aarch64: support BTI and pointer authentication in assembly
This change adds optional support for
- Armv8.3-A Pointer Authentication (PAuth) and
- Armv8.5-A Branch Target Identification (BTI)
features to the perl scripts.
Both features can be enabled with additional compiler flags.
Unless any of these are enabled explicitly there is no code change at
all.
The extensions are briefly described below. Please read the appropriate
chapters of the Arm Architecture Reference Manual for the complete
specification.
Scope
-----
This change only affects generated assembly code.
Armv8.3-A Pointer Authentication
--------------------------------
Pointer Authentication extension supports the authentication of the
contents of registers before they are used for indirect branching
or load.
PAuth provides a probabilistic method to detect corruption of register
values. PAuth signing instructions generate a Pointer Authentication
Code (PAC) based on the value of a register, a seed and a key.
The generated PAC is inserted into the original value in the register.
A PAuth authentication instruction recomputes the PAC, and if it matches
the PAC in the register, restores its original value. In case of a
mismatch, an architecturally unmapped address is generated instead.
With PAuth, mitigation against ROP (Return-oriented Programming) attacks
can be implemented. This is achieved by signing the contents of the
link-register (LR) before it is pushed to stack. Once LR is popped,
it is authenticated. This way a stack corruption which overwrites the
LR on the stack is detectable.
The PAuth extension adds several new instructions, some of which are not
recognized by older hardware. To support a single codebase for both pre
Armv8.3-A targets and newer ones, only NOP-space instructions are added
by this patch. These instructions are treated as NOPs on hardware
which does not support Armv8.3-A. Furthermore, this patch only considers
cases where LR is saved to the stack and then restored before branching
to its content. There are cases in the code where LR is pushed to stack
but it is not used later. We do not address these cases as they are not
affected by PAuth.
There are two keys available to sign an instruction address: A and B.
PACIASP and PACIBSP only differ in the used keys: A and B, respectively.
The keys are typically managed by the operating system.
To enable generating code for PAuth compile with
-mbranch-protection=<mode>:
- standard or pac-ret: add PACIASP and AUTIASP, also enables BTI
(read below)
- pac-ret+b-key: add PACIBSP and AUTIBSP
Armv8.5-A Branch Target Identification
--------------------------------------
Branch Target Identification features some new instructions which
protect the execution of instructions on guarded pages which are not
intended branch targets.
If Armv8.5-A is supported by the hardware, execution of an instruction
changes the value of PSTATE.BTYPE field. If an indirect branch
lands on a guarded page the target instruction must be one of the
BTI <jc> flavors, or in case of a direct call or jump it can be any
other instruction. If the target instruction is not compatible with the
value of PSTATE.BTYPE a Branch Target Exception is generated.
In short, indirect jumps are compatible with BTI <j> and <jc> while
indirect calls are compatible with BTI <c> and <jc>. Please refer to the
specification for the details.
Armv8.3-A PACIASP and PACIBSP are implicit branch target
identification instructions which are equivalent with BTI c or BTI jc
depending on system register configuration.
BTI is used to mitigate JOP (Jump-oriented Programming) attacks by
limiting the set of instructions which can be jumped to.
BTI requires active linker support to mark the pages with BTI-enabled
code as guarded. For ELF64 files BTI compatibility is recorded in the
.note.gnu.property section. For a shared object or static binary it is
required that all linked units support BTI. This means that even a
single assembly file without the required note section turns-off BTI
for the whole binary or shared object.
The new BTI instructions are treated as NOPs on hardware which does
not support Armv8.5-A or on pages which are not guarded.
To insert this new and optional instruction compile with
-mbranch-protection=standard (also enables PAuth) or +bti.
When targeting a guarded page from a non-guarded page, weaker
compatibility restrictions apply to maintain compatibility between
legacy and new code. For detailed rules please refer to the Arm ARM.
Compiler support
----------------
Compiler support requires understanding '-mbranch-protection=<mode>'
and emitting the appropriate feature macros (__ARM_FEATURE_BTI_DEFAULT
and __ARM_FEATURE_PAC_DEFAULT). The current state is the following:
-------------------------------------------------------
| Compiler | -mbranch-protection | Feature macros |
+----------+---------------------+--------------------+
| clang | 9.0.0 | 11.0.0 |
+----------+---------------------+--------------------+
| gcc | 9 | expected in 10.1+ |
-------------------------------------------------------
Available Platforms
------------------
Arm Fast Model and QEMU support both extensions.
https://developer.arm.com/tools-and-software/simulation-models/fast-models
https://www.qemu.org/
Implementation Notes
--------------------
This change adds BTI landing pads even to assembly functions which are
likely to be directly called only. In these cases, landing pads might
be superfluous depending on what code the linker generates.
