Hardware-based tracing on ARM
Hardware-assisted tracing is a powerful and low-overhead means to obtain real-time, whole-system coverage information. The ARM CoreSight architecture specifies an Embedded Trace Macrocell (ETM) that allows trace data both to be accessed through JTAG and exported through an ETM trace port, and to be programmed entirely in software and stored in a ring buffer. On Linux 4.9 and above, ETM-based tracing can be used out of the box because ARM CoreSight is supported by the perf subsystem; software-based usage on other operating systems requires low-level programming. This talk will investigate the availability of ETM-based program flow tracing on various ARMv7 and ARMv8 SoCs, and explain how to set up software-based ETM tracing yourself and how to use the coverage information to drive a fuzzer.