summaryrefslogtreecommitdiff
path: root/Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch
diff options
context:
space:
mode:
authorCoprDistGit <infra@openeuler.org>2023-10-02 03:32:16 +0000
committerCoprDistGit <infra@openeuler.org>2023-10-02 03:32:16 +0000
commite879981f405f8810d1b0d9c1c77aea3e8be6a469 (patch)
tree8698c9791c9e77d3be587c5c7ad9d43dce7c6d30 /Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch
parent80d0cbc46bb935a925d434060b67c794844558d9 (diff)
automatic import of openssl3openeuler22.03_LTS_SP2openeuler22.03_LTSopeneuler20.03_LTS_SP1openeuler20.03
Diffstat (limited to 'Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch')
-rw-r--r--Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch1521
1 files changed, 1521 insertions, 0 deletions
diff --git a/Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch b/Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch
new file mode 100644
index 0000000..31852cb
--- /dev/null
+++ b/Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch
@@ -0,0 +1,1521 @@
+From 44b6e3d07ae5b09255710986e61035c862ec68aa Mon Sep 17 00:00:00 2001
+From: Russ Butler <russ.butler@arm.com>
+Date: Sat, 28 Aug 2021 13:57:09 -0500
+Subject: [PATCH 01/13] aarch64: support BTI and pointer authentication in
+ assembly
+
+This change adds optional support for
+- Armv8.3-A Pointer Authentication (PAuth) and
+- Armv8.5-A Branch Target Identification (BTI)
+features to the perl scripts.
+
+Both features can be enabled with additional compiler flags.
+Unless any of these are enabled explicitly there is no code change at
+all.
+
+The extensions are briefly described below. Please read the appropriate
+chapters of the Arm Architecture Reference Manual for the complete
+specification.
+
+Scope
+-----
+
+This change only affects generated assembly code.
+
+Armv8.3-A Pointer Authentication
+--------------------------------
+
+Pointer Authentication extension supports the authentication of the
+contents of registers before they are used for indirect branching
+or load.
+
+PAuth provides a probabilistic method to detect corruption of register
+values. PAuth signing instructions generate a Pointer Authentication
+Code (PAC) based on the value of a register, a seed and a key.
+The generated PAC is inserted into the original value in the register.
+A PAuth authentication instruction recomputes the PAC, and if it matches
+the PAC in the register, restores its original value. In case of a
+mismatch, an architecturally unmapped address is generated instead.
+
+With PAuth, mitigation against ROP (Return-oriented Programming) attacks
+can be implemented. This is achieved by signing the contents of the
+link-register (LR) before it is pushed to stack. Once LR is popped,
+it is authenticated. This way a stack corruption which overwrites the
+LR on the stack is detectable.
+
+The PAuth extension adds several new instructions, some of which are not
+recognized by older hardware. To support a single codebase for both pre
+Armv8.3-A targets and newer ones, only NOP-space instructions are added
+by this patch. These instructions are treated as NOPs on hardware
+which does not support Armv8.3-A. Furthermore, this patch only considers
+cases where LR is saved to the stack and then restored before branching
+to its content. There are cases in the code where LR is pushed to stack
+but it is not used later. We do not address these cases as they are not
+affected by PAuth.
+
+There are two keys available to sign an instruction address: A and B.
+PACIASP and PACIBSP only differ in the used keys: A and B, respectively.
+The keys are typically managed by the operating system.
+
+To enable generating code for PAuth compile with
+-mbranch-protection=<mode>:
+
+- standard or pac-ret: add PACIASP and AUTIASP, also enables BTI
+ (read below)
+- pac-ret+b-key: add PACIBSP and AUTIBSP
+
+Armv8.5-A Branch Target Identification
+--------------------------------------
+
+Branch Target Identification features some new instructions which
+protect the execution of instructions on guarded pages which are not
+intended branch targets.
+
+If Armv8.5-A is supported by the hardware, execution of an instruction
+changes the value of PSTATE.BTYPE field. If an indirect branch
+lands on a guarded page the target instruction must be one of the
+BTI <jc> flavors, or in case of a direct call or jump it can be any
+other instruction. If the target instruction is not compatible with the
+value of PSTATE.BTYPE a Branch Target Exception is generated.
+
+In short, indirect jumps are compatible with BTI <j> and <jc> while
+indirect calls are compatible with BTI <c> and <jc>. Please refer to the
+specification for the details.
+
+Armv8.3-A PACIASP and PACIBSP are implicit branch target
+identification instructions which are equivalent with BTI c or BTI jc
+depending on system register configuration.
+
+BTI is used to mitigate JOP (Jump-oriented Programming) attacks by
+limiting the set of instructions which can be jumped to.
+
+BTI requires active linker support to mark the pages with BTI-enabled
+code as guarded. For ELF64 files BTI compatibility is recorded in the
+.note.gnu.property section. For a shared object or static binary it is
+required that all linked units support BTI. This means that even a
+single assembly file without the required note section turns-off BTI
+for the whole binary or shared object.
+
+The new BTI instructions are treated as NOPs on hardware which does
+not support Armv8.5-A or on pages which are not guarded.
+
+To insert this new and optional instruction compile with
+-mbranch-protection=standard (also enables PAuth) or +bti.
+
+When targeting a guarded page from a non-guarded page, weaker
+compatibility restrictions apply to maintain compatibility between
+legacy and new code. For detailed rules please refer to the Arm ARM.
+
+Compiler support
+----------------
+
+Compiler support requires understanding '-mbranch-protection=<mode>'
+and emitting the appropriate feature macros (__ARM_FEATURE_BTI_DEFAULT
+and __ARM_FEATURE_PAC_DEFAULT). The current state is the following:
+
+-------------------------------------------------------
+| Compiler | -mbranch-protection | Feature macros |
++----------+---------------------+--------------------+
+| clang | 9.0.0 | 11.0.0 |
++----------+---------------------+--------------------+
+| gcc | 9 | expected in 10.1+ |
+-------------------------------------------------------
+
+Available Platforms
+------------------
+
+Arm Fast Model and QEMU support both extensions.
