git: 82854693aec1 - main - arm64: Allow userspace to be built with PAC and BTI
Date: Wed, 22 May 2024 17:03:31 UTC
The branch main has been updated by andrew: URL: https://cgit.FreeBSD.org/src/commit/?id=82854693aec11f87f1f0560e8395452b64f1770f commit 82854693aec11f87f1f0560e8395452b64f1770f Author: Andrew Turner <andrew@FreeBSD.org> AuthorDate: 2024-05-22 15:54:32 +0000 Commit: Andrew Turner <andrew@FreeBSD.org> CommitDate: 2024-05-22 17:02:26 +0000 arm64: Allow userspace to be built with PAC and BTI Add the WITH/WITHOUT_BRANCH_PROTECTION build flags. This can be used to enable the use of pointer authentication (FEAT_PAuth) and branch target identification (FEAT_BTI) in userspace. The kernel already handles both of these is userspace, we just need to enable it. Leave disabled for a short period for this to settle before enabling. Reviewed by: emaste Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D42596 --- lib/libomp/Makefile | 3 +++ share/mk/bsd.lib.mk | 6 ++++++ share/mk/bsd.opts.mk | 5 +++++ share/mk/bsd.prog.mk | 6 ++++++ stand/Makefile.inc | 3 +++ tools/build/options/WITHOUT_BRANCH_PROTECTION | 1 + tools/build/options/WITH_BRANCH_PROTECTION | 4 ++++ 7 files changed, 28 insertions(+) diff --git a/lib/libomp/Makefile b/lib/libomp/Makefile index aa9e6799ab59..2be8a207a219 100644 --- a/lib/libomp/Makefile +++ b/lib/libomp/Makefile @@ -1,4 +1,7 @@ +# z_Linux_asm.S is missing BTI support +MK_BRANCH_PROTECTION=no + .include <bsd.compiler.mk> SHLIB_NAME= libomp.so diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk index 981d0b49df39..575b521bea55 100644 --- a/share/mk/bsd.lib.mk +++ b/share/mk/bsd.lib.mk @@ -97,6 +97,12 @@ LDFLAGS+= -Wl,-zretpolineplt .endif # LLD sensibly defaults to -znoexecstack, so do the same for BFD LDFLAGS.bfd+= -Wl,-znoexecstack +.if ${MK_BRANCH_PROTECTION} != "no" +CFLAGS+= -mbranch-protection=standard +.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR) +LDFLAGS+= -Wl,-zbti-report=error +.endif +.endif # Initialize stack variables on function entry .if ${OPT_INIT_ALL} != "none" 
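Review bot: The override in lib/libomp/Makefile turns off pointer authentication as well as BTI for libomp, while the comment names only the missing BTI support in z_Linux_asm.S. With a single build knob covering both features that is probably unavoidable here, but the comment should say so, so a later reader does not assume return-address signing is still active in this library: `# z_Linux_asm.S is missing BTI support; this also builds libomp without PAC`. It is also worth stating that the assignment is unconditional and overrides WITH_BRANCH_PROTECTION for this directory.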
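Review bot: In the share/mk/bsd.lib.mk hunk the linker check `-Wl,-zbti-report=error` is only added when BTI_REPORT_ERROR is defined, and that variable is not described in the WITH_BRANCH_PROTECTION option text this commit adds. An AArch64 link normally marks the output as BTI-compatible only when every input object carries the BTI property, so without the report a single unannotated object (hand-written assembly, for example) can leave a library without BTI and give no build-time signal. I would document the variable next to the block, e.g. `# Define BTI_REPORT_ERROR to fail the link when an input object lacks the BTI property`, and consider whether a non-fatal report should be the default. The inner test uses `${MACHINE_ARCH}` while bsd.opts.mk gates the option on `${MACHINE_CPUARCH}`; using the same variable in both places would read more clearly. The identical block added to share/mk/bsd.prog.mk has the same points.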
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk index 65ae4f4cfa7c..18098c93605c 100644 --- a/share/mk/bsd.opts.mk +++ b/share/mk/bsd.opts.mk @@ -74,6 +74,7 @@ __DEFAULT_YES_OPTIONS = \ __DEFAULT_NO_OPTIONS = \ ASAN \ BIND_NOW \ + BRANCH_PROTECTION \ CCACHE_BUILD \ CTF \ INSTALL_AS_USER \ @@ -102,6 +103,10 @@ __DEFAULT_NO_OPTIONS+= PIE __DEFAULT_YES_OPTIONS+=PIE .endif +.if ${MACHINE_CPUARCH} != "aarch64" +BROKEN_OPTIONS+= BRANCH_PROTECTION +.endif + __SINGLE_OPTIONS = \ INIT_ALL diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk index c546c4f0b680..74a653057bda 100644 --- a/share/mk/bsd.prog.mk +++ b/share/mk/bsd.prog.mk @@ -69,6 +69,12 @@ LDFLAGS+= -Wl,-zretpolineplt .endif # LLD sensibly defaults to -znoexecstack, so do the same for BFD LDFLAGS.bfd+= -Wl,-znoexecstack +.if ${MK_BRANCH_PROTECTION} != "no" +CFLAGS+= -mbranch-protection=standard +.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR) +LDFLAGS+= -Wl,-zbti-report=error +.endif +.endif # Initialize stack variables on function entry .if ${OPT_INIT_ALL} != "none" diff --git a/stand/Makefile.inc b/stand/Makefile.inc index 13b3f2a1f418..391de6abc6d4 100644 --- a/stand/Makefile.inc +++ b/stand/Makefile.inc @@ -1,4 +1,7 @@ SUBDIR_PARALLEL= yes +# Firmware may not be able to handle branch protection failures +MK_BRANCH_PROTECTION= no + .include "defs.mk" diff --git a/tools/build/options/WITHOUT_BRANCH_PROTECTION b/tools/build/options/WITHOUT_BRANCH_PROTECTION new file mode 100644 index 000000000000..97b459b53c92 --- /dev/null +++ b/tools/build/options/WITHOUT_BRANCH_PROTECTION @@ -0,0 +1 @@ +Build with branch protection disabled. diff --git a/tools/build/options/WITH_BRANCH_PROTECTION b/tools/build/options/WITH_BRANCH_PROTECTION new file mode 100644 index 000000000000..3326aa5db965 --- /dev/null +++ b/tools/build/options/WITH_BRANCH_PROTECTION 
@@ -0,0 +1,4 @@
+Build with branch protection enabled.
+On arm64 enable the use of pointer authentication and
+branch target identification instructions on arm64.
+These can be used to help mitigate some exploit techniques.