LeoChen-CoreMind · LeoChen-CoreMind · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/pkg/arch/arm64/decode_branch.go b/pkg/arch/arm64/decode_branch.go
@@ -157,4 +157,121 @@ var branchPatterns = []InstrPattern{
 	// ---- Exception generation: HLT/BRK ----
 	{Name: "HLT", Mask: 0xFFE0001F, Value: 0xD4400000, Op: HLT},
 	{Name: "BRK", Mask: 0xFFE0001F, Value: 0xD4200000, Op: BRK},
+
+	// ---- PACIASP - 对 LR 使用 SP 作为修饰符进行签名 ----
+	// 编码: 1101_0101_0000_0011_0010_0011_1111_1111
+	// 实际上这是 HINT #32 的特殊形式
+	{
+		Name:   "PACIASP",
+		Mask:   0xFFFFFFFF,
+		Value:  0xD503237F, // HINT #32, 在支持 PAC 的 CPU 上是 PACIASP
+		Op:     PACIASP,
+		Fields: []FieldDef{}, // 无字段
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			// PACIASP 不涉及立即数或寄存器操作数
+			inst.Imm = 0
+		},
+	},
+
+	// ---- AUTIASP - 验证并还原 LR ----
+	// 编码: 1101_0101_0000_0011_0010_0011_1011_1111
+	{
+		Name:   "AUTIASP",
+		Mask:   0xFFFFFFFF,
+		Value:  0xD50323BF, // HINT #46, 在支持 PAC 的 CPU 上是 AUTIASP
+		Op:     AUTIASP,
+		Fields: []FieldDef{},
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			inst.Imm = 0
+		},
+	},
+
+	// ---- PACIAZ - 使用零作为修饰符对 LR 签名 ----
+	{
+		Name:  "PACIAZ",
+		Mask:  0xFFFFFFFF,
+		Value: 0xD503233F, // HINT #38
+		Op:    PACIAZ,
+	},
+
+	// ---- AUTIAZ - 使用零作为修饰符验证 LR ----
+	{
+		Name:  "AUTIAZ",
+		Mask:  0xFFFFFFFF,
+		Value: 0xD50323FF, // HINT #63
+		Op:    AUTIAZ,
+	},
+
+	// ---- PACIBSP - 使用 SP 作为修饰符对 LR 签名 (使用 B 密钥) ----
+	{
+		Name:  "PACIBSP",
+		Mask:  0xFFFFFFFF,
+		Value: 0xD50327FF, // HINT #31 的某种形式
+		Op:    PACIBSP,
+	},
+
+	// ---- AUTIBSP - 使用 SP 作为修饰符验证 LR (使用 B 密钥) ----
+	{
+		Name:  "AUTIBSP",
+		Mask:  0xFFFFFFFF,
+		Value: 0xD50327BF, // HINT #47
+		Op:    AUTIBSP,
+	},
+
+	// ---- XPACLRI - 清除 PAC 签名 ----
+	{
+		Name:  "XPACLRI",
+		Mask:  0xFFFFFFFF,
+		Value: 0xD50320FF, // HINT #7
+		Op:    XPACLRI,
+	},
+
+	// BTI (Branch Target Identification) 指令
+	// ---- BTI C - 接受 CALL 类型跳转 ----
+	{
+		Name:   "BTI C",
+		Mask:   0xFFFFFFFF,
+		Value:  0xD503245F, // HINT #36
+		Op:     BTI_C,
+		Fields: []FieldDef{},
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			inst.Imm = 36 // hint number
+		},
+	},
+
+	// ---- BTI J - 接受 JUMP 类型跳转 ----
+	{
+		Name:   "BTI J",
+		Mask:   0xFFFFFFFF,
+		Value:  0xD503255F, // HINT #44
+		Op:     BTI_J,
+		Fields: []FieldDef{},
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			inst.Imm = 44
+		},
+	},
+
+	// ---- BTI JC - 接受两者 ----
+	{
+		Name:   "BTI JC",
+		Mask:   0xFFFFFFFF,
+		Value:  0xD503265F, // HINT #50
+		Op:     BTI_JC,
+		Fields: []FieldDef{},
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			inst.Imm = 50
+		},
+	},
+
+	// ---- BTI (默认 = BTI JC) ----
+	{
+		Name:   "BTI",
+		Mask:   0xFFFFFFFF,
+		Value:  0xD503275F, // HINT #62
+		Op:     BTI,
+		Fields: []FieldDef{},
+		Post: func(f map[string]int64, inst *vm.Instruction) {
+			inst.Imm = 62
+		},
+	},
 }
diff --git a/pkg/arch/arm64/decoder.go b/pkg/arch/arm64/decoder.go
@@ -151,6 +151,17 @@ const (
 	LDPSW
 	LDADD
 	CAS
+	PACIASP
+	AUTIASP
+	PACIAZ
+	AUTIAZ
+	PACIBSP
+	AUTIBSP
+	XPACLRI
+	BTI_C
+	BTI_J
+	BTI_JC
+	BTI
 	UNSUPPORTED
 )
 