+
+https://developer.arm.com/tools-and-software/simulation-models/fast-models
+https://www.qemu.org/
+
+Implementation Notes
+--------------------
+
+This change adds BTI landing pads even to assembly functions which are
+likely to be directly called only. In these cases, landing pads might
+be superfluous depending on what code the linker generates.
+Code size and performance impact for these cases would be negligible.
+
+Interaction with C code
+-----------------------
+
+Pointer Authentication is a per-frame protection while Branch Target
+Identification can be turned on and off only for all code pages of a
+whole shared object or static binary. Because of these properties if
+C/C++ code is compiled without any of the above features but assembly
+files support any of them unconditionally there is no incompatibility
+between the two.
+
+Useful Links
+------------
+
+To fully understand the details of both PAuth and BTI it is advised to
+read the related chapters of the Arm Architecture Reference Manual
+(Arm ARM):
+https://developer.arm.com/documentation/ddi0487/latest/
+
+Additional materials:
+
+"Providing protection for complex software"
+https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software
+
+Arm Compiler Reference Guide Version 6.14: -mbranch-protection
+https://developer.arm.com/documentation/101754/0614/armclang-Reference/armclang-Command-line-Options/-mbranch-protection?lang=en
+
+Arm C Language Extensions (ACLE)
+https://developer.arm.com/docs/101028/latest
+
+Addional Notes
+--------------
+
+This patch is a copy of the work done by Tamas Petz in boringssl. It
+contains the changes from the following commits:
+
+aarch64: support BTI and pointer authentication in assembly
+ Change-Id: I4335f92e2ccc8e209c7d68a0a79f1acdf3aeb791
+ URL: https://boringssl-review.googlesource.com/c/boringssl/+/42084
+aarch64: Improve conditional compilation
+ Change-Id: I14902a64e5f403c2b6a117bc9f5fb1a4f4611ebf
+ URL: https://boringssl-review.googlesource.com/c/boringssl/+/43524
+aarch64: Fix name of gnu property note section
+ Change-Id: I6c432d1c852129e9c273f6469a8b60e3983671ec
+ URL: https://boringssl-review.googlesource.com/c/boringssl/+/44024
+
+Change-Id: I2d95ebc5e4aeb5610d3b226f9754ee80cf74a9af
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/16674)
+---
+ crypto/aes/asm/aesv8-armx.pl | 18 +++++++-
+ crypto/aes/asm/vpaes-armv8.pl | 39 ++++++++--------
+ crypto/aes/build.info | 1 +
+ crypto/arm64cpuid.pl | 10 +++++
+ crypto/arm_arch.h | 58 ++++++++++++++++++++++++
+ crypto/bn/asm/armv8-mont.pl | 19 +++++---
+ crypto/chacha/asm/chacha-armv8.pl | 18 ++++----
+ crypto/ec/asm/ecp_nistz256-armv8.pl | 64 ++++++++++++++++-----------
+ crypto/modes/asm/aes-gcm-armv8_64.pl | 6 +++
+ crypto/modes/asm/ghashv8-armx.pl | 11 +++++
+ crypto/poly1305/asm/poly1305-armv8.pl | 17 ++++++-
+ crypto/sha/asm/keccak1600-armv8.pl | 30 +++++++------
+ crypto/sha/asm/sha1-armv8.pl | 5 ++-
+ crypto/sha/asm/sha512-armv8.pl | 11 +++--
+ crypto/sha/build.info | 1 +
+ 15 files changed, 228 insertions(+), 80 deletions(-)
+
+diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
+index 6a7bf05d1b..ed5ae4207c 100755
+--- a/crypto/aes/asm/aesv8-armx.pl
++++ b/crypto/aes/asm/aesv8-armx.pl
+@@ -120,6 +120,8 @@ ${prefix}_set_encrypt_key:
+ .Lenc_key:
+ ___
+ $code.=<<___ if ($flavour =~ /64/);
++ AARCH64_VALID_CALL_TARGET
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+ ___
+@@ -295,7 +297,7 @@ $code.=<<___;
+ ${prefix}_set_decrypt_key:
+ ___
+ $code.=<<___ if ($flavour =~ /64/);
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+ ___
+@@ -339,7 +341,7 @@ $code.=<<___ if ($flavour !~ /64/);
+ ___
+ $code.=<<___ if ($flavour =~ /64/);
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ ___
+ $code.=<<___;
+@@ -359,6 +361,11 @@ $code.=<<___;
+ .type ${prefix}_${dir}crypt,%function
+ .align 5
+ ${prefix}_${dir}crypt:
++___
++$code.=<<___ if ($flavour =~ /64/);
++ AARCH64_VALID_CALL_TARGET
++___
++$code.=<<___;
+ ldr $rounds,[$key,#240]
+ vld1.32 {$rndkey0},[$key],#16
+ vld1.8 {$inout},[$inp]
+@@ -442,6 +449,7 @@ $code.=<<___;
+ ${prefix}_ecb_encrypt:
+ ___
+ $code.=<<___ if ($flavour =~ /64/);
++ AARCH64_VALID_CALL_TARGET
+ subs $len,$len,#16
+ // Original input data size bigger than 16, jump to big size processing.
+ b.ne .Lecb_big_size
+@@ -1236,6 +1244,8 @@ $code.=<<___;
+ ${prefix}_cbc_encrypt:
+ ___
+ $code.=<<___ if ($flavour =~ /64/);
++ AARCH64_VALID_CALL_TARGET
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+ ___
+@@ -1764,6 +1774,8 @@ $code.=<<___;
+ ${prefix}_ctr32_encrypt_blocks:
+ ___
+ $code.=<<___ if ($flavour =~ /64/);
++ AARCH64_VALID_CALL_TARGET
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+ ___
+@@ -2256,6 +2268,7 @@ $code.=<<___ if ($flavour =~ /64/);
+ ${prefix}_xts_encrypt:
+ ___
+ $code.=<<___ if ($flavour =~ /64/);
++ AARCH64_VALID_CALL_TARGET
+ cmp $len,#16
+ // Original input data size bigger than 16, jump to big size processing.
