Page Menu
Home
FreeBSD
Search
Configure Global Search
Log In
Files
F98227621
D42596.id.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Flag For Later
Award Token
Size
2 KB
Referenced Files
None
Subscribers
None
D42596.id.diff
View Options
diff --git a/lib/libomp/Makefile b/lib/libomp/Makefile
--- a/lib/libomp/Makefile
+++ b/lib/libomp/Makefile
@@ -1,4 +1,7 @@
+# z_Linux_asm.S is missing BTI support
+MK_BRANCH_PROTECTION=no
+
.include <bsd.compiler.mk>
SHLIB_NAME= libomp.so
diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@@ -97,6 +97,12 @@
.endif
# LLD sensibly defaults to -znoexecstack, so do the same for BFD
LDFLAGS.bfd+= -Wl,-znoexecstack
+.if ${MK_BRANCH_PROTECTION} != "no"
+CFLAGS+= -mbranch-protection=standard
+.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
+LDFLAGS+= -Wl,-zbti-report=error
+.endif
+.endif
# Initialize stack variables on function entry
.if ${OPT_INIT_ALL} != "none"
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -74,6 +74,7 @@
__DEFAULT_NO_OPTIONS = \
ASAN \
BIND_NOW \
+ BRANCH_PROTECTION \
CCACHE_BUILD \
CTF \
INSTALL_AS_USER \
@@ -102,6 +103,10 @@
__DEFAULT_YES_OPTIONS+=PIE
.endif
+.if ${MACHINE_CPUARCH} != "aarch64"
+BROKEN_OPTIONS+= BRANCH_PROTECTION
+.endif
+
__SINGLE_OPTIONS = \
INIT_ALL
diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@@ -69,6 +69,12 @@
.endif
# LLD sensibly defaults to -znoexecstack, so do the same for BFD
LDFLAGS.bfd+= -Wl,-znoexecstack
+.if ${MK_BRANCH_PROTECTION} != "no"
+CFLAGS+= -mbranch-protection=standard
+.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
+LDFLAGS+= -Wl,-zbti-report=error
+.endif
+.endif
# Initialize stack variables on function entry
.if ${OPT_INIT_ALL} != "none"
diff --git a/stand/Makefile.inc b/stand/Makefile.inc
--- a/stand/Makefile.inc
+++ b/stand/Makefile.inc
@@ -1,4 +1,7 @@
SUBDIR_PARALLEL= yes
+# Firmware may not be able to handle branch protection failures
+MK_BRANCH_PROTECTION= no
+
.include "defs.mk"
diff --git a/tools/build/options/WITHOUT_BRANCH_PROTECTION b/tools/build/options/WITHOUT_BRANCH_PROTECTION
new file mode 100644
--- /dev/null
+++ b/tools/build/options/WITHOUT_BRANCH_PROTECTION
@@ -0,0 +1 @@
+Build with branch protection disabled.
diff --git a/tools/build/options/WITH_BRANCH_PROTECTION b/tools/build/options/WITH_BRANCH_PROTECTION
new file mode 100644
--- /dev/null
+++ b/tools/build/options/WITH_BRANCH_PROTECTION
@@ -0,0 +1,4 @@
+Build with branch protection enabled.
+On arm64 enable the use of pointer authentication and
+branch target identification instructions on arm64.
+These can be used to help mitigate some exploit techniques.
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Thu, Oct 3, 6:29 PM (15 h, 51 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
13309211
Default Alt Text
D42596.id.diff (2 KB)
Attached To
Mode
D42596: arm64: Allow userspace to be built with PAC and BTI
Attached
Detach File
Event Timeline
Log In to Comment