Implement branch target protection using the branch target identification

feature introduced in Armv8.5.  This provides "head-CFI" to complement
the "tail-CFI" provided by retguard.  Unfortunately most arm64 machines
don't support this feature yet.  But Apple M2 does support it and it
seems to work there.

ok deraadt@

diff --git a/sys/arch/arm64/arm64/aesv8-armx.S b/sys/arch/arm64/arm64/aesv8-armx.S
index 1bc271c..6ca0877 100644 (file)
--- a/sys/arch/arm64/arm64/aesv8-armx.S
+++ b/sys/arch/arm64/arm64/aesv8-armx.S
@@ -1,4 +1,4 @@
-/*     $OpenBSD: aesv8-armx.S,v 1.2 2023/01/16 10:11:39 kettenis Exp $ */
+/*     $OpenBSD: aesv8-armx.S,v 1.3 2023/03/27 19:02:47 kettenis Exp $ */
 /*
  * Copyright (c) 2006, CRYPTOGAMS by <appro@openssl.org>
  * All rights reserved.
@@ -62,6 +62,7 @@
 .type  aes_v8_set_encrypt_key,%function
 .align 5
 aes_v8_set_encrypt_key:
+       bti     c
 .Lenc_key:
        stp     x29,x30,[sp,#-16]!
        add     x29,sp,#0
@@ -230,6 +231,7 @@ aes_v8_set_encrypt_key:
 .type  aes_v8_set_decrypt_key,%function
 .align 5
 aes_v8_set_decrypt_key:
+       bti     c
 .inst  0xd503233f              // paciasp
        stp     x29,x30,[sp,#-16]!
        add     x29,sp,#0
@@ -271,6 +273,7 @@ aes_v8_set_decrypt_key:
 .type  aes_v8_encrypt,%function
 .align 5
 aes_v8_encrypt:
+       bti     c
        ldr     w3,[x2,#240]
        ld1     {v0.4s},[x2],#16
        ld1     {v2.16b},[x0]
@@ -300,6 +303,7 @@ aes_v8_encrypt:
 .type  aes_v8_decrypt,%function
 .align 5
 aes_v8_decrypt:
+       bti     c
        ldr     w3,[x2,#240]
        ld1     {v0.4s},[x2],#16
        ld1     {v2.16b},[x0]
@@ -329,6 +333,7 @@ aes_v8_decrypt:
 .type  aes_v8_cbc_encrypt,%function
 .align 5
 aes_v8_cbc_encrypt:
+       bti     c
        stp     x29,x30,[sp,#-16]!
        add     x29,sp,#0
        subs    x2,x2,#16
@@ -804,6 +809,7 @@ aes_v8_cbc_encrypt:
 .type  aes_v8_ctr32_encrypt_blocks,%function
 .align 5
 aes_v8_ctr32_encrypt_blocks:
+       bti     c
        stp     x29,x30,[sp,#-16]!
        add     x29,sp,#0
        ldr     w5,[x3,#240]

diff --git a/sys/arch/arm64/arm64/pmap.c b/sys/arch/arm64/arm64/pmap.c
index cf893c2..edda6e8 100644 (file)
--- a/sys/arch/arm64/arm64/pmap.c
+++ b/sys/arch/arm64/arm64/pmap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmap.c,v 1.92 2023/01/11 11:09:17 kettenis Exp $ */
+/* $OpenBSD: pmap.c,v 1.93 2023/03/27 19:02:47 kettenis Exp $ */
 /*
  * Copyright (c) 2008-2009,2014-2016 Dale Rahn <drahn@dalerahn.com>
  *
@@ -1688,6 +1688,9 @@ pmap_pte_update(struct pte_desc *pted, uint64_t *pl3)
        else
                access_bits = ap_bits_user[pted->pted_pte & PROT_MASK];
 
+       if (pm == pmap_kernel())
+               access_bits |= ATTR_GP;
+
        pte = (pted->pted_pte & PTE_RPGN) | attr | access_bits | L3_P;
        *pl3 = access_bits ? pte : 0;
 }

diff --git a/sys/arch/arm64/arm64/trap.c b/sys/arch/arm64/arm64/trap.c
index 4d089fc..7f4f37e 100644 (file)
--- a/sys/arch/arm64/arm64/trap.c
+++ b/sys/arch/arm64/arm64/trap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: trap.c,v 1.42 2022/11/07 09:43:04 mpi Exp $ */
+/* $OpenBSD: trap.c,v 1.43 2023/03/27 19:02:47 kettenis Exp $ */
 /*-
  * Copyright (c) 2014 Andrew Turner
  * All rights reserved.
@@ -218,6 +218,8 @@ do_el1h_sync(struct trapframe *frame)
        case EXCP_FP_SIMD:
        case EXCP_TRAP_FP:
                panic("FP exception in the kernel");
+       case EXCP_BRANCH_TGT:
+               panic("Branch target exception in the kernel");
        case EXCP_INSN_ABORT:
                kdata_abort(frame, esr, far, 1);
                break;

diff --git a/sys/arch/arm64/conf/Makefile.arm64 b/sys/arch/arm64/conf/Makefile.arm64
index b9f9e4d..6bd73a6 100644 (file)
--- a/sys/arch/arm64/conf/Makefile.arm64
+++ b/sys/arch/arm64/conf/Makefile.arm64
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile.arm64,v 1.44 2023/01/01 01:34:33 jsg Exp $
+#      $OpenBSD: Makefile.arm64,v 1.45 2023/03/27 19:02:47 kettenis Exp $
 
