiscriminator) { (void)oldDiscriminator; }
 #endif
 
+  inline uint64_t getDiscriminator() const {
+    return __libunwind_ptrauth_blend_discriminator(
+        reinterpret_cast<uint64_t>(this), 0xface);
+  }
+
 public:
   Registers_arm64();
   Registers_arm64(const void *registers);
@@ -2010,7 +2030,8 @@ inline Registers_arm64::Registers_arm64(const void *registers) {
                 "expected VFP registers to be at offset 272");
 #endif
   // getcontext signs the PC with the base address of the context.
-  resignPC(reinterpret_cast<uint64_t>(registers));
+  resignPC(__libunwind_ptrauth_blend_discriminator(
+      reinterpret_cast<uint64_t>(registers), 0xface));
   memcpy(_vectorHalfRegisters,
          static_cast<const uint8_t *>(registers) + sizeof(GPRs),
          sizeof(_vectorHalfRegisters));

libunwind/src/UnwindRegistersRestore.S

@@ -659,24 +659,26 @@ DEFINE_LIBUNWIND_FUNCTION(__libunwind_Registers_arm64_jumpto)
   ldp    x28,x29, [x0, #0x0E0]
 #if defined(_LIBUNWIND_AARCH64_PC_PROTECTION)
 #define __VOFFSET 0x118
-  // Authenticate return address with the address of the context.
-  ldr    x30,     [x0, #0x100]  // __pc
+  // See the description in Registers_arm64
+  ldr    x30,     [x0, #0x100]    // __pc
   mov    x17, x30
-  mov    x16,  x0
-  hint   0xc      // autia1716
-  xpaclri
-  cmp    x17, x30
+  mov    x16,  x0                 // auth with the buffer's address
+  movk   x16, #0xface, lsl #48    // blinded with a constant
+  hint   0xc                      // autia1716
+  hint   0x7                      // xpaclri
+  cmp    x17, x30                 // check if the auth failed
   b.ne   LauthError
   mov    x1, x17
-  ldr    x30,     [x0, #0x110]  // __pc2
+  ldr    x30,     [x0, #0x110]    // __pc2
   mov    x17, x30
-  hint   0xc // autia1716
-  xpaclri
-  cmp    x17, x30
+  ldr    x16,     [x0, #0x100]    // Auth the second part with the signed first part
+  hint   0xc                      // autia1716
+  hint   0x7                      // xpaclri
+  cmp    x17, x30                 // check if the auth failed
   b.ne   LauthError
   lsl    x17, x17, 32
   orr    x30, x17, x1
-  mov    x16, xzr
+  mov    x16, xzr                 // clearup registers
   mov    x17, xzr
 #else
 #define __VOFFSET 0x110

libunwind/src/UnwindRegistersSave.S

@@ -746,11 +746,12 @@ DEFINE_LIBUNWIND_FUNCTION(__unw_getcontext)
   str    x1,      [x0, #0x0F8]
 #if defined(_LIBUNWIND_AARCH64_PC_PROTECTION)
 #define __VOFFSET 0x118
-  // Sign the return address as pc with the address of the context
-  // buttom and the top word signed and stored sepearetly.
+  // See the description in Registers_arm64
   mov    w17, w30                 // lower part of the PC
   mov    x16, x0                  // sign with the address of the context
+  movk   x16, #0xface, lsl #48    // blinded with a constant
   hint   0x8                      // pacia1716
+  mov    x16, x17                 // sign the second part with the first part
   str    x17,     [x0, #0x100]    // store to __pc
   mov    x17, x30                 // upper part of the PC
   lsr    x17, x17, 32