Add CF protection for x86_64
This commit is contained in:
parent
35ecdc1cc4
commit
663d8b9ff4
191
libgcrypt-1.11.0-cf-protection.patch
Normal file
191
libgcrypt-1.11.0-cf-protection.patch
Normal file
@ -0,0 +1,191 @@
|
|||||||
|
From de3a04203b33c2248400392b535d2ab133bcd752 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
||||||
|
Date: Sat, 27 Jul 2024 08:16:56 +0300
|
||||||
|
Subject: [PATCH] Do not build rijndael-vaes-avx2-i386 on x86-64
|
||||||
|
|
||||||
|
* configure.ac: Enable building i386 "rijndael-vaes" only
|
||||||
|
on i?86 host instead of x86 MPI arch ("i?86 + x86-64").
|
||||||
|
--
|
||||||
|
|
||||||
|
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
||||||
|
---
|
||||||
|
configure.ac | 9 +++++----
|
||||||
|
1 file changed, 5 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index d3dffb4b..1e182552 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -3025,6 +3025,11 @@ if test "$found" = "1" ; then
|
||||||
|
AC_DEFINE(USE_AES, 1, [Defined if this module should be included])
|
||||||
|
|
||||||
|
case "${host}" in
|
||||||
|
+ i?86-*-*)
|
||||||
|
+ # Build with the VAES/AVX2 implementation
|
||||||
|
+ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-i386.lo"
|
||||||
|
+ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-avx2-i386.lo"
|
||||||
|
+ ;;
|
||||||
|
x86_64-*-*)
|
||||||
|
# Build with the assembly implementation
|
||||||
|
GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-amd64.lo"
|
||||||
|
@@ -3089,10 +3094,6 @@ if test "$found" = "1" ; then
|
||||||
|
|
||||||
|
# Build with the Padlock implementation
|
||||||
|
GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-padlock.lo"
|
||||||
|
-
|
||||||
|
- # Build with the VAES/AVX2 implementation
|
||||||
|
- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-i386.lo"
|
||||||
|
- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-avx2-i386.lo"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
||||||
|
|
||||||
|
From 9178af96038acd295d02a4c405c19435dce92ad8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
||||||
|
Date: Fri, 26 Jul 2024 10:59:12 +0300
|
||||||
|
Subject: [PATCH 1/2] Add CET support for x86-64 assembly
|
||||||
|
|
||||||
|
* cipher/asm-common-amd64.h (ENDBRANCH): New.
|
||||||
|
(CFI_STARTPROC): Add ENDBRANCH.
|
||||||
|
[__CET__] (note.gnu.property): Add CET property section.
|
||||||
|
--
|
||||||
|
|
||||||
|
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
||||||
|
---
|
||||||
|
cipher/asm-common-amd64.h | 30 ++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 28 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/cipher/asm-common-amd64.h b/cipher/asm-common-amd64.h
|
||||||
|
index 3fa065e8..465ef62b 100644
|
||||||
|
--- a/cipher/asm-common-amd64.h
|
||||||
|
+++ b/cipher/asm-common-amd64.h
|
||||||
|
@@ -76,9 +76,15 @@
|
||||||
|
# endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#ifdef __CET__
|
||||||
|
+#define ENDBRANCH endbr64
|
||||||
|
+#else
|
||||||
|
+#define ENDBRANCH /*_*/
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
|
||||||
|
/* CFI directives to emit DWARF stack unwinding information. */
|
||||||
|
-# define CFI_STARTPROC() .cfi_startproc
|
||||||
|
+# define CFI_STARTPROC() .cfi_startproc; ENDBRANCH
|
||||||
|
# define CFI_ENDPROC() .cfi_endproc
|
||||||
|
# define CFI_REMEMBER_STATE() .cfi_remember_state
|
||||||
|
# define CFI_RESTORE_STATE() .cfi_restore_state
|
||||||
|
@@ -146,7 +152,7 @@
|
||||||
|
DW_SLEB128_28BIT(rsp_offs)
|
||||||
|
|
||||||
|
#else
|
||||||
|
-# define CFI_STARTPROC()
|
||||||
|
+# define CFI_STARTPROC() ENDBRANCH
|
||||||
|
# define CFI_ENDPROC()
|
||||||
|
# define CFI_REMEMBER_STATE()
|
||||||
|
# define CFI_RESTORE_STATE()
|
||||||
|
@@ -214,4 +220,24 @@
|
||||||
|
vpopcntb xmm16, xmm16; /* Supported only by newer AVX512 CPUs. */ \
|
||||||
|
vpxord ymm16, ymm16, ymm16;
|
||||||
|
|
||||||
|
+#ifdef __CET__
|
||||||
|
+/* Generate CET property for all assembly files including this header. */
|
||||||
|
+ELF(.section .note.gnu.property,"a")
|
||||||
|
+ELF(.align 8)
|
||||||
|
+ELF(.long 1f - 0f)
|
||||||
|
+ELF(.long 4f - 1f)
|
||||||
|
+ELF(.long 5)
|
||||||
|
+ELF(0:)
|
||||||
|
+ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
|
||||||
|
+ELF(1:)
|
||||||
|
+ELF(.align 8)
|
||||||
|
+ELF(.long 0xc0000002)
|
||||||
|
+ELF(.long 3f - 2f)
|
||||||
|
+ELF(2:)
|
||||||
|
+ELF(.long 0x3)
|
||||||
|
+ELF(3:)
|
||||||
|
+ELF(.align 8)
|
||||||
|
+ELF(4:)
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#endif /* GCRY_ASM_COMMON_AMD64_H */
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
||||||
|
From e7c81e64b1a81455ce72c54607ce6ab35c24f407 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
||||||
|
Date: Fri, 26 Jul 2024 11:09:37 +0300
|
||||||
|
Subject: [PATCH 2/2] Add CET support for i386 assembly
|
||||||
|
|
||||||
|
* cipher/asm-common-i386.h (ENDBRANCH): New.
