Fix branch protection also on Aarch64
Related: RHEL-58736
parent
617e4c5f4c
commit
60990da0cc
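--- a/libgcrypt-1.11.0-pac-bti-protection.patch
+++ b/libgcrypt-1.11.0-pac-bti-protection.patch
@@ -0,0 +1,229 @@
+From afdd68b162103820edb72ad170f8ee26f206b396 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Sun, 4 Aug 2024 18:51:34 +0300
+Subject: [PATCH] Add PAC/BTI support for AArch64 assembly
+
+* cipher/asm-common-aarch64.h (AARCH64_BTI_PROPERTY_FLAG)
+(AARCH64_HINT_BTI_C, AARCH64_PAC_PROPERTY_FLAG)
+(note.gnu.property): New.
+(CFI_STARTPROC): Add AARCH64_HINT_BTI_C.
+--
+
+GnuPG-bug-id: 7220
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+cipher/asm-common-aarch64.h | 50 +++++++++++++++++++++++++++++++++++--
+1 file changed, 48 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/asm-common-aarch64.h b/cipher/asm-common-aarch64.h
+index 3a72d7c4..ff65ea6a 100644
+--- a/cipher/asm-common-aarch64.h
++++ b/cipher/asm-common-aarch64.h
+@@ -45,9 +45,25 @@
+add reg, reg, #:lo12:name ;
+#endif
+
++#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
++# define AARCH64_BTI_PROPERTY_FLAG (1 << 0)
++# define AARCH64_HINT_BTI_C \
++ hint #34
++#else
++# define AARCH64_BTI_PROPERTY_FLAG 0 /* No BTI */
++# define AARCH64_HINT_BTI_C /*_*/
++#endif
++
++#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT & 3) != 0
++/* PAC enabled, signed with either A or B key. */
++# define AARCH64_PAC_PROPERTY_FLAG (1 << 1)
++#else
++# define AARCH64_PAC_PROPERTY_FLAG 0 /* No PAC */
++#endif
++
+#ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
+/* CFI directives to emit DWARF stack unwinding information. */
+-# define CFI_STARTPROC() .cfi_startproc
++# define CFI_STARTPROC() .cfi_startproc; AARCH64_HINT_BTI_C
+# define CFI_ENDPROC() .cfi_endproc
+# define CFI_REMEMBER_STATE() .cfi_remember_state
+# define CFI_RESTORE_STATE() .cfi_restore_state
+@@ -89,7 +105,7 @@
+DW_SLEB128_28BIT(rsp_offs)
+
+#else
+-# define CFI_STARTPROC()
++# define CFI_STARTPROC() AARCH64_HINT_BTI_C
+# define CFI_ENDPROC()
+# define CFI_REMEMBER_STATE()
+# define CFI_RESTORE_STATE()
+@@ -129,4 +145,34 @@
+ldp d8, d9, [sp], #16; \
+CFI_ADJUST_CFA_OFFSET(-16);
+
++#if (AARCH64_BTI_PROPERTY_FLAG | AARCH64_PAC_PROPERTY_FLAG)
++/* Generate PAC/BTI property for all assembly files including this header.
++ *
++ * libgcrypt support these extensions:
++ * - Armv8.3-A Pointer Authentication (PAC):
++ * As currently all AArch64 assembly functions are leaf functions and do
++ * not store/load link register LR, we just mark PAC as supported.
++ *
++ * - Armv8.5-A Branch Target Identification (BTI):
++ * All AArch64 assembly functions get branch target instruction through
++ * CFI_STARTPROC macro.
++ */
++ELF(.section .note.gnu.property,"a")
++ELF(.balign 8)
++ELF(.long 1f - 0f)
++ELF(.long 4f - 1f)
++ELF(.long 5)
++ELF(0:)
++ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
++ELF(1:)
++ELF(.balign 8)
++ELF(.long 0xc0000000)
++ELF(.long 3f - 2f)
++ELF(2:)
++ELF(.long (AARCH64_BTI_PROPERTY_FLAG | AARCH64_PAC_PROPERTY_FLAG))
++ELF(3:)
++ELF(.balign 8)
++ELF(4:)
++#endif
++
+#endif /* GCRY_ASM_COMMON_AARCH64_H */
+--
+2.43.0
+
+From 07706d69f238f6a3bfc3f74145686a02decbee9c Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Mon, 5 Aug 2024 20:18:05 +0300
+Subject: [PATCH] Do not build 32-bit ARM assembly on Aarch64
+
+* configure.ac: Build "serpent-armv7-neon", "salsa20-armv7-neon",
+"chacha20-armv7-neon", "sha512-armv7-neon" and "keccak-armv7-neon"
+only on 32-bit ARM.
+--
+
+GnuPG-bug-id: 7220
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+configure.ac | 54 ++++++++++++++++++++++++++++------------------------
+1 file changed, 29 insertions(+), 25 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 191aa38d..2b6ddb7b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3139,17 +3139,18 @@ if test "$found" = "1" ; then
+GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS serpent-avx2-amd64.lo"
+fi
+;;
++ arm*-*-*)
++ if test x"$neonsupport" = xyes ; then
++ # Build with the NEON implementation
++ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS serpent-armv7-neon.lo"
++ fi
++ ;;
+esac
+
+if test x"$avx512support" = xyes ; then
+# Build with the AVX512 implementation
+GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS serpent-avx512-x86.lo"
+fi
+-
+- if test x"$neonsupport" = xyes ; then
+- # Build with the NEON implementation
+- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS serpent-armv7-neon.lo"
+- fi
+fi
+
+LIST_MEMBER(rfc2268, $enabled_ciphers)
+@@ -3230,12 +3231,13 @@ if test "$found" = "1" ; then
+# Build with the assembly implementation
+GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS salsa20-amd64.lo"
+;;
++ arm*-*-*)
++ if test x"$neonsupport" = xyes ; then
++ # Build with the NEON implementation
++ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS salsa20-armv7-neon.lo"
++ fi
++ ;;
+esac
+-
+- if test x"$neonsupport" = xyes ; then
+- # Build with the NEON implementation
+- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS salsa20-armv7-neon.lo"
+- fi
+fi
+
+LIST_MEMBER(gost28147, $enabled_ciphers)
+@@ -3256,6 +3258,12 @@ if test "$found" = "1" ; then
+GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-amd64-avx2.lo"
+GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-amd64-avx512.lo"
+;;
++ arm*-*-*)
++ if test x"$neonsupport" = xyes ; then
++ # Build with the NEON implementation
++ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-armv7-neon.lo"
++ fi
++ ;;
+aarch64-*-*)
+# Build with the assembly implementation
+GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-aarch64.lo"
+@@ -3282,11 +3290,6 @@ if test "$found" = "1" ; then
+GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-s390x.lo"
+;;
+esac
+-
+- if test x"$neonsupport" = xyes ; then
+- # Build with the NEON implementation
+- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-armv7-neon.lo"
+- fi
+fi
+
+LIST_MEMBER(sm4, $enabled_ciphers)
+@@ -3491,6 +3494,11 @@ if test "$found" = "1" ; then
+arm*-*-*)
+# Build with the assembly implementation
+GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sha512-arm.lo"
++
++ if test x"$neonsupport" = xyes ; then
++ # Build with the NEON implementation
++ GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sha512-armv7-neon.lo"
++ fi
+;;
+aarch64-*-*)
+# Build with the assembly implementation
+@@ -3510,11 +3518,6 @@ if test "$found" = "1" ; then
+# Build with the crypto extension implementation
+GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sha512-ppc.lo"
+esac
+-
+- if test x"$neonsupport" = xyes ; then
+- # Build with the NEON implementation
+- GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sha512-armv7-neon.lo"
+- fi
+fi
+
+LIST_MEMBER(sha3, $enabled_digests)
+@@ -3527,12 +3530,13 @@ if test "$found" = "1" ; then
+# Build with the assembly implementation
+GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS keccak-amd64-avx512.lo"
+;;
++ arm*-*-*)
++ if test x"$neonsupport" = xyes ; then
++ # Build with the NEON implementation
++ GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS keccak-armv7-neon.lo"
++ fi
++ ;;
+esac
+-
+- if test x"$neonsupport" = xyes ; then
+- # Build with the NEON implementation
+- GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS keccak-armv7-neon.lo"
+- fi
+fi
+
+LIST_MEMBER(tiger, $enabled_digests)
+--
+2.43.0
+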
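Review bot: The `.note.gnu.property` block in the `@@ -129,4 +145,34 @@` hunk of cipher/asm-common-aarch64.h marks every assembly object that includes this header as BTI-compatible, but the landing pad itself is only emitted through `CFI_STARTPROC()`, and nothing in the header enforces that each indirectly callable entry point uses that macro. Whether all AArch64 `.S` files in 1.11.0 do so is not visible on this page, so it is worth confirming before shipping, since a missed entry would fault once the library is mapped with BTI enforced. I would also document the magic number next to the define, e.g. `/* hint #34 is the HINT-space encoding of "bti c"; it assembles without BTI support in the assembler and executes as a NOP on cores without BTI */`. The PAC flag rests on the leaf-function assumption stated in the comment, so a future non-leaf routine that spills LR would need `paciasp`/`autiasp` or the flag dropped.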
|
@ -28,6 +28,7 @@ Patch2: libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
|
|||||||
Patch3: libgcrypt-1.11.0-covscan.patch
|
Patch3: libgcrypt-1.11.0-covscan.patch
|
||||||
# https://dev.gnupg.org/T7220
|
# https://dev.gnupg.org/T7220
|
||||||
Patch4: libgcrypt-1.11.0-cf-protection.patch
|
Patch4: libgcrypt-1.11.0-cf-protection.patch
|
||||||
|
Patch5: libgcrypt-1.11.0-pac-bti-protection.patch
|
||||||
|
|
||||||
%global gcrylibdir %{_libdir}
|
%global gcrylibdir %{_libdir}
|
||||||
%global gcrysoname libgcrypt.so.20
|
%global gcrysoname libgcrypt.so.20
|
||||||
@ -65,6 +66,7 @@ applications using libgcrypt.
|
|||||||
%patch 2 -p1
|
%patch 2 -p1
|
||||||
%patch 3 -p1
|
%patch 3 -p1
|
||||||
%patch 4 -p1
|
%patch 4 -p1
|
||||||
|
%patch 5 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# should be all algorithms except SM3 and SM4, aria
|
# should be all algorithms except SM3 and SM4, aria
|
||||||
|
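Review bot: Nothing in the spec verifies that applying `Patch5` actually yields a BTI/PAC-marked library. The AArch64 GNU property is an AND across all linked objects, so a single object without the note makes the linker drop the feature bits without failing the build, and the regression would go unnoticed. If the spec has a `%check` section (not visible here), consider an aarch64-only assertion such as `readelf -n <built libgcrypt.so> | grep -q 'AArch64 feature:.*BTI'`, where the path is a placeholder and the build is assumed to enable branch protection in its compiler flags.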