[WIP] Introduce aarch64-unknown-linux-pauthtest target#154759
Closed
jchlanda wants to merge 10 commits into
Closed
[WIP] Introduce aarch64-unknown-linux-pauthtest target#154759jchlanda wants to merge 10 commits into
jchlanda wants to merge 10 commits into
Conversation
rustbot
added
A-compiletest
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pauthtest
branch
from
88b623e to
3b3fcce
Compare
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pauthtest
branch
from
3b3fcce to
e33dbf3
Compare
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pauthtest
branch
from
e33dbf3 to
9e48aaa
Compare
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pauthtest
branch
from
9e48aaa to
4468c36
Compare
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pauthtest
branch
from
4468c36 to
c9fe7d6
Compare
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pauthtest
branch
from
c9fe7d6 to
7ecdaa6
Compare
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pauthtest
branch
from
7ecdaa6 to
65007e0
Compare
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pauthtest
branch
from
65007e0 to
566b1b6
Compare
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pauthtest
branch
3 times, most recently
from
0db30a1 to
5bc3e48
Compare
kovdan01
reviewed
Apr 15, 2026
| // authentication features is currently supported. By default, the absence of this | ||
| // info is treated as compatible with any binary. | ||
| // | ||
| // Please note, that this would cause compatibility issues when linking against |
There was a problem hiding this comment.
// (for example member function pointers, virtual function pointers, virtual table
// pointers).
Probably "for example, signing of C++ member ..."
asl
reviewed
Apr 15, 2026
|
|
||
| #[inline] | ||
| pub(crate) fn pauth_fn_attrs() -> &'static [&'static str] { | ||
| // FIXME(jchlanda) This is not an exhaustive list of all `pauthtest`-related attributes, but |
There was a problem hiding this comment.
Suggested change
| // FIXME(jchlanda) This is not an exhaustive list of all `pauthtest`-related attributes, but | |
| // FIXME(jchlanda) This is not an exhaustive list of all `ptrauth`-related attributes, but |
asl
reviewed
Apr 15, 2026
| let address_space = cx.tcx.global_alloc(prov.alloc_id()).address_space(cx); | ||
|
|
||
| llvals.push(cx.scalar_to_backend( | ||
| // For aarch64-unknown-linux-pauthtest function pointers stored in init/fini arrays need |
There was a problem hiding this comment.
I'd rather say something like "Under pointer authentication function pointers stored in init/fini arrays need special handling"
This comment has been minimized.
This comment has been minimized.
kovdan01
reviewed
Apr 17, 2026
There was a problem hiding this comment.
@asl I would appreciate if you could continue review so we can get the internal review phase done in this PR sooner than later and re-submit it as a new clean PR.
As for my comments, I consider them mostly fixed, but I'd like a second pair of eyes to have a look at the changes
| * UI error reporting (pauthtest does not support `+crt-static`) | ||
| * crt-static-pauthtest.rs | ||
|
|
||
| All tests from `assembly-llvm`, `codegen-llvm`, `codegen-units`, `coverage`, |
There was a problem hiding this comment.
Maybe worth adding in the textual explanation as well? Looks like it's now only present in the invocation command
jchlanda
force-pushed
the
jakub/pauthtest
branch
from
7b438ad to
0fb92bd
Compare
`const_ptr_auth` wraps aroudn `LLVMRustConstPtrAuth`, which provides a way to decorate a function pointer in `ConstPtrAuth`.
Allow PAC metadata to be passed to `get_fn_addr` and related API changes.
The set of supported attributes is: function * "aarch64-jump-table-hardening" * "ptrauth-auth-traps" * "ptrauth-calls" * "ptrauth-indirect-gotos" * "ptrauth-returns" module * "ptrauth-elf-got" * "ptrauth-sign-personality"
Also add flag for ELF-GOT signing.
Also: * update tests to force dynamic library when targetting pauthtest * various test fixes * introduce end-to-end tests for pauthtest (in run-make)
jchlanda
force-pushed
the
jakub/pauthtest
branch
from
a63791c to
e2a6ac3
Compare
asl
reviewed
Apr 20, 2026
| { | ||
| let attrs = attributes::sanitize_attrs(&cx, tcx, SanitizerFnAttrs::default()); | ||
| let mut attrs = attributes::sanitize_attrs(&cx, tcx, SanitizerFnAttrs::default()); | ||
| // For pauthtest make sure that the ptrauth-* attributes are also attached to the |
There was a problem hiding this comment.
