Trying to migrate Chromium to the "link all the asm files together" strategy broke the aarch64 Android build because some of the ifdef'd out assembly files were missing the .note.gnu.property section for BTI. If we add support for IBT, that'll be another one. To fix this, introduce <openssl/asm_base.h>, which must be included at the start of every assembly file (before the target ifdefs). This does a couple things: - It emits BTI and noexecstack markers into every assembly file, even those that ifdef themselves out. - It resolves the MSan -> OPENSSL_NO_ASM logic, so we only need to do it once. - It defines the same OPENSSL_X86_64, etc., defines we set elsewhere, so we can ensure they're consistent. This required carving files up a bit. <openssl/base.h> has a lot of things, such that trying to guard everything in it on __ASSEMBLER__ would be tedious. Instead, I moved the target defines to a new <openssl/target.h>. Then <openssl/asm_base.h> is the new header that pulls in all those things. Bug: 542 Change-Id: I1682b4d929adea72908655fa1bb15765a6b3473b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60765 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>main-with-bazel
David Benjamin
1 year ago
committed by
Boringssl LUCI CQ
parent
e79649ba4d
commit
a905bbb52a
13 changed files with 373 additions and 346 deletions
@ -0,0 +1,188 @@ |
||||
/* Copyright (c) 2023, Google Inc.
|
||||
* |
||||
* Permission to use, copy, modify, and/or distribute this software for any |
||||
* purpose with or without fee is hereby granted, provided that the above |
||||
* copyright notice and this permission notice appear in all copies. |
||||
* |
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
||||
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
||||
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
||||
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
||||
|
||||
#ifndef OPENSSL_HEADER_ASM_BASE_H |
||||
#define OPENSSL_HEADER_ASM_BASE_H |
||||
|
||||
#include <openssl/target.h> |
||||
|
||||
|
||||
// This header contains symbols and common sections used by assembly files. It
|
||||
// is included as a public header to simplify the build, but is not intended for
|
||||
// external use.
|
||||
//
|
||||
// Every assembly file must include this header. Some linker features require
|
||||
// all object files to be tagged with some section metadata. This header file,
|
||||
// when included in assembly, adds that metadata. It also makes defines like
|
||||
// |OPENSSL_X86_64| available and includes the prefixing macros.
|
||||
//
|
||||
// Including this header in an assembly file imples:
|
||||
//
|
||||
// - The file does not require an executable stack.
|
||||
//
|
||||
// - The file, on aarch64, uses the macros defined below to be compatible with
|
||||
// BTI and PAC.
|
||||
|
||||
#if defined(__ASSEMBLER__) |
||||
|
||||
#if defined(BORINGSSL_PREFIX) |
||||
#include <boringssl_prefix_symbols_asm.h> |
||||
#endif |
||||
|
||||
#if defined(__ELF__) |
||||
// Every ELF object file, even empty ones, should disable executable stacks. See
|
||||
// https://www.airs.com/blog/archives/518.
|
||||
.pushsection .note.GNU-stack, "", %progbits |
||||
.popsection |
||||
#endif |
||||
|
||||
#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) |
||||
|
||||
// We require the ARM assembler provide |__ARM_ARCH| from Arm C Language
|
||||
// Extensions (ACLE). This is supported in GCC 4.8+ and Clang 3.2+. MSVC does
|
||||
// not implement ACLE, but we require Clang's assembler on Windows.
|
||||
#if !defined(__ARM_ARCH) |
||||
#error "ARM assembler must define __ARM_ARCH" |
||||
#endif |
||||
|
||||
// __ARM_ARCH__ is used by OpenSSL assembly to determine the minimum target ARM
|
||||
// version.
|
||||
//
|
||||
// TODO(davidben): Switch the assembly to use |__ARM_ARCH| directly.
|
||||
#define __ARM_ARCH__ __ARM_ARCH |
||||
|
||||
// Even when building for 32-bit ARM, support for aarch64 crypto instructions
|
||||
// will be included.
|
||||
#define __ARM_MAX_ARCH__ 8 |
||||
|
||||
// Support macros for
|
||||
// - Armv8.3-A Pointer Authentication and
|
||||
// - Armv8.5-A Branch Target Identification
|
||||
// features which require emitting a .note.gnu.property section with the
|
||||
// appropriate architecture-dependent feature bits set.
