Fix branch protection also on Aarch64

Related: RHEL-58736
This commit is contained in:
Jakub Jelen 2024-08-06 11:51:54 +02:00
parent 617e4c5f4c
commit 60990da0cc
2 changed files with 231 additions and 0 deletions

View File

@ -0,0 +1,229 @@
From afdd68b162103820edb72ad170f8ee26f206b396 Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Sun, 4 Aug 2024 18:51:34 +0300
Subject: [PATCH] Add PAC/BTI support for AArch64 assembly
* cipher/asm-common-aarch64.h (AARCH64_BTI_PROPERTY_FLAG)
(AARCH64_HINT_BTI_C, AARCH64_PAC_PROPERTY_FLAG)
(note.gnu.property): New.
(CFI_STARTPROC): Add AARCH64_HINT_BTI_C.
--
GnuPG-bug-id: 7220
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
cipher/asm-common-aarch64.h | 50 +++++++++++++++++++++++++++++++++++--
1 file changed, 48 insertions(+), 2 deletions(-)
diff --git a/cipher/asm-common-aarch64.h b/cipher/asm-common-aarch64.h
index 3a72d7c4..ff65ea6a 100644
--- a/cipher/asm-common-aarch64.h
+++ b/cipher/asm-common-aarch64.h
@@ -45,9 +45,25 @@
add reg, reg, #:lo12:name ;
#endif
+#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
+# define AARCH64_BTI_PROPERTY_FLAG (1 << 0)
+# define AARCH64_HINT_BTI_C \
+ hint #34
+#else
+# define AARCH64_BTI_PROPERTY_FLAG 0 /* No BTI */
+# define AARCH64_HINT_BTI_C /*_*/
+#endif
+
+#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT & 3) != 0
+/* PAC enabled, signed with either A or B key. */
+# define AARCH64_PAC_PROPERTY_FLAG (1 << 1)
+#else
+# define AARCH64_PAC_PROPERTY_FLAG 0 /* No PAC */
+#endif
+
#ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
/* CFI directives to emit DWARF stack unwinding information. */
-# define CFI_STARTPROC() .cfi_startproc
+# define CFI_STARTPROC() .cfi_startproc; AARCH64_HINT_BTI_C
# define CFI_ENDPROC() .cfi_endproc
# define CFI_REMEMBER_STATE() .cfi_remember_state
# define CFI_RESTORE_STATE() .cfi_restore_state
@@ -89,7 +105,7 @@
DW_SLEB128_28BIT(rsp_offs)
#else
-# define CFI_STARTPROC()
+# define CFI_STARTPROC() AARCH64_HINT_BTI_C
# define CFI_ENDPROC()
# define CFI_REMEMBER_STATE()
# define CFI_RESTORE_STATE()
@@ -129,4 +145,34 @@
ldp d8, d9, [sp], #16; \
CFI_ADJUST_CFA_OFFSET(-16);
+#if (AARCH64_BTI_PROPERTY_FLAG | AARCH64_PAC_PROPERTY_FLAG)
+/* Generate PAC/BTI property for all assembly files including this header.
+ *
+ * libgcrypt support these extensions:
+ * - Armv8.3-A Pointer Authentication (PAC):
+ * As currently all AArch64 assembly functions are leaf functions and do
+ * not store/load link register LR, we just mark PAC as supported.
+ *
+ * - Armv8.5-A Branch Target Identification (BTI):
+ * All AArch64 assembly functions get branch target instruction through
+ * CFI_STARTPROC macro.
+ */
+ELF(.section .note.gnu.property,"a")
+ELF(.balign 8)
+ELF(.long 1f - 0f)
+ELF(.long 4f - 1f)
+ELF(.long 5)
+ELF(0:)
+ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
+ELF(1:)
+ELF(.balign 8)
+ELF(.long 0xc0000000)
+ELF(.long 3f - 2f)
+ELF(2:)
+ELF(.long (AARCH64_BTI_PROPERTY_FLAG | AARCH64_PAC_PROPERTY_FLAG))
+ELF(3:)
+ELF(.balign 8)
+ELF(4:)
+#endif
+
#endif /* GCRY_ASM_COMMON_AARCH64_H */
--
2.43.0
From 07706d69f238f6a3bfc3f74145686a02decbee9c Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Mon, 5 Aug 2024 20:18:05 +0300
Subject: [PATCH] Do not build 32-bit ARM assembly on Aarch64
* configure.ac: Build "serpent-armv7-neon", "salsa20-armv7-neon",
"chacha20-armv7-neon", "sha512-armv7-neon" and "keccak-armv7-neon"
only on 32-bit ARM.
--
GnuPG-bug-id: 7220
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
configure.ac | 54 ++++++++++++++++++++++++++++------------------------
1 file changed, 29 insertions(+), 25 deletions(-)
diff --git a/configure.ac b/configure.ac
index 191aa38d..2b6ddb7b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3139,17 +3139,18 @@ if test "$found" = "1" ; then
GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS serpent-avx2-amd64.lo"
fi
;;
+ arm*-*-*)
+ if test x"$neonsupport" = xyes ; then
+ # Build with the NEON implementation
+ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS serpent-armv7-neon.lo"
+ fi
+ ;;
esac
if test x"$avx512support" = xyes ; then
# Build with the AVX512 implementation
GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS serpent-avx512-x86.lo"
fi
-
- if test x"$neonsupport" = xyes ; then
- # Build with the NEON implementation
- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS serpent-armv7-neon.lo"
- fi
fi
LIST_MEMBER(rfc2268, $enabled_ciphers)
@@ -3230,12 +3231,13 @@ if test "$found" = "1" ; then
# Build with the assembly implementation
GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS salsa20-amd64.lo"
;;
+ arm*-*-*)
+ if test x"$neonsupport" = xyes ; then
+ # Build with the NEON implementation
+ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS salsa20-armv7-neon.lo"
+ fi
+ ;;
esac
-
- if test x"$neonsupport" = xyes ; then
- # Build with the NEON implementation
- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS salsa20-armv7-neon.lo"
- fi
fi
LIST_MEMBER(gost28147, $enabled_ciphers)
@@ -3256,6 +3258,12 @@ if test "$found" = "1" ; then
GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-amd64-avx2.lo"
GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-amd64-avx512.lo"
;;
+ arm*-*-*)
+ if test x"$neonsupport" = xyes ; then
+ # Build with the NEON implementation
+ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-armv7-neon.lo"
+ fi
+ ;;
aarch64-*-*)
# Build with the assembly implementation
GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-aarch64.lo"
@@ -3282,11 +3290,6 @@ if test "$found" = "1" ; then
GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-s390x.lo"
;;
esac
-
- if test x"$neonsupport" = xyes ; then
- # Build with the NEON implementation
- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-armv7-neon.lo"
- fi
fi
LIST_MEMBER(sm4, $enabled_ciphers)
@@ -3491,6 +3494,11 @@ if test "$found" = "1" ; then
arm*-*-*)
# Build with the assembly implementation
GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sha512-arm.lo"
+
+ if test x"$neonsupport" = xyes ; then
+ # Build with the NEON implementation
+ GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sha512-armv7-neon.lo"
+ fi
;;
aarch64-*-*)
# Build with the assembly implementation
@@ -3510,11 +3518,6 @@ if test "$found" = "1" ; then
# Build with the crypto extension implementation
GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sha512-ppc.lo"
esac
-
- if test x"$neonsupport" = xyes ; then
- # Build with the NEON implementation
- GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sha512-armv7-neon.lo"
- fi
fi
LIST_MEMBER(sha3, $enabled_digests)
@@ -3527,12 +3530,13 @@ if test "$found" = "1" ; then
# Build with the assembly implementation
GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS keccak-amd64-avx512.lo"
;;
+ arm*-*-*)
+ if test x"$neonsupport" = xyes ; then
+ # Build with the NEON implementation
+ GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS keccak-armv7-neon.lo"
+ fi
+ ;;
esac
-
- if test x"$neonsupport" = xyes ; then
- # Build with the NEON implementation
- GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS keccak-armv7-neon.lo"
- fi
fi
LIST_MEMBER(tiger, $enabled_digests)
--
2.43.0

View File

@ -28,6 +28,7 @@ Patch2: libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
Patch3: libgcrypt-1.11.0-covscan.patch Patch3: libgcrypt-1.11.0-covscan.patch
# https://dev.gnupg.org/T7220 # https://dev.gnupg.org/T7220
Patch4: libgcrypt-1.11.0-cf-protection.patch Patch4: libgcrypt-1.11.0-cf-protection.patch
Patch5: libgcrypt-1.11.0-pac-bti-protection.patch
%global gcrylibdir %{_libdir} %global gcrylibdir %{_libdir}
%global gcrysoname libgcrypt.so.20 %global gcrysoname libgcrypt.so.20
@ -65,6 +66,7 @@ applications using libgcrypt.
%patch 2 -p1 %patch 2 -p1
%patch 3 -p1 %patch 3 -p1
%patch 4 -p1 %patch 4 -p1
%patch 5 -p1
%build %build
# should be all algorithms except SM3 and SM4, aria # should be all algorithms except SM3 and SM4, aria