This is not pauthtest-specific. This is generic pointer authentication code. I would rephrase the comment
| if self.sess().target.env != Env::Pauthtest { | ||
| return None; | ||
| } | ||
| // Pauthtest only supports extern "C" calls, filter out other ABIs. |
|
|
||
| #[derive(Diagnostic)] | ||
| #[diag( | ||
| "pauthtest ABI is incompatible with statically linked libc, disable it using `-C target-feature=-crt-static`" |
Comment on lines
+149
to
+150
| pub(crate) struct CannotEnableCrtStaticPauthtest; | ||
|
|
There was a problem hiding this comment.
I would not use Pauthtest in the name here
Author
There was a problem hiding this comment.
Changed to CannotEnableCrtStaticPointerAuth
| **Tier: 3** | ||
|
|
||
| The target enables Pointer Authentication Code (PAC) support in Rust on AArch64 | ||
| ELF based Linux systems using a pauthtest ABI (provided by LLVM) and |
There was a problem hiding this comment.
LLVM does not provide pauthtest ABI. This is C/C++ pointer authentication ABI. You may want to cross-ref to https://clang.llvm.org/docs/PointerAuthentication.html
|
|
||
| The target enables Pointer Authentication Code (PAC) support in Rust on AArch64 | ||
| ELF based Linux systems using a pauthtest ABI (provided by LLVM) and | ||
| pauthtest-enabled sysroot with custom musl, serving as a reference libc |
There was a problem hiding this comment.
ditto. And similar on other places in this document
|
|
||
| ## Cross-compilation toolchains and C code | ||
|
|
||
| This target supports interoperability with C code. Use the pauthtest-enabled |
There was a problem hiding this comment.
Do not use pautest-enabled and similar things here...
This comment has been minimized.
This comment has been minimized.
jchlanda
force-pushed
the
jakub/pauthtest
branch
from
2077515 to
e4537ba
Compare
tgross35
reviewed
Apr 24, 2026
Contributor
There was a problem hiding this comment.
Mentioned this elsewhere but the target should land as no-std first. The initial support should only be the bare minimum to get core building via --target, everything else can come as a followup.
(Fine to keep this PR around as a WIP of course)
tgross35
reviewed
Apr 24, 2026
Contributor
There was a problem hiding this comment.
Probably worth a directory for pauth
tgross35
reviewed
Apr 24, 2026
Contributor
There was a problem hiding this comment.
Could pauth-quicksort-*-driver be combined into one run-make test that builds/runs two different things in main? Since they can probably share some docs or reuse some code, and it saves the per-test overhead.
Author
|
Upstream PR submitted, closing this one. |
rustbot
removed
the
S-waiting-on-author
JonathanBrouwer
added a commit
to JonathanBrouwer/rust
that referenced
this pull request
Jun 29, 2026
Introduce aarch64-unknown-linux-pauthtest target This target enables Pointer Authentication Code (PAC) support in Rust on AArch64 ELF-based Linux systems. It uses the `aarch64-unknown-linux-pauthtest` LLVM target and a pointer-authentication-enabled sysroot with a custom musl as a reference libc implementation. Dynamic linking is required, with a dynamic linker acting as the ELF interpreter that can resolve pauth relocations and enforce pointer authentication constraints. ### Supported features include: * authentication of signed function pointers for extern "C" calls (corresponds to LLVM's `-fptrauth-calls`) * signing of return addresses before spilling to the stack and authentication after restoring for non-leaf functions (corresponds to `-fptrauth-returns`) * trapping on authentication failure when the FPAC feature is not present (corresponds to `-fptrauth-auth-traps`) * signing of init/fini array entries using the LLVM-defined pointer authentication scheme (corresponds to `-fptrauth-init-fini` and `-fptrauth-init-fini-address-discrimination`) * non-ABI-affecting indirect control-flow hardening features as implemented in LLVM (corresponds to `-faarch64-jump-table-hardening` and `-fptrauth-indirect-gotos`) * signed ELF GOT entries (gated behind `-Z ptrauth-elf-got`, off by default) Existing compiler support, such as enabling branch authentication instructions (i.e.: `-Z branch-protection`) provide limited functionality, mainly signing return addresses (`pac-ret`). The new target goes further by enabling ABI-level pointer authentication support. This target does not define a new ABI; it builds on the existing C/C++ language ABI with pointer authentication support added. However, different authentication features, encoded in the signing schema, are not ABI-compatible with one another. ### Useful links: * Earlier PR: rust-lang#154759 * Part of: rust-lang#148640 * Project goal: https://rust-lang.github.io/rust-project-goals/2026/aarch64_pointer_authentication_pauthtest.html * Clang pointer authentication documentation: https://clang.llvm.org/docs/PointerAuthentication.html * LLVM pointer authentication documentation: https://llvm.org/docs/PointerAuth.html * PAuth ABI Extension to ELF for the AArch64 architecture: https://github.com/ARM-software/abi-aa/blob/main/pauthabielf64/pauthabielf64.rst ### Tier 3 check list > - A tier 3 target must have a designated developer or developers (the "target > maintainers") on record to be CCed when issues arise regarding the target. > (The mechanism to track and CC such developers may evolve over time.) I pledge