Add CF protection for x86_64
parent
35ecdc1cc4
commit
663d8b9ff4
191
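--- a/libgcrypt-1.11.0-cf-protection.patch
+++ b/libgcrypt-1.11.0-cf-protection.patch
@@ -0,0 +1,191 @@
+From de3a04203b33c2248400392b535d2ab133bcd752 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Sat, 27 Jul 2024 08:16:56 +0300
+Subject: [PATCH] Do not build rijndael-vaes-avx2-i386 on x86-64
+
+* configure.ac: Enable building i386 "rijndael-vaes" only
+on i?86 host instead of x86 MPI arch ("i?86 + x86-64").
+--
+
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+configure.ac | 9 +++++----
+1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d3dffb4b..1e182552 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3025,6 +3025,11 @@ if test "$found" = "1" ; then
+AC_DEFINE(USE_AES, 1, [Defined if this module should be included])
+
+case "${host}" in
++ i?86-*-*)
++ # Build with the VAES/AVX2 implementation
++ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-i386.lo"
++ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-avx2-i386.lo"
++ ;;
+x86_64-*-*)
+# Build with the assembly implementation
+GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-amd64.lo"
+@@ -3089,10 +3094,6 @@ if test "$found" = "1" ; then
+
+# Build with the Padlock implementation
+GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-padlock.lo"
+-
+- # Build with the VAES/AVX2 implementation
+- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-i386.lo"
+- GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-avx2-i386.lo"
+;;
+esac
+fi
+--
+2.43.0
+
+
+From 9178af96038acd295d02a4c405c19435dce92ad8 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 26 Jul 2024 10:59:12 +0300
+Subject: [PATCH 1/2] Add CET support for x86-64 assembly
+
+* cipher/asm-common-amd64.h (ENDBRANCH): New.
+(CFI_STARTPROC): Add ENDBRANCH.
+[__CET__] (note.gnu.property): Add CET property section.
+--
+
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+cipher/asm-common-amd64.h | 30 ++++++++++++++++++++++++++++--
+1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/asm-common-amd64.h b/cipher/asm-common-amd64.h
+index 3fa065e8..465ef62b 100644
+--- a/cipher/asm-common-amd64.h
++++ b/cipher/asm-common-amd64.h
+@@ -76,9 +76,15 @@
+# endif
+#endif
+
++#ifdef __CET__
++#define ENDBRANCH endbr64
++#else
++#define ENDBRANCH /*_*/
++#endif
++
+#ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
+/* CFI directives to emit DWARF stack unwinding information. */
+-# define CFI_STARTPROC() .cfi_startproc
++# define CFI_STARTPROC() .cfi_startproc; ENDBRANCH
+# define CFI_ENDPROC() .cfi_endproc
+# define CFI_REMEMBER_STATE() .cfi_remember_state
+# define CFI_RESTORE_STATE() .cfi_restore_state
+@@ -146,7 +152,7 @@
+DW_SLEB128_28BIT(rsp_offs)
+
+#else
+-# define CFI_STARTPROC()
++# define CFI_STARTPROC() ENDBRANCH
+# define CFI_ENDPROC()
+# define CFI_REMEMBER_STATE()
+# define CFI_RESTORE_STATE()
+@@ -214,4 +220,24 @@
+vpopcntb xmm16, xmm16; /* Supported only by newer AVX512 CPUs. */ \
+vpxord ymm16, ymm16, ymm16;
+
++#ifdef __CET__
++/* Generate CET property for all assembly files including this header. */
++ELF(.section .note.gnu.property,"a")
++ELF(.align 8)
++ELF(.long 1f - 0f)
++ELF(.long 4f - 1f)
++ELF(.long 5)
++ELF(0:)
++ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
++ELF(1:)
++ELF(.align 8)
++ELF(.long 0xc0000002)
++ELF(.long 3f - 2f)
++ELF(2:)
++ELF(.long 0x3)
++ELF(3:)
++ELF(.align 8)
++ELF(4:)
++#endif
++
+#endif /* GCRY_ASM_COMMON_AMD64_H */
+--
+2.43.0
+
+From e7c81e64b1a81455ce72c54607ce6ab35c24f407 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 26 Jul 2024 11:09:37 +0300
+Subject: [PATCH 2/2] Add CET support for i386 assembly
+
+* cipher/asm-common-i386.h (ENDBRANCH): New.
+(CFI_STARTPROC): Add ENDBRANCH.
+[__CET__] (note.gnu.property): Add CET property section.
+--
+
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+cipher/asm-common-i386.h | 30 ++++++++++++++++++++++++++++--
+1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/asm-common-i386.h b/cipher/asm-common-i386.h
+index d746ebc4..346a8ff2 100644
+--- a/cipher/asm-common-i386.h
++++ b/cipher/asm-common-i386.h
+@@ -59,9 +59,15 @@
+movl name##@GOT(%reg), %reg;
+#endif
+
++#ifdef __CET__
++#define ENDBRANCH endbr32
++#else
++#define ENDBRANCH /*_*/
++#endif
++
+#ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
+/* CFI directives to emit DWARF stack unwinding information. */
+-# define CFI_STARTPROC() .cfi_startproc
++# define CFI_STARTPROC() .cfi_startproc; ENDBRANCH
+# define CFI_ENDPROC() .cfi_endproc
+# define CFI_REMEMBER_STATE() .cfi_remember_state
+# define CFI_RESTORE_STATE() .cfi_restore_state
+@@ -121,7 +127,7 @@
+DW_SLEB128_28BIT(esp_offs)
+
+#else
+-# define CFI_STARTPROC()
++# define CFI_STARTPROC() ENDBRANCH
+# define CFI_ENDPROC()
+# define CFI_REMEMBER_STATE()
+# define CFI_RESTORE_STATE()
+@@ -158,4 +164,24 @@
+vpopcntb xmm7, xmm7; /* Supported only by newer AVX512 CPUs. */ \
+vpxord ymm7, ymm7, ymm7;
+
++#ifdef __CET__
++/* Generate CET property for all assembly files including this header. */
++ELF(.section .note.gnu.property,"a")
++ELF(.align 4)
++ELF(.long 1f - 0f)
++ELF(.long 4f - 1f)
++ELF(.long 5)
++ELF(0:)
++ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
++ELF(1:)
++ELF(.align 4)
++ELF(.long 0xc0000002)
++ELF(.long 3f - 2f)
++ELF(2:)
++ELF(.long 0x3)
++ELF(3:)
++ELF(.align 4)
++ELF(4:)
++#endif
++
+#endif /* GCRY_ASM_COMMON_AMD64_H */
+--
+2.43.0
+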
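Review bot: The `.note.gnu.property` block added at the end of cipher/asm-common-amd64.h (and its twin in cipher/asm-common-i386.h) marks every assembly file that includes the header as both IBT- and SHSTK-compatible (`.long 0x3`) as soon as `__CET__` is defined, yet the only place an `endbr64`/`endbr32` is emitted is `CFI_STARTPROC()`. Any label in those files that is reached by an indirect call or jump without going through `CFI_STARTPROC()` would fault once IBT is enforced; whether such labels exist cannot be checked from these hunks. I would record the contract next to the note, e.g. `/* Every indirect-branch target in files including this header must start with CFI_STARTPROC() or ENDBRANCH. */`. Because the linker keeps the property only when all input objects carry it, a `readelf -n` check on the built libgcrypt.so.20 for `IBT, SHSTK` in the package's test step would catch an assembly object that silently drops the protection.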
@ -26,6 +26,8 @@ Patch1: libgcrypt-1.10.1-annobin.patch
|
||||
Patch2: libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
|
||||
# https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/20
|
||||
Patch3: libgcrypt-1.11.0-covscan.patch
|
||||
# https://dev.gnupg.org/T7220
|
||||
Patch4: libgcrypt-1.11.0-cf-protection.patch
|
||||
|
||||
%global gcrylibdir %{_libdir}
|
||||
%global gcrysoname libgcrypt.so.20
|
||||
@ -62,6 +64,7 @@ applications using libgcrypt.
|
||||
%patch 1 -p1
|
||||
%patch 2 -p1
|
||||
%patch 3 -p1
|
||||
%patch 4 -p1
|
||||
|
||||
%build
|
||||
# should be all algorithms except SM3 and SM4, aria
|
||||
|