git: 82854693aec1 - main - arm64: Allow userspace to be built with PAC and BTI

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Andrew Turner <andrew_at_FreeBSD.org>
Date: Wed, 22 May 2024 17:03:31 UTC
The branch main has been updated by andrew:

URL: https://cgit.FreeBSD.org/src/commit/?id=82854693aec11f87f1f0560e8395452b64f1770f

commit 82854693aec11f87f1f0560e8395452b64f1770f
Author:     Andrew Turner <andrew@FreeBSD.org>
AuthorDate: 2024-05-22 15:54:32 +0000
Commit:     Andrew Turner <andrew@FreeBSD.org>
CommitDate: 2024-05-22 17:02:26 +0000

    arm64: Allow userspace to be built with PAC and BTI
    
    Add the WITH/WITHOUT_BRANCH_PROTECTION build flags. This can be used
    to enable the use of pointer authentication (FEAT_PAuth) and branch
    target identification (FEAT_BTI) in userspace.
    
    The kernel already handles both of these is userspace, we just need
    to enable it.
    
    Leave disabled for a short period for this to settle before enabling.
    
    Reviewed by:    emaste
    Sponsored by:   Arm Ltd
    Differential Revision:  https://reviews.freebsd.org/D42596
---
 lib/libomp/Makefile                           | 3 +++
 share/mk/bsd.lib.mk                           | 6 ++++++
 share/mk/bsd.opts.mk                          | 5 +++++
 share/mk/bsd.prog.mk                          | 6 ++++++
 stand/Makefile.inc                            | 3 +++
 tools/build/options/WITHOUT_BRANCH_PROTECTION | 1 +
 tools/build/options/WITH_BRANCH_PROTECTION    | 4 ++++
 7 files changed, 28 insertions(+)

diff --git a/lib/libomp/Makefile b/lib/libomp/Makefile
index aa9e6799ab59..2be8a207a219 100644
--- a/lib/libomp/Makefile
+++ b/lib/libomp/Makefile
@@ -1,4 +1,7 @@
 
+# z_Linux_asm.S is missing BTI support
+MK_BRANCH_PROTECTION=no
+
 .include <bsd.compiler.mk>
 
 SHLIB_NAME=	libomp.so
diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk
index 981d0b49df39..575b521bea55 100644
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@@ -97,6 +97,12 @@ LDFLAGS+= -Wl,-zretpolineplt
 .endif
 # LLD sensibly defaults to -znoexecstack, so do the same for BFD
 LDFLAGS.bfd+= -Wl,-znoexecstack
+.if ${MK_BRANCH_PROTECTION} != "no"
+CFLAGS+=  -mbranch-protection=standard
+.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
+LDFLAGS+= -Wl,-zbti-report=error
+.endif
+.endif
 
 # Initialize stack variables on function entry
 .if ${OPT_INIT_ALL} != "none"
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
index 65ae4f4cfa7c..18098c93605c 100644
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -74,6 +74,7 @@ __DEFAULT_YES_OPTIONS = \
 __DEFAULT_NO_OPTIONS = \
     ASAN \
     BIND_NOW \
+    BRANCH_PROTECTION \
     CCACHE_BUILD \
     CTF \
     INSTALL_AS_USER \
@@ -102,6 +103,10 @@ __DEFAULT_NO_OPTIONS+= PIE
 __DEFAULT_YES_OPTIONS+=PIE
 .endif
 
+.if ${MACHINE_CPUARCH} != "aarch64"
+BROKEN_OPTIONS+=	BRANCH_PROTECTION
+.endif
+
 __SINGLE_OPTIONS = \
    INIT_ALL
 
diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk
index c546c4f0b680..74a653057bda 100644
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@@ -69,6 +69,12 @@ LDFLAGS+= -Wl,-zretpolineplt
 .endif
 # LLD sensibly defaults to -znoexecstack, so do the same for BFD
 LDFLAGS.bfd+= -Wl,-znoexecstack
+.if ${MK_BRANCH_PROTECTION} != "no"
+CFLAGS+=  -mbranch-protection=standard
+.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
+LDFLAGS+= -Wl,-zbti-report=error
+.endif
+.endif
 
 # Initialize stack variables on function entry
 .if ${OPT_INIT_ALL} != "none"
diff --git a/stand/Makefile.inc b/stand/Makefile.inc
index 13b3f2a1f418..391de6abc6d4 100644
--- a/stand/Makefile.inc
+++ b/stand/Makefile.inc
@@ -1,4 +1,7 @@
 
 SUBDIR_PARALLEL=	yes
 
+# Firmware may not be able to handle branch protection failures
+MK_BRANCH_PROTECTION=	no
+
 .include "defs.mk"
diff --git a/tools/build/options/WITHOUT_BRANCH_PROTECTION b/tools/build/options/WITHOUT_BRANCH_PROTECTION
new file mode 100644
index 000000000000..97b459b53c92
--- /dev/null
+++ b/tools/build/options/WITHOUT_BRANCH_PROTECTION
@@ -0,0 +1 @@
+Build with branch protection disabled.
diff --git a/tools/build/options/WITH_BRANCH_PROTECTION b/tools/build/options/WITH_BRANCH_PROTECTION
new file mode 100644
index 000000000000..3326aa5db965
--- /dev/null
+++ b/tools/build/options/WITH_BRANCH_PROTECTION
@@ -0,0 +1,4 @@
+Build with branch protection enabled.
+On arm64 enable the use of pointer authentication and
+branch target identification instructions on arm64.
+These can be used to help mitigate some exploit techniques.