arch: arm: support PACBTI with unprivileged mode

To support unprivileged mode (CONFIG_USERSPACE):
- Set unprivileged PAC key registers when system is in unprivileged
  mode.
- Add `bti` after each svc call, to make sure that the indirect jumps on
  `lr` while returning from an `svc` don't result in a usage fault.

Signed-off-by: Sudan Landge <[email protected]>

Author: wearyzen

arch/arm/core/cortex_m/swap_helper.S

@@ -316,6 +316,12 @@ SECTION_FUNC(TEXT, z_arm_pendsv)
 
 #ifdef CONFIG_ARM_PAC_PER_THREAD
     /* Read thread's dedicated PAC key and write them in the privileged PAC key registers.
+     * Note: There is no way to know the _current thread mode after the thread creation since
+     * `_current->arch.mode` for the userspace thread is set in z_arm_userspace_enter() which
+     * runs after z_arm_pendsv is done. So for now, while switching to an unprivileged thread
+     * the same PAC keys are set in both privileged and unprivileged PAC key registers.
+     * TODO: find a way to not set privileged PAC keys if the thread being switched into is an
+     * unprivileged thread.
      */
     add r0, r2, #_thread_offset_to_pac_keys
     ldmia r0!, {r3-r6}

arch/arm/core/irq_offload.c

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2015 Intel corporation
+ * Copyright 2025 Arm Limited and/or its affiliates <[email protected]>
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -34,7 +35,8 @@ void arch_irq_offload(irq_offload_routine_t routine, const void *parameter)
 	offload_routine = routine;
 	offload_param = parameter;
 
-	__asm__ volatile ("svc %[id]"
+	__asm__ volatile ("svc %[id]\n"
+			  IF_ENABLED(CONFIG_ARM_BTI, ("bti"))
 			  :
 			  : [id] "i" (_SVC_CALL_IRQ_OFFLOAD)
 			  : "memory");

arch/arm/core/userspace.S

@@ -273,10 +273,24 @@ SECTION_FUNC(TEXT,z_arm_userspace_enter)
     orrs ip, ip, #1
     /* Store (unprivileged) mode in thread's mode state variable */
     str r1, [r0, #_thread_offset_to_mode]
+
+#ifdef CONFIG_ARM_PAC_PER_THREAD
+    /* Read thread's dedicated PAC key and since we are in unprivileged mode write them in the
+     * unprivileged PAC key registers.
+     * This needs to be done before we switch to unprivileged mode.
+     */
+    add r1, r0, #_thread_offset_to_pac_keys
+    ldmia r1!, {r3-r6}
+    msr  PAC_KEY_U_0, r3
+    msr  PAC_KEY_U_1, r4
+    msr  PAC_KEY_U_2, r5
+    msr  PAC_KEY_U_3, r6
+    clrm {r3-r6}
+#endif
 #endif
     dsb
     msr CONTROL, ip
-#endif
+#endif /* CONFIG_CPU_AARCH32_CORTEX_R */
 
     /* ISB is not strictly necessary here (stack pointer is not being
      * touched), but it's recommended to avoid executing pre-fetched

arch/common/Kconfig

@@ -80,7 +80,6 @@ config ARM_PAC_PER_THREAD
 	bool "Set cryptographically secure PAC key per thread"
 	depends on ARM_PAC
 	depends on ENTROPY_DEVICE_RANDOM_GENERATOR || TIMER_RANDOM_GENERATOR
-	depends on !USERSPACE
 	help
 	  Select this option to generate and use unique keys per thread to generate Pointer
 	  Authentication Code.
@@ -115,48 +114,48 @@ choice ARM_PACBTI
 
 config ARM_PACBTI_STANDARD
 	bool "Standard (PACRET + LEAF + BTI)"
-	select ARM_PAC if !USERSPACE
-	select ARM_BTI if !USERSPACE
+	select ARM_PAC
+	select ARM_BTI
 	help
 	  This option instructs the compiler to generate code with all branch protection features
 	  enabled at their standard level.
 
 config ARM_PACBTI_PACRET
 	bool "PACRET only"
-	select ARM_PAC if !USERSPACE
+	select ARM_PAC
 	help
 	  This option instructs the compiler to generate code with return address signing for
 	  all functions that save the return address to memory.
 
 config ARM_PACBTI_PACRET_LEAF
 	bool "PACRET + Leaf"
-	select ARM_PAC if !USERSPACE
+	select ARM_PAC
 	help
 	  This option instructs the compiler to generate code with return address signing for
 	  all functions that save the return address to memory and,
 	  also sign leaf functions even if they do not write the return address to memory.
 
 config ARM_PACBTI_BTI
 	bool "BTI only"
-	select ARM_BTI if !USERSPACE
+	select ARM_BTI
 	help
 	  This option enables Branch Target Identification (BTI), which inserts special landing
 	  pad instructions at valid indirect branch targets. This option does not enable Pointer
 	  Authentication (PAC).
 