+ b.ne .Lxts_enc_big_size
+@@ -2930,6 +2943,7 @@ $code.=<<___ if ($flavour =~ /64/);
+ .type ${prefix}_xts_decrypt,%function
+ .align 5
+ ${prefix}_xts_decrypt:
++ AARCH64_VALID_CALL_TARGET
+ ___
+ $code.=<<___ if ($flavour =~ /64/);
+ cmp $len,#16
+diff --git a/crypto/aes/asm/vpaes-armv8.pl b/crypto/aes/asm/vpaes-armv8.pl
+index dcd5065e68..49988e9c2b 100755
+--- a/crypto/aes/asm/vpaes-armv8.pl
++++ b/crypto/aes/asm/vpaes-armv8.pl
+@@ -53,6 +53,8 @@ open OUT,"| \"$^X\" $xlate $flavour \"$output\""
+ *STDOUT=*OUT;
+
+ $code.=<<___;
++#include "arm_arch.h"
++
+ .text
+
+ .type _vpaes_consts,%object
+@@ -259,7 +261,7 @@ _vpaes_encrypt_core:
+ .type vpaes_encrypt,%function
+ .align 4
+ vpaes_encrypt:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -269,7 +271,7 @@ vpaes_encrypt:
+ st1 {v0.16b}, [$out]
+
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size vpaes_encrypt,.-vpaes_encrypt
+
+@@ -492,7 +494,7 @@ _vpaes_decrypt_core:
+ .type vpaes_decrypt,%function
+ .align 4
+ vpaes_decrypt:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -502,7 +504,7 @@ vpaes_decrypt:
+ st1 {v0.16b}, [$out]
+
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size vpaes_decrypt,.-vpaes_decrypt
+
+@@ -673,7 +675,7 @@ _vpaes_key_preheat:
+ .type _vpaes_schedule_core,%function
+ .align 4
+ _vpaes_schedule_core:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29, x30, [sp,#-16]!
+ add x29,sp,#0
+
+@@ -838,7 +840,7 @@ _vpaes_schedule_core:
+ eor v6.16b, v6.16b, v6.16b // vpxor %xmm6, %xmm6, %xmm6
+ eor v7.16b, v7.16b, v7.16b // vpxor %xmm7, %xmm7, %xmm7
+ ldp x29, x30, [sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size _vpaes_schedule_core,.-_vpaes_schedule_core
+
+@@ -1051,7 +1053,7 @@ _vpaes_schedule_mangle:
+ .type vpaes_set_encrypt_key,%function
+ .align 4
+ vpaes_set_encrypt_key:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+ stp d8,d9,[sp,#-16]! // ABI spec says so
+@@ -1067,7 +1069,7 @@ vpaes_set_encrypt_key:
+
+ ldp d8,d9,[sp],#16
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size vpaes_set_encrypt_key,.-vpaes_set_encrypt_key
+
+@@ -1075,7 +1077,7 @@ vpaes_set_encrypt_key:
+ .type vpaes_set_decrypt_key,%function
+ .align 4
+ vpaes_set_decrypt_key:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+ stp d8,d9,[sp,#-16]! // ABI spec says so
+@@ -1095,7 +1097,7 @@ vpaes_set_decrypt_key:
+
+ ldp d8,d9,[sp],#16
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size vpaes_set_decrypt_key,.-vpaes_set_decrypt_key
+ ___
+@@ -1108,11 +1110,11 @@ $code.=<<___;
+ .type vpaes_cbc_encrypt,%function
+ .align 4
+ vpaes_cbc_encrypt:
++ AARCH64_SIGN_LINK_REGISTER
+ cbz $len, .Lcbc_abort
+ cmp w5, #0 // check direction
+ b.eq vpaes_cbc_decrypt
+
+- .inst 0xd503233f // paciasp
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -1135,15 +1137,16 @@ vpaes_cbc_encrypt:
+ st1 {v0.16b}, [$ivec] // write ivec
+
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
+ .Lcbc_abort:
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt
+
+ .type vpaes_cbc_decrypt,%function
+ .align 4
+ vpaes_cbc_decrypt:
+- .inst 0xd503233f // paciasp
++ // Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to
++ // only from vpaes_cbc_encrypt which has already signed the return address.
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+ stp d8,d9,[sp,#-16]! // ABI spec says so
+@@ -1185,7 +1188,7 @@ vpaes_cbc_decrypt:
+ ldp d10,d11,[sp],#16
+ ldp d8,d9,[sp],#16
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size vpaes_cbc_decrypt,.-vpaes_cbc_decrypt
+ ___
+@@ -1195,7 +1198,7 @@ $code.=<<___;
+ .type vpaes_ecb_encrypt,%function
+ .align 4
+ vpaes_ecb_encrypt:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+ stp d8,d9,[sp,#-16]! // ABI spec says so
+@@ -1229,7 +1232,7 @@ vpaes_ecb_encrypt:
+ ldp d10,d11,[sp],#16
+ ldp d8,d9,[sp],#16
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size vpaes_ecb_encrypt,.-vpaes_ecb_encrypt
+
+@@ -1237,7 +1240,7 @@ vpaes_ecb_encrypt:
+ .type vpaes_ecb_decrypt,%function
+ .align 4
+ vpaes_ecb_decrypt:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+ stp d8,d9,[sp,#-16]! // ABI spec says so
+@@ -1271,7 +1274,7 @@ vpaes_ecb_decrypt:
+ ldp d10,d11,[sp],#16
+ ldp d8,d9,[sp],#16
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size vpaes_ecb_decrypt,.-vpaes_ecb_decrypt
+ ___
+diff --git a/crypto/aes/build.info b/crypto/aes/build.info
+index b250903fa6..47f99fdf33 100644
+--- a/crypto/aes/build.info
++++ b/crypto/aes/build.info
+@@ -116,6 +116,7 @@ INCLUDE[aes-mips.o]=..
