diff --git a/pkg/arch/arm64/decode_branch.go b/pkg/arch/arm64/decode_branch.go
index 3844f72..c0fefec 100644
--- a/pkg/arch/arm64/decode_branch.go
+++ b/pkg/arch/arm64/decode_branch.go
@@ -157,4 +157,121 @@ var branchPatterns = []InstrPattern{
 	// ---- Exception generation: HLT/BRK ----
 	{Name: "HLT", Mask: 0xFFE0001F, Value: 0xD4400000, Op: HLT},
 	{Name: "BRK", Mask: 0xFFE0001F, Value: 0xD4200000, Op: BRK},
+
+	// ---- PACIASP - 对 LR 使用 SP 作为修饰符进行签名 ----
+	// 编码: 1101_0101_0000_0011_0010_0011_1111_1111
+	// 实际上这是 HINT #32 的特殊形式
+	{
+		Name: "PACIASP",
+		Mask: 0xFFFFFFFF,
+		Value: 0xD503237F, // HINT #32, 在支持 PAC 的 CPU 上是 PACIASP
+		Op: PACIASP,
+		Fields: []FieldDef{}, // 无字段
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			// PACIASP 不涉及立即数或寄存器操作数
+			inst.Imm = 0
+		},
+	},
+
+	// ---- AUTIASP - 验证并还原 LR ----
+	// 编码: 1101_0101_0000_0011_0010_0011_1011_1111
+	{
+		Name: "AUTIASP",
+		Mask: 0xFFFFFFFF,
+		Value: 0xD50323BF, // HINT #46, 在支持 PAC 的 CPU 上是 AUTIASP
+		Op: AUTIASP,
+		Fields: []FieldDef{},
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			inst.Imm = 0
+		},
+	},
+
+	// ---- PACIAZ - 使用零作为修饰符对 LR 签名 ----
+	{
+		Name: "PACIAZ",
+		Mask: 0xFFFFFFFF,
+		Value: 0xD503233F, // HINT #38
+		Op: PACIAZ,
+	},
+
+	// ---- AUTIAZ - 使用零作为修饰符验证 LR ----
+	{
+		Name: "AUTIAZ",
+		Mask: 0xFFFFFFFF,
+		Value: 0xD50323FF, // HINT #63
+		Op: AUTIAZ,
+	},
+
+	// ---- PACIBSP - 使用 SP 作为修饰符对 LR 签名 (使用 B 密钥) ----
+	{
+		Name: "PACIBSP",
+		Mask: 0xFFFFFFFF,
+		Value: 0xD50327FF, // HINT #31 的某种形式
+		Op: PACIBSP,
+	},
+
+	// ---- AUTIBSP - 使用 SP 作为修饰符验证 LR (使用 B 密钥) ----
+	{
+		Name: "AUTIBSP",
+		Mask: 0xFFFFFFFF,
+		Value: 0xD50327BF, // HINT #47
+		Op: AUTIBSP,
+	},
+
+	// ---- XPACLRI - 清除 PAC 签名 ----
+	{
+		Name: "XPACLRI",
+		Mask: 0xFFFFFFFF,
+		Value: 0xD50320FF, // HINT #7
+		Op: XPACLRI,
+	},
+
+	// BTI (Branch Target Identification) 指令
+	// ---- BTI C - 接受 CALL 类型跳转 ----
+	{
+		Name: "BTI C",
+		Mask: 0xFFFFFFFF,
+		Value: 0xD503245F, // HINT #36
+		Op: BTI_C,
+		Fields: []FieldDef{},
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			inst.Imm = 36 // hint number
+		},
+	},
+
+	// ---- BTI J - 接受 JUMP 类型跳转 ----
+	{
+		Name: "BTI J",
+		Mask: 0xFFFFFFFF,
+		Value: 
0xD503255F, // HINT #44
+		Op: BTI_J,
+		Fields: []FieldDef{},
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			inst.Imm = 44
+		},
+	},
+
+	// ---- BTI JC - 接受两者 ----
+	{
+		Name: "BTI JC",
+		Mask: 0xFFFFFFFF,
+		Value: 0xD503265F, // HINT #50
+		Op: BTI_JC,
+		Fields: []FieldDef{},
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			inst.Imm = 50
+		},
+	},
+
+	// ---- BTI (默认 = BTI JC) ----
+	{
+		Name: "BTI",
+		Mask: 0xFFFFFFFF,
+		Value: 0xD503275F, // HINT #62
+		Op: BTI,
+		Fields: []FieldDef{},
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			inst.Imm = 62
+		},
+	},
 }
diff --git a/pkg/arch/arm64/decoder.go b/pkg/arch/arm64/decoder.go
index c3c503c..233a1b1 100644
--- a/pkg/arch/arm64/decoder.go
+++ b/pkg/arch/arm64/decoder.go
@@ -151,6 +151,17 @@ const (
 	LDPSW
 	LDADD
 	CAS
+	PACIASP
+	AUTIASP
+	PACIAZ
+	AUTIAZ
+	PACIBSP
+	AUTIBSP
+	XPACLRI
+	BTI_C
+	BTI_J
+	BTI_JC
+	BTI
 	UNSUPPORTED
 )
@@ -318,6 +329,8 @@ func OpName(op Op) string {
 		MSR_WRITE: "MSR", PRFM: "PRFM", LDAR: "LDAR", STLR: "STLR", LDAXR: "LDAXR", STLXR: "STLXR", LDPSW: "LDPSW", LDADD: "LDADD", CAS: "CAS",
+		PACIASP: "PACIASP", AUTIASP: "AUTIASP", PACIAZ: "PACIAZ", AUTIAZ: "AUTIAZ", PACIBSP: "PACIBSP", AUTIBSP: "AUTIBSP", XPACLRI: "XPACLRI",
+		BTI_C: "BTI c", BTI_J: "BTI j", BTI_JC: "BTI jc", BTI: "BTI",
 	}
 	if n, ok := names[op]; ok {
 		return n
diff --git a/pkg/arch/arm64/translator.go b/pkg/arch/arm64/translator.go
index 2caaf26..b54e700 100644
--- a/pkg/arch/arm64/translator.go
+++ b/pkg/arch/arm64/translator.go
@@ -602,6 +602,13 @@ func (t *Translator) translateOne(instructions []vm.Instruction, idx int) (int,
 		return 0, t.trStackLdadd(inst)
 	case CAS:
 		return 0, t.trStackCas(inst)
+	// ========== PAC/BTI NOP化 ==========
+	case PACIASP, AUTIASP, PACIAZ, AUTIAZ, PACIBSP, AUTIBSP, XPACLRI:
+		t.emit(vm.OpNop)
+		return 0, nil
+	case BTI_C, BTI_J, BTI_JC, BTI:
+		t.emit(vm.OpNop)
+		return 0, nil
 	default:
 		return 0, fmt.Errorf("不支持的指令类型")
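Review bot: The OpName strings `BTI_C: "BTI c"`, `BTI_J: "BTI j"`, `BTI_JC: "BTI jc"` spell the suffix in lowercase while the pattern Names added in decode_branch.go are "BTI C", "BTI J", "BTI JC", so the two name sources for the same Op disagree. The assembler mnemonics are lowercase (`bti c`), so the pattern table is the side to align; the seven PAC entries packed onto one map line would also read better one per line like the neighbouring entries. OpName's map literal starts above the hunk.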
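Review bot: Translating AUTIASP, AUTIBSP and the BTI variants to vm.OpNop drops the return-address authentication and the landing-pad check that the original instruction performed, and neither the emitted code nor the `// ========== PAC/BTI NOP化 ==========` marker records that; replace the marker with a comment that states the consequence, e.g. `// PAC/BTI: emitted as NOP — signing, authentication and BTI landing-pad checks are not enforced for VM-translated code.` XPACLRI is the one instruction in the list that is not a check: it strips the PAC from x30, so if a signed LR can ever reach translated code from a non-translated caller a NOP here leaves the PAC bits in the return address — whether that can happen depends on how the VM is entered, which is outside this hunk. The two case arms emit the same thing and can be merged into one `case PACIASP, AUTIASP, PACIAZ, AUTIAZ, PACIBSP, AUTIBSP, XPACLRI, BTI_C, BTI_J, BTI_JC, BTI:`. translateOne starts and ends outside the hunk.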
diff --git a/stub/linux/arm64/vm_handlers/h_system.h b/stub/linux/arm64/vm_handlers/h_system.h
index d4ea481..a6a26b4 100644
--- a/stub/linux/arm64/vm_handlers/h_system.h
+++ b/stub/linux/arm64/vm_handlers/h_system.h
@@ -118,6 +118,9 @@ static inline u32 h_svc(vm_ctx_t *vm) {
  * 支持的系统寄存器:
  * 0x5F02 = cntvct_el0 (timer count)
  * 0x5F00 = cntfrq_el0 (timer frequency)
+ * 0x5E82 = TPIDR_EL0 (Software Thread ID)
+ * 0x5E83 = TPIDRRO_EL0 (Read-only Software Thread ID)
+ * 0x5A10 = NZCV (标志位寄存器)
  */
 static inline u32 h_mrs(vm_ctx_t *vm) {
 	u8 d = vm->bc[vm->pc + 1];
@@ -130,6 +133,18 @@ static inline u32 h_mrs(vm_ctx_t *vm) {
 	case 0x5F00: /* cntfrq_el0 */
 		__asm__ volatile("mrs %0, cntfrq_el0" : "=r"(val));
 		break;
+	case 0x5E82: /* TPIDR_EL0 - Software Thread ID */
+		__asm__ volatile("mrs %0, tpidr_el0" : "=r"(val));
+		break;
+	case 0x5E83: /* TPIDRRO_EL0 - Read-only Software Thread ID */
+		__asm__ volatile("mrs %0, tpidrro_el0" : "=r"(val));
+		break;
+	case 0x5A10: /* NZCV - flags */
+		val = ((vm->FL & FL_ZERO) ? 0x4 : 0) /* Z bit (bit 2) */
+			| ((vm->FL & FL_SIGN) ? 0x8 : 0) /* N bit (bit 3) */
+			| (!(vm->FL & FL_CARRY) ? 0x2 : 0); /* C bit (bit 1), 注意: 我们的 FL_CARRY = 无符号小于, ARM C 是反向的 */
+		val = val << 28; /* NZCV 在高 4 位 */
+		break;
 	default: /* 不支持的系统寄存器,返回 0 */
 		break;
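Review bot: The synthesized NZCV in `case 0x5A10` never sets bit 0 (V), so a guest that does `mrs xN, nzcv` to save its flags and later writes them back gets the overflow flag cleared; if the VM keeps an overflow flag alongside FL_ZERO/FL_SIGN/FL_CARRY (none is visible in this hunk), OR it in as bit 0 before the shift, e.g. `| ((vm->FL & FL_OVERFLOW /* placeholder name */) ? 0x1 : 0)`, and if it does not, say so in the `/* NZCV - flags */` comment rather than returning a silently-cleared V. The inverted carry mapping follows the inline comment, but it only round-trips if the msr side (the MSR_WRITE handler, outside this hunk) inverts C the same way when writing NZCV back into vm->FL. The enclosing switch and the declaration of `val` are above the hunk.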