to do my best maintaining it. > - Targets must use naming consistent with any existing targets; for instance, a > target for the same CPU or OS as an existing Rust target should use the same > name for that CPU or OS. Targets should normally use the same names and > naming conventions as used elsewhere in the broader ecosystem beyond Rust > (such as in other toolchains), unless they have a very good reason to > diverge. Changing the name of a target can be highly disruptive, especially > once the target reaches a higher tier, so getting the name right is important > even for a tier 3 target. The name chosen for the target is `aarch64-unknown-linux-pauthtest` which mirrors the [LLVM target naming](https://github.com/llvm/llvm-project/blob/main/llvm/unittests/TargetParser/TripleTest.cpp#L1407). > - Target names should not introduce undue confusion or ambiguity unless > absolutely necessary to maintain ecosystem compatibility. For example, if > the name of the target makes people extremely likely to form incorrect > beliefs about what it targets, the name should be changed or augmented to > disambiguate it. There should be no confusion, the name follows naming convention and is descriptive. > - If possible, use only letters, numbers, dashes and underscores for the name. > Periods (`.`) are known to cause issues in Cargo. Letters, numbers and dashes only. > - Tier 3 targets may have unusual requirements to build or use, but must not > create legal issues or impose onerous legal terms for the Rust project or for > Rust developers or users. The target requires system `clang` and `lld` available as well as custom libc ([musl](https://github.com/access-softek/musl) based) and sysroot, provided [through the build scripts](https://github.com/access-softek/pauth-toolchain-build-scripts/tree/master). > - The target must not introduce license incompatibilities. There are no license implications. > - Anything added to the Rust repository must be under the standard Rust > license (`MIT OR Apache-2.0`). Understood. > - The target must not cause the Rust tools or libraries built for any other > host (even when supporting cross-compilation to the target) to depend > on any new dependency less permissive than the Rust licensing policy. This > applies whether the dependency is a Rust crate that would require adding > new license exceptions (as specified by the `tidy` tool in the > rust-lang/rust repository), or whether the dependency is a native library > or binary. In other words, the introduction of the target must not cause a > user installing or running a version of Rust or the Rust tools to be > subject to any new license requirements. There are no new dependencies or requirements. > - Compiling, linking, and emitting functional binaries, libraries, or other > code for the target (whether hosted on the target itself or cross-compiling > from another target) must not depend on proprietary (non-FOSS) libraries. > Host tools built for the target itself may depend on the ordinary runtime > libraries supplied by the platform and commonly used by other applications > built for the target, but those libraries must not be required for code > generation for the target; cross-compilation to the target must not require > such libraries at all. For instance, `rustc` built for the target may > depend on a common proprietary C runtime library or console output library, > but must not depend on a proprietary code generation library or code > optimization library. Rust's license permits such combinations, but the > Rust project has no interest in maintaining such combinations within the > scope of Rust itself, even at tier 3. The target only relies on open source tools. > - "onerous" here is an intentionally subjective term. At a minimum, "onerous" > legal/licensing terms include but are *not* limited to: non-disclosure > requirements, non-compete requirements, contributor license agreements > (CLAs) or equivalent, "non-commercial"/"research-only"/etc terms, > requirements conditional on the employer or employment of any particular > Rust developers, revocable terms, any requirements that create liability > for the Rust project or its developers or users, or any requirements that > adversely affect the livelihood or prospects of the Rust project or its > developers or users. No such terms present. > - Neither this policy nor any decisions made regarding targets shall create any > binding agreement or estoppel by any party. If any member of an approving > Rust team serves as one of the maintainers of a target, or has any legal or > employment requirement (explicit or implicit) that might affect their > decisions regarding a target, they must recuse themselves from any approval > decisions regarding the target's tier status, though they may otherwise > participate in discussions. Understood. > - This requirement does not prevent part or all of this policy from being > cited in an explicit contract or work agreement (e.g. to implement or > maintain support for a target). This requirement exists to ensure that a > developer or team responsible for reviewing and approving a target does not > face any legal threats or obligations that would prevent them from freely > exercising their judgment in such approval, even if such judgment involves > subjective matters or goes