+ GENERATE[aesv8-armx.S]=asm/aesv8-armx.pl
+ INCLUDE[aesv8-armx.o]=..
+ GENERATE[vpaes-armv8.S]=asm/vpaes-armv8.pl
++INCLUDE[vpaes-armv8.o]=..
+
+ GENERATE[aes-armv4.S]=asm/aes-armv4.pl
+ INCLUDE[aes-armv4.o]=..
+diff --git a/crypto/arm64cpuid.pl b/crypto/arm64cpuid.pl
+index ac76dd449f..11f0e50279 100755
+--- a/crypto/arm64cpuid.pl
++++ b/crypto/arm64cpuid.pl
+@@ -31,6 +31,7 @@ $code.=<<___;
+ .globl _armv7_neon_probe
+ .type _armv7_neon_probe,%function
+ _armv7_neon_probe:
++ AARCH64_VALID_CALL_TARGET
+ orr v15.16b, v15.16b, v15.16b
+ ret
+ .size _armv7_neon_probe,.-_armv7_neon_probe
+@@ -38,6 +39,7 @@ _armv7_neon_probe:
+ .globl _armv7_tick
+ .type _armv7_tick,%function
+ _armv7_tick:
++ AARCH64_VALID_CALL_TARGET
+ #ifdef __APPLE__
+ mrs x0, CNTPCT_EL0
+ #else
+@@ -49,6 +51,7 @@ _armv7_tick:
+ .globl _armv8_aes_probe
+ .type _armv8_aes_probe,%function
+ _armv8_aes_probe:
++ AARCH64_VALID_CALL_TARGET
+ aese v0.16b, v0.16b
+ ret
+ .size _armv8_aes_probe,.-_armv8_aes_probe
+@@ -56,6 +59,7 @@ _armv8_aes_probe:
+ .globl _armv8_sha1_probe
+ .type _armv8_sha1_probe,%function
+ _armv8_sha1_probe:
++ AARCH64_VALID_CALL_TARGET
+ sha1h s0, s0
+ ret
+ .size _armv8_sha1_probe,.-_armv8_sha1_probe
+@@ -63,6 +67,7 @@ _armv8_sha1_probe:
+ .globl _armv8_sha256_probe
+ .type _armv8_sha256_probe,%function
+ _armv8_sha256_probe:
++ AARCH64_VALID_CALL_TARGET
+ sha256su0 v0.4s, v0.4s
+ ret
+ .size _armv8_sha256_probe,.-_armv8_sha256_probe
+@@ -70,6 +75,7 @@ _armv8_sha256_probe:
+ .globl _armv8_pmull_probe
+ .type _armv8_pmull_probe,%function
+ _armv8_pmull_probe:
++ AARCH64_VALID_CALL_TARGET
+ pmull v0.1q, v0.1d, v0.1d
+ ret
+ .size _armv8_pmull_probe,.-_armv8_pmull_probe
+@@ -77,6 +83,7 @@ _armv8_pmull_probe:
+ .globl _armv8_sha512_probe
+ .type _armv8_sha512_probe,%function
+ _armv8_sha512_probe:
++ AARCH64_VALID_CALL_TARGET
+ .long 0xcec08000 // sha512su0 v0.2d,v0.2d
+ ret
+ .size _armv8_sha512_probe,.-_armv8_sha512_probe
+@@ -84,6 +91,7 @@ _armv8_sha512_probe:
+ .globl _armv8_cpuid_probe
+ .type _armv8_cpuid_probe,%function
+ _armv8_cpuid_probe:
++ AARCH64_VALID_CALL_TARGET
+ mrs x0, midr_el1
+ ret
+ .size _armv8_cpuid_probe,.-_armv8_cpuid_probe
+@@ -92,6 +100,7 @@ _armv8_cpuid_probe:
+ .type OPENSSL_cleanse,%function
+ .align 5
+ OPENSSL_cleanse:
++ AARCH64_VALID_CALL_TARGET
+ cbz x1,.Lret // len==0?
+ cmp x1,#15
+ b.hi .Lot // len>15
+@@ -123,6 +132,7 @@ OPENSSL_cleanse:
+ .type CRYPTO_memcmp,%function
+ .align 4
+ CRYPTO_memcmp:
++ AARCH64_VALID_CALL_TARGET
+ eor w3,w3,w3
+ cbz x2,.Lno_data // len==0?
+ cmp x2,#16
+diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h
+index 45d7e15564..a815a5c72b 100644
+--- a/crypto/arm_arch.h
++++ b/crypto/arm_arch.h
+@@ -126,4 +126,62 @@ extern unsigned int OPENSSL_armv8_rsa_neonized;
+
+ # define MIDR_IS_CPU_MODEL(midr, imp, partnum) \
+ (((midr) & MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum))
++
++#if defined(__ASSEMBLER__)
++
++ /*
++ * Support macros for
++ * - Armv8.3-A Pointer Authentication and
++ * - Armv8.5-A Branch Target Identification
++ * features which require emitting a .note.gnu.property section with the
++ * appropriate architecture-dependent feature bits set.
