From de70334b5a2c09bbc275011f8925056bb02c52e7 Mon Sep 17 00:00:00 2001 From: visa Date: Thu, 8 Jun 2017 11:44:00 +0000 Subject: [PATCH] Split early startup code out of locore.S into locore0.S. Adjust link run so that this locore0.o is always at the start of the executable. But randomize the link order of all other .o files in the kernel, so that their exec/rodata/data/bss segments land all over the place. Late during kernel boot, smash the startup code with traps so that it does not point to the other randomly placed code. It has be smashed, because loongson runs in the kseg0 space. As a result, the internal layout of every newly build bsd kernel is different from past kernels. Internal relative offsets are not known to an outside attacker. Ramdisk kernels cannot be compiled like this, because they are gzip'd. When the internal pointer references change, the compression dictionary bloats and results in poorer compression. --- sys/arch/loongson/conf/Makefile.loongson | 26 ++++++++++---- sys/arch/loongson/conf/files.loongson | 3 +- sys/arch/loongson/loongson/autoconf.c | 15 ++++++++- sys/arch/loongson/loongson/locore.S | 10 +++--- sys/arch/loongson/loongson/locore0.S | 43 ++++++++++++++++++++++++ 5 files changed, 83 insertions(+), 14 deletions(-) create mode 100644 sys/arch/loongson/loongson/locore0.S diff --git a/sys/arch/loongson/conf/Makefile.loongson b/sys/arch/loongson/conf/Makefile.loongson index 450c2060347..306d4e2b430 100644 --- a/sys/arch/loongson/conf/Makefile.loongson +++ b/sys/arch/loongson/conf/Makefile.loongson @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile.loongson,v 1.56 2017/06/05 12:43:59 deraadt Exp $ +# $OpenBSD: Makefile.loongson,v 1.57 2017/06/08 11:44:00 visa Exp $ # For instructions on building kernels consult the config(8) and options(4) # manual pages. 
@@ -36,9 +36,13 @@ CWARNFLAGS= -Werror -Wall -Wimplicit-function-declaration \ CMACHFLAGS= -mno-abicalls ${ABI} -msoft-float -Wa,-mfix-loongson2f-btb -G 0 CMACHFLAGS+= -ffreestanding ${NOPIE_FLAGS} +SORTR= sort -R .if ${IDENT:M-DNO_PROPOLICE} CMACHFLAGS+= -fno-stack-protector .endif +.if ${IDENT:M-DSMALL_KERNEL} +SORTR= cat +.endif DEBUG?= -g COPTS?= -O2 @@ -72,13 +76,14 @@ NORMAL_S= ${CC} ${AFLAGS} ${CPPFLAGS} -c $< # ${SYSTEM_LD_HEAD} # ${SYSTEM_LD} swapxxx.o # ${SYSTEM_LD_TAIL} -SYSTEM_HEAD= locore.o param.o ioconf.o -SYSTEM_OBJ= ${SYSTEM_HEAD} ${OBJS} +SYSTEM_HEAD= locore0.o gap.o +SYSTEM_OBJ= ${SYSTEM_HEAD} ${OBJS} param.o ioconf.o SYSTEM_DEP= Makefile ${SYSTEM_OBJ} ld.script SYSTEM_LD_HEAD= @rm -f $@ SYSTEM_LD= @echo ${LD} ${LINKFLAGS} -o $@ '$${SYSTEM_HEAD} vers.o $${OBJS}'; \ umask 007; \ - ${LD} ${LINKFLAGS} -o $@ ${SYSTEM_HEAD} vers.o ${OBJS} + echo ${OBJS} param.o ioconf.o vers.o | tr " " "\n" | ${SORTR} > lorder; \ + ${LD} ${LINKFLAGS} -o $@ ${SYSTEM_HEAD} `cat lorder` SYSTEM_LD_TAIL= @${SIZE} $@ .if ${DEBUG} == "-g" @@ -125,8 +130,15 @@ vers.o: ${SYSTEM_DEP} ${SYSTEM_SWAP_DEP} sh $S/conf/newvers.sh ${CC} ${CFLAGS} ${CPPFLAGS} ${PROF} -c vers.c +gap.S: ${SYSTEM_SWAP_DEP} Makefile $S/conf/makegap.sh + umask 007; sh $S/conf/makegap.sh 0xef > gap.S + +gap.o: gap.S + umask 007; ${CC} ${AFLAGS} ${CPPFLAGS} ${PROF} -c gap.S + clean: - rm -f *bsd *bsd.gdb *.[dio] [a-z]*.s assym.* ${DB_STRUCTINFO} param.c + rm -f *bsd *bsd.gdb *.[dio] [a-z]*.s assym.* ${DB_STRUCTINFO} \ + gap.S lorder param.c cleandir: clean rm -f Makefile *.h ioconf.c options machine ${_mach} vers.c 
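Review bot: The `SYSTEM_LD` echo in the second hunk still prints `'$${SYSTEM_HEAD} vers.o $${OBJS}'` while the command that actually runs is `${LD} ${LINKFLAGS} -o $@ ${SYSTEM_HEAD} `cat lorder``, so the build log no longer describes the real link line (vers.o now takes part in the shuffle too); change it to `@echo ${LD} ${LINKFLAGS} -o $@ '$${SYSTEM_HEAD} `cat lorder`'; \`. The layout entropy this buys is only as good as the randomness behind `${SORTR}`; a comment next to `SORTR= sort -R` naming the expected source of randomness of sort(1) -R would help whoever ports this to another build host. The `0xef` argument to makegap.sh in the third hunk is not explained anywhere in the diff (the script itself is not shown); a one-line comment on the `gap.S:` rule saying what that value is would keep the gap object from becoming a mystery.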
@@ -142,8 +154,8 @@ db_structinfo.h: $S/ddb/db_structinfo.c $S/ddb/parse_structinfo.pl objdump -g db_structinfo.o | perl $S/ddb/parse_structinfo.pl > $@ rm -f db_structinfo.o -locore.o: ${_machdir}/${_mach}/locore.S assym.h -context.o cp0access.o exception.o: assym.h +locore0.o: ${_machdir}/${_mach}/locore0.S assym.h +context.o cp0access.o exception.o locore.o: assym.h lcore_access.o lcore_ddb.o lcore_float.o tlbhandler.o: assym.h pmon32.o: assym.h diff --git a/sys/arch/loongson/conf/files.loongson b/sys/arch/loongson/conf/files.loongson index f647efbd38c..c28f4b5b5c3 100644 --- a/sys/arch/loongson/conf/files.loongson +++ b/sys/arch/loongson/conf/files.loongson @@ -1,4 +1,4 @@ -# $OpenBSD: files.loongson,v 1.24 2016/11/17 14:41:21 visa Exp $ +# $OpenBSD: files.loongson,v 1.25 2017/06/08 11:44:00 visa Exp $ # Standard stanzas config(8) can't run without maxpartitions 16 @@ -21,6 +21,7 @@ file arch/loongson/loongson/gdium_machdep.c cpu_loongson2 file arch/loongson/loongson/generic2e_machdep.c cpu_loongson2 file arch/loongson/loongson/generic3a_machdep.c cpu_loongson3 file arch/loongson/loongson/isa_machdep.c isa +file arch/loongson/loongson/locore.S file arch/loongson/loongson/loongson2_machdep.c file arch/loongson/loongson/loongson3_intr.c cpu_loongson3 file arch/loongson/loongson/loongson3_machdep.c cpu_loongson3 diff --git a/sys/arch/loongson/loongson/autoconf.c b/sys/arch/loongson/loongson/autoconf.c index 40ea638e53c..00755ee5f1d 100644 --- a/sys/arch/loongson/loongson/autoconf.c +++ b/sys/arch/loongson/loongson/autoconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: autoconf.c,v 1.6 2013/06/02 21:46:04 pirofti Exp $ */ +/* $OpenBSD: autoconf.c,v 1.7 2017/06/08 11:44:00 visa Exp $ */ /* * Copyright (c) 2009 Miodrag Vallat. * 
@@ -34,6 +34,17 @@ enum devclass bootdev_class = DV_DULL; extern char pmon_bootp[]; +void +unmap_startup(void) +{ + extern uint32_t kernel_text[], endboot[]; + uint32_t *word = kernel_text; + + /* Cannot unmap kseg0; smash with trap. */ + while (word < endboot) + *word++ = 0x00000034u; /* TEQ zero, zero */ +} + void cpu_configure(void) { @@ -42,6 +53,8 @@ cpu_configure(void) softintr_init(); (void)config_rootfound("mainbus", NULL); + unmap_startup(); + splinit(); cold = 0; } diff --git a/sys/arch/loongson/loongson/locore.S b/sys/arch/loongson/loongson/locore.S index 8fde8bf9ae0..481235ec782 100644 --- a/sys/arch/loongson/loongson/locore.S +++ b/sys/arch/loongson/loongson/locore.S @@ -1,4 +1,4 @@ -/* $OpenBSD: locore.S,v 1.7 2017/01/19 15:09:04 visa Exp $ */ +/* $OpenBSD: locore.S,v 1.8 2017/06/08 11:44:00 visa Exp $ */ /* * Copyright (c) 2001-2004 Opsycon AB (www.opsycon.se / www.opsycon.com) @@ -39,10 +39,9 @@ .set noreorder # Noreorder is default style! - .globl start - .globl kernel_text -kernel_text = start -start: + .globl locore_start + .ent locore_start, 0 +locore_start: mfc0 v0, COP_0_STATUS_REG li v1, ~SR_INT_ENAB and v0, v1 @@ -74,6 +73,7 @@ start: PTR_L sp, 0(sp) jr ra nop + .end locore_start #ifdef HIBERNATE diff --git a/sys/arch/loongson/loongson/locore0.S b/sys/arch/loongson/loongson/locore0.S new file mode 100644 index 00000000000..7f2f381718d --- /dev/null +++ b/sys/arch/loongson/loongson/locore0.S 
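Review bot: `unmap_startup()` in the first hunk rewrites live kernel text through the data side but never synchronizes the instruction cache afterwards, so on a split I/D cache the old startup code can keep executing from stale I-cache lines until they happen to be evicted, which weakens the point of smashing it; after the loop I would add `Mips_SyncCache(curcpu());` (or an I-cache invalidate over kernel_text..endboot), unless the Loongson I-cache is known to snoop stores, which I cannot confirm from here. `endboot` is not defined by anything in this commit — presumably the generated gap.S provides it — so a comment on the `extern` line saying where both symbols come from, and that `0x34` is the SPECIAL function code of TEQ so the word traps unconditionally, would save the next reader a search. The function is only called from cpu_configure() in this file; either make it `static` or add a prototype so it does not trip -Wmissing-prototypes if that flag is in the (partly visible) CWARNFLAGS. cpu_configure() starts in this hunk and its body continues in the second one.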
@@ -0,0 +1,43 @@
+/* $OpenBSD: locore0.S,v 1.1 2017/06/08 11:44:00 visa Exp $ */
+
+/*
+ * Copyright (c) 2001-2004 Opsycon AB (www.opsycon.se / www.opsycon.com)
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include
+#include
+
+#include "assym.h"
+
+ .set noreorder # Noreorder is default style!
+
+ .globl kernel_text
+ .globl start
+ .ent start, 0
+kernel_text = start
+start:
+ j locore_start
+ nop
+ .end start
-- 
2.20.1
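Review bot: `start` reaches the now randomly placed entry with `j locore_start`, and a MIPS `j` can only target the 256 MiB region that contains the delay slot, so the whole shuffled kernel text has to stay inside that window relative to `start`; that holds for a kseg0 kernel of ordinary size, but a comment on the jump such as `# j reaches only the current 256 MiB region; fine while the kernel lives in kseg0` would record the assumption for anyone enlarging the image. A header comment stating the lifecycle of this file would also help, e.g. `/* Overwritten with trap instructions by unmap_startup() late in boot; nothing may reference start or kernel_text after that. */`. The two `#include` lines render without operands on this page, which I take to be an extraction artefact rather than the committed text.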