Code size and performance impact for these cases would be negligble.
Interaction with C code
-----------------------
Pointer Authentication is a per-frame protection while Branch Target
Identification can be turned on and off only for all code pages of a
whole shared object or static binary. Because of these properties if
C/C++ code is compiled without any of the above features but assembly
files support any of them unconditionally there is no incompatibility
between the two.
Useful Links
------------
To fully understand the details of both PAuth and BTI it is advised to
read the related chapters of the Arm Architecture Reference Manual
(Arm ARM):
https://developer.arm.com/documentation/ddi0487/latest/
Additional materials:
"Providing protection for complex software"
https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software
Arm Compiler Reference Guide Version 6.14: -mbranch-protection
https://developer.arm.com/documentation/101754/0614/armclang-Reference/armclang-Command-line-Options/-mbranch-protection?lang=en
Arm C Language Extensions (ACLE)
https://developer.arm.com/docs/101028/latest
Change-Id: I4335f92e2ccc8e209c7d68a0a79f1acdf3aeb791
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/42084
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/crypto/chacha/asm/chacha-armv8.pl b/crypto/chacha/asm/chacha-armv8.pl
index 9cae28c..05958c8 100755
--- a/crypto/chacha/asm/chacha-armv8.pl
+++ b/crypto/chacha/asm/chacha-armv8.pl
@@ -139,6 +139,7 @@
.type ChaCha20_ctr32,%function
.align 5
ChaCha20_ctr32:
+ AARCH64_VALID_CALL_TARGET
cbz $len,.Labort
#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10
adrp @x[0],:pg_hi21_nc:OPENSSL_armcap_P
@@ -152,6 +153,7 @@
b.ne ChaCha20_neon
.Lshort:
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-96]!
add x29,sp,#0
@@ -272,6 +274,7 @@
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
.Labort:
ret
@@ -328,6 +331,7 @@
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size ChaCha20_ctr32,.-ChaCha20_ctr32
___
@@ -373,6 +377,7 @@
.type ChaCha20_neon,%function
.align 5
ChaCha20_neon:
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-96]!
add x29,sp,#0
@@ -572,6 +577,7 @@
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.Ltail_neon:
@@ -681,6 +687,7 @@
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size ChaCha20_neon,.-ChaCha20_neon
___
@@ -693,6 +700,7 @@
.type ChaCha20_512_neon,%function
.align 5
ChaCha20_512_neon:
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-96]!
add x29,sp,#0
@@ -1112,6 +1120,7 @@
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldp x29,x30,[sp],#96
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size ChaCha20_512_neon,.-ChaCha20_512_neon
___
diff --git a/crypto/fipsmodule/aes/asm/aesv8-armx.pl b/crypto/fipsmodule/aes/asm/aesv8-armx.pl
index 187c221..5fd9864 100644
--- a/crypto/fipsmodule/aes/asm/aesv8-armx.pl
+++ b/crypto/fipsmodule/aes/asm/aesv8-armx.pl
@@ -96,6 +96,8 @@
.Lenc_key:
___
$code.=<<___ if ($flavour =~ /64/);
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ AARCH64_VALID_CALL_TARGET
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
@@ -274,6 +276,7 @@
${prefix}_set_decrypt_key:
___
$code.=<<___ if ($flavour =~ /64/);
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
@@ -317,6 +320,7 @@
___
$code.=<<___ if ($flavour =~ /64/);
ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
ret
___
$code.=<<___;
@@ -336,6 +340,11 @@
.type ${prefix}_${dir}crypt,%function
.align 5
${prefix}_${dir}crypt:
+___
+$code.=<<___ if ($flavour =~ /64/);
+ AARCH64_VALID_CALL_TARGET
+___
+$code.=<<___;
ldr $rounds,[$key,#240]
vld1.32 {$rndkey0},[$key],#16
vld1.8 {$inout},[$inp]
@@ -383,6 +392,8 @@
${prefix}_cbc_encrypt:
___
$code.=<<___ if ($flavour =~ /64/);
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ AARCH64_VALID_CALL_TARGET
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
@@ -712,6 +723,8 @@
${prefix}_ctr32_encrypt_blocks:
___
$code.=<<___ if ($flavour =~ /64/);
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ AARCH64_VALID_CALL_TARGET
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
diff --git a/crypto/fipsmodule/aes/asm/vpaes-armv8.pl b/crypto/fipsmodule/aes/asm/vpaes-armv8.pl
index bae5e7e..e4b9ceb 100755
--- a/crypto/fipsmodule/aes/asm/vpaes-armv8.pl
+++ b/crypto/fipsmodule/aes/asm/vpaes-armv8.pl
@@ -49,6 +49,8 @@
*STDOUT=*OUT;
$code.=<<___;
+#include <openssl/arm_arch.h>
+
.section .rodata
.type _vpaes_consts,%object
@@ -259,6 +261,7 @@
.type vpaes_encrypt,%function
.align 4
vpaes_encrypt:
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-16]!