@@ -318,6 +329,8 @@ func OpName(op Op) string {
 		MSR_WRITE: "MSR", PRFM: "PRFM",
 		LDAR: "LDAR", STLR: "STLR", LDAXR: "LDAXR", STLXR: "STLXR",
 		LDPSW: "LDPSW", LDADD: "LDADD", CAS: "CAS",
+		PACIASP: "PACIASP", AUTIASP: "AUTIASP", PACIAZ: "PACIAZ", AUTIAZ: "AUTIAZ", PACIBSP: "PACIBSP", AUTIBSP: "AUTIBSP", XPACLRI: "XPACLRI",
+		BTI_C: "BTI c", BTI_J: "BTI j", BTI_JC: "BTI jc", BTI: "BTI",
 	}
 	if n, ok := names[op]; ok {
 		return n

diff --git a/pkg/arch/arm64/translator.go b/pkg/arch/arm64/translator.go
@@ -602,6 +602,13 @@ func (t *Translator) translateOne(instructions []vm.Instruction, idx int) (int,
 		return 0, t.trStackLdadd(inst)
 	case CAS:
 		return 0, t.trStackCas(inst)
+	// ========== PAC/BTI NOP化 ==========
+	case PACIASP, AUTIASP, PACIAZ, AUTIAZ, PACIBSP, AUTIBSP, XPACLRI:
+		t.emit(vm.OpNop)
+		return 0, nil
+	case BTI_C, BTI_J, BTI_JC, BTI:
+		t.emit(vm.OpNop)
+		return 0, nil
 
 	default:
 		return 0, fmt.Errorf("不支持的指令类型")

diff --git a/stub/linux/arm64/vm_handlers/h_system.h b/stub/linux/arm64/vm_handlers/h_system.h
@@ -118,6 +118,9 @@ static inline u32 h_svc(vm_ctx_t *vm) {
  * 支持的系统寄存器:
  *   0x5F02 = cntvct_el0 (timer count)
  *   0x5F00 = cntfrq_el0 (timer frequency)
+ *   0x5E82 = TPIDR_EL0   (Software Thread ID)
+ *   0x5E83 = TPIDRRO_EL0 (Read-only Software Thread ID)
+ *   0x5A10 = NZCV        (标志位寄存器)
  */
 static inline u32 h_mrs(vm_ctx_t *vm) {
   u8 d = vm->bc[vm->pc + 1];
@@ -130,6 +133,18 @@ static inline u32 h_mrs(vm_ctx_t *vm) {
   case 0x5F00: /* cntfrq_el0 */
     __asm__ volatile("mrs %0, cntfrq_el0" : "=r"(val));
     break;
+  case 0x5E82: /* TPIDR_EL0 - Software Thread ID */
+    __asm__ volatile("mrs %0, tpidr_el0" : "=r"(val));
+    break;  
+  case 0x5E83: /* TPIDRRO_EL0 - Read-only Software Thread ID */
+    __asm__ volatile("mrs %0, tpidrro_el0" : "=r"(val));
+    break;
+  case 0x5A10: /* NZCV - flags */
+      val = ((vm->FL & FL_ZERO) ? 0x4 : 0)   /* Z bit (bit 2) */
+          | ((vm->FL & FL_SIGN) ? 0x8 : 0)   /* N bit (bit 3) */
+          | (!(vm->FL & FL_CARRY) ? 0x2 : 0); /* C bit (bit 1), 注意: 我们的 FL_CARRY = 无符号小于, ARM C 是反向的 */
+      val = val << 28; /* NZCV 在高 4 位 */
+    break;
   default:
     /* 不支持的系统寄存器，返回 0 */
     break;