arm64: Allow userspace to be built with PAC and BTI
Add the WITH/WITHOUT_BRANCH_PROTECTION build flags. This can be used to enable the use of pointer authentication (FEAT_PAuth) and branch target identification (FEAT_BTI) in userspace. The kernel already handles both of these in userspace, we just need to enable it. Leave disabled for a short period for this to settle before enabling. Reviewed by: emaste Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D42596
parent
2183004e14
commit
82854693ae
|
@ -1,4 +1,7 @@
|
|||
|
||||
# z_Linux_asm.S is missing BTI support
|
||||
MK_BRANCH_PROTECTION=no
|
||||
|
||||
.include <bsd.compiler.mk>
|
||||
|
||||
SHLIB_NAME= libomp.so
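Review bot: Setting `MK_BRANCH_PROTECTION=no` at the top of this makefile switches off the whole `-mbranch-protection=standard` flag for libomp, so the library loses return-address signing as well as BTI, although the comment names only the missing BTI support in z_Linux_asm.S. If the build glue has no way to pass a PAC-only setting for a single library, the comment should say so and state the exit condition, for example `# z_Linux_asm.S is missing BTI support; this also disables PAC (pac-ret) for libomp until it is fixed`. Because libomp.so is loaded into every OpenMP program, this reads better as a tracked gap than as a permanent exception.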
|
||||
|
|
|
@ -97,6 +97,12 @@ LDFLAGS+= -Wl,-zretpolineplt
|
|||
.endif
|
||||
# LLD sensibly defaults to -znoexecstack, so do the same for BFD
|
||||
LDFLAGS.bfd+= -Wl,-znoexecstack
|
||||
.if ${MK_BRANCH_PROTECTION} != "no"
|
||||
CFLAGS+= -mbranch-protection=standard
|
||||
.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
|
||||
LDFLAGS+= -Wl,-zbti-report=error
|
||||
.endif
|
||||
.endif
|
||||
|
||||
# Initialize stack variables on function entry
|
||||
.if ${OPT_INIT_ALL} != "none"
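Review bot: In the added block, link-time enforcement is opt-in: `-Wl,-zbti-report=error` is passed only when `BTI_REPORT_ERROR` is defined, so with the option enabled a single input object lacking the BTI property (hand-written assembly, a prebuilt archive) presumably leaves the output without BTI while the build still succeeds. Consider reporting by default and keeping the hard failure as the opt-in, e.g. an `.else` branch with `LDFLAGS+= -Wl,-zbti-report=warning`, and add a comment saying what `BTI_REPORT_ERROR` is for, since the knob is not mentioned in the WITH_BRANCH_PROTECTION option text. The inner `${MACHINE_ARCH} == "aarch64"` test also looks redundant, given that the option is marked broken for every other `MACHINE_CPUARCH`. The same block is repeated verbatim in the later `-69,6 +69,12` hunk, and both hunks sit inside larger makefile sections that continue outside the visible lines.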
|
||||
|
|
|
@ -74,6 +74,7 @@ __DEFAULT_YES_OPTIONS = \
|
|||
__DEFAULT_NO_OPTIONS = \
|
||||
ASAN \
|
||||
BIND_NOW \
|
||||
BRANCH_PROTECTION \
|
||||
CCACHE_BUILD \
|
||||
CTF \
|
||||
INSTALL_AS_USER \
|
||||
|
@ -102,6 +103,10 @@ __DEFAULT_NO_OPTIONS+= PIE
|
|||
__DEFAULT_YES_OPTIONS+=PIE
|
||||
.endif
|
||||
|
||||
.if ${MACHINE_CPUARCH} != "aarch64"
|
||||
BROKEN_OPTIONS+= BRANCH_PROTECTION
|
||||
.endif
|
||||
|
||||
__SINGLE_OPTIONS = \
|
||||
INIT_ALL
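Review bot: `BRANCH_PROTECTION` is added to `__DEFAULT_NO_OPTIONS` with nothing in the file recording that this is meant to be temporary; only the commit message says it stays disabled for a short settling period. A comment next to the new `BROKEN_OPTIONS` block would keep the follow-up visible, e.g. `# BRANCH_PROTECTION is off by default while arm64 userspace support settles; enable by default on aarch64 afterwards`. Until that happens, arm64 userland is built without PAC/BTI unless the builder sets WITH_BRANCH_PROTECTION.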
|
||||
|
||||
|
|
|
@ -69,6 +69,12 @@ LDFLAGS+= -Wl,-zretpolineplt
|
|||
.endif
|
||||
# LLD sensibly defaults to -znoexecstack, so do the same for BFD
|
||||
LDFLAGS.bfd+= -Wl,-znoexecstack
|
||||
.if ${MK_BRANCH_PROTECTION} != "no"
|
||||
CFLAGS+= -mbranch-protection=standard
|
||||
.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
|
||||
LDFLAGS+= -Wl,-zbti-report=error
|
||||
.endif
|
||||
.endif
|
||||
|
||||
# Initialize stack variables on function entry
|
||||
.if ${OPT_INIT_ALL} != "none"
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
|
||||
SUBDIR_PARALLEL= yes
|
||||
|
||||
# Firmware may not be able to handle branch protection failures
|
||||
MK_BRANCH_PROTECTION= no
|
||||
|
||||
.include "defs.mk"
|
||||
|
|
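--- /dev/null
+++ b/tools/build/options/WITHOUT_BRANCH_PROTECTION
@@ -0,0 +1 @@
+Build with branch protection disabled.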
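--- /dev/null
+++ b/tools/build/options/WITH_BRANCH_PROTECTION
@@ -0,0 +1,4 @@
+Build with branch protection enabled.
+On arm64 enable the use of pointer authentication and
+branch target identification instructions on arm64.
+These can be used to help mitigate some exploit techniques.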