add x29,sp,#0
@@ -268,6 +271,7 @@
st1 {v0.16b}, [$out]
ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size vpaes_encrypt,.-vpaes_encrypt
@@ -495,6 +499,7 @@
.type vpaes_decrypt,%function
.align 4
vpaes_decrypt:
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-16]!
add x29,sp,#0
@@ -504,6 +509,7 @@
st1 {v0.16b}, [$out]
ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size vpaes_decrypt,.-vpaes_decrypt
@@ -680,6 +686,7 @@
.type _vpaes_schedule_core,%function
.align 4
_vpaes_schedule_core:
+ AARCH64_SIGN_LINK_REGISTER
stp x29, x30, [sp,#-16]!
add x29,sp,#0
@@ -849,6 +856,7 @@
eor v6.16b, v6.16b, v6.16b // vpxor %xmm6, %xmm6, %xmm6
eor v7.16b, v7.16b, v7.16b // vpxor %xmm7, %xmm7, %xmm7
ldp x29, x30, [sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size _vpaes_schedule_core,.-_vpaes_schedule_core
@@ -1061,6 +1069,7 @@
.type vpaes_set_encrypt_key,%function
.align 4
vpaes_set_encrypt_key:
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-16]!
add x29,sp,#0
stp d8,d9,[sp,#-16]! // ABI spec says so
@@ -1076,6 +1085,7 @@
ldp d8,d9,[sp],#16
ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size vpaes_set_encrypt_key,.-vpaes_set_encrypt_key
@@ -1083,6 +1093,7 @@
.type vpaes_set_decrypt_key,%function
.align 4
vpaes_set_decrypt_key:
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-16]!
add x29,sp,#0
stp d8,d9,[sp,#-16]! // ABI spec says so
@@ -1102,6 +1113,7 @@
ldp d8,d9,[sp],#16
ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size vpaes_set_decrypt_key,.-vpaes_set_decrypt_key
___
@@ -1114,6 +1126,7 @@
.type vpaes_cbc_encrypt,%function
.align 4
vpaes_cbc_encrypt:
+ AARCH64_SIGN_LINK_REGISTER
cbz $len, .Lcbc_abort
cmp w5, #0 // check direction
b.eq vpaes_cbc_decrypt
@@ -1140,6 +1153,7 @@
st1 {v0.16b}, [$ivec] // write ivec
ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
.Lcbc_abort:
ret
.size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt
@@ -1147,6 +1161,8 @@
.type vpaes_cbc_decrypt,%function
.align 4
vpaes_cbc_decrypt:
+ // Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to
+ // only from vpaes_cbc_encrypt which has already signed the return address.
stp x29,x30,[sp,#-16]!
add x29,sp,#0
stp d8,d9,[sp,#-16]! // ABI spec says so
@@ -1188,6 +1204,7 @@
ldp d10,d11,[sp],#16
ldp d8,d9,[sp],#16
ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size vpaes_cbc_decrypt,.-vpaes_cbc_decrypt
___
@@ -1198,6 +1215,7 @@
.type vpaes_ecb_encrypt,%function
.align 4
vpaes_ecb_encrypt:
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-16]!
