arm64: Allow userspace to be built with PAC and BTI
Add the WITH/WITHOUT_BRANCH_PROTECTION build flags. This can be used to enable the use of pointer authentication (FEAT_PAuth) and branch target identification (FEAT_BTI) in userspace. The kernel already handles both of these in userspace; we just need to enable it. Leave disabled for a short period for this to settle before enabling. Reviewed by: emaste Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D42596
@@ -1,4 +1,7 @@
|
|||||||
|
|
||||||
|
# z_Linux_asm.S is missing BTI support
|
||||||
|
MK_BRANCH_PROTECTION=no
|
||||||
|
|
||||||
.include <bsd.compiler.mk>
|
.include <bsd.compiler.mk>
|
||||||
|
|
||||||
SHLIB_NAME= libomp.so
|
SHLIB_NAME= libomp.so
|
||||||
|
|||||||
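Review bot: The comment above `MK_BRANCH_PROTECTION=no` names only z_Linux_asm.S, but setting the knob at Makefile level drops `-mbranch-protection=standard` for every C/C++ object in the library, so all of libomp.so is built without PAC return-address signing and BTI, not just the one assembly file. The comment should say so and record the intended fix, e.g. `# z_Linux_asm.S lacks BTI landing pads / the GNU property note; until it gains them, PAC and BTI are disabled for all of libomp, since the linker only marks an output BTI-enabled when every input object carries the note.` Adding the property note and landing pads to the assembly and then removing this override is the preferable long-term fix, so a TODO pointing at that would help.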
@@ -97,6 +97,12 @@ LDFLAGS+= -Wl,-zretpolineplt
|
|||||||
.endif
|
.endif
|
||||||
# LLD sensibly defaults to -znoexecstack, so do the same for BFD
|
# LLD sensibly defaults to -znoexecstack, so do the same for BFD
|
||||||
LDFLAGS.bfd+= -Wl,-znoexecstack
|
LDFLAGS.bfd+= -Wl,-znoexecstack
|
||||||
|
.if ${MK_BRANCH_PROTECTION} != "no"
|
||||||
|
CFLAGS+= -mbranch-protection=standard
|
||||||
|
.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
|
||||||
|
LDFLAGS+= -Wl,-zbti-report=error
|
||||||
|
.endif
|
||||||
|
.endif
|
||||||
|
|
||||||
# Initialize stack variables on function entry
|
# Initialize stack variables on function entry
|
||||||
.if ${OPT_INIT_ALL} != "none"
|
.if ${OPT_INIT_ALL} != "none"
|
||||||
|
|||||||
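Review bot: The new `.if ${MK_BRANCH_PROTECTION} != "no"` block gives no hint that the BTI half of the protection is only as strong as the weakest input object: without BTI_REPORT_ERROR, a link that pulls in a single object lacking the GNU property note (typically hand-written .S files) produces an output with no BTI at all and the build gets no signal. A comment above `CFLAGS+= -mbranch-protection=standard` would make that visible, e.g. `# PAC/BTI: the linker only marks the output BTI-enabled when every input object carries the property note; define BTI_REPORT_ERROR to fail the link instead of silently losing BTI.` Whether CXXFLAGS and the .S compile rules inherit this from CFLAGS is decided outside this hunk (sys.mk / bsd.sys.mk), so it is worth confirming for C++ libraries and assembly sources. The same block is added in the later hunk at `@@ -69,6 +69,12 @@` and the note applies there as well.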
@@ -74,6 +74,7 @@ __DEFAULT_YES_OPTIONS = \
|
|||||||
__DEFAULT_NO_OPTIONS = \
|
__DEFAULT_NO_OPTIONS = \
|
||||||
ASAN \
|
ASAN \
|
||||||
BIND_NOW \
|
BIND_NOW \
|
||||||
|
BRANCH_PROTECTION \
|
||||||
CCACHE_BUILD \
|
CCACHE_BUILD \
|
||||||
CTF \
|
CTF \
|
||||||
INSTALL_AS_USER \
|
INSTALL_AS_USER \
|
||||||
@@ -102,6 +103,10 @@ __DEFAULT_NO_OPTIONS+= PIE
|
|||||||
__DEFAULT_YES_OPTIONS+=PIE
|
__DEFAULT_YES_OPTIONS+=PIE
|
||||||
.endif
|
.endif
|
||||||
|
|
||||||
|
.if ${MACHINE_CPUARCH} != "aarch64"
|
||||||
|
BROKEN_OPTIONS+= BRANCH_PROTECTION
|
||||||
|
.endif
|
||||||
|
|
||||||
__SINGLE_OPTIONS = \
|
__SINGLE_OPTIONS = \
|
||||||
INIT_ALL
|
INIT_ALL
|
||||||
|
|
||||||
|
|||||||
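Review bot: `BROKEN_OPTIONS+= BRANCH_PROTECTION` for non-aarch64 is correct but unexplained; a one-line comment above the `.if ${MACHINE_CPUARCH} != "aarch64"` would help, e.g. `# -mbranch-protection=standard (PAC/BTI) is only meaningful on aarch64`. The first hunk's addition to `__DEFAULT_NO_OPTIONS` matches the description's intent to land disabled; a short comment next to it, e.g. `# Default off for now; to move to __DEFAULT_YES_OPTIONS once it has settled`, would keep that intent from being lost once the description is no longer at hand.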
@@ -69,6 +69,12 @@ LDFLAGS+= -Wl,-zretpolineplt
|
|||||||
.endif
|
.endif
|
||||||
# LLD sensibly defaults to -znoexecstack, so do the same for BFD
|
# LLD sensibly defaults to -znoexecstack, so do the same for BFD
|
||||||
LDFLAGS.bfd+= -Wl,-znoexecstack
|
LDFLAGS.bfd+= -Wl,-znoexecstack
|
||||||
|
.if ${MK_BRANCH_PROTECTION} != "no"
|
||||||
|
CFLAGS+= -mbranch-protection=standard
|
||||||
|
.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
|
||||||
|
LDFLAGS+= -Wl,-zbti-report=error
|
||||||
|
.endif
|
||||||
|
.endif
|
||||||
|
|
||||||
# Initialize stack variables on function entry
|
# Initialize stack variables on function entry
|
||||||
.if ${OPT_INIT_ALL} != "none"
|
.if ${OPT_INIT_ALL} != "none"
|
||||||
|
|||||||
@@ -1,4 +1,7 @@
|
|||||||
|
|
||||||
SUBDIR_PARALLEL= yes
|
SUBDIR_PARALLEL= yes
|
||||||
|
|
||||||
|
# Firmware may not be able to handle branch protection failures
|
||||||
|
MK_BRANCH_PROTECTION= no
|
||||||
|
|
||||||
.include "defs.mk"
|
.include "defs.mk"
|
||||||
|
|||||||
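Review bot: The comment `# Firmware may not be able to handle branch protection failures` leaves the reader guessing what fails and why; presumably the point is that the loader runs under platform firmware/UEFI that may not have configured PAuth keys or BTI-guarded page mappings, so a PAC or BTI fault there has no handler. Suggest `# The loader runs under firmware/UEFI that may not set up PAuth keys or BTI-guarded pages; a PAC/BTI fault there is unrecoverable, so build stand/ without branch protection.` This reading is inferred from context and should be confirmed by the author before the wording is changed.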
@@ -0,0 +1 @@
|
|||||||
|
Build with branch protection disabled.
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
Build with branch protection enabled.
|
||||||
|
On arm64 enable the use of pointer authentication and
|
||||||
|
branch target identification instructions on arm64.
|
||||||
|
These can be used to help mitigate some exploit techniques.
|
||||||