 # For instructions on building kernels consult the config(8) and options(4)
 # manual pages.
@@ -61,7 +61,7 @@ CWARNFLAGS+=  -Wno-deprecated-non-prototype -Wno-unknown-warning-option
 
 CMACHFLAGS=    -march=armv8-a+nofp+nosimd \
                -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer \
-               -ffixed-x18
+               -ffixed-x18 -mbranch-protection=bti
 CMACHFLAGS+=   -ffreestanding ${NOPIE_FLAGS}
 SORTR=         sort -R
 .if ${IDENT:M-DNO_PROPOLICE}

diff --git a/sys/arch/arm64/include/armreg.h b/sys/arch/arm64/include/armreg.h
index c179966..bffe8cc 100644 (file)
--- a/sys/arch/arm64/include/armreg.h
+++ b/sys/arch/arm64/include/armreg.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: armreg.h,v 1.26 2022/12/23 17:46:49 kettenis Exp $ */
+/* $OpenBSD: armreg.h,v 1.27 2023/03/27 19:02:48 kettenis Exp $ */
 /*-
  * Copyright (c) 2013, 2014 Andrew Turner
  * Copyright (c) 2015 The FreeBSD Foundation
@@ -165,6 +165,7 @@
 #define        ESR_ELx_EXCEPTION(esr)  (((esr) & ESR_ELx_EC_MASK) >> ESR_ELx_EC_SHIFT)
 #define         EXCP_UNKNOWN           0x00    /* Unkwn exception */
 #define         EXCP_FP_SIMD           0x07    /* FP/SIMD trap */
+#define         EXCP_BRANCH_TGT        0x0d    /* Branch target exception */
 #define         EXCP_ILL_STATE         0x0e    /* Illegal execution state */
 #define         EXCP_SVC               0x15    /* SVC trap */
 #define         EXCP_MSR               0x18    /* MSR/MRS trap */

diff --git a/sys/arch/arm64/include/asm.h b/sys/arch/arm64/include/asm.h
index 59687fc..c85ea5c 100644 (file)
--- a/sys/arch/arm64/include/asm.h
+++ b/sys/arch/arm64/include/asm.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: asm.h,v 1.11 2022/12/08 01:25:44 guenther Exp $       */
+/*     $OpenBSD: asm.h,v 1.12 2023/03/27 19:02:48 kettenis Exp $       */
 /*     $NetBSD: asm.h,v 1.4 2001/07/16 05:43:32 matt Exp $     */
 
 /*
@@ -125,11 +125,11 @@
 # define RETGUARD_SYMBOL(x)
 #endif
 
-#define        ENTRY(y)        _ENTRY(y); _PROF_PROLOGUE
-#define        ENTRY_NP(y)     _ENTRY(y)
-#define        ENTRY_NB(y)     _ENTRY_NB(y); _PROF_PROLOGUE
-#define        ASENTRY(y)      _ENTRY(y); _PROF_PROLOGUE
-#define        ASENTRY_NP(y)   _ENTRY(y)
+#define        ENTRY(y)        _ENTRY(y); bti c; _PROF_PROLOGUE
+#define        ENTRY_NP(y)     _ENTRY(y); bti c
+#define        ENTRY_NB(y)     _ENTRY_NB(y); bti c; _PROF_PROLOGUE
+#define        ASENTRY(y)      _ENTRY(y); bti c; _PROF_PROLOGUE
+#define        ASENTRY_NP(y)   _ENTRY(y); bti c
 #define        END(y)          .size y, . - y
 #define EENTRY(sym)     .globl  sym; sym:
 #define EEND(sym)

diff --git a/sys/arch/arm64/include/pte.h b/sys/arch/arm64/include/pte.h
index c6fa321..8306b2b 100644 (file)
--- a/sys/arch/arm64/include/pte.h
+++ b/sys/arch/arm64/include/pte.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pte.h,v 1.7 2021/02/28 21:28:33 patrick Exp $ */
+/* $OpenBSD: pte.h,v 1.8 2023/03/27 19:02:48 kettenis Exp $ */
 /*
  * Copyright (c) 2014 Dale Rahn <drahn@dalerahn.com>
  *
@@ -43,6 +43,7 @@
 #define                ATTR_SW_WIRED   (1UL << 55)
 #define                ATTR_UXN        (1UL << 54)
 #define                ATTR_PXN        (1UL << 53)
+#define                ATTR_GP         (1UL << 50)
 #define                ATTR_nG         (1 << 11)
 #define                ATTR_AF         (1 << 10)
 #define                ATTR_SH(x)      ((x) << 8)