add x29,sp,#0
stp d8,d9,[sp,#-16]! // ABI spec says so
@@ -1231,6 +1249,7 @@
ldp d10,d11,[sp],#16
ldp d8,d9,[sp],#16
ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size vpaes_ecb_encrypt,.-vpaes_ecb_encrypt
@@ -1238,6 +1257,7 @@
.type vpaes_ecb_decrypt,%function
.align 4
vpaes_ecb_decrypt:
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-16]!
add x29,sp,#0
stp d8,d9,[sp,#-16]! // ABI spec says so
@@ -1271,6 +1291,7 @@
ldp d10,d11,[sp],#16
ldp d8,d9,[sp],#16
ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size vpaes_ecb_decrypt,.-vpaes_ecb_decrypt
___
@@ -1285,6 +1306,7 @@
.type vpaes_ctr32_encrypt_blocks,%function
.align 4
vpaes_ctr32_encrypt_blocks:
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-16]!
add x29,sp,#0
stp d8,d9,[sp,#-16]! // ABI spec says so
@@ -1352,6 +1374,7 @@
ldp d10,d11,[sp],#16
ldp d8,d9,[sp],#16
ldp x29,x30,[sp],#16
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size vpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks
___
diff --git a/crypto/fipsmodule/bn/asm/armv8-mont.pl b/crypto/fipsmodule/bn/asm/armv8-mont.pl
index db2ba49..788a0ce 100644
--- a/crypto/fipsmodule/bn/asm/armv8-mont.pl
+++ b/crypto/fipsmodule/bn/asm/armv8-mont.pl
@@ -64,12 +64,15 @@
$num="x5"; # size_t num);
$code.=<<___;
+#include <openssl/arm_arch.h>
+
.text
.globl bn_mul_mont
.type bn_mul_mont,%function
.align 5
bn_mul_mont:
+ AARCH64_SIGN_LINK_REGISTER
tst $num,#7
b.eq __bn_sqr8x_mont
tst $num,#3
@@ -267,6 +270,7 @@
mov x0,#1
ldp x23,x24,[x29,#48]
ldr x29,[sp],#64
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size bn_mul_mont,.-bn_mul_mont
___
@@ -284,6 +288,8 @@
.type __bn_sqr8x_mont,%function
.align 5
__bn_sqr8x_mont:
+ // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to
+ // only from bn_mul_mont which has already signed the return address.
cmp $ap,$bp
b.ne __bn_mul4x_mont
.Lsqr8x_mont:
@@ -1040,6 +1046,8 @@
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldr x29,[sp],#128
+ // x30 is popped earlier
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size __bn_sqr8x_mont,.-__bn_sqr8x_mont
___
@@ -1063,6 +1071,9 @@
.type __bn_mul4x_mont,%function
.align 5
__bn_mul4x_mont:
+ // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to
+ // only from bn_mul_mont or __bn_mul8x_mont which have already signed the
+ // return address.
stp x29,x30,[sp,#-128]!
add x29,sp,#0
stp x19,x20,[sp,#16]
@@ -1496,6 +1507,8 @@
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldr x29,[sp],#128
+ // x30 is popped earlier
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size __bn_mul4x_mont,.-__bn_mul4x_mont
___
diff --git a/crypto/fipsmodule/modes/asm/ghash-neon-armv8.pl b/crypto/fipsmodule/modes/asm/ghash-neon-armv8.pl
index e72d0dc..94f95c2 100644
--- a/crypto/fipsmodule/modes/asm/ghash-neon-armv8.pl
+++ b/crypto/fipsmodule/modes/asm/ghash-neon-armv8.pl
@@ -157,12 +157,15 @@
}
$code .= <<___;
+#include <openssl/arm_arch.h>
+
.text
.global gcm_init_neon
.type gcm_init_neon,%function
.align 4
gcm_init_neon:
+ AARCH64_VALID_CALL_TARGET
// This function is adapted from gcm_init_v8. xC2 is t3.
