arm64: Allow userspace to be built with PAC and BTI

Add the WITH/WITHOUT_BRANCH_PROTECTION build flags. This can be used to enable the use of pointer authentication (FEAT_PAuth) and branch target identification (FEAT_BTI) in userspace. The kernel already handles both of these is userspace, we just need to enable it. Leave disabled for a short period for this to settle before enabling. Reviewed by: emaste Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D42596
2024-09-30 05:36:10 +00:00 · 2024-05-22 15:54:32 +00:00 · 2024-05-22 15:54:32 +00:00 · 82854693ae
parent 2183004e14
commit 82854693ae
7 changed files with 28 additions and 0 deletions
--- a/lib/libomp/Makefile
+++ b/lib/libomp/Makefile
@ -1,4 +1,7 @@

+# z_Linux_asm.S is missing BTI support
+MK_BRANCH_PROTECTION=no
+
 .include <bsd.compiler.mk>

 SHLIB_NAME=	libomp.so
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@ -97,6 +97,12 @@ LDFLAGS+= -Wl,-zretpolineplt
 .endif
 # LLD sensibly defaults to -znoexecstack, so do the same for BFD
 LDFLAGS.bfd+= -Wl,-znoexecstack
+.if ${MK_BRANCH_PROTECTION} != "no"
+CFLAGS+=  -mbranch-protection=standard
+.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
+LDFLAGS+= -Wl,-zbti-report=error
+.endif
+.endif

 # Initialize stack variables on function entry
 .if ${OPT_INIT_ALL} != "none"
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@ -74,6 +74,7 @@ __DEFAULT_YES_OPTIONS = \
 __DEFAULT_NO_OPTIONS = \
    ASAN \
    BIND_NOW \
+    BRANCH_PROTECTION \
    CCACHE_BUILD \
    CTF \
    INSTALL_AS_USER \
@ -102,6 +103,10 @@ __DEFAULT_NO_OPTIONS+= PIE
 __DEFAULT_YES_OPTIONS+=PIE
 .endif

+.if ${MACHINE_CPUARCH} != "aarch64"
+BROKEN_OPTIONS+=	BRANCH_PROTECTION
+.endif
+
 __SINGLE_OPTIONS = \
   INIT_ALL

--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@ -69,6 +69,12 @@ LDFLAGS+= -Wl,-zretpolineplt
 .endif
 # LLD sensibly defaults to -znoexecstack, so do the same for BFD
 LDFLAGS.bfd+= -Wl,-znoexecstack
+.if ${MK_BRANCH_PROTECTION} != "no"
+CFLAGS+=  -mbranch-protection=standard
+.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
+LDFLAGS+= -Wl,-zbti-report=error
+.endif
+.endif

 # Initialize stack variables on function entry
 .if ${OPT_INIT_ALL} != "none"
--- a/stand/Makefile.inc
+++ b/stand/Makefile.inc
@ -1,4 +1,7 @@

 SUBDIR_PARALLEL=	yes

+# Firmware may not be able to handle branch protection failures
+MK_BRANCH_PROTECTION=	no
+
 .include "defs.mk"
--- a/tools/build/options/WITHOUT_BRANCH_PROTECTION
+++ b/tools/build/options/WITHOUT_BRANCH_PROTECTION
@ -0,0 +1 @@
+Build with branch protection disabled.
--- a/tools/build/options/WITH_BRANCH_PROTECTION
+++ b/tools/build/options/WITH_BRANCH_PROTECTION
@ -0,0 +1,4 @@
+Build with branch protection enabled.
+On arm64 enable the use of pointer authentication and
+branch target identification instructions on arm64.
+These can be used to help mitigate some exploit techniques.