beyond the letter of these requirements. Understood. > - Tier 3 targets should attempt to implement as much of the standard libraries > as possible and appropriate (`core` for most targets, `alloc` for targets > that can support dynamic memory allocation, `std` for targets with an > operating system or equivalent layer of system-provided functionality), but > may leave some code unimplemented (either unavailable or stubbed out as > appropriate), whether because the target makes it impossible to implement or > challenging to implement. The authors of pull requests are not obligated to > avoid calling any portions of the standard library on the basis of a tier 3 > target not implementing those portions. `aarch64-unknown-linux-pauthtest target` has std library support, moreover all `library` tests pass for the target. > - The target must provide documentation for the Rust community explaining how > to build for the target, using cross-compilation if possible. If the target > supports running binaries, or running tests (even if they do not pass), the > documentation must explain how to run such binaries or tests for the target, > using emulation if possible or dedicated hardware if necessary. Platform support document covers building instructions. > - Tier 3 targets must not impose burden on the authors of pull requests, or > other developers in the community, to maintain the target. In particular, > do not post comments (automated or manual) on a PR that derail or suggest a > block on the PR based on a tier 3 target. Do not send automated messages or > notifications (via any medium, including via `@`) to a PR author or others > involved with a PR regarding a tier 3 target, unless they have opted into > such messages. Understood. > - Backlinks such as those generated by the issue/PR tracker when linking to > an issue or PR are not considered a violation of this policy, within > reason. However, such messages (even on a separate repository) must not > generate notifications to anyone involved with a PR who has not requested > such notifications. Understood. > - Patches adding or updating tier 3 targets must not break any existing tier 2 > or tier 1 target, and must not knowingly break another tier 3 target without > approval of either the compiler team or the maintainers of the other tier 3 > target. Understood. > - In particular, this may come up when working on closely related targets, > such as variations of the same architecture with different features. Avoid > introducing unconditional uses of features that another variation of the > target may not have; use conditional compilation or runtime detection, as > appropriate, to let each target run code supported by that target. Understood. > - Tier 3 targets must be able to produce assembly using at least one of > rustc's supported backends from any host target. (Having support in a fork > of the backend is not sufficient, it must be upstream.) It is expected that the target should be able to compile binaries on any systems that are capable of compiling `aarch64` code.
JonathanBrouwer
added a commit
to JonathanBrouwer/rust
that referenced
this pull request
Jun 29, 2026
Introduce aarch64-unknown-linux-pauthtest target This target enables Pointer Authentication Code (PAC) support in Rust on AArch64 ELF-based Linux systems. It uses the `aarch64-unknown-linux-pauthtest` LLVM target and a pointer-authentication-enabled sysroot with a custom musl as a reference libc implementation. Dynamic linking is required, with a dynamic linker acting as the ELF interpreter that can resolve pauth relocations and enforce pointer authentication constraints. ### Supported features include: * authentication of signed function pointers for extern "C" calls (corresponds to LLVM's `-fptrauth-calls`) * signing of return addresses before spilling to the stack and authentication after restoring for non-leaf functions (corresponds to `-fptrauth-returns`) * trapping on authentication failure when the FPAC feature is not present (corresponds to `-fptrauth-auth-traps`) * signing of init/fini array entries using the LLVM-defined pointer authentication scheme (corresponds to `-fptrauth-init-fini` and `-fptrauth-init-fini-address-discrimination`) * non-ABI-affecting indirect control-flow hardening features as implemented in LLVM (corresponds to `-faarch64-jump-table-hardening` and `-fptrauth-indirect-gotos`) * signed ELF GOT entries (gated behind `-Z ptrauth-elf-got`, off by default) Existing compiler support, such as enabling branch authentication instructions (i.e.: `-Z branch-protection`) provide limited functionality, mainly signing return addresses (`pac-ret`). The new target goes further by enabling ABI-level pointer authentication support. This target does not define a new ABI; it builds on the existing C/C++ language ABI with pointer authentication support added. However, different authentication features, encoded in the signing schema, are not ABI-compatible with one another. ### Useful links: * Earlier PR: rust-lang#154759 * Part of: rust-lang#148640 * Project goal: https://rust-lang.github.io/rust-project-goals/2026/aarch64_pointer_authentication_pauthtest.html * Clang pointer authentication documentation: https://clang.llvm.org/docs/PointerAuthentication.html * LLVM pointer authentication documentation: https://llvm.org/docs/PointerAuth.html * PAuth ABI Extension to ELF for the AArch64 architecture: https://github.com/ARM-software/abi-aa/blob/main/pauthabielf64/pauthabielf64.rst ### Tier 3 check list > - A tier 3 target must have a designated developer or developers (the "target > maintainers") on record to be CCed when issues arise regarding the target. > (The mechanism to track and CC such developers may evolve over time.) I pledge to do my best maintaining it. > - Targets must use naming consistent with any existing targets; for instance, a > target for the same CPU or OS as an existing Rust target should use the same > name for that CPU or OS. Targets should normally use the same names and > naming conventions as used elsewhere in the broader ecosystem beyond Rust > (such as in other toolchains), unless they have a very good reason to > diverge. Changing the name of a target can be highly disruptive, especially > once the target reaches a higher tier, so getting the name right is important > even for a tier 3 target. The name chosen for the target is `aarch64-unknown-linux-pauthtest` which mirrors the [LLVM target naming](https://github.com/llvm/llvm-project/blob/main/llvm/unittests/TargetParser/TripleTest.cpp#L1407). > - Target names should not introduce undue confusion or ambiguity unless > absolutely necessary to maintain ecosystem compatibility. For example, if > the name of the target makes people extremely likely to form incorrect > beliefs about what it targets, the name should be changed or augmented to > disambiguate it. There should be no confusion, the name follows naming convention and is descriptive. > - If possible, use only letters, numbers, dashes and underscores for the name. > Periods (`.`) are known to cause issues in Cargo. Letters, numbers and dashes only. > - Tier 3 targets may have unusual requirements to build or use, but must not > create legal issues or impose onerous legal terms for the Rust project or for > Rust developers or users. The target requires system `clang` and `lld` available as well as custom libc ([musl](https://github.com/access-softek/musl) based) and sysroot, provided [through the build scripts](https://github.com/access-softek/pauth-toolchain-build-scripts/tree/master). > - The target must not introduce license incompatibilities. There are no license implications. > - Anything added to the Rust repository must be under the standard Rust > license (`MIT OR Apache-2.0`). Understood. > - The target must not cause the Rust tools or libraries built for any other > host (even when supporting cross-compilation to the target) to depend > on any new dependency less permissive than the Rust licensing policy. This > applies whether the dependency is a Rust crate that would require adding > new license exceptions (as specified by the `tidy` tool in the > rust-lang/rust repository), or whether the dependency is a native library > or binary. In other words, the introduction of the target must not cause a > user installing or running a version of Rust or the Rust tools to be > subject to any new license requirements. There are no new dependencies or requirements. > - Compiling, linking, and emitting functional binaries, libraries, or other > code for the target (whether hosted on the target itself or cross-compiling > from another target) must not depend on proprietary (non-FOSS) libraries. > Host tools built for the target itself may depend on the ordinary runtime > libraries supplied by the platform and commonly used by other applications > built for the target, but those libraries must not be required for code > generation for the target; cross-compilation to the target must not require > such libraries at all. For instance, `rustc` built for the target may > depend on a common proprietary C runtime library or console output library, > but must not depend on a proprietary code generation library or code > optimization library. Rust's license permits such combinations, but the > Rust project has no interest in maintaining such combinations within the > scope of Rust itself, even at tier 3. The target only relies on open source tools. > - "onerous" here is an intentionally subjective term. At a minimum, "onerous" > legal/licensing terms include but are *not* limited to: non-disclosure > requirements, non-compete requirements, contributor license agreements > (CLAs) or equivalent, "non-commercial"/"research-only"/etc terms, > requirements conditional on the employer or employment of any particular > Rust developers, revocable terms, any requirements that create liability > for the Rust project or its developers or users, or any requirements that > adversely affect the livelihood or prospects of the Rust project or its > developers or users. No such terms present. > - Neither this policy nor any decisions made regarding targets shall create any > binding agreement or estoppel by any party. If any member of an approving > Rust team serves as one of the maintainers of a target, or has any legal or > employment requirement (explicit or implicit) that might affect their > decisions regarding a target, they must recuse themselves from any approval > decisions regarding the target's tier status, though they may otherwise > participate in discussions. Understood. > - This requirement does not prevent part or all of