From aa60921aa22cd2c4d517dfbcb04731f5614b8130 Mon Sep 17 00:00:00 2001
From: kettenis
Date: Mon, 27 Mar 2023 19:02:47 +0000
Subject: [PATCH] Implement branch target protection using the branch target identification feature introduced in Armv8.5. This provides "head-CFI" to complement the "tail-CFI" provided by retguard. Unfortunately most arm64 machines don't support this feature yet. But Apple M2 does support it and it seems to work there. ok deraadt@
---
 sys/arch/arm64/arm64/aesv8-armx.S | 8 +++++++-
 sys/arch/arm64/arm64/pmap.c | 5 ++++-
 sys/arch/arm64/arm64/trap.c | 4 +++-
 sys/arch/arm64/conf/Makefile.arm64 | 4 ++--
 sys/arch/arm64/include/armreg.h | 3 ++-
 sys/arch/arm64/include/asm.h | 12 ++++++------
 sys/arch/arm64/include/pte.h | 3 ++-
 7 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/sys/arch/arm64/arm64/aesv8-armx.S b/sys/arch/arm64/arm64/aesv8-armx.S
index 1bc271cfc60..6ca08775844 100644
--- a/sys/arch/arm64/arm64/aesv8-armx.S
+++ b/sys/arch/arm64/arm64/aesv8-armx.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: aesv8-armx.S,v 1.2 2023/01/16 10:11:39 kettenis Exp $ */
+/* $OpenBSD: aesv8-armx.S,v 1.3 2023/03/27 19:02:47 kettenis Exp $ */
 /*
 * Copyright (c) 2006, CRYPTOGAMS by
 * All rights reserved.
@@ -62,6 +62,7 @@
 .type aes_v8_set_encrypt_key,%function
 .align 5
 aes_v8_set_encrypt_key:
+ bti c
 .Lenc_key:
 stp x29,x30,[sp,#-16]!
 add x29,sp,#0
@@ -230,6 +231,7 @@ aes_v8_set_encrypt_key:
 .type aes_v8_set_decrypt_key,%function
 .align 5
 aes_v8_set_decrypt_key:
+ bti c
 .inst 0xd503233f // paciasp
 stp x29,x30,[sp,#-16]!
 add x29,sp,#0
@@ -271,6 +273,7 @@ aes_v8_set_decrypt_key:
 .type aes_v8_encrypt,%function
 .align 5
 aes_v8_encrypt:
+ bti c
 ldr w3,[x2,#240]
 ld1 {v0.4s},[x2],#16
 ld1 {v2.16b},[x0]
@@ -300,6 +303,7 @@ aes_v8_encrypt:
 .type aes_v8_decrypt,%function
 .align 5
 aes_v8_decrypt:
+ bti c
 ldr w3,[x2,#240]
 ld1 {v0.4s},[x2],#16
 ld1 {v2.16b},[x0]
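Review bot: The `bti c` pads added at the six entry points of this file (aes_v8_set_encrypt_key here, then aes_v8_set_decrypt_key, aes_v8_encrypt, aes_v8_decrypt, aes_v8_cbc_encrypt and aes_v8_ctr32_encrypt_blocks) are undocumented hand edits to a file whose header credits CRYPTOGAMS, so a later re-import of the upstream output could drop them silently. Once kernel text is mapped guarded, an entry point without its pad faults on every indirect call, and the kernel handler added for that fault panics. A trailing marker on each, for example `bti c // BTI landing pad, local addition`, would make the dependency visible. In aes_v8_set_decrypt_key the following `.inst 0xd503233f // paciasp` is, as far as I know, itself accepted as a call-compatible target, so the extra pad there looks harmless but is worth a word in the comment.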
@@ -329,6 +333,7 @@ aes_v8_decrypt:
 .type aes_v8_cbc_encrypt,%function
 .align 5
 aes_v8_cbc_encrypt:
+ bti c
 stp x29,x30,[sp,#-16]!
 add x29,sp,#0
 subs x2,x2,#16
@@ -804,6 +809,7 @@ aes_v8_cbc_encrypt:
 .type aes_v8_ctr32_encrypt_blocks,%function
 .align 5
 aes_v8_ctr32_encrypt_blocks:
+ bti c
 stp x29,x30,[sp,#-16]!
 add x29,sp,#0
 ldr w5,[x3,#240]
diff --git a/sys/arch/arm64/arm64/pmap.c b/sys/arch/arm64/arm64/pmap.c
index cf893c24601..edda6e8fe9a 100644
--- a/sys/arch/arm64/arm64/pmap.c
+++ b/sys/arch/arm64/arm64/pmap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmap.c,v 1.92 2023/01/11 11:09:17 kettenis Exp $ */
+/* $OpenBSD: pmap.c,v 1.93 2023/03/27 19:02:47 kettenis Exp $ */
 /*
 * Copyright (c) 2008-2009,2014-2016 Dale Rahn
 *
@@ -1688,6 +1688,9 @@ pmap_pte_update(struct pte_desc *pted, uint64_t *pl3)
 else
 access_bits = ap_bits_user[pted->pted_pte & PROT_MASK];
+ if (pm == pmap_kernel())
+ access_bits |= ATTR_GP;
+
 pte = (pted->pted_pte & PTE_RPGN) | attr | access_bits | L3_P;
 *pl3 = access_bits ? pte : 0;
 }
diff --git a/sys/arch/arm64/arm64/trap.c b/sys/arch/arm64/arm64/trap.c
index 4d089fc3774..7f4f37ef4c2 100644
--- a/sys/arch/arm64/arm64/trap.c
+++ b/sys/arch/arm64/arm64/trap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: trap.c,v 1.42 2022/11/07 09:43:04 mpi Exp $ */
+/* $OpenBSD: trap.c,v 1.43 2023/03/27 19:02:47 kettenis Exp $ */
 /*-
 * Copyright (c) 2014 Andrew Turner
 * All rights reserved.
@@ -218,6 +218,8 @@ do_el1h_sync(struct trapframe *frame)
 case EXCP_FP_SIMD:
 case EXCP_TRAP_FP:
 panic("FP exception in the kernel");
+ case EXCP_BRANCH_TGT:
+ panic("Branch target exception in the kernel");
 case EXCP_INSN_ABORT:
 kdata_abort(frame, esr, far, 1);
 break;
diff --git a/sys/arch/arm64/conf/Makefile.arm64 b/sys/arch/arm64/conf/Makefile.arm64
index b9f9e4d7d3d..6bd73a674f6 100644
--- a/sys/arch/arm64/conf/Makefile.arm64
+++ b/sys/arch/arm64/conf/Makefile.arm64
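Review bot: After `access_bits |= ATTR_GP`, the test in `*pl3 = access_bits ? pte : 0;` can no longer be false for the kernel pmap, so a kernel mapping whose protection yields zero access bits would now get a present descriptor (`L3_P` set) instead of a cleared one. Whether the kernel table lookup can return zero is decided outside this hunk, so this needs confirming, but the safe form adds the guard bit only when something is actually being mapped: `if (pm == pmap_kernel() && access_bits != 0)`. The bit is also set on CPUs without BTI and on non-executable pages, and a one-line comment saying why that is acceptable would help the next reader. pmap_pte_update starts above the hunk, where `pm` is defined.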
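Review bot: The new `EXCP_BRANCH_TGT` case panics with a fixed string, which discards the two facts needed to triage it: the syndrome and where the faulting branch landed. `esr` is already in scope (it is passed to kdata_abort two lines further down), so something like `panic("Branch target exception in the kernel, esr %llx", (unsigned long long)esr);` keeps it; printing the saved exception return address from `frame` as well would help tell a missing landing pad in assembly apart from a corrupted function pointer. do_el1h_sync begins and ends outside the hunk.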
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.arm64,v 1.44 2023/01/01 01:34:33 jsg Exp $
+# $OpenBSD: Makefile.arm64,v 1.45 2023/03/27 19:02:47 kettenis Exp $
 # For instructions on building kernels consult the config(8) and options(4)
 # manual pages.
@@ -61,7 +61,7 @@ CWARNFLAGS+= -Wno-deprecated-non-prototype -Wno-unknown-warning-option
 CMACHFLAGS= -march=armv8-a+nofp+nosimd \
 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer \
- -ffixed-x18
+ -ffixed-x18 -mbranch-protection=bti
 CMACHFLAGS+= -ffreestanding ${NOPIE_FLAGS}
 SORTR= sort -R
 .if ${IDENT:M-DNO_PROPOLICE}
diff --git a/sys/arch/arm64/include/armreg.h b/sys/arch/arm64/include/armreg.h
index c1799668508..bffe8cccacf 100644
--- a/sys/arch/arm64/include/armreg.h
+++ b/sys/arch/arm64/include/armreg.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: armreg.h,v 1.26 2022/12/23 17:46:49 kettenis Exp $ */
+/* $OpenBSD: armreg.h,v 1.27 2023/03/27 19:02:48 kettenis Exp $ */
 /*-
 * Copyright (c) 2013, 2014 Andrew Turner
 * Copyright (c) 2015 The FreeBSD Foundation
@@ -165,6 +165,7 @@
 #define ESR_ELx_EXCEPTION(esr) (((esr) & ESR_ELx_EC_MASK) >> ESR_ELx_EC_SHIFT)
 #define EXCP_UNKNOWN 0x00 /* Unkwn exception */
 #define EXCP_FP_SIMD 0x07 /* FP/SIMD trap */
+#define EXCP_BRANCH_TGT 0x0d /* Branch target exception */
 #define EXCP_ILL_STATE 0x0e /* Illegal execution state */
 #define EXCP_SVC 0x15 /* SVC trap */
 #define EXCP_MSR 0x18 /* MSR/MRS trap */
diff --git a/sys/arch/arm64/include/asm.h b/sys/arch/arm64/include/asm.h
index 59687fc2149..c85ea5c2c9c 100644
--- a/sys/arch/arm64/include/asm.h
+++ b/sys/arch/arm64/include/asm.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asm.h,v 1.11 2022/12/08 01:25:44 guenther Exp $ */
+/* $OpenBSD: asm.h,v 1.12 2023/03/27 19:02:48 kettenis Exp $ */
 /* $NetBSD: asm.h,v 1.4 2001/07/16 05:43:32 matt Exp $ */
 /*
@@ -125,11 +125,11 @@
 # define RETGUARD_SYMBOL(x)
 #endif
-#define ENTRY(y) _ENTRY(y); _PROF_PROLOGUE
-#define ENTRY_NP(y) _ENTRY(y)
-#define ENTRY_NB(y) _ENTRY_NB(y); _PROF_PROLOGUE
-#define ASENTRY(y) _ENTRY(y); _PROF_PROLOGUE
-#define ASENTRY_NP(y) _ENTRY(y)
+#define ENTRY(y) _ENTRY(y); bti c; _PROF_PROLOGUE
+#define ENTRY_NP(y) _ENTRY(y); bti c
+#define ENTRY_NB(y) _ENTRY_NB(y); bti c; _PROF_PROLOGUE
+#define ASENTRY(y) _ENTRY(y); bti c; _PROF_PROLOGUE
+#define ASENTRY_NP(y) _ENTRY(y); bti c
 #define END(y) .size y, . - y
 #define EENTRY(sym) .globl sym; sym:
 #define EEND(sym)
diff --git a/sys/arch/arm64/include/pte.h b/sys/arch/arm64/include/pte.h
index c6fa32124c1..8306b2b7e69 100644
--- a/sys/arch/arm64/include/pte.h
+++ b/sys/arch/arm64/include/pte.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pte.h,v 1.7 2021/02/28 21:28:33 patrick Exp $ */
+/* $OpenBSD: pte.h,v 1.8 2023/03/27 19:02:48 kettenis Exp $ */
 /*
 * Copyright (c) 2014 Dale Rahn
 *
@@ -43,6 +43,7 @@
 #define ATTR_SW_WIRED (1UL << 55)
 #define ATTR_UXN (1UL << 54)
 #define ATTR_PXN (1UL << 53)
+#define ATTR_GP (1UL << 50)
 #define ATTR_nG (1 << 11)
 #define ATTR_AF (1 << 10)
 #define ATTR_SH(x) ((x) << 8)
--
2.20.1
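Review bot: `EENTRY(sym)` still expands to `.globl sym; sym:` with no landing pad, while every `ENTRY`/`ASENTRY` variant above it now emits `bti c`. If any EENTRY symbol is ever reached through a function pointer, that call faults once its page is guarded; if none is, a comment such as `/* EENTRY: no bti c, must only be reached by direct branch */` records the rule. The pad also has to stay the first instruction after the label, ahead of `_PROF_PROLOGUE`, which the new macros get right; a short comment on that ordering would keep it from being reshuffled later.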