++ * Read more: "ELF for the ArmĀ® 64-bit Architecture"
++ */
++
++# if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
++# define GNU_PROPERTY_AARCH64_BTI (1 << 0) /* Has Branch Target Identification */
++# define AARCH64_VALID_CALL_TARGET hint #34 /* BTI 'c' */
++# else
++# define GNU_PROPERTY_AARCH64_BTI 0 /* No Branch Target Identification */
++# define AARCH64_VALID_CALL_TARGET
++# endif
++
++# if defined(__ARM_FEATURE_PAC_DEFAULT) && \
++ (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 /* Signed with A-key */
++# define GNU_PROPERTY_AARCH64_POINTER_AUTH \
++ (1 << 1) /* Has Pointer Authentication */
++# define AARCH64_SIGN_LINK_REGISTER hint #25 /* PACIASP */
++# define AARCH64_VALIDATE_LINK_REGISTER hint #29 /* AUTIASP */
++# elif defined(__ARM_FEATURE_PAC_DEFAULT) && \
++ (__ARM_FEATURE_PAC_DEFAULT & 2) == 2 /* Signed with B-key */
++# define GNU_PROPERTY_AARCH64_POINTER_AUTH \
++ (1 << 1) /* Has Pointer Authentication */
++# define AARCH64_SIGN_LINK_REGISTER hint #27 /* PACIBSP */
++# define AARCH64_VALIDATE_LINK_REGISTER hint #31 /* AUTIBSP */
++# else
++# define GNU_PROPERTY_AARCH64_POINTER_AUTH 0 /* No Pointer Authentication */
++# if GNU_PROPERTY_AARCH64_BTI != 0
++# define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET
++# else
++# define AARCH64_SIGN_LINK_REGISTER
++# endif
++# define AARCH64_VALIDATE_LINK_REGISTER
++# endif
++
++# if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0
++ .pushsection .note.gnu.property, "a";
++ .balign 8;
++ .long 4;
++ .long 0x10;
++ .long 0x5;
++ .asciz "GNU";
++ .long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */
++ .long 4;
++ .long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI);
++ .long 0;
++ .popsection;
++# endif
++
++# endif /* defined __ASSEMBLER__ */
++
+ #endif
+diff --git a/crypto/bn/asm/armv8-mont.pl b/crypto/bn/asm/armv8-mont.pl
+index 54d2e8245f..21ab12bdf0 100755
+--- a/crypto/bn/asm/armv8-mont.pl
++++ b/crypto/bn/asm/armv8-mont.pl
+@@ -67,8 +67,8 @@ $n0="x4"; # const BN_ULONG *n0,
+ $num="x5"; # int num);
+
+ $code.=<<___;
++#include "arm_arch.h"
+ #ifndef __KERNEL__
+-# include "arm_arch.h"
+ .extern OPENSSL_armv8_rsa_neonized
+ .hidden OPENSSL_armv8_rsa_neonized
+ #endif
+@@ -78,6 +78,7 @@ $code.=<<___;
+ .type bn_mul_mont,%function
+ .align 5
+ bn_mul_mont:
++ AARCH64_SIGN_LINK_REGISTER
+ .Lbn_mul_mont:
+ tst $num,#3
+ b.ne .Lmul_mont
+@@ -288,6 +289,7 @@ bn_mul_mont:
+ mov x0,#1
+ ldp x23,x24,[x29,#48]
+ ldr x29,[sp],#64
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size bn_mul_mont,.-bn_mul_mont
+ ___
+@@ -309,6 +311,8 @@ $code.=<<___;
+ .type bn_mul8x_mont_neon,%function
+ .align 5
+ bn_mul8x_mont_neon:
++ // Not adding AARCH64_SIGN_LINK_REGISTER here because bn_mul8x_mont_neon is jumped to
++ // only from bn_mul_mont which has already signed the return address.
+ stp x29,x30,[sp,#-80]!
+ mov x16,sp
+ stp d8,d9,[sp,#16]
+@@ -649,6 +653,7 @@ $code.=<<___;
+ ldp d10,d11,[sp,#32]
+ ldp d8,d9,[sp,#16]
+ ldr x29,[sp],#80
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret // bx lr
+
+ .size bn_mul8x_mont_neon,.-bn_mul8x_mont_neon
+@@ -671,7 +676,8 @@ __bn_sqr8x_mont:
+ cmp $ap,$bp
+ b.ne __bn_mul4x_mont
+ .Lsqr8x_mont:
+- .inst 0xd503233f // paciasp
++ // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to
++ // only from bn_mul_mont which has already signed the return address.
+ stp x29,x30,[sp,#-128]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -1425,7 +1431,8 @@ $code.=<<___;
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldr x29,[sp],#128
+- .inst 0xd50323bf // autiasp
++ // x30 is loaded earlier
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size __bn_sqr8x_mont,.-__bn_sqr8x_mont
+ ___
+@@ -1449,7 +1456,8 @@ $code.=<<___;
+ .type __bn_mul4x_mont,%function
+ .align 5
+ __bn_mul4x_mont:
+- .inst 0xd503233f // paciasp
++ // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to
++ // only from bn_mul_mont (or __bn_sqr8x_mont from bn_mul_mont) which has already signed the return address.