this policy from being > cited in an explicit contract or work agreement (e.g. to implement or > maintain support for a target). This requirement exists to ensure that a > developer or team responsible for reviewing and approving a target does not > face any legal threats or obligations that would prevent them from freely > exercising their judgment in such approval, even if such judgment involves > subjective matters or goes beyond the letter of these requirements. Understood. > - Tier 3 targets should attempt to implement as much of the standard libraries > as possible and appropriate (`core` for most targets, `alloc` for targets > that can support dynamic memory allocation, `std` for targets with an > operating system or equivalent layer of system-provided functionality), but > may leave some code unimplemented (either unavailable or stubbed out as > appropriate), whether because the target makes it impossible to implement or > challenging to implement. The authors of pull requests are not obligated to > avoid calling any portions of the standard library on the basis of a tier 3 > target not implementing those portions. `aarch64-unknown-linux-pauthtest target` has std library support, moreover all `library` tests pass for the target. > - The target must provide documentation for the Rust community explaining how > to build for the target, using cross-compilation if possible. If the target > supports running binaries, or running tests (even if they do not pass), the > documentation must explain how to run such binaries or tests for the target, > using emulation if possible or dedicated hardware if necessary. Platform support document covers building instructions. > - Tier 3 targets must not impose burden on the authors of pull requests, or > other developers in the community, to maintain the target. In particular, > do not post comments (automated or manual) on a PR that derail or suggest a > block on the PR based on a tier 3 target. Do not send automated messages or > notifications (via any medium, including via `@`) to a PR author or others > involved with a PR regarding a tier 3 target, unless they have opted into > such messages. Understood. > - Backlinks such as those generated by the issue/PR tracker when linking to > an issue or PR are not considered a violation of this policy, within > reason. However, such messages (even on a separate repository) must not > generate notifications to anyone involved with a PR who has not requested > such notifications. Understood. > - Patches adding or updating tier 3 targets must not break any existing tier 2 > or tier 1 target, and must not knowingly break another tier 3 target without > approval of either the compiler team or the maintainers of the other tier 3 > target. Understood. > - In particular, this may come up when working on closely related targets, > such as variations of the same architecture with different features. Avoid > introducing unconditional uses of features that another variation of the > target may not have; use conditional compilation or runtime detection, as > appropriate, to let each target run code supported by that target. Understood. > - Tier 3 targets must be able to produce assembly using at least one of > rustc's supported backends from any host target. (Having support in a fork > of the backend is not sufficient, it must be upstream.) It is expected that the target should be able to compile binaries on any systems that are capable of compiling `aarch64` code.
JonathanBrouwer
added a commit
to JonathanBrouwer/rust
that referenced
this pull request
Jun 29, 2026
Introduce aarch64-unknown-linux-pauthtest target This target enables Pointer Authentication Code (PAC) support in Rust on AArch64 ELF-based Linux systems. It uses the `aarch64-unknown-linux-pauthtest` LLVM target and a pointer-authentication-enabled sysroot with a custom musl as a reference libc implementation. Dynamic linking is required, with a dynamic linker acting as the ELF interpreter that can resolve pauth relocations and enforce pointer authentication constraints. ### Supported features include: * authentication of signed function pointers for extern "C" calls (corresponds to LLVM's `-fptrauth-calls`) * signing of return addresses before spilling to the stack and authentication after restoring for non-leaf functions (corresponds to `-fptrauth-returns`) * trapping on authentication failure when the FPAC feature is not present (corresponds to `-fptrauth-auth-traps`) * signing of init/fini array entries using the LLVM-defined pointer authentication scheme (corresponds to `-fptrauth-init-fini` and `-fptrauth-init-fini-address-discrimination`) * non-ABI-affecting indirect control-flow hardening features as implemented in LLVM (corresponds to `-faarch64-jump-table-hardening` and `-fptrauth-indirect-gotos`) * signed ELF GOT entries (gated behind `-Z ptrauth-elf-got`, off by default) Existing compiler support, such as enabling branch authentication instructions (i.e.: `-Z branch-protection`) provide limited functionality, mainly signing return addresses (`pac-ret`). The new target goes further by enabling ABI-level pointer authentication support. This target does not define a new ABI; it builds on the existing C/C++ language ABI with pointer authentication support added. However, different authentication