Add CF protection for x86_64

This commit is contained in:
Jakub Jelen 2024-07-26 11:04:36 +02:00
parent 35ecdc1cc4
commit 663d8b9ff4
2 changed files with 194 additions and 0 deletions

View File

@ -0,0 +1,191 @@
From de3a04203b33c2248400392b535d2ab133bcd752 Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Sat, 27 Jul 2024 08:16:56 +0300
Subject: [PATCH] Do not build rijndael-vaes-avx2-i386 on x86-64
* configure.ac: Enable building i386 "rijndael-vaes" only
on i?86 host instead of x86 MPI arch ("i?86 + x86-64").
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
configure.ac | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index d3dffb4b..1e182552 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3025,6 +3025,11 @@ if test "$found" = "1" ; then
AC_DEFINE(USE_AES, 1, [Defined if this module should be included])
case "${host}" in
+ i?86-*-*)
+ # Build with the VAES/AVX2 implementation
+ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-i386.lo"
+ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-avx2-i386.lo"
+ ;;
x86_64-*-*)
# Build with the assembly implementation
GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-amd64.lo"
@@ -3089,10 +3094,6 @@ if test "$found" = "1" ; then
# Build with the Padlock implementation
GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-padlock.lo"
-
- # Build with the VAES/AVX2 implementation
- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-i386.lo"
- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-avx2-i386.lo"
;;
esac
fi
--
2.43.0
From 9178af96038acd295d02a4c405c19435dce92ad8 Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Fri, 26 Jul 2024 10:59:12 +0300
Subject: [PATCH 1/2] Add CET support for x86-64 assembly
* cipher/asm-common-amd64.h (ENDBRANCH): New.
(CFI_STARTPROC): Add ENDBRANCH.
[__CET__] (note.gnu.property): Add CET property section.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
cipher/asm-common-amd64.h | 30 ++++++++++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/cipher/asm-common-amd64.h b/cipher/asm-common-amd64.h
index 3fa065e8..465ef62b 100644
--- a/cipher/asm-common-amd64.h
+++ b/cipher/asm-common-amd64.h
@@ -76,9 +76,15 @@
# endif
#endif
+#ifdef __CET__
+#define ENDBRANCH endbr64
+#else
+#define ENDBRANCH /*_*/
+#endif
+
#ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
/* CFI directives to emit DWARF stack unwinding information. */
-# define CFI_STARTPROC() .cfi_startproc
+# define CFI_STARTPROC() .cfi_startproc; ENDBRANCH
# define CFI_ENDPROC() .cfi_endproc
# define CFI_REMEMBER_STATE() .cfi_remember_state
# define CFI_RESTORE_STATE() .cfi_restore_state
@@ -146,7 +152,7 @@
DW_SLEB128_28BIT(rsp_offs)
#else
-# define CFI_STARTPROC()
+# define CFI_STARTPROC() ENDBRANCH
# define CFI_ENDPROC()
# define CFI_REMEMBER_STATE()
# define CFI_RESTORE_STATE()
@@ -214,4 +220,24 @@
vpopcntb xmm16, xmm16; /* Supported only by newer AVX512 CPUs. */ \
vpxord ymm16, ymm16, ymm16;
+#ifdef __CET__
+/* Generate CET property for all assembly files including this header. */
+ELF(.section .note.gnu.property,"a")
+ELF(.align 8)
+ELF(.long 1f - 0f)
+ELF(.long 4f - 1f)
+ELF(.long 5)
+ELF(0:)
+ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
+ELF(1:)
+ELF(.align 8)
+ELF(.long 0xc0000002)
+ELF(.long 3f - 2f)
+ELF(2:)
+ELF(.long 0x3)
+ELF(3:)
+ELF(.align 8)
+ELF(4:)
+#endif
+
#endif /* GCRY_ASM_COMMON_AMD64_H */
--
2.43.0
From e7c81e64b1a81455ce72c54607ce6ab35c24f407 Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Date: Fri, 26 Jul 2024 11:09:37 +0300
Subject: [PATCH 2/2] Add CET support for i386 assembly
* cipher/asm-common-i386.h (ENDBRANCH): New.
(CFI_STARTPROC): Add ENDBRANCH.
[__CET__] (note.gnu.property): Add CET property section.
--
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
cipher/asm-common-i386.h | 30 ++++++++++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/cipher/asm-common-i386.h b/cipher/asm-common-i386.h
index d746ebc4..346a8ff2 100644
--- a/cipher/asm-common-i386.h
+++ b/cipher/asm-common-i386.h
@@ -59,9 +59,15 @@
movl name##@GOT(%reg), %reg;
#endif
+#ifdef __CET__
+#define ENDBRANCH endbr32
+#else
+#define ENDBRANCH /*_*/
+#endif
+
#ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
/* CFI directives to emit DWARF stack unwinding information. */
-# define CFI_STARTPROC() .cfi_startproc
+# define CFI_STARTPROC() .cfi_startproc; ENDBRANCH
# define CFI_ENDPROC() .cfi_endproc
# define CFI_REMEMBER_STATE() .cfi_remember_state
# define CFI_RESTORE_STATE() .cfi_restore_state
@@ -121,7 +127,7 @@
DW_SLEB128_28BIT(esp_offs)
#else
-# define CFI_STARTPROC()
+# define CFI_STARTPROC() ENDBRANCH
# define CFI_ENDPROC()
# define CFI_REMEMBER_STATE()
# define CFI_RESTORE_STATE()
@@ -158,4 +164,24 @@
vpopcntb xmm7, xmm7; /* Supported only by newer AVX512 CPUs. */ \
vpxord ymm7, ymm7, ymm7;
+#ifdef __CET__
+/* Generate CET property for all assembly files including this header. */
+ELF(.section .note.gnu.property,"a")
+ELF(.align 4)
+ELF(.long 1f - 0f)
+ELF(.long 4f - 1f)
+ELF(.long 5)
+ELF(0:)
+ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
+ELF(1:)
+ELF(.align 4)
+ELF(.long 0xc0000002)
+ELF(.long 3f - 2f)
+ELF(2:)
+ELF(.long 0x3)
+ELF(3:)
+ELF(.align 4)
+ELF(4:)
+#endif
+
#endif /* GCRY_ASM_COMMON_AMD64_H */
--
2.43.0

View File

@ -26,6 +26,8 @@ Patch1: libgcrypt-1.10.1-annobin.patch
Patch2: libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch Patch2: libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
# https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/20 # https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/20
Patch3: libgcrypt-1.11.0-covscan.patch Patch3: libgcrypt-1.11.0-covscan.patch
# https://dev.gnupg.org/T7220
Patch4: libgcrypt-1.11.0-cf-protection.patch
%global gcrylibdir %{_libdir} %global gcrylibdir %{_libdir}
%global gcrysoname libgcrypt.so.20 %global gcrysoname libgcrypt.so.20
@ -62,6 +64,7 @@ applications using libgcrypt.
%patch 1 -p1 %patch 1 -p1
%patch 2 -p1 %patch 2 -p1
%patch 3 -p1 %patch 3 -p1
%patch 4 -p1
%build %build
# should be all algorithms except SM3 and SM4, aria # should be all algorithms except SM3 and SM4, aria