 config ARM_PACBTI_PACRET_BTI
 	bool "PACRET + BTI"
-	select ARM_PAC if !USERSPACE
-	select ARM_BTI if !USERSPACE
+	select ARM_PAC
+	select ARM_BTI
 	help
 	  This option instructs the compiler to generate code with return address signing for
 	  all functions that save the return address to memory and,
 	  add landing-pad instructions at the permitted targets of indirect branch instructions
 
 config ARM_PACBTI_PACRET_LEAF_BTI
 	bool "PACRET + Leaf + BTI"
-	select ARM_PAC if !USERSPACE
-	select ARM_BTI if !USERSPACE
+	select ARM_PAC
+	select ARM_BTI
 	help
 	  This option instructs the compiler to generate code with return address signing for
 	  all functions that save the return address to memory and,

include/zephyr/arch/arm/error.h

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2013-2014 Wind River Systems, Inc.
- * Copyright (c) 2023 Arm Limited
+ * Copyright 2023, 2025 Arm Limited and/or its affiliates <[email protected]>
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -39,6 +39,7 @@ do {\
 	__asm__ volatile( \
 		"mov r0, %[_reason]\n" \
 		"svc %[id]\n" \
+		IF_ENABLED(CONFIG_ARM_BTI, ("bti\n")) \
 		:: [_reason] "r" (reason_p), [id] "i" (_SVC_CALL_RUNTIME_EXCEPT) \
 		: "r0", "memory"); \
 } while (false)
@@ -59,6 +60,7 @@ do { \
 		"push {lr}\n\t" \
 		"cpsie i\n\t" \
 		"svc %[id]\n\t" \
+		IF_ENABLED(CONFIG_ARM_BTI, ("bti\n\t")) \
 		"pop {lr}\n\t" \
 		: \
 		: "r" (r0), [id] "i" (_SVC_CALL_RUNTIME_EXCEPT) \

include/zephyr/arch/arm/syscall.h

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2018 Linaro Limited.
+ * Copyright 2025 Arm Limited and/or its affiliates <[email protected]>
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -27,6 +28,7 @@
 #include <zephyr/types.h>
 #include <stdbool.h>
 #include <zephyr/arch/arm/misc.h>
+#include <zephyr/sys/util_macro.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -50,6 +52,7 @@ static inline uintptr_t arch_syscall_invoke6(uintptr_t arg1, uintptr_t arg2,
 	register uint32_t r6 __asm__("r6") = call_id;
 
 	__asm__ volatile("svc %[svid]\n"
+			 IF_ENABLED(CONFIG_ARM_BTI, ("bti\n"))
 			 : "=r"(ret), "=r"(r1), "=r"(r2), "=r"(r3)
 			 : [svid] "i" (_SVC_CALL_SYSTEM_CALL),
 			   "r" (ret), "r" (r1), "r" (r2), "r" (r3),
@@ -72,6 +75,7 @@ static inline uintptr_t arch_syscall_invoke5(uintptr_t arg1, uintptr_t arg2,
 	register uint32_t r6 __asm__("r6") = call_id;
 
 	__asm__ volatile("svc %[svid]\n"
+			 IF_ENABLED(CONFIG_ARM_BTI, ("bti\n"))
 			 : "=r"(ret), "=r"(r1), "=r"(r2), "=r"(r3)
 			 : [svid] "i" (_SVC_CALL_SYSTEM_CALL),
 			   "r" (ret), "r" (r1), "r" (r2), "r" (r3),
@@ -92,6 +96,7 @@ static inline uintptr_t arch_syscall_invoke4(uintptr_t arg1, uintptr_t arg2,
 	register uint32_t r6 __asm__("r6") = call_id;
 
 	__asm__ volatile("svc %[svid]\n"
+			 IF_ENABLED(CONFIG_ARM_BTI, ("bti\n"))
 			 : "=r"(ret), "=r"(r1), "=r"(r2), "=r"(r3)
 			 : [svid] "i" (_SVC_CALL_SYSTEM_CALL),
 			   "r" (ret), "r" (r1), "r" (r2), "r" (r3),
@@ -111,6 +116,7 @@ static inline uintptr_t arch_syscall_invoke3(uintptr_t arg1, uintptr_t arg2,
 	register uint32_t r6 __asm__("r6") = call_id;
 
 	__asm__ volatile("svc %[svid]\n"
+			 IF_ENABLED(CONFIG_ARM_BTI, ("bti\n"))
 			 : "=r"(ret), "=r"(r1), "=r"(r2)
 			 : [svid] "i" (_SVC_CALL_SYSTEM_CALL),
 			   "r" (ret), "r" (r1), "r" (r2), "r" (r6)
@@ -127,6 +133,7 @@ static inline uintptr_t arch_syscall_invoke2(uintptr_t arg1, uintptr_t arg2,
 	register uint32_t r6 __asm__("r6") = call_id;
 
 	__asm__ volatile("svc %[svid]\n"
+			 IF_ENABLED(CONFIG_ARM_BTI, ("bti\n"))
 			 : "=r"(ret), "=r"(r1)
 			 : [svid] "i" (_SVC_CALL_SYSTEM_CALL),
 			   "r" (ret), "r" (r1), "r" (r6)
@@ -142,6 +149,7 @@ static inline uintptr_t arch_syscall_invoke1(uintptr_t arg1,
 	register uint32_t r6 __asm__("r6") = call_id;
 
 	__asm__ volatile("svc %[svid]\n"
+			 IF_ENABLED(CONFIG_ARM_BTI, ("bti\n"))
 			 : "=r"(ret)
 			 : [svid] "i" (_SVC_CALL_SYSTEM_CALL),
 			   "r" (ret), "r" (r6)
@@ -155,6 +163,7 @@ static inline uintptr_t arch_syscall_invoke0(uintptr_t call_id)
 	register uint32_t r6 __asm__("r6") = call_id;
 
 	__asm__ volatile("svc %[svid]\n"
+			 IF_ENABLED(CONFIG_ARM_BTI, ("bti\n"))
 			 : "=r"(ret)
 			 : [svid] "i" (_SVC_CALL_SYSTEM_CALL),
 			   "r" (ret), "r" (r6)