features, encoded in the signing schema, are not ABI-compatible with one another. ### Useful links: * Earlier PR: rust-lang#154759 * Part of: rust-lang#148640 * Project goal: https://rust-lang.github.io/rust-project-goals/2026/aarch64_pointer_authentication_pauthtest.html * Clang pointer authentication documentation: https://clang.llvm.org/docs/PointerAuthentication.html * LLVM pointer authentication documentation: https://llvm.org/docs/PointerAuth.html * PAuth ABI Extension to ELF for the AArch64 architecture: https://github.com/ARM-software/abi-aa/blob/main/pauthabielf64/pauthabielf64.rst ### Tier 3 check list > - A tier 3 target must have a designated developer or developers (the "target > maintainers") on record to be CCed when issues arise regarding the target. > (The mechanism to track and CC such developers may evolve over time.) I pledge to do my best maintaining it. > - Targets must use naming consistent with any existing targets; for instance, a > target for the same CPU or OS as an existing Rust target should use the same > name for that CPU or OS. Targets should normally use the same names and > naming conventions as used elsewhere in the broader ecosystem beyond Rust > (such as in other toolchains), unless they have a very good reason to > diverge. Changing the name of a target can be highly disruptive, especially > once the target reaches a higher tier, so getting the name right is important > even for a tier 3 target. The name chosen for the target is `aarch64-unknown-linux-pauthtest` which mirrors the [LLVM target naming](https://github.com/llvm/llvm-project/blob/main/llvm/unittests/TargetParser/TripleTest.cpp#L1407). > - Target names should not introduce undue confusion or ambiguity unless > absolutely necessary to maintain ecosystem compatibility. For example, if > the name of the target makes people extremely likely to form incorrect > beliefs about what it targets, the name should be changed or augmented to > disambiguate it. There should be no confusion, the name follows naming convention and is descriptive. > - If possible, use only letters, numbers, dashes and underscores for the name. > Periods (`.`) are known to cause issues in Cargo. Letters, numbers and dashes only. > - Tier 3 targets may have unusual requirements to build or use, but must not > create legal issues or impose onerous legal terms for the Rust project or for > Rust developers or users. The target requires system `clang` and `lld` available as well as custom libc ([musl](https://github.com/access-softek/musl) based) and sysroot, provided [through the build scripts](https://github.com/access-softek/pauth-toolchain-build-scripts/tree/master). > - The target must not introduce license incompatibilities. There are no license implications. > - Anything added to the Rust repository must be under the standard Rust > license (`MIT OR Apache-2.0`). Understood. > - The target must not cause the Rust tools or libraries built for any other > host (even when supporting cross-compilation to the target) to depend > on any new dependency less permissive than the Rust licensing policy. This > applies whether the dependency is a Rust crate that would require adding > new license exceptions (as specified by the `tidy` tool in the > rust-lang/rust repository), or whether the dependency is a native library > or binary. In other words, the introduction of the target must not cause a > user installing or running a version of Rust or the Rust tools to be > subject to any new license requirements. There are no new dependencies or requirements. > - Compiling, linking, and emitting functional binaries, libraries, or other > code for the target (whether hosted on the target itself or cross-compiling > from another target) must not depend on proprietary (non-FOSS) libraries. > Host tools built for the target itself may depend on the ordinary runtime > libraries supplied by the platform and commonly used by other applications > built for the target, but those libraries must not be required for code > generation for the target; cross-compilation to the target must not require > such libraries at all. For instance, `rustc` built for the target may > depend on a common proprietary C runtime library or console output library, > but must not depend on a proprietary code generation library or code > optimization library. Rust's license permits such combinations, but the > Rust project has no interest in maintaining such combinations within the > scope of Rust itself, even at tier 3. The target only relies on open source tools. > - "onerous" here is an intentionally subjective term. At a minimum, "onerous" > legal/licensing terms include but are *not* limited to: non-disclosure > requirements, non-compete requirements, contributor license agreements > (CLAs) or equivalent, "non-commercial"/"research-only"/etc terms, > requirements conditional on the employer or employment of any particular > Rust developers, revocable terms, any requirements that create liability > for the Rust project or its developers or users, or any requirements that > adversely affect the livelihood or prospects of the Rust project or its > developers or users. No such terms present. > - Neither this policy nor any decisions made regarding targets shall create any > binding agreement or estoppel by any