|
||||
//
|
||||
// |AARCH64_SIGN_LINK_REGISTER| and |AARCH64_VALIDATE_LINK_REGISTER| expand to
|
||||
// PACIxSP and AUTIxSP, respectively. |AARCH64_SIGN_LINK_REGISTER| should be
|
||||
// used immediately before saving the LR register (x30) to the stack.
|
||||
// |AARCH64_VALIDATE_LINK_REGISTER| should be used immediately after restoring
|
||||
// it. Note |AARCH64_SIGN_LINK_REGISTER|'s modifications to LR must be undone
|
||||
// with |AARCH64_VALIDATE_LINK_REGISTER| before RET. The SP register must also
|
||||
// have the same value at the two points. For example:
|
||||
//
|
||||
// .global f
|
||||
// f:
|
||||
// AARCH64_SIGN_LINK_REGISTER
|
||||
// stp x29, x30, [sp, #-96]!
|
||||
// mov x29, sp
|
||||
// ...
|
||||
// ldp x29, x30, [sp], #96
|
||||
// AARCH64_VALIDATE_LINK_REGISTER
|
||||
// ret
|
||||
//
|
||||
// |AARCH64_VALID_CALL_TARGET| expands to BTI 'c'. Either it, or
|
||||
// |AARCH64_SIGN_LINK_REGISTER|, must be used at every point that may be an
|
||||
// indirect call target. In particular, all symbols exported from a file must
|
||||
// begin with one of these macros. For example, a leaf function that does not
|
||||
// save LR can instead use |AARCH64_VALID_CALL_TARGET|:
|
||||
//
|
||||
// .globl return_zero
|
||||
// return_zero:
|
||||
// AARCH64_VALID_CALL_TARGET
|
||||
// mov x0, #0
|
||||
// ret
|
||||
//
|
||||
// A non-leaf function which does not immediately save LR may need both macros
|
||||
// because |AARCH64_SIGN_LINK_REGISTER| appears late. For example, the function
|
||||
// may jump to an alternate implementation before setting up the stack:
|
||||
//
|
||||
// .globl with_early_jump
|
||||
// with_early_jump:
|
||||
// AARCH64_VALID_CALL_TARGET
|
||||
// cmp x0, #128
|
||||
// b.lt .Lwith_early_jump_128
|
||||
// AARCH64_SIGN_LINK_REGISTER
|
||||
// stp x29, x30, [sp, #-96]!
|
||||
// mov x29, sp
|
||||
// ...
|
||||
// ldp x29, x30, [sp], #96
|
||||
// AARCH64_VALIDATE_LINK_REGISTER
|
||||
// ret
|
||||
//
|
||||
// .Lwith_early_jump_128:
|
||||
// ...
|
||||
// ret
|
||||
//
|
||||
// These annotations are only required with indirect calls. Private symbols that
|
||||
// are only the target of direct calls do not require annotations. Also note
|
||||
// that |AARCH64_VALID_CALL_TARGET| is only valid for indirect calls (BLR), not
|
||||
// indirect jumps (BR). Indirect jumps in assembly are currently not supported
|
||||
// and would require a macro for BTI 'j'.
|
||||
//
|
||||
// Although not necessary, it is safe to use these macros in 32-bit ARM
|
||||
// assembly. This may be used to simplify dual 32-bit and 64-bit files.