+ stp x29,x30,[sp,#-128]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -1883,7 +1891,8 @@ __bn_mul4x_mont:
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldr x29,[sp],#128
+- .inst 0xd50323bf // autiasp
++ // x30 loaded earlier
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size __bn_mul4x_mont,.-__bn_mul4x_mont
+ ___
+diff --git a/crypto/chacha/asm/chacha-armv8.pl b/crypto/chacha/asm/chacha-armv8.pl
+index dcdc4a04e3..e1a8b81594 100755
+--- a/crypto/chacha/asm/chacha-armv8.pl
++++ b/crypto/chacha/asm/chacha-armv8.pl
+@@ -132,8 +132,8 @@ my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
+ }
+
+ $code.=<<___;
++#include "arm_arch.h"
+ #ifndef __KERNEL__
+-# include "arm_arch.h"
+ .extern OPENSSL_armcap_P
+ .hidden OPENSSL_armcap_P
+ #endif
+@@ -153,6 +153,7 @@ $code.=<<___;
+ .type ChaCha20_ctr32,%function
+ .align 5
+ ChaCha20_ctr32:
++ AARCH64_SIGN_LINK_REGISTER
+ cbz $len,.Labort
+ cmp $len,#192
+ b.lo .Lshort
+@@ -165,7 +166,6 @@ ChaCha20_ctr32:
+ #endif
+
+ .Lshort:
+- .inst 0xd503233f // paciasp
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+
+@@ -285,8 +285,8 @@ $code.=<<___;
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#96
+- .inst 0xd50323bf // autiasp
+ .Labort:
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+ .align 4
+@@ -342,7 +342,7 @@ $code.=<<___;
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#96
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ChaCha20_ctr32,.-ChaCha20_ctr32
+ ___
+@@ -432,8 +432,8 @@ $code.=<<___;
+ .type ChaCha20_neon,%function
+ .align 5
+ ChaCha20_neon:
++ AARCH64_SIGN_LINK_REGISTER
+ .LChaCha20_neon:
+- .inst 0xd503233f // paciasp
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+
+@@ -667,7 +667,7 @@ $code.=<<___;
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#96
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+
+ .align 4
+@@ -799,7 +799,7 @@ $code.=<<___;
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#96
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ChaCha20_neon,.-ChaCha20_neon
+ ___
+@@ -844,7 +844,7 @@ $code.=<<___;
+ .type ChaCha20_512_neon,%function
+ .align 5
+ ChaCha20_512_neon:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+
+@@ -1268,7 +1268,7 @@ $code.=<<___;
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#96
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ChaCha20_512_neon,.-ChaCha20_512_neon
+ ___
+diff --git a/crypto/ec/asm/ecp_nistz256-armv8.pl b/crypto/ec/asm/ecp_nistz256-armv8.pl
+index 81ee3947d7..6c5d0e8b3c 100644
+--- a/crypto/ec/asm/ecp_nistz256-armv8.pl
++++ b/crypto/ec/asm/ecp_nistz256-armv8.pl
+@@ -122,7 +122,7 @@ $code.=<<___;
+ .type ecp_nistz256_to_mont,%function
+ .align 6
+ ecp_nistz256_to_mont:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -138,7 +138,7 @@ ecp_nistz256_to_mont:
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont
+
+@@ -147,7 +147,7 @@ ecp_nistz256_to_mont:
+ .type ecp_nistz256_from_mont,%function
+ .align 4
+ ecp_nistz256_from_mont:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -163,7 +163,7 @@ ecp_nistz256_from_mont:
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont
+
+@@ -173,7 +173,7 @@ ecp_nistz256_from_mont:
+ .type ecp_nistz256_mul_mont,%function
+ .align 4
+ ecp_nistz256_mul_mont:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -188,7 +188,7 @@ ecp_nistz256_mul_mont:
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
+
+@@ -197,7 +197,7 @@ ecp_nistz256_mul_mont:
+ .type ecp_nistz256_sqr_mont,%function
+ .align 4
+ ecp_nistz256_sqr_mont:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-32]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -211,7 +211,7 @@ ecp_nistz256_sqr_mont:
+
+ ldp x19,x20,[sp,#16]
+ ldp x29,x30,[sp],#32
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
+
+@@ -221,7 +221,7 @@ ecp_nistz256_sqr_mont:
+ .type ecp_nistz256_add,%function
+ .align 4
+ ecp_nistz256_add:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -235,7 +235,7 @@ ecp_nistz256_add:
+ bl __ecp_nistz256_add
+
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_add,.-ecp_nistz256_add
+
+@@ -244,7 +244,7 @@ ecp_nistz256_add:
+ .type ecp_nistz256_div_by_2,%function
+ .align 4
+ ecp_nistz256_div_by_2:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -256,7 +256,7 @@ ecp_nistz256_div_by_2:
+ bl __ecp_nistz256_div_by_2
+
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2
+
+@@ -265,7 +265,7 @@ ecp_nistz256_div_by_2:
+ .type ecp_nistz256_mul_by_2,%function
+ .align 4
+ ecp_nistz256_mul_by_2:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -281,7 +281,7 @@ ecp_nistz256_mul_by_2:
+ bl __ecp_nistz256_add // ret = a+a // 2*a
+
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2
+
+@@ -290,7 +290,7 @@ ecp_nistz256_mul_by_2:
+ .type ecp_nistz256_mul_by_3,%function
+ .align 4
+ ecp_nistz256_mul_by_3:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -317,7 +317,7 @@ ecp_nistz256_mul_by_3:
+ bl __ecp_nistz256_add // ret += a // 2*a+a=3*a
+
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3
+
+@@ -327,7 +327,7 @@ ecp_nistz256_mul_by_3:
+ .type ecp_nistz256_sub,%function
+ .align 4
+ ecp_nistz256_sub:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -339,7 +339,7 @@ ecp_nistz256_sub:
+ bl __ecp_nistz256_sub_from
+
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_sub,.-ecp_nistz256_sub
+
+@@ -348,7 +348,7 @@ ecp_nistz256_sub:
+ .type ecp_nistz256_neg,%function
+ .align 4
+ ecp_nistz256_neg:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -363,7 +363,7 @@ ecp_nistz256_neg:
+ bl __ecp_nistz256_sub_from
+
+ ldp x29,x30,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_neg,.-ecp_nistz256_neg
+
+@@ -724,7 +724,7 @@ $code.=<<___;
+ .type ecp_nistz256_point_double,%function
+ .align 5
+ ecp_nistz256_point_double:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -859,7 +859,7 @@ ecp_nistz256_point_double:
+ ldp x19,x20,[x29,#16]
+ ldp x21,x22,[x29,#32]
+ ldp x29,x30,[sp],#96
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_point_double,.-ecp_nistz256_point_double
+ ___
+@@ -882,7 +882,7 @@ $code.=<<___;
+ .type ecp_nistz256_point_add,%function
+ .align 5
+ ecp_nistz256_point_add:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -1117,7 +1117,7 @@ $code.=<<___;
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#96
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_point_add,.-ecp_nistz256_point_add
+ ___
+@@ -1139,7 +1139,7 @@ $code.=<<___;
+ .type ecp_nistz256_point_add_affine,%function
+ .align 5
+ ecp_nistz256_point_add_affine:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-80]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -1328,7 +1328,7 @@ $code.=<<___;
+ ldp x23,x24,[x29,#48]
+ ldp x25,x26,[x29,#64]
+ ldp x29,x30,[sp],#80
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine
+ ___
+@@ -1346,6 +1346,8 @@ $code.=<<___;
+ .type ecp_nistz256_ord_mul_mont,%function
+ .align 4
+ ecp_nistz256_ord_mul_mont:
++ AARCH64_VALID_CALL_TARGET
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-64]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -1487,6 +1489,8 @@ $code.=<<___;
+ .type ecp_nistz256_ord_sqr_mont,%function
+ .align 4
+ ecp_nistz256_ord_sqr_mont:
++ AARCH64_VALID_CALL_TARGET
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-64]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -1641,6 +1645,8 @@ $code.=<<___;
+ .type ecp_nistz256_scatter_w5,%function
+ .align 4
+ ecp_nistz256_scatter_w5:
++ AARCH64_VALID_CALL_TARGET
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -1703,6 +1709,8 @@ ecp_nistz256_scatter_w5:
+ .type ecp_nistz256_gather_w5,%function
+ .align 4
+ ecp_nistz256_gather_w5:
++ AARCH64_VALID_CALL_TARGET
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -1780,6 +1788,8 @@ ecp_nistz256_gather_w5:
+ .type ecp_nistz256_scatter_w7,%function
+ .align 4
+ ecp_nistz256_scatter_w7:
++ AARCH64_VALID_CALL_TARGET
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -1824,6 +1834,8 @@ ecp_nistz256_scatter_w7:
+ .type ecp_nistz256_gather_w7,%function
+ .align 4
+ ecp_nistz256_gather_w7:
++ AARCH64_VALID_CALL_TARGET
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+diff --git a/crypto/modes/asm/aes-gcm-armv8_64.pl b/crypto/modes/asm/aes-gcm-armv8_64.pl
+index 3b9d5b6511..ff5809ec22 100755
+--- a/crypto/modes/asm/aes-gcm-armv8_64.pl
++++ b/crypto/modes/asm/aes-gcm-armv8_64.pl
+@@ -256,6 +256,7 @@ $code.=<<___;
+ .type aes_gcm_enc_128_kernel,%function
+ .align 4
+ aes_gcm_enc_128_kernel:
++ AARCH64_VALID_CALL_TARGET
+ cbz x1, .L128_enc_ret
+ stp x19, x20, [sp, #-112]!
+ mov x16, x4
+@@ -1089,6 +1090,7 @@ $code.=<<___;
+ .type aes_gcm_dec_128_kernel,%function
+ .align 4
+ aes_gcm_dec_128_kernel:
++ AARCH64_VALID_CALL_TARGET
+ cbz x1, .L128_dec_ret
+ stp x19, x20, [sp, #-112]!
+ mov x16, x4
+@@ -1973,6 +1975,7 @@ $code.=<<___;
+ .type aes_gcm_enc_192_kernel,%function
+ .align 4
+ aes_gcm_enc_192_kernel:
++ AARCH64_VALID_CALL_TARGET
+ cbz x1, .L192_enc_ret
+ stp x19, x20, [sp, #-112]!
+ mov x16, x4
+@@ -2858,6 +2861,7 @@ $code.=<<___;
+ .type aes_gcm_dec_192_kernel,%function
+ .align 4
+ aes_gcm_dec_192_kernel:
++ AARCH64_VALID_CALL_TARGET
+ cbz x1, .L192_dec_ret
+ stp x19, x20, [sp, #-112]!
+ mov x16, x4
+@@ -3797,6 +3801,7 @@ $code.=<<___;
+ .type aes_gcm_enc_256_kernel,%function
+ .align 4
+ aes_gcm_enc_256_kernel:
++ AARCH64_VALID_CALL_TARGET
+ cbz x1, .L256_enc_ret
+ stp x19, x20, [sp, #-112]!
+ mov x16, x4
+@@ -4729,6 +4734,7 @@ $code.=<<___;
+ .type aes_gcm_dec_256_kernel,%function
+ .align 4
+ aes_gcm_dec_256_kernel:
++ AARCH64_VALID_CALL_TARGET
+ cbz x1, .L256_dec_ret
+ stp x19, x20, [sp, #-112]!
+ mov x16, x4
+diff --git a/crypto/modes/asm/ghashv8-armx.pl b/crypto/modes/asm/ghashv8-armx.pl
+index b1d35d25b5..57f893e77c 100644
+--- a/crypto/modes/asm/ghashv8-armx.pl
++++ b/crypto/modes/asm/ghashv8-armx.pl
+@@ -107,6 +107,11 @@ $code.=<<___;
+ .type gcm_init_v8,%function
+ .align 4
+ gcm_init_v8:
++___
++$code.=<<___ if ($flavour =~ /64/);
++ AARCH64_VALID_CALL_TARGET
++___
++$code.=<<___;
+ vld1.64 {$t1},[x1] @ load input H
+ vmov.i8 $xC2,#0xe1
+ vshl.i64 $xC2,$xC2,#57 @ 0xc2.0
+@@ -214,6 +219,11 @@ $code.=<<___;
+ .type gcm_gmult_v8,%function
+ .align 4
+ gcm_gmult_v8:
++___
++$code.=<<___ if ($flavour =~ /64/);
++ AARCH64_VALID_CALL_TARGET
++___
++$code.=<<___;
+ vld1.64 {$t1},[$Xi] @ load Xi
+ vmov.i8 $xC2,#0xe1
+ vld1.64 {$H-$Hhl},[$Htbl] @ load twisted H, ...