|
||||||
|
(CFI_STARTPROC): Add ENDBRANCH.
|
||||||
|
[__CET__] (note.gnu.property): Add CET property section.
|
||||||
|
--
|
||||||
|
|
||||||
|
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
|
||||||
|
---
|
||||||
|
cipher/asm-common-i386.h | 30 ++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 28 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/cipher/asm-common-i386.h b/cipher/asm-common-i386.h
|
||||||
|
index d746ebc4..346a8ff2 100644
|
||||||
|
--- a/cipher/asm-common-i386.h
|
||||||
|
+++ b/cipher/asm-common-i386.h
|
||||||
|
@@ -59,9 +59,15 @@
|
||||||
|
movl name##@GOT(%reg), %reg;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#ifdef __CET__
|
||||||
|
+#define ENDBRANCH endbr32
|
||||||
|
+#else
|
||||||
|
+#define ENDBRANCH /*_*/
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
|
||||||
|
/* CFI directives to emit DWARF stack unwinding information. */
|
||||||
|
-# define CFI_STARTPROC() .cfi_startproc
|
||||||
|
+# define CFI_STARTPROC() .cfi_startproc; ENDBRANCH
|
||||||
|
# define CFI_ENDPROC() .cfi_endproc
|
||||||
|
# define CFI_REMEMBER_STATE() .cfi_remember_state
|
||||||
|
# define CFI_RESTORE_STATE() .cfi_restore_state
|
||||||
|
@@ -121,7 +127,7 @@
|
||||||
|
DW_SLEB128_28BIT(esp_offs)
|
||||||
|
|
||||||
|
#else
|
||||||
|
-# define CFI_STARTPROC()
|
||||||
|
+# define CFI_STARTPROC() ENDBRANCH
|
||||||
|
# define CFI_ENDPROC()
|
||||||
|
# define CFI_REMEMBER_STATE()
|
||||||
|
# define CFI_RESTORE_STATE()
|
||||||
|
@@ -158,4 +164,24 @@
|
||||||
|
vpopcntb xmm7, xmm7; /* Supported only by newer AVX512 CPUs. */ \
|
||||||
|
vpxord ymm7, ymm7, ymm7;
|
||||||
|
|
||||||
|
+#ifdef __CET__
|
||||||
|
+/* Generate CET property for all assembly files including this header. */
|
||||||
|
+ELF(.section .note.gnu.property,"a")
|
||||||
|
+ELF(.align 4)
|
||||||
|
+ELF(.long 1f - 0f)
|
||||||
|
+ELF(.long 4f - 1f)
|
||||||
|
+ELF(.long 5)
|
||||||
|
+ELF(0:)
|
||||||
|
+ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
|
||||||
|
+ELF(1:)
|
||||||
|
+ELF(.align 4)
|
||||||
|
+ELF(.long 0xc0000002)
|
||||||
|
+ELF(.long 3f - 2f)
|
||||||
|
+ELF(2:)
|
||||||
|
+ELF(.long 0x3)
|
||||||
|
+ELF(3:)
|
||||||
|
+ELF(.align 4)
|
||||||
|
+ELF(4:)
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#endif /* GCRY_ASM_COMMON_AMD64_H */
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
@ -26,6 +26,8 @@ Patch1: libgcrypt-1.10.1-annobin.patch
|
|||||||
Patch2: libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
|
Patch2: libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
|
||||||
# https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/20
|
# https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/20
|
||||||
Patch3: libgcrypt-1.11.0-covscan.patch
|
Patch3: libgcrypt-1.11.0-covscan.patch
|
||||||
|
# https://dev.gnupg.org/T7220
|
||||||
|
Patch4: libgcrypt-1.11.0-cf-protection.patch
|
||||||
|
|
||||||
%global gcrylibdir %{_libdir}
|
%global gcrylibdir %{_libdir}
|
||||||
%global gcrysoname libgcrypt.so.20
|
%global gcrysoname libgcrypt.so.20
|
||||||
@ -62,6 +64,7 @@ applications using libgcrypt.
|
|||||||
%patch 1 -p1
|
%patch 1 -p1
|
||||||
%patch 2 -p1
|
%patch 2 -p1
|
||||||
%patch 3 -p1
|
%patch 3 -p1
|
||||||
|
%patch 4 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# should be all algorithms except SM3 and SM4, aria
|
# should be all algorithms except SM3 and SM4, aria
|
||||||
|
Loading…
Reference in New Issue
Block a user