ld1 {$t1.2d}, [x1] // load H
movi $t3.16b, #0xe1
@@ -187,6 +190,7 @@
.type gcm_gmult_neon,%function
.align 4
gcm_gmult_neon:
+ AARCH64_VALID_CALL_TARGET
ld1 {$INlo.16b}, [$Xi] // load Xi
ld1 {$Hlo.1d}, [$Htbl], #8 // load twisted H
ld1 {$Hhi.1d}, [$Htbl]
@@ -205,6 +209,7 @@
.type gcm_ghash_neon,%function
.align 4
gcm_ghash_neon:
+ AARCH64_VALID_CALL_TARGET
ld1 {$Xl.16b}, [$Xi] // load Xi
ld1 {$Hlo.1d}, [$Htbl], #8 // load twisted H
ld1 {$Hhi.1d}, [$Htbl]
diff --git a/crypto/fipsmodule/modes/asm/ghashv8-armx.pl b/crypto/fipsmodule/modes/asm/ghashv8-armx.pl
index 99124a2..82f7637 100644
--- a/crypto/fipsmodule/modes/asm/ghashv8-armx.pl
+++ b/crypto/fipsmodule/modes/asm/ghashv8-armx.pl
@@ -86,6 +86,11 @@
.type gcm_init_v8,%function
.align 4
gcm_init_v8:
+___
+$code.=<<___ if ($flavour =~ /64/);
+ AARCH64_VALID_CALL_TARGET
+___
+$code.=<<___;
vld1.64 {$t1},[x1] @ load input H
vmov.i8 $xC2,#0xe1
vshl.i64 $xC2,$xC2,#57 @ 0xc2.0
@@ -145,6 +150,11 @@
.type gcm_gmult_v8,%function
.align 4
gcm_gmult_v8:
+___
+$code.=<<___ if ($flavour =~ /64/);
+ AARCH64_VALID_CALL_TARGET
+___
+$code.=<<___;
vld1.64 {$t1},[$Xi] @ load Xi
vmov.i8 $xC2,#0xe1
vld1.64 {$H-$Hhl},[$Htbl] @ load twisted H, ...
@@ -198,6 +208,9 @@
.align 4
gcm_ghash_v8:
___
+$code.=<<___ if ($flavour =~ /64/);
+ AARCH64_VALID_CALL_TARGET
+___
$code.=<<___ if ($flavour !~ /64/);
vstmdb sp!,{d8-d15} @ 32-bit ABI says so
___
diff --git a/crypto/fipsmodule/sha/asm/sha1-armv8.pl b/crypto/fipsmodule/sha/asm/sha1-armv8.pl
index 59d55b3..dfde8c9 100644
--- a/crypto/fipsmodule/sha/asm/sha1-armv8.pl
+++ b/crypto/fipsmodule/sha/asm/sha1-armv8.pl
@@ -180,6 +180,8 @@
.type sha1_block_data_order,%function
.align 6
sha1_block_data_order:
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ AARCH64_VALID_CALL_TARGET
#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10
adrp x16,:pg_hi21_nc:OPENSSL_armcap_P
#else
@@ -249,6 +251,8 @@
.type sha1_block_armv8,%function
.align 6
sha1_block_armv8:
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ AARCH64_VALID_CALL_TARGET
.Lv8_entry:
stp x29,x30,[sp,#-16]!
add x29,sp,#0
diff --git a/crypto/fipsmodule/sha/asm/sha512-armv8.pl b/crypto/fipsmodule/sha/asm/sha512-armv8.pl
index 1afaf58..aff41ce 100644
--- a/crypto/fipsmodule/sha/asm/sha512-armv8.pl
+++ b/crypto/fipsmodule/sha/asm/sha512-armv8.pl
@@ -185,6 +185,7 @@
$func:
___
$code.=<<___ if ($SZ==4);
+ AARCH64_VALID_CALL_TARGET
#ifndef __KERNEL__
#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10
adrp x16,:pg_hi21_nc:OPENSSL_armcap_P
@@ -197,6 +198,7 @@
#endif
___
$code.=<<___;
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-128]!
add x29,sp,#0
@@ -259,6 +261,7 @@
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldp x29,x30,[sp],#128
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size $func,.-$func
@@ -350,6 +353,7 @@
.align 6
sha256_block_armv8:
.Lv8_entry:
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
stp x29,x30,[sp,#-16]!
add x29,sp,#0
diff --git a/crypto/test/asm/trampoline-armv8.pl b/crypto/test/asm/trampoline-armv8.pl
index aefe5f7..426360e 100755
--- a/crypto/test/asm/trampoline-armv8.pl
+++ b/crypto/test/asm/trampoline-armv8.pl
@@ -45,6 +45,8 @@
my ($func, $state, $argv, $argc) = ("x0", "x1", "x2", "x3");
my $code = <<____;
+#include <openssl/arm_arch.h>
+
.text
// abi_test_trampoline loads callee-saved registers from |state|, calls |func|
@@ -57,6 +59,8 @@
.globl abi_test_trampoline
.align 4
abi_test_trampoline:
+.Labi_test_trampoline_begin:
+ AARCH64_SIGN_LINK_REGISTER
// Stack layout (low to high addresses)
// x29,x30 (16 bytes)
// d8-d15 (64 bytes)
@@ -159,6 +163,7 @@
ldp x27, x28, [sp, #144]
ldp x29, x30, [sp], #176
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size abi_test_trampoline,.-abi_test_trampoline
____
@@ -173,6 +178,7 @@
.globl abi_test_clobber_x$_
.align 4
abi_test_clobber_x$_:
+ AARCH64_VALID_CALL_TARGET
mov x$_, xzr
ret
.size abi_test_clobber_x$_,.-abi_test_clobber_x$_
@@ -184,6 +190,7 @@
.globl abi_test_clobber_d$_
.align 4
abi_test_clobber_d$_:
+ AARCH64_VALID_CALL_TARGET
fmov d$_, xzr
ret
.size abi_test_clobber_d$_,.-abi_test_clobber_d$_
@@ -198,6 +205,7 @@
.globl abi_test_clobber_v${_}_upper
.align 4
abi_test_clobber_v${_}_upper:
+ AARCH64_VALID_CALL_TARGET
fmov v${_}.d[1], xzr
ret
.size abi_test_clobber_v${_}_upper,.-abi_test_clobber_v${_}_upper
diff --git a/include/openssl/arm_arch.h b/include/openssl/arm_arch.h
index faa2655..1f16799 100644
--- a/include/openssl/arm_arch.h
+++ b/include/openssl/arm_arch.h
@@ -117,5 +117,57 @@
// ARMV8_PMULL indicates support for carryless multiplication.
#define ARMV8_PMULL (1 << 5)
+#if defined(__ASSEMBLER__)
+
+// Support macros for
+// - Armv8.3-A Pointer Authentication and
+// - Armv8.5-A Branch Target Identification
+// features which require emitting a .note.gnu.property section with the
+// appropriate architecture-dependent feature bits set.
+// Read more: "ELF for the Arm® 64-bit Architecture"
+
+#if (__ARM_FEATURE_BTI_DEFAULT == 1)
+#define GNU_PROPERTY_AARCH64_BTI (1 << 0) // Has Branch Target Identification
+#define AARCH64_VALID_CALL_TARGET hint #34 // BTI 'c'
+#else
+#define GNU_PROPERTY_AARCH64_BTI 0 // No Branch Target Identification
+#define AARCH64_VALID_CALL_TARGET
+#endif
+
+#if ((__ARM_FEATURE_PAC_DEFAULT & 1) == 1) // Signed with A-key
+#define GNU_PROPERTY_AARCH64_POINTER_AUTH \
+ (1 << 1) // Has Pointer Authentication
+#define AARCH64_SIGN_LINK_REGISTER hint #25 // PACIASP
+#define AARCH64_VALIDATE_LINK_REGISTER hint #29 // AUTIASP
+#elif ((__ARM_FEATURE_PAC_DEFAULT & 2) == 2) // Signed with B-key
+#define GNU_PROPERTY_AARCH64_POINTER_AUTH \
+ (1 << 1) // Has Pointer Authentication
+#define AARCH64_SIGN_LINK_REGISTER hint #27 // PACIBSP
+#define AARCH64_VALIDATE_LINK_REGISTER hint #31 // AUTIBSP
+#else
+#define GNU_PROPERTY_AARCH64_POINTER_AUTH 0 // No Pointer Authentication
+#if defined(__ARM_FEATURE_BTI_DEFAULT)
+#define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET
+#else
+#define AARCH64_SIGN_LINK_REGISTER
+#endif
+#define AARCH64_VALIDATE_LINK_REGISTER
+#endif
+
+#if (GNU_PROPERTY_AARCH64_POINTER_AUTH != 0) || (GNU_PROPERTY_AARCH64_BTI != 0)
+.pushsection note.gnu.property, "a";
+.balign 8;
+.long 4;
+.long 0x10;
+.long 0x5;
+.asciz "GNU";
+.long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */
+.long 4;
+.long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI);
+.long 0
+.popsection
+#endif
+
+#endif /* defined __ASSEMBLER__ */
#endif // OPENSSL_HEADER_ARM_ARCH_H