|
||||
//
|
||||
// References:
|
||||
// - "ELF for the Arm® 64-bit Architecture"
|
||||
// https://github.com/ARM-software/abi-aa/blob/master/aaelf64/aaelf64.rst
|
||||
// - "Providing protection for complex software"
|
||||
// https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software
|
||||
|
||||
#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1 |
||||
#define GNU_PROPERTY_AARCH64_BTI (1 << 0) // Has Branch Target Identification
|
||||
#define AARCH64_VALID_CALL_TARGET hint #34 // BTI 'c'
|
||||
#else |
||||
#define GNU_PROPERTY_AARCH64_BTI 0 // No Branch Target Identification
|
||||
#define AARCH64_VALID_CALL_TARGET |
||||
#endif |
||||
|
||||
#if defined(__ARM_FEATURE_PAC_DEFAULT) && \ |
||||
(__ARM_FEATURE_PAC_DEFAULT & 1) == 1 // Signed with A-key
|
||||
#define GNU_PROPERTY_AARCH64_POINTER_AUTH \ |
||||
(1 << 1) // Has Pointer Authentication
|
||||
#define AARCH64_SIGN_LINK_REGISTER hint #25 // PACIASP
|
||||
#define AARCH64_VALIDATE_LINK_REGISTER hint #29 // AUTIASP
|
||||
#elif defined(__ARM_FEATURE_PAC_DEFAULT) && \ |
||||
(__ARM_FEATURE_PAC_DEFAULT & 2) == 2 // Signed with B-key
|
||||
#define GNU_PROPERTY_AARCH64_POINTER_AUTH \ |
||||
(1 << 1) // Has Pointer Authentication
|
||||
#define AARCH64_SIGN_LINK_REGISTER hint #27 // PACIBSP
|
||||
#define AARCH64_VALIDATE_LINK_REGISTER hint #31 // AUTIBSP
|
||||
#else |
||||
#define GNU_PROPERTY_AARCH64_POINTER_AUTH 0 // No Pointer Authentication
|
||||
#if GNU_PROPERTY_AARCH64_BTI != 0 |
||||
#define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET |
||||
#else |
||||
#define AARCH64_SIGN_LINK_REGISTER |
||||
#endif |
||||
#define AARCH64_VALIDATE_LINK_REGISTER |
||||
#endif |
||||
|
||||
#if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0 |
||||
.pushsection .note.gnu.property, "a"; |
||||
.balign 8; |
||||
.long 4; |
||||
.long 0x10; |
||||
.long 0x5; |
||||
.asciz "GNU"; |
||||
.long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */ |
||||
.long 4; |
||||
.long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI); |
||||
.long 0; |
||||
.popsection; |
||||
#endif |
||||
#endif // ARM || AARCH64
|
||||
|
||||
#endif // __ASSEMBLER__
|
||||
|
||||
#endif // OPENSSL_HEADER_ASM_BASE_H
|
||||
@ -0,0 +1,151 @@ |
||||
/* Copyright (c) 2023, Google Inc.
|
||||
* |
||||
* Permission to use, copy, modify, and/or distribute this software for any |
||||
* purpose with or without fee is hereby granted, provided that the above |
||||
* copyright notice and this permission notice appear in all copies. |
||||
* |
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
||||
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
||||
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
||||
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
||||
|
||||
#ifndef OPENSSL_HEADER_TARGET_H |
||||
#define OPENSSL_HEADER_TARGET_H |
||||
|
||||
// Preprocessor symbols that define the target platform.
|
||||
//
|
||||
// This file may be included in C, C++, and assembler and must be compatible
|
||||
// with each environment. It is separated out only to share code between
|
||||
// <openssl/base.h> and <openssl/asm_base.h>. Prefer to include those headers
|
||||
// instead.
|
||||
|
||||
#if defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) |
||||
#define OPENSSL_64_BIT |
||||
#define OPENSSL_X86_64 |
||||
#elif defined(__x86) || defined(__i386) || defined(__i386__) || defined(_M_IX86) |
||||
#define OPENSSL_32_BIT |
||||
#define OPENSSL_X86 |
||||
#elif defined(__AARCH64EL__) || defined(_M_ARM64) |
||||
#define OPENSSL_64_BIT |
||||
#define OPENSSL_AARCH64 |
||||
#elif defined(__ARMEL__) || defined(_M_ARM) |
||||
#define OPENSSL_32_BIT |
||||
#define OPENSSL_ARM |
||||
#elif defined(__MIPSEL__) && !defined(__LP64__) |
||||
#define OPENSSL_32_BIT |
||||
#define OPENSSL_MIPS |
||||
#elif defined(__MIPSEL__) && defined(__LP64__) |
||||
#define OPENSSL_64_BIT |
||||
#define OPENSSL_MIPS64 |
||||
#elif defined(__riscv) && __SIZEOF_POINTER__ == 8 |
||||
#define OPENSSL_64_BIT |
||||
#define OPENSSL_RISCV64 |
||||
#elif defined(__riscv) && __SIZEOF_POINTER__ == 4 |
||||
#define OPENSSL_32_BIT |
||||
#elif defined(__pnacl__) |
||||
#define OPENSSL_32_BIT |
||||
#define OPENSSL_PNACL |
||||
#elif defined(__wasm__) |
||||
#define OPENSSL_32_BIT |
||||
#elif defined(__asmjs__) |
||||
#define OPENSSL_32_BIT |
||||
#elif defined(__myriad2__) |
||||
#define OPENSSL_32_BIT |
||||
#else |
||||
// Note BoringSSL only supports standard 32-bit and 64-bit two's-complement,
|
||||
// little-endian architectures. Functions will not produce the correct answer
|
||||
// on other systems. Run the crypto_test binary, notably
|
||||
// crypto/compiler_test.cc, before adding a new architecture.