party. If any member of an approving > Rust team serves as one of the maintainers of a target, or has any legal or > employment requirement (explicit or implicit) that might affect their > decisions regarding a target, they must recuse themselves from any approval > decisions regarding the target's tier status, though they may otherwise > participate in discussions. Understood. > - This requirement does not prevent part or all of this policy from being > cited in an explicit contract or work agreement (e.g. to implement or > maintain support for a target). This requirement exists to ensure that a > developer or team responsible for reviewing and approving a target does not > face any legal threats or obligations that would prevent them from freely > exercising their judgment in such approval, even if such judgment involves > subjective matters or goes beyond the letter of these requirements. Understood. > - Tier 3 targets should attempt to implement as much of the standard libraries > as possible and appropriate (`core` for most targets, `alloc` for targets > that can support dynamic memory allocation, `std` for targets with an > operating system or equivalent layer of system-provided functionality), but > may leave some code unimplemented (either unavailable or stubbed out as > appropriate), whether because the target makes it impossible to implement or > challenging to implement. The authors of pull requests are not obligated to > avoid calling any portions of the standard library on the basis of a tier 3 > target not implementing those portions. `aarch64-unknown-linux-pauthtest target` has std library support, moreover all `library` tests pass for the target. > - The target must provide documentation for the Rust community explaining how > to build for the target, using cross-compilation if possible. If the target > supports running binaries, or running tests (even if they do not pass), the > documentation must explain how to run such binaries or tests for the target, > using emulation if possible or dedicated hardware if necessary. Platform support document covers building instructions. > - Tier 3 targets must not impose burden on the authors of pull requests, or > other developers in the community, to maintain the target. In particular, > do not post comments (automated or manual) on a PR that derail or suggest a > block on the PR based on a tier 3 target. Do not send automated messages or > notifications (via any medium, including via `@`) to a PR author or others > involved with a PR regarding a tier 3 target, unless they have opted into > such messages. Understood. > - Backlinks such as those generated by the issue/PR tracker when linking to > an issue or PR are not considered a violation of this policy, within > reason. However, such messages (even on a separate repository) must not > generate notifications to anyone involved with a PR who has not requested > such notifications. Understood. > - Patches adding or updating tier 3 targets must not break any existing tier 2 > or tier 1 target, and must not knowingly break another tier 3 target without > approval of either the compiler team or the maintainers of the other tier 3 > target. Understood. > - In particular, this may come up when working on closely related targets, > such as variations of the same architecture with different features. Avoid > introducing unconditional uses of features that another variation of the > target may not have; use conditional compilation or runtime detection, as > appropriate, to let each target run code supported by that target. Understood. > - Tier 3 targets must be able to produce assembly using at least one of > rustc's supported backends from any host target. (Having support in a fork > of the backend is not sufficient, it must be upstream.) It is expected that the target should be able to compile binaries on any systems that are capable of compiling `aarch64` code.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
View all comments
The target enables Pointer Authentication Code (PAC) support in Rust on AArch64
ELF based Linux systems using a pauthtest ABI (provided by LLVM) and
pauthtest-enabled sysroot with custom musl, serving as a reference libc
implementation. It requires dynamic linking with a pauthtest-enabled dynamic
linker serving as ELF interpreter capable of resolving pauth relocations and
respecting pauthtest ABI constraints.
Supported features include:
(corresponds to
-fptrauth-callsincluded in pauthtest ABI as defined inLLVM)
address after restoring from stack for non-leaf functions (corresponds to
-fptrauth-returns)(corresponds to
-fptrauth-auth-traps)ABI (corresponding to
-fptrauth-init-fini,-fptrauth-init-fini-address-discrimination)pauthtest ABI (corresponding to
-faarch64-jump-table-hardening,-fptrauth-indirect-gotos)-Z ptrauth-elf-got, off by default)Existing compiler support, such as enabling branch authentication instructions
(i.e.:
-Z branch-protection) provide limited functionality, mainly signingreturn addresses (
pac-ret). The new target goes further by enabling ABI-levelpointer authentication support.
Please note that efforts were made to split the work into individual commits
that encapsulate different areas of the code; however, the commits are not
atomic and cannot be built or tested in isolation.
Useful links: