mirror of https://github.com/freebsd/freebsd-src synced 2024-07-21 10:19:04 +00:00

History

Russ Butler 1bd9ca8b75 aarch64: support BTI and pointer authentication in assembly This change adds optional support for - Armv8.3-A Pointer Authentication (PAuth) and - Armv8.5-A Branch Target Identification (BTI) features to the perl scripts. Both features can be enabled with additional compiler flags. Unless any of these are enabled explicitly there is no code change at all. The extensions are briefly described below. Please read the appropriate chapters of the Arm Architecture Reference Manual for the complete specification. Scope ----- This change only affects generated assembly code. Armv8.3-A Pointer Authentication -------------------------------- Pointer Authentication extension supports the authentication of the contents of registers before they are used for indirect branching or load. PAuth provides a probabilistic method to detect corruption of register values. PAuth signing instructions generate a Pointer Authentication Code (PAC) based on the value of a register, a seed and a key. The generated PAC is inserted into the original value in the register. A PAuth authentication instruction recomputes the PAC, and if it matches the PAC in the register, restores its original value. In case of a mismatch, an architecturally unmapped address is generated instead. With PAuth, mitigation against ROP (Return-oriented Programming) attacks can be implemented. This is achieved by signing the contents of the link-register (LR) before it is pushed to stack. Once LR is popped, it is authenticated. This way a stack corruption which overwrites the LR on the stack is detectable. The PAuth extension adds several new instructions, some of which are not recognized by older hardware. To support a single codebase for both pre Armv8.3-A targets and newer ones, only NOP-space instructions are added by this patch. These instructions are treated as NOPs on hardware which does not support Armv8.3-A. Furthermore, this patch only considers cases where LR is saved to the stack and then restored before branching to its content. There are cases in the code where LR is pushed to stack but it is not used later. We do not address these cases as they are not affected by PAuth. There are two keys available to sign an instruction address: A and B. PACIASP and PACIBSP only differ in the used keys: A and B, respectively. The keys are typically managed by the operating system. To enable generating code for PAuth compile with -mbranch-protection=<mode>: - standard or pac-ret: add PACIASP and AUTIASP, also enables BTI (read below) - pac-ret+b-key: add PACIBSP and AUTIBSP Armv8.5-A Branch Target Identification -------------------------------------- Branch Target Identification features some new instructions which protect the execution of instructions on guarded pages which are not intended branch targets. If Armv8.5-A is supported by the hardware, execution of an instruction changes the value of PSTATE.BTYPE field. If an indirect branch lands on a guarded page the target instruction must be one of the BTI <jc> flavors, or in case of a direct call or jump it can be any other instruction. If the target instruction is not compatible with the value of PSTATE.BTYPE a Branch Target Exception is generated. In short, indirect jumps are compatible with BTI <j> and <jc> while indirect calls are compatible with BTI <c> and <jc>. Please refer to the specification for the details. Armv8.3-A PACIASP and PACIBSP are implicit branch target identification instructions which are equivalent with BTI c or BTI jc depending on system register configuration. BTI is used to mitigate JOP (Jump-oriented Programming) attacks by limiting the set of instructions which can be jumped to. BTI requires active linker support to mark the pages with BTI-enabled code as guarded. For ELF64 files BTI compatibility is recorded in the .note.gnu.property section. For a shared object or static binary it is required that all linked units support BTI. This means that even a single assembly file without the required note section turns-off BTI for the whole binary or shared object. The new BTI instructions are treated as NOPs on hardware which does not support Armv8.5-A or on pages which are not guarded. To insert this new and optional instruction compile with -mbranch-protection=standard (also enables PAuth) or +bti. When targeting a guarded page from a non-guarded page, weaker compatibility restrictions apply to maintain compatibility between legacy and new code. For detailed rules please refer to the Arm ARM. Compiler support ---------------- Compiler support requires understanding '-mbranch-protection=<mode>' and emitting the appropriate feature macros (__ARM_FEATURE_BTI_DEFAULT and __ARM_FEATURE_PAC_DEFAULT). The current state is the following: ------------------------------------------------------- \| Compiler \| -mbranch-protection \| Feature macros \| +----------+---------------------+--------------------+ \| clang \| 9.0.0 \| 11.0.0 \| +----------+---------------------+--------------------+ \| gcc \| 9 \| expected in 10.1+ \| ------------------------------------------------------- Available Platforms ------------------ Arm Fast Model and QEMU support both extensions. https://developer.arm.com/tools-and-software/simulation-models/fast-models https://www.qemu.org/ Implementation Notes -------------------- This change adds BTI landing pads even to assembly functions which are likely to be directly called only. In these cases, landing pads might be superfluous depending on what code the linker generates. Code size and performance impact for these cases would be negligible. Interaction with C code ----------------------- Pointer Authentication is a per-frame protection while Branch Target Identification can be turned on and off only for all code pages of a whole shared object or static binary. Because of these properties if C/C++ code is compiled without any of the above features but assembly files support any of them unconditionally there is no incompatibility between the two. Useful Links ------------ To fully understand the details of both PAuth and BTI it is advised to read the related chapters of the Arm Architecture Reference Manual (Arm ARM): https://developer.arm.com/documentation/ddi0487/latest/ Additional materials: "Providing protection for complex software" https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software Arm Compiler Reference Guide Version 6.14: -mbranch-protection https://developer.arm.com/documentation/101754/0614/armclang-Reference/armclang-Command-line-Options/-mbranch-protection?lang=en Arm C Language Extensions (ACLE) https://developer.arm.com/docs/101028/latest Addional Notes -------------- This patch is a copy of the work done by Tamas Petz in boringssl. It contains the changes from the following commits: aarch64: support BTI and pointer authentication in assembly Change-Id: I4335f92e2ccc8e209c7d68a0a79f1acdf3aeb791 URL: https://boringssl-review.googlesource.com/c/boringssl/+/42084 aarch64: Improve conditional compilation Change-Id: I14902a64e5f403c2b6a117bc9f5fb1a4f4611ebf URL: https://boringssl-review.googlesource.com/c/boringssl/+/43524 aarch64: Fix name of gnu property note section Change-Id: I6c432d1c852129e9c273f6469a8b60e3983671ec URL: https://boringssl-review.googlesource.com/c/boringssl/+/44024 Change-Id: I2d95ebc5e4aeb5610d3b226f9754ee80cf74a9af Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16674) Reviewed by: emaste, Pierre Pronchery <pierre@freebsdfoundation.org> Obtained from: OpenSSL 19e277dd19f2 Differential Revision: https://reviews.freebsd.org/D41940		2023-10-02 17:12:49 +01:00
..
apps	OpenSSL: update to 3.0.10	2023-08-10 12:07:32 -04:00
crypto	aarch64: support BTI and pointer authentication in assembly	2023-10-02 17:12:49 +01:00
doc	OpenSSL: clean up botched merges in OpenSSL 3.0.9 import	2023-08-10 22:36:15 -04:00
engines	OpenSSL: update to 3.0.10	2023-08-10 12:07:32 -04:00
include	OpenSSL: regen opensslv.h for OpenSSL 3.0.10	2023-08-10 20:17:23 -04:00
providers	OpenSSL: update to 3.0.10	2023-08-10 12:07:32 -04:00
ssl	OpenSSL: update to 3.0.10	2023-08-10 12:07:32 -04:00
ACKNOWLEDGEMENTS.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
appveyor.yml	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
AUTHORS.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
build.info	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
CHANGES.md	OpenSSL: update to 3.0.10	2023-08-10 12:07:32 -04:00
config	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
configdata.pm.in	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
Configure	OpenSSL: update to 3.0.10	2023-08-10 12:07:32 -04:00
CONTRIBUTING.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
e_os.h	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
FAQ.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
FREEBSD-upgrade	openssl: document the update process	2023-09-25 11:43:58 -04:00
HACKING.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
INSTALL.md	OpenSSL: update to 3.0.10	2023-08-10 12:07:32 -04:00
LICENSE.txt	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
NEWS.md	OpenSSL: update to 3.0.10	2023-08-10 12:07:32 -04:00
NOTES-ANDROID.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
NOTES-DJGPP.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
NOTES-NONSTOP.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
NOTES-PERL.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
NOTES-UNIX.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
NOTES-VALGRIND.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
NOTES-VMS.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
NOTES-WINDOWS.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
README-ENGINES.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
README-FIPS.md	OpenSSL: update to 3.0.10	2023-08-10 12:07:32 -04:00
README-PROVIDERS.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
README.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
SUPPORT.md	Merge OpenSSL 3.0.9	2023-06-23 18:53:36 -04:00
VERSION.dat	OpenSSL: update to 3.0.10	2023-08-10 12:07:32 -04:00

README.md

Welcome to the OpenSSL Project

OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit for the Transport Layer Security (TLS) protocol formerly known as the Secure Sockets Layer (SSL) protocol. The protocol implementation is based on a full-strength general purpose cryptographic library, which can also be used stand-alone.

OpenSSL is descended from the SSLeay library developed by Eric A. Young and Tim J. Hudson.

The official Home Page of the OpenSSL Project is www.openssl.org.

Overview
Download
Build and Install
Documentation
License
Support
Contributing
Legalities

Overview

The OpenSSL toolkit includes:

libssl an implementation of all TLS protocol versions up to TLSv1.3 (RFC 8446).
libcrypto a full-strength general purpose cryptographic library. It constitutes the basis of the TLS implementation, but can also be used independently.
openssl the OpenSSL command line tool, a swiss army knife for cryptographic tasks, testing and analyzing. It can be used for
- creation of key parameters
- creation of X.509 certificates, CSRs and CRLs
- calculation of message digests
- encryption and decryption
- SSL/TLS client and server tests
- handling of S/MIME signed or encrypted mail
- and more...

Download

For Production Use

Source code tarballs of the official releases can be downloaded from www.openssl.org/source. The OpenSSL project does not distribute the toolkit in binary form.

However, for a large variety of operating systems precompiled versions of the OpenSSL toolkit are available. In particular on Linux and other Unix operating systems it is normally recommended to link against the precompiled shared libraries provided by the distributor or vendor.

For Testing and Development

Although testing and development could in theory also be done using the source tarballs, having a local copy of the git repository with the entire project history gives you much more insight into the code base.

The official OpenSSL Git Repository is located at git.openssl.org. There is a GitHub mirror of the repository at github.com/openssl/openssl, which is updated automatically from the former on every commit.

A local copy of the Git Repository can be obtained by cloning it from the original OpenSSL repository using

git clone git://git.openssl.org/openssl.git

or from the GitHub mirror using

git clone https://github.com/openssl/openssl.git

If you intend to contribute to OpenSSL, either to fix bugs or contribute new features, you need to fork the OpenSSL repository openssl/openssl on GitHub and clone your public fork instead.

git clone https://github.com/yourname/openssl.git

This is necessary, because all development of OpenSSL nowadays is done via GitHub pull requests. For more details, see Contributing.

Build and Install

After obtaining the Source, have a look at the INSTALL file for detailed instructions about building and installing OpenSSL. For some platforms, the installation instructions are amended by a platform specific document.

Specific notes on upgrading to OpenSSL 3.0 from previous versions can be found in the migration_guide(7ossl) manual page.

Documentation

Manual Pages

The manual pages for the master branch and all current stable releases are available online.

Wiki

There is a Wiki at wiki.openssl.org which is currently not very active. It contains a lot of useful information, not all of which is up to date.

License

OpenSSL is licensed under the Apache License 2.0, which means that you are free to get and use it for commercial and non-commercial purposes as long as you fulfill its conditions.

See the LICENSE.txt file for more details.

Support

There are various ways to get in touch. The correct channel depends on your requirement. see the SUPPORT file for more details.

Contributing

If you are interested and willing to contribute to the OpenSSL project, please take a look at the CONTRIBUTING file.

Legalities

A number of nations restrict the use or export of cryptography. If you are potentially subject to such restrictions you should seek legal advice before attempting to develop or distribute cryptographic code.