xref: /optee_os/core/arch/arm/kernel/entry_a64.S (revision 12fc37711783247b0d05fdc271ef007f4930767b)
1/* SPDX-License-Identifier: BSD-2-Clause */
2/*
3 * Copyright (c) 2015-2022, Linaro Limited
4 * Copyright (c) 2021-2023, Arm Limited
5 */
6
7#include <platform_config.h>
8
9#include <arm64_macros.S>
10#include <arm.h>
11#include <asm.S>
12#include <generated/asm-defines.h>
13#include <keep.h>
14#include <kernel/thread_private.h>
15#include <mm/core_mmu.h>
16#include <sm/optee_smc.h>
17#include <sm/teesmc_opteed.h>
18#include <sm/teesmc_opteed_macros.h>
19
20	/*
21	 * Setup SP_EL0 and SP_EL1, SP will be set to SP_EL0.
22	 * SP_EL0 is assigned:
23	 *   stack_tmp + (cpu_id + 1) * stack_tmp_stride - STACK_TMP_GUARD
24	 * SP_EL1 is assigned thread_core_local[cpu_id]
25	 */
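26	.macro set_sp
		/*
		 * Selects the per-core temporary stack for SP_EL0 and points
		 * SP_EL1 at this core's thread_core_local entry. Uses x0-x2 as
		 * scratch and x30 through the bl instructions; the called
		 * functions may clobber more. Leaves SPSel at 0.
		 */
27		bl	__get_core_pos
28		cmp	x0, #CFG_TEE_CORE_NB_CORE
29		/* Unsupported CPU, park it before it breaks something */
		/*
		 * The core position is used as an index into the stack area
		 * below, so the bound check is unsigned: a signed bge would let
		 * a value with bit 63 set through.
		 */
30		b.hs	unhandled_cpu
31		add	x0, x0, #1
32		adr_l	x1, stack_tmp_stride
33		ldr	w1, [x1]
		/* x1 = (cpu_id + 1) * stack_tmp_stride */
34		mul	x1, x0, x1
35
36		/* x0 = stack_tmp - STACK_TMP_GUARD */
		/*
		 * stack_tmp_rel stores that address relative to itself.
		 * NOTE(review): ldr w0 zero-extends the 32-bit offset, so this
		 * assumes the target lies above stack_tmp_rel, presumably
		 * guaranteed by the link layout; confirm.
		 */
37		adr_l	x2, stack_tmp_rel
38		ldr	w0, [x2]
39		add	x0, x0, x2
40
41		msr	spsel, #0
42		add	sp, x1, x0
		/* SP_EL0 is valid from here on, so the call below has a stack */
43		bl	thread_get_core_local
44		msr	spsel, #1
45		mov	sp, x0
46		msr	spsel, #0
47	.endm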
48
48	.macro read_feat_mte reg
		/*
		 * Leaves the 4-bit field found at ID_AA64PFR1_EL1_MTE_SHIFT in
		 * ID_AA64PFR1_EL1 in the register given as "reg". Callers in
		 * this file treat a value above 1 as "memory tagging usable".
		 */
49		mrs	\reg, id_aa64pfr1_el1
50		ubfx	\reg, \reg, #ID_AA64PFR1_EL1_MTE_SHIFT, #4
51	.endm
53
53	.macro set_sctlr_el1
		/*
		 * Read-modify-write of SCTLR_EL1 with the boot-time policy bits.
		 * Clobbers x0 (and x1 with CFG_MEMTAG). The caller issues the
		 * isb. Bit meanings below assume the SCTLR_* macros name the
		 * architectural SCTLR_EL1 fields; they are defined outside this
		 * file.
		 */
54		mrs	x0, sctlr_el1
55		orr	x0, x0, #SCTLR_I
56		orr	x0, x0, #SCTLR_SA
57		orr	x0, x0, #SCTLR_SPAN
58#if defined(CFG_CORE_RWDATA_NOEXEC)
		/* Writable memory is never executable, only with this option */
59		orr	x0, x0, #SCTLR_WXN
60#endif
61#if defined(CFG_SCTLR_ALIGNMENT_CHECK)
62		orr	x0, x0, #SCTLR_A
63#else
		/* Explicitly cleared so the inherited value does not matter */
64		bic	x0, x0, #SCTLR_A
65#endif
66#ifdef CFG_MEMTAG
		/*
		 * Only when the MTE field is above 1: allow tag access but
		 * clear both TCF fields, so no tag check faults are configured
		 * here. init_memtag_per_cpu sets the SYNC fault mode later.
		 */
67		read_feat_mte x1
68		cmp	w1, #1
69		b.ls	111f
70		orr	x0, x0, #(SCTLR_ATA | SCTLR_ATA0)
71		bic	x0, x0, #SCTLR_TCF_MASK
72		bic	x0, x0, #SCTLR_TCF0_MASK
74111:
75#endif
		/*
		 * BT0/BT1 are set only when the matching PAUTH and BTI options
		 * are both enabled; with just one of them the bit stays as it
		 * was read.
		 */
76#if defined(CFG_TA_PAUTH) && defined(CFG_TA_BTI)
77		orr	x0, x0, #SCTLR_BT0
78#endif
79#if defined(CFG_CORE_PAUTH) && defined(CFG_CORE_BTI)
80		orr	x0, x0, #SCTLR_BT1
81#endif
82		msr	sctlr_el1, x0
83	.endm
84
85	.macro init_memtag_per_cpu
		/*
		 * Per-CPU memory tagging setup: programs tag generation and
		 * turns on synchronous tag check faults. Does nothing when the
		 * MTE field read by read_feat_mte is 0 or 1. Clobbers x0.
		 */
86		read_feat_mte x0
87		cmp	w0, #1
88		b.ls	11f
89
90#ifdef CFG_TEE_CORE_DEBUG
91		/*
92		 * This together with GCR_EL1.RRND = 0 will make the tags
93		 * acquired with the irg instruction deterministic.
		 *
		 * NOTE(review): deterministic tags are also predictable, so the
		 * tag value gives less protection in builds with
		 * CFG_TEE_CORE_DEBUG than in builds without it.
94		 */
95		mov_imm	x0, 0xcafe00
96		msr	rgsr_el1, x0
97		/* Avoid tag = 0x0 and 0xf */
98		mov	x0, #0
99#else
100		/*
101		 * Still avoid tag = 0x0 and 0xf as we use that tag for
102		 * everything which isn't explicitly tagged. Setting
103		 * GCR_EL1.RRND = 1 to allow an implementation specific
104		 * method of generating the tags.
105		 */
106		mov	x0, #GCR_EL1_RRND
107#endif
		/* Bits 0 and 15: the two tag values to avoid, see above */
108		orr	x0, x0, #1
109		orr	x0, x0, #(1 << 15)
110		msr	gcr_el1, x0
111
112		/*
113		 * Enable the tag checks on the current CPU.
114		 *
115		 * Depends on boot_init_memtag() having cleared tags for
116		 * TEE core memory. Well, not really, addresses with the
117		 * tag value 0b0000 will use unchecked access due to
118		 * TCR_TCMA0.
119		 */
120		mrs	x0, tcr_el1
121		orr	x0, x0, #TCR_TBI0
122		orr	x0, x0, #TCR_TCMA0
123		msr	tcr_el1, x0
124
		/* Synchronous tag check faults for both TCF and TCF0 */
125		mrs	x0, sctlr_el1
126		orr	x0, x0, #SCTLR_TCF_SYNC
127		orr	x0, x0, #SCTLR_TCF0_SYNC
128		msr	sctlr_el1, x0
129
130		isb
13111:
132	.endm
133
134	.macro init_pauth_per_cpu
		/*
		 * Loads the two key words stored at THREAD_CORE_LOCAL_KEYS in
		 * this core's thread_core_local (reached through SP_EL1),
		 * installs them as the APIA key and sets SCTLR_ENIA. Only the
		 * APIA key is programmed here. Clobbers x0 and x1 and leaves
		 * SPSel at 0.
		 *
		 * NOTE(review): the key is only as good as whatever filled in
		 * thread_core_local before this point. That code is not in this
		 * file; confirm it uses a proper random source.
		 */
135		msr	spsel, #1
136		ldp	x0, x1, [sp, #THREAD_CORE_LOCAL_KEYS]
137		msr	spsel, #0
138		write_apiakeyhi x0
139		write_apiakeylo x1
140		mrs	x0, sctlr_el1
141		orr	x0, x0, #SCTLR_ENIA
142		msr	sctlr_el1, x0
		/* The caller runs with pointer authentication enabled after this isb */
143		isb
144	.endm
145
146FUNC _start , :
	/*
	 * Boot entry for the CPU that runs boot_init_primary_early() and
	 * boot_init_primary_late(). It moves the embedded boot data out of
	 * the way, clears .bss, sets up stacks and the MMU, runs the C boot
	 * code and then either enters thread_ffa_msg_wait (CFG_CORE_FFA) or
	 * reports completion with an SMC. This function does not return to
	 * its caller.
	 */
147	/*
148	 * Register use:
149	 * x0	- CFG_CORE_FFA=y && CFG_CORE_SEL2_SPMC=n:
150	 *	  if non-NULL holds the TOS FW config [1] address
151	 *	- CFG_CORE_FFA=y && CFG_CORE_SEL2_SPMC=y:
152	 *	  address of FF-A Boot Information Blob
153	 *	- CFG_CORE_FFA=n:
154	 *	  if non-NULL holds the pageable part address
155	 * x2	- CFG_CORE_SEL2_SPMC=n:
156	 *	  if non-NULL holds the system DTB address
157	 *
158	 * x19 - saved x0
159	 * x20 - saved x2
160	 *
161	 * [1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware
162	 * configuration file. Used by Trusted OS (BL32), that is, OP-TEE
163	 * here.
164	 */
165	mov	x19, x0
166#if defined(CFG_DT_ADDR)
167	ldr     x20, =CFG_DT_ADDR
168#else
169	mov	x20, x2		/* Save DT address */
170#endif
171
	/*
	 * Install the early vector table before anything else. Every entry
	 * in reset_vect_table is a branch to itself, so an exception taken
	 * from here on parks the core.
	 */
172	adr	x0, reset_vect_table
173	msr	vbar_el1, x0
174	isb
175
176	set_sctlr_el1
177	isb
178
179#ifdef CFG_WITH_PAGER
180	/*
181	 * Move init code into correct location and move hashes to a
182	 * temporary safe location until the heap is initialized.
183	 *
184	 * The binary is built as:
185	 * [Pager code, rodata and data] : In correct location
186	 * [Init code and rodata] : Should be copied to __init_start
187	 * [struct boot_embdata + data] : Should be saved before
188	 * initializing pager, first uint32_t tells the length of the data
189	 */
190	adr	x0, __init_start	/* dst */
191	adr	x1, __data_end		/* src */
192	adr	x2, __init_end
193	sub	x2, x2, x0		/* init len */
	/*
	 * NOTE(review): w4 is read from the image itself and used as a copy
	 * length with no bound check in this function. Presumably the image
	 * is authenticated by the earlier boot stage; confirm.
	 */
194	ldr	w4, [x1, x2]		/* length of hashes etc */
195	add	x2, x2, x4		/* length of init and hashes etc */
196	/* Copy backwards (as memmove) in case we're overlapping */
197	add	x0, x0, x2		/* __init_start + len */
198	add	x1, x1, x2		/* __data_end + len */
	/* Remember the end of the copied data for the cache maintenance below */
199	adr	x3, cached_mem_end
200	str	x0, [x3]
201	adr	x2, __init_start
	/*
	 * 16 bytes per iteration, repeated while x0 is above the destination
	 * start. b.gt is a signed comparison of the two addresses.
	 */
202copy_init:
203	ldp	x3, x4, [x1, #-16]!
204	stp	x3, x4, [x0, #-16]!
205	cmp	x0, x2
206	b.gt	copy_init
207#else
208	/*
209	 * The binary is built as:
210	 * [Core, rodata and data] : In correct location
211	 * [struct boot_embdata + data] : Should be moved to __end, first
212	 * uint32_t tells the length of the struct + data
213	 */
214	adr_l	x0, __end		/* dst */
215	adr_l	x1, __data_end		/* src */
	/*
	 * NOTE(review): w2 is read from the image itself and used as a copy
	 * length with no bound check in this function. Presumably the image
	 * is authenticated by the earlier boot stage; confirm.
	 */
216	ldr	w2, [x1]		/* struct boot_embdata::total_len */
217	/* Copy backwards (as memmove) in case we're overlapping */
218	add	x0, x0, x2
219	add	x1, x1, x2
	/* Remember the end of the copied data for the cache maintenance below */
220	adr	x3, cached_mem_end
221	str	x0, [x3]
222	adr_l	x2, __end
223
	/*
	 * 16 bytes per iteration, repeated while x0 is above the destination
	 * start. b.gt is a signed comparison of the two addresses.
	 */
224copy_init:
225	ldp	x3, x4, [x1, #-16]!
226	stp	x3, x4, [x0, #-16]!
227	cmp	x0, x2
228	b.gt	copy_init
229#endif
230
231	/*
232	 * Clear .bss, this code obviously depends on the linker keeping
233	 * start/end of .bss at least 8 byte aligned.
	 *
	 * The loop tests after the store, so one doubleword is written even
	 * if __bss_start equals __bss_end.
234	 */
235	adr_l	x0, __bss_start
236	adr_l	x1, __bss_end
237clear_bss:
238	str	xzr, [x0], #8
239	cmp	x0, x1
240	b.lt	clear_bss
241
242#ifdef CFG_NS_VIRTUALIZATION
243	/*
244	 * Clear .nex_bss, this code obviously depends on the linker keeping
245	 * start/end of .nex_bss at least 8 byte aligned.
246	 */
247	adr_l	x0, __nex_bss_start
248	adr_l	x1, __nex_bss_end
249clear_nex_bss:
250	str	xzr, [x0], #8
251	cmp	x0, x1
252	b.lt	clear_nex_bss
253#endif
254
255
256#if defined(CFG_CORE_PHYS_RELOCATABLE)
257	/*
258	 * Save the base physical address, it will not change after this
259	 * point.
260	 */
261	adr_l	x2, core_mmu_tee_load_pa
262	adr	x1, _start		/* Load address */
263	str	x1, [x2]
264
265	mov_imm	x0, TEE_LOAD_ADDR	/* Compiled load address */
266	sub	x0, x1, x0		/* Relocation offset */
267
	/* Nothing to relocate when loaded at the compiled address */
268	cbz	x0, 1f
269	bl	relocate
2701:
271#endif
272
273	/* Setup SP_EL0 and SP_EL1, SP will be set to SP_EL0 */
274	set_sp
275
276	bl	thread_init_thread_core_local
277
278	/* Enable aborts now that we can receive exceptions */
279	msr	daifclr, #DAIFBIT_ABT
280
281	/*
282	 * Invalidate dcache for all memory used during initialization to
283	 * avoid nasty surprises when the cache is turned on. We must not
284	 * invalidate memory not used by OP-TEE since we may invalidate
285	 * entries used by for instance ARM Trusted Firmware.
286	 */
	/* x0 = start, x1 = length up to the end recorded in cached_mem_end */
287	adr_l	x0, __text_start
288	ldr	x1, cached_mem_end
289	sub	x1, x1, x0
290	bl	dcache_cleaninv_range
291
292	/* Enable Console */
293	bl	console_init
294
295#if defined(CFG_CORE_SEL2_SPMC) && defined(CFG_CORE_PHYS_RELOCATABLE)
296	mov	x0, x19		/* boot info */
297	bl	boot_save_boot_info
298#endif
299
300#ifdef CFG_MEMTAG
301	/*
302	 * If FEAT_MTE2 is available, initializes the memtag callbacks.
303	 * Tags for OP-TEE core memory are then cleared to make it safe to
304	 * enable MEMTAG below.
305	 */
306	bl	boot_init_memtag
307#endif
308
	/*
	 * x0 = seed passed to core_init_mmu_map(), 0 without CFG_CORE_ASLR.
	 * NOTE(review): the seed is looked up through the DT address handed
	 * over by the earlier boot stage (or CFG_DT_ADDR), so the
	 * randomization depends on what that stage provides. Confirm
	 * against get_aslr_seed().
	 */
309#ifdef CFG_CORE_ASLR
310	mov	x0, x20		/* DT address */
311	bl	get_aslr_seed
312#else
313	mov	x0, #0
314#endif
315
316	adr	x1, boot_mmu_config
317	bl	core_init_mmu_map
318
319#ifdef CFG_CORE_ASLR
320	/*
321	 * Process relocation information again updating for the virtual
322	 * map offset. We're doing this now before MMU is enabled as some
323	 * of the memory will become write protected.
324	 */
325	ldr	x0, boot_mmu_config + CORE_MMU_CONFIG_MAP_OFFSET
326	cbz	x0, 1f
327	/*
328	 * Update cached_mem_end address with load offset since it was
329	 * calculated before relocation.
330	 */
331	adr	x5, cached_mem_end
332	ldr	x6, [x5]
333	add	x6, x6, x0
334	str	x6, [x5]
335	adr	x1, _start		/* Load address */
336	bl	relocate
3371:
338#endif
339
	/* enable_mmu takes the core position in x0 */
340	bl	__get_core_pos
341	bl	enable_mmu
342#ifdef CFG_CORE_ASLR
343	/*
344	 * Reinitialize console, since register_serial_console() has
345	 * previously registered a PA and with ASLR the VA is different
346	 * from the PA.
347	 */
348	bl	console_init
349#endif
350
351#ifdef CFG_NS_VIRTUALIZATION
352	/*
353	 * Initialize partition tables for each partition to
354	 * default_partition which has been relocated now to a different VA
355	 */
356	bl	core_mmu_set_default_prtn_tbl
357#endif
358
359#ifdef CFG_CORE_SEL1_SPMC
360	mov	x0, xzr		/* pager not used */
361#else
362	mov	x0, x19		/* pageable part address */
363#endif
364	mov	x1, #-1
365	bl	boot_init_primary_early
366
367#ifdef CFG_MEMTAG
368	init_memtag_per_cpu
369#endif
370
371#ifndef CFG_NS_VIRTUALIZATION
	/*
	 * Run boot_init_primary_late() on the stack found at
	 * THREAD_CTX_STACK_VA_END from the start of threads, with the
	 * core-local flags cleared. x21 keeps the temporary stack pointer
	 * and x22 the thread_core_local pointer for the restore further
	 * down.
	 */
372	mov	x21, sp
373	adr_l	x0, threads
374	ldr	x0, [x0, #THREAD_CTX_STACK_VA_END]
375	mov	sp, x0
376	bl	thread_get_core_local
377	mov	x22, x0
378	str	wzr, [x22, #THREAD_CORE_LOCAL_FLAGS]
379#endif
380	mov	x0, x20		/* DT address also known as HW_CONFIG */
381#ifdef CFG_CORE_SEL1_SPMC
382	mov	x1, x19		/* TOS_FW_CONFIG DT address */
383#else
384	mov	x1, xzr		/* unused */
385#endif
386	bl	boot_init_primary_late
387#ifdef CFG_CORE_PAUTH
388	init_pauth_per_cpu
389#endif
390
391#ifndef CFG_NS_VIRTUALIZATION
	/* Back to the temporary stack, flagged as such in the core-local data */
392	mov	x0, #THREAD_CLF_TMP
393	str     w0, [x22, #THREAD_CORE_LOCAL_FLAGS]
394	mov	sp, x21
395#endif
396
397#ifdef _CFG_CORE_STACK_PROTECTOR
398	/* Update stack canary value */
	/*
	 * NOTE(review): the guard is only replaced here, after
	 * boot_init_primary_late() has returned, so the C code called above
	 * ran with whatever __stack_chk_guard held before, presumably a
	 * build-time constant; confirm. Presumably done from assembly so the
	 * guard does not change under a C frame that has already saved it.
	 */
399	bl	plat_get_random_stack_canary
400	adr_l	x5, __stack_chk_guard
401	str	x0, [x5]
402#endif
403
404	/*
405	 * In case we've touched memory that secondary CPUs will use before
406	 * they have turned on their D-cache, clean and invalidate the
407	 * D-cache before exiting to normal world.
408	 */
409	adr_l	x0, __text_start
410	ldr	x1, cached_mem_end
411	sub	x1, x1, x0
412	bl	dcache_cleaninv_range
413
414
415	/*
416	 * Clear current thread id now to allow the thread to be reused on
417	 * next entry. Matches the thread_init_boot_thread in
418	 * boot.c.
419	 */
420#ifndef CFG_NS_VIRTUALIZATION
421	bl 	thread_clr_boot_thread
422#endif
423
424#ifdef CFG_CORE_FFA
425	adr	x0, cpu_on_handler
426	/*
427	 * Compensate for the virtual map offset since cpu_on_handler() is
428	 * called with MMU off.
429	 */
430	ldr	x1, boot_mmu_config + CORE_MMU_CONFIG_MAP_OFFSET
431	sub	x0, x0, x1
432	bl	thread_spmc_register_secondary_ep
433	b	thread_ffa_msg_wait
434#else
435	/*
436	 * Pass the vector address returned from main_init. Compensate for
437	 * the virtual map offset since cpu_on_handler() is called with MMU
438	 * off.
	 *
	 * As written, x1 gets the address of thread_vector_table minus the
	 * map offset and x0 the TEESMC_OPTEED_RETURN_ENTRY_DONE function ID.
439	 */
440	ldr	x0, boot_mmu_config + CORE_MMU_CONFIG_MAP_OFFSET
441	adr	x1, thread_vector_table
442	sub	x1, x1, x0
443	mov	x0, #TEESMC_OPTEED_RETURN_ENTRY_DONE
444	smc	#0
445	/* SMC should not return */
446	panic_at_smc_return
447#endif
448END_FUNC _start
449DECLARE_KEEP_INIT _start
450
451	.section .identity_map.data
452	.balign	8
	/*
	 * 8-byte slot holding the end address of the memory touched during
	 * early boot. _start writes it after the boot data copy and uses it
	 * as the upper bound for dcache_cleaninv_range.
	 */
453LOCAL_DATA cached_mem_end , :
454	.skip	8
455END_DATA cached_mem_end
456
457#if defined(CFG_CORE_ASLR) || defined(CFG_CORE_PHYS_RELOCATABLE)
458LOCAL_FUNC relocate , :
459	/*
	 * Applies the embedded relocation table: adds the offset in x0 to
	 * each 64-bit value the table points at.
	 *
460	 * x0 holds relocate offset
461	 * x1 holds load address
	 *
	 * Uses x2-x6 as scratch; x0 and x1 are left unchanged.
462	 */
463#ifdef CFG_WITH_PAGER
464	adr_l	x6, __init_end
465#else
466	adr_l	x6, __end
467#endif
	/* w2 = table offset from x6, w3 = table length, both read from the image */
468	ldp	w2, w3, [x6, #BOOT_EMBDATA_RELOC_OFFSET]
469
470	add	x2, x2, x6	/* start of relocations */
471	add	x3, x3, x2	/* end of relocations */
472
473	/*
474	 * Relocations are not formatted as Rela64, instead they are in a
475	 * compressed format created by get_reloc_bin() in
476	 * scripts/gen_tee_bin.py
477	 *
478	 * All the R_AARCH64_RELATIVE relocations are translated into a
479	 * list of 32-bit offsets from TEE_LOAD_ADDR. At each such address
480	 * there is a 64-bit value which is increased by the load offset.
	 *
	 * NOTE(review): apart from the pager-only check below, the offsets
	 * are applied without a range check, and the loop ends only when x2
	 * lands exactly on x3. The table is part of the image, so its
	 * integrity rests on whatever authenticated the image; confirm.
481	 */
482
483#ifdef CFG_WITH_PAGER
484	/*
485	 * With pager enabled we can only relocate the pager and init
486	 * parts, the rest has to be done when a page is populated.
487	 */
	/* x6 = __init_end as an offset from the load address */
488	sub	x6, x6, x1
489#endif
490
	/* Enter at the loop test so an empty table is handled */
491	b	2f
492	/* Loop over the relocation addresses and process all entries */
4931:	ldr	w4, [x2], #4
494#ifdef CFG_WITH_PAGER
495	/* Skip too large addresses */
496	cmp	x4, x6
497	b.ge	2f
498#endif
	/* x4 = address to patch; add the offset to the 64-bit value there */
499	add	x4, x4, x1
500	ldr	x5, [x4]
501	add	x5, x5, x0
502	str	x5, [x4]
503
5042:	cmp	x2, x3
505	b.ne	1b
506
507	ret
508END_FUNC relocate
509#endif
510
511/*
512 * void enable_mmu(unsigned long core_pos);
513 *
514 * This function depends on being mapped within the identity map where
515 * the physical address and the virtual address are the same. After the
516 * MMU has been enabled the instruction pointer will be updated to
517 * execute at the new offset instead. Stack pointers and the return
518 * address are updated.
 *
 * In:    x0 = core_pos
 * Uses:  x1-x6 as scratch; SP_EL0, SP_EL1 and x30 are moved by the load
 *        offset read from boot_mmu_config. Leaves SPSel at 0.
 */
519LOCAL_FUNC enable_mmu , : , .identity_map
520	adr	x1, boot_mmu_config
521	load_xregs x1, 0, 2, 6
522	/*
523	 * x0 = core_pos
524	 * x2 = tcr_el1
525	 * x3 = mair_el1
526	 * x4 = ttbr0_el1_base
527	 * x5 = ttbr0_core_offset
528	 * x6 = load_offset
529	 */
530	msr	tcr_el1, x2
531	msr	mair_el1, x3
532
533	/*
534	 * ttbr0_el1 = ttbr0_el1_base + ttbr0_core_offset * core_pos
535	 */
536	madd	x1, x5, x0, x4
537	msr	ttbr0_el1, x1
538	msr	ttbr1_el1, xzr
539	isb
540
541	/* Invalidate TLB */
542	tlbi	vmalle1
543
544	/*
545	 * Make sure translation table writes have drained into memory and
546	 * the TLB invalidation is complete.
547	 */
548	dsb	sy
549	isb
550
551	/* Enable the MMU */
552	mrs	x1, sctlr_el1
553	orr	x1, x1, #SCTLR_M
554	msr	sctlr_el1, x1
555	isb
556
557	/* Update vbar */
	/* The vector base was installed as an identity-map address; move it by x6 */
558	mrs	x1, vbar_el1
559	add	x1, x1, x6
560	msr	vbar_el1, x1
561	isb
562
563	/* Invalidate instruction cache and branch predictor */
564	ic	iallu
565	isb
566
567	/* Enable I and D cache */
568	mrs	x1, sctlr_el1
569	orr	x1, x1, #SCTLR_I
570	orr	x1, x1, #SCTLR_C
571	msr	sctlr_el1, x1
572	isb
573
574	/* Adjust stack pointers and return address */
	/* SP_EL1 first, then SP_EL0, so the function returns with SPSel = 0 */
575	msr	spsel, #1
576	add	sp, sp, x6
577	msr	spsel, #0
578	add	sp, sp, x6
579	add	x30, x30, x6
580
581	ret
582END_FUNC enable_mmu
583
584	.section .identity_map.data
585	.balign	8
	/*
	 * Filled in by core_init_mmu_map() (called from _start with this
	 * address in x1) and read back by enable_mmu, and through
	 * CORE_MMU_CONFIG_MAP_OFFSET by _start.
	 */
586DATA boot_mmu_config , : /* struct core_mmu_config */
587	.skip	CORE_MMU_CONFIG_SIZE
588END_DATA boot_mmu_config
589
590FUNC cpu_on_handler , :
	/*
	 * Entry for a CPU being powered on. _start registers or returns this
	 * address with the map offset subtracted, as it is entered with the
	 * MMU off. It repeats the per-CPU part of the boot sequence and then
	 * continues in boot_cpu_on_handler().
	 *
	 * x0 and x1 are passed through unchanged to boot_cpu_on_handler().
	 * x19-x21 are overwritten without being saved first.
	 */
591	mov	x19, x0
592	mov	x20, x1
593	mov	x21, x30
594
	/* Early vectors: every entry in reset_vect_table branches to itself */
595	adr	x0, reset_vect_table
596	msr	vbar_el1, x0
597	isb
598
599	set_sctlr_el1
600	isb
601
602	/* Enable aborts now that we can receive exceptions */
603	msr	daifclr, #DAIFBIT_ABT
604
605	bl	__get_core_pos
606	bl	enable_mmu
607
608	/* Setup SP_EL0 and SP_EL1, SP will be set to SP_EL0 */
609	set_sp
610
611#ifdef CFG_MEMTAG
612	init_memtag_per_cpu
613#endif
614#ifdef CFG_CORE_PAUTH
615	init_pauth_per_cpu
616#endif
617
618	mov	x0, x19
619	mov	x1, x20
620#ifdef CFG_CORE_FFA
621	bl	boot_cpu_on_handler
622	b	thread_ffa_msg_wait
623#else
	/* Tail call: boot_cpu_on_handler() returns to the original caller */
624	mov	x30, x21
625	b	boot_cpu_on_handler
626#endif
627END_FUNC cpu_on_handler
628DECLARE_KEEP_PAGER cpu_on_handler
629
630LOCAL_FUNC unhandled_cpu , :
	/*
	 * Parking loop reached from set_sp when the core position is not
	 * below CFG_TEE_CORE_NB_CORE. Never returns; the core goes back to
	 * wfi on every wake-up.
	 */
631	wfi
632	b	unhandled_cpu
633END_FUNC unhandled_cpu
634
635LOCAL_DATA stack_tmp_rel , :
	/*
	 * 32-bit distance from this word to stack_tmp - STACK_TMP_GUARD.
	 * set_sp adds it to this word's address to get the base of the
	 * temporary stacks.
	 */
636	.word	stack_tmp - stack_tmp_rel - STACK_TMP_GUARD
637END_DATA stack_tmp_rel
638
639	/*
640	 * This macro verifies that a given vector doesn't exceed the
641	 * architectural limit of 32 instructions. This is meant to be placed
642	 * immediately after the last instruction in the vector. It takes the
643	 * vector entry as the parameter.
	 *
	 * The check runs at assembly time: an oversized vector stops the
	 * build with an error.
644	 */
645	.macro check_vector_size since
646	  .if (. - \since) > (32 * 4)
647	    .error "Vector exceeds 32 instructions"
648	  .endif
649	.endm
650
651	.section .identity_map, "ax", %progbits
	/* 2^11 = 2048-byte alignment for the table, 2^7 = 128 bytes per entry */
652	.align	11
653LOCAL_FUNC reset_vect_table , :, .identity_map, , nobti
	/*
	 * Vector table installed in VBAR_EL1 by _start and cpu_on_handler
	 * during early boot. Every entry is a branch to itself: an exception
	 * taken while this table is active parks the core at the matching
	 * label, with no message and no recovery.
	 */
654	/* -----------------------------------------------------
655	 * Current EL with SP0 : 0x0 - 0x180
656	 * -----------------------------------------------------
657	 */
658SynchronousExceptionSP0:
659	b	SynchronousExceptionSP0
660	check_vector_size SynchronousExceptionSP0
661
662	.align	7
663IrqSP0:
664	b	IrqSP0
665	check_vector_size IrqSP0
666
667	.align	7
668FiqSP0:
669	b	FiqSP0
670	check_vector_size FiqSP0
671
672	.align	7
673SErrorSP0:
674	b	SErrorSP0
675	check_vector_size SErrorSP0
676
677	/* -----------------------------------------------------
678	 * Current EL with SPx: 0x200 - 0x380
679	 * -----------------------------------------------------
680	 */
681	.align	7
682SynchronousExceptionSPx:
683	b	SynchronousExceptionSPx
684	check_vector_size SynchronousExceptionSPx
685
686	.align	7
687IrqSPx:
688	b	IrqSPx
689	check_vector_size IrqSPx
690
691	.align	7
692FiqSPx:
693	b	FiqSPx
694	check_vector_size FiqSPx
695
696	.align	7
697SErrorSPx:
698	b	SErrorSPx
699	check_vector_size SErrorSPx
700
701	/* -----------------------------------------------------
702	 * Lower EL using AArch64 : 0x400 - 0x580
703	 * -----------------------------------------------------
704	 */
705	.align	7
706SynchronousExceptionA64:
707	b	SynchronousExceptionA64
708	check_vector_size SynchronousExceptionA64
709
710	.align	7
711IrqA64:
712	b	IrqA64
713	check_vector_size IrqA64
714
715	.align	7
716FiqA64:
717	b	FiqA64
718	check_vector_size FiqA64
719
720	.align	7
721SErrorA64:
722	b   	SErrorA64
723	check_vector_size SErrorA64
724
725	/* -----------------------------------------------------
726	 * Lower EL using AArch32 : 0x600 - 0x780
727	 * -----------------------------------------------------
728	 */
729	.align	7
730SynchronousExceptionA32:
731	b	SynchronousExceptionA32
732	check_vector_size SynchronousExceptionA32
733
734	.align	7
735IrqA32:
736	b	IrqA32
737	check_vector_size IrqA32
738
739	.align	7
740FiqA32:
741	b	FiqA32
742	check_vector_size FiqA32
743
744	.align	7
745SErrorA32:
746	b	SErrorA32
747	check_vector_size SErrorA32
748
749END_FUNC reset_vect_table
750
/*
 * Emits the GNU property for GNU_PROPERTY_AARCH64_FEATURE_1_BTI through
 * the BTI() wrapper. Both macros are defined outside this file;
 * presumably BTI() expands to nothing when BTI is not configured.
 * TODO confirm.
 */
751BTI(emit_aarch64_feature_1_and     GNU_PROPERTY_AARCH64_FEATURE_1_BTI)
752