CVSROOT:        /cvs
Module name:    ports
Changes by:     [email protected]   2023/06/12 04:06:30

Modified files:
        infrastructure/mk: bsd.port.mk 
        databases/sqlports: Makefile 
        databases/sqlports/files: Info.pm 

Log message:
Support USE_NOBTCFI in ports to add -z nobtcfi to linker command lines and
record this information in the sqlports db.  ok kn@ tb@

OpenBSD is starting to support branch target identification on amd64 and
arm64 (part of the features on Apple m2, and on Intel 11th gen/newer CPUs
with "control-flow enhancement technology").

On amd64 it is currently being enabled/disabled in snapshot kernels at
various times while we gain more information about which software in
ports is working/not.

This works by placing certain opcodes at legitimate targets of branch
instructions (which are ignored on earlier CPUs as they are NOPs there)
and trapping if an indirect call/jump is attempted to a location which
does not contain such an opcode. This makes it harder for an attacker
to jump to a location containing code of their choosing.

For more details on the Intel implementation see chapter 17 of SDM vol. 1
https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html

Our system compilers on amd64/arm64 add the required opcodes at valid
targets, but some code in ports is built with a compiler which does not
do that, and some ports have asm code which has not had the required
instructions added at those points yet (i.e. endbr64 on amd64).
In those cases, the whole binary can be annotated with a segment type
PT_OPENBSD_NOBTCFI as an indicator to the kernel not to enforce branch
target control flow integrity for the produced binary.

The relevant compiler options to enable (default on OpenBSD)/disable are:

amd64: -fcf-protection=branch, -fcf-protection=none
arm64: -mbranch-protection=bti, -mbranch-protection=none

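As an added example, not part of this commit or of bsd.port.mk: a small C checker that walks an ELF64 program header table and reports whether a binary carries the PT_OPENBSD_NOBTCFI segment described above, which is what an auditor would run over a package's binaries to see which ones have opted out of BTCFI enforcement. The type value 0x65a3dbe8 is OpenBSD's (exec_elf.h); the sample image is constructed in memory and is not a real binary.

```c
#include <stdint.h>
#include <string.h>
#define PT_LOAD            1u
#define PT_OPENBSD_NOBTCFI 0x65a3dbe8u   /* value from OpenBSD's exec_elf.h */

/* Return 1 if the ELF64 image carries a PT_OPENBSD_NOBTCFI program header
 * (the kernel will not enforce BTCFI), 0 if it does not, -1 if the buffer is
 * not a well-formed ELF64 image. Little-endian host and image are assumed. */
static int elf64_has_nobtcfi(const uint8_t *img, size_t len)
{
    uint64_t phoff; uint16_t phentsize, phnum;
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
        return -1;                            /* magic, ELFCLASS64, ELFDATA2LSB */
    memcpy(&phoff, img + 32, 8);              /* e_phoff */
    memcpy(&phentsize, img + 54, 2);          /* e_phentsize */
    memcpy(&phnum, img + 56, 2);              /* e_phnum */
    if (phentsize < 56 || phoff > len || (uint64_t)phnum * phentsize > len - phoff)
        return -1;                            /* phdr table out of bounds */
    for (uint16_t i = 0; i < phnum; i++) {
        uint32_t p_type;
        memcpy(&p_type, img + phoff + (size_t)i * phentsize, 4);
        if (p_type == PT_OPENBSD_NOBTCFI)
            return 1;
    }
    return 0;
}

/* Constructed sample image (not a real binary): ELF64 header followed by two
 * program headers, the second marked PT_OPENBSD_NOBTCFI when requested. */
static size_t build_image(uint8_t *buf, int mark_nobtcfi)
{
    const uint64_t phoff = 64; const uint16_t phentsize = 56, phnum = 2;
    uint32_t types[2] = { PT_LOAD, mark_nobtcfi ? PT_OPENBSD_NOBTCFI : PT_LOAD };
    memset(buf, 0, 64 + 2 * 56);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1;                   /* ELFCLASS64, ELFDATA2LSB */
    memcpy(buf + 32, &phoff, 8);
    memcpy(buf + 54, &phentsize, 2);
    memcpy(buf + 56, &phnum, 2);
    memcpy(buf + 64, &types[0], 4);           /* phdr[0].p_type */
    memcpy(buf + 120, &types[1], 4);          /* phdr[1].p_type */
    return 64 + 2 * 56;
}

/* Build a sample image with or without the marker and classify it. */
static int check_constructed(int mark_nobtcfi)
{
    uint8_t buf[64 + 2 * 56];
    return elf64_has_nobtcfi(buf, build_image(buf, mark_nobtcfi));
}
```

To run it over real files, read each binary into a buffer and pass it to elf64_has_nobtcfi; a result of 1 means the kernel will skip BTCFI enforcement for that binary.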