|
||||
#error "Unknown target CPU" |
||||
#endif |
||||
|
||||
#if defined(__APPLE__) |
||||
#define OPENSSL_APPLE |
||||
#endif |
||||
|
||||
#if defined(_WIN32) |
||||
#define OPENSSL_WINDOWS |
||||
#endif |
||||
|
||||
// Trusty isn't Linux but currently defines __linux__. As a workaround, we
|
||||
// exclude it here.
|
||||
// TODO(b/169780122): Remove this workaround once Trusty no longer defines it.
|
||||
#if defined(__linux__) && !defined(__TRUSTY__) |
||||
#define OPENSSL_LINUX |
||||
#endif |
||||
|
||||
#if defined(__Fuchsia__) |
||||
#define OPENSSL_FUCHSIA |
||||
#endif |
||||
|
||||
#if defined(__TRUSTY__) |
||||
#define OPENSSL_TRUSTY |
||||
#define OPENSSL_NO_POSIX_IO |
||||
#define OPENSSL_NO_SOCK |
||||
#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED |
||||
#endif |
||||
|
||||
#if defined(OPENSSL_NANOLIBC) |
||||
#define OPENSSL_NO_POSIX_IO |
||||
#define OPENSSL_NO_SOCK |
||||
#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED |
||||
#endif |
||||
|
||||
#if defined(__ANDROID_API__) |
||||
#define OPENSSL_ANDROID |
||||
#endif |
||||
|
||||
#if defined(__FreeBSD__) |
||||
#define OPENSSL_FREEBSD |
||||
#endif |
||||
|
||||
#if defined(__OpenBSD__) |
||||
#define OPENSSL_OPENBSD |
||||
#endif |
||||
|
||||
// BoringSSL requires platform's locking APIs to make internal global state
|
||||
// thread-safe, including the PRNG. On some single-threaded embedded platforms,
|
||||
// locking APIs may not exist, so this dependency may be disabled with the
|
||||
// following build flag.
|
||||
//
|
||||
// IMPORTANT: Doing so means the consumer promises the library will never be
|
||||
// used in any multi-threaded context. It causes BoringSSL to be globally
|
||||
// thread-unsafe. Setting it inappropriately will subtly and unpredictably
|
||||
// corrupt memory and leak secret keys.
|
||||
//
|
||||
// Do not set this flag on any platform where threads are possible. BoringSSL
|
||||
// maintainers will not provide support for any consumers that do so. Changes
|
||||
// which break such unsupported configurations will not be reverted.
|
||||
#if !defined(OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED) |
||||
#define OPENSSL_THREADS |
||||
#endif |
||||
|
||||
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) && \ |
||||
!defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) |
||||
#define BORINGSSL_UNSAFE_DETERMINISTIC_MODE |
||||
#endif |
||||
|
||||
#if defined(__has_feature) |
||||
#if __has_feature(address_sanitizer) |
||||
#define OPENSSL_ASAN |
||||
#endif |
||||
#if __has_feature(thread_sanitizer) |
||||
#define OPENSSL_TSAN |
||||
#endif |
||||
#if __has_feature(memory_sanitizer) |
||||
#define OPENSSL_MSAN |
||||
#define OPENSSL_ASM_INCOMPATIBLE |
||||
#endif |
||||
#endif |
||||
|
||||
#if defined(OPENSSL_ASM_INCOMPATIBLE) |
||||
#undef OPENSSL_ASM_INCOMPATIBLE |
||||
#if !defined(OPENSSL_NO_ASM) |
||||
#define OPENSSL_NO_ASM |
||||
#endif |
||||
#endif // OPENSSL_ASM_INCOMPATIBLE
|
||||
|
||||
#endif // OPENSSL_HEADER_TARGET_H
|
||||
Loading…
Reference in new issue