+@@ -268,6 +278,7 @@ $code.=<<___;
+ gcm_ghash_v8:
+ ___
+ $code.=<<___ if ($flavour =~ /64/);
++ AARCH64_VALID_CALL_TARGET
+ cmp $len,#64
+ b.hs .Lgcm_ghash_v8_4x
+ ___
+diff --git a/crypto/poly1305/asm/poly1305-armv8.pl b/crypto/poly1305/asm/poly1305-armv8.pl
+index 113a2151b6..20816c4283 100755
+--- a/crypto/poly1305/asm/poly1305-armv8.pl
++++ b/crypto/poly1305/asm/poly1305-armv8.pl
+@@ -72,6 +72,7 @@ $code.=<<___;
+ .type poly1305_init,%function
+ .align 5
+ poly1305_init:
++ AARCH64_VALID_CALL_TARGET
+ cmp $inp,xzr
+ stp xzr,xzr,[$ctx] // zero hash value
+ stp xzr,xzr,[$ctx,#16] // [along with is_base2_26]
+@@ -119,6 +120,9 @@ poly1305_init:
+ .align 5
+ poly1305_blocks:
+ .Lpoly1305_blocks:
++ // The symbol .Lpoly1305_blocks is not a .globl symbol
++ // but a pointer to it is returned by poly1305_init
++ AARCH64_VALID_CALL_TARGET
+ ands $len,$len,#-16
+ b.eq .Lno_data
+
+@@ -184,6 +188,9 @@ poly1305_blocks:
+ .align 5
+ poly1305_emit:
+ .Lpoly1305_emit:
++ // The symbol .poly1305_emit is not a .globl symbol
++ // but a pointer to it is returned by poly1305_init
++ AARCH64_VALID_CALL_TARGET
+ ldp $h0,$h1,[$ctx] // load hash base 2^64
+ ldr $h2,[$ctx,#16]
+ ldp $t0,$t1,[$nonce] // load nonce
+@@ -291,13 +298,16 @@ poly1305_splat:
+ .align 5
+ poly1305_blocks_neon:
+ .Lpoly1305_blocks_neon:
++ // The symbol .Lpoly1305_blocks_neon is not a .globl symbol
++ // but a pointer to it is returned by poly1305_init
++ AARCH64_VALID_CALL_TARGET
+ ldr $is_base2_26,[$ctx,#24]
+ cmp $len,#128
+ b.hs .Lblocks_neon
+ cbz $is_base2_26,.Lpoly1305_blocks
+
+ .Lblocks_neon:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-80]!
+ add x29,sp,#0
+
+@@ -867,7 +877,7 @@ poly1305_blocks_neon:
+
+ .Lno_data_neon:
+ ldr x29,[sp],#80
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size poly1305_blocks_neon,.-poly1305_blocks_neon
+
+@@ -875,6 +885,9 @@ poly1305_blocks_neon:
+ .align 5
+ poly1305_emit_neon:
+ .Lpoly1305_emit_neon:
++ // The symbol .Lpoly1305_emit_neon is not a .globl symbol
++ // but a pointer to it is returned by poly1305_init
++ AARCH64_VALID_CALL_TARGET
+ ldr $is_base2_26,[$ctx,#24]
+ cbz $is_base2_26,poly1305_emit
+
+diff --git a/crypto/sha/asm/keccak1600-armv8.pl b/crypto/sha/asm/keccak1600-armv8.pl
+index 65102e7c29..cf54b62c63 100755
+--- a/crypto/sha/asm/keccak1600-armv8.pl
++++ b/crypto/sha/asm/keccak1600-armv8.pl
+@@ -80,6 +80,8 @@ my @rhotates = ([ 0, 1, 62, 28, 27 ],
+ [ 18, 2, 61, 56, 14 ]);
+
+ $code.=<<___;
++#include "arm_arch.h"
++
+ .text
+
+ .align 8 // strategic alignment and padding that allows to use
+@@ -125,7 +127,7 @@ $code.=<<___;
+ .align 5
+ KeccakF1600_int:
+ adr $C[2],iotas
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp $C[2],x30,[sp,#16] // 32 bytes on top are mine
+ b .Loop
+ .align 4
+@@ -297,14 +299,14 @@ $code.=<<___;
+ bne .Loop
+
+ ldr x30,[sp,#24]
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size KeccakF1600_int,.-KeccakF1600_int
+
+ .type KeccakF1600,%function
+ .align 5
+ KeccakF1600:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-128]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -354,7 +356,7 @@ KeccakF1600:
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#128
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size KeccakF1600,.-KeccakF1600
+
+@@ -362,7 +364,7 @@ KeccakF1600:
+ .type SHA3_absorb,%function
+ .align 5
+ SHA3_absorb:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-128]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -460,7 +462,7 @@ $code.=<<___;
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#128
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size SHA3_absorb,.-SHA3_absorb
+ ___
+@@ -471,7 +473,7 @@ $code.=<<___;
+ .type SHA3_squeeze,%function
+ .align 5
+ SHA3_squeeze:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-48]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -534,7 +536,7 @@ SHA3_squeeze:
+ ldp x19,x20,[sp,#16]
+ ldp x21,x22,[sp,#32]
+ ldp x29,x30,[sp],#48
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size SHA3_squeeze,.-SHA3_squeeze
+ ___
+@@ -653,7 +655,7 @@ KeccakF1600_ce:
+ .type KeccakF1600_cext,%function
+ .align 5
+ KeccakF1600_cext:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-80]!
+ add x29,sp,#0
+ stp d8,d9,[sp,#16] // per ABI requirement
+@@ -686,7 +688,7 @@ $code.=<<___;
+ ldp d12,d13,[sp,#48]
+ ldp d14,d15,[sp,#64]
+ ldr x29,[sp],#80
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size KeccakF1600_cext,.-KeccakF1600_cext
+ ___
+@@ -699,7 +701,7 @@ $code.=<<___;
+ .type SHA3_absorb_cext,%function
+ .align 5
+ SHA3_absorb_cext:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-80]!
+ add x29,sp,#0
+ stp d8,d9,[sp,#16] // per ABI requirement
+@@ -771,7 +773,7 @@ $code.=<<___;
+ ldp d12,d13,[sp,#48]
+ ldp d14,d15,[sp,#64]
+ ldp x29,x30,[sp],#80
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size SHA3_absorb_cext,.-SHA3_absorb_cext
+ ___
+@@ -783,7 +785,7 @@ $code.=<<___;
+ .type SHA3_squeeze_cext,%function
+ .align 5
+ SHA3_squeeze_cext:
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+ mov x9,$ctx
+@@ -839,7 +841,7 @@ SHA3_squeeze_cext:
+
+ .Lsqueeze_done_ce:
+ ldr x29,[sp],#16
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size SHA3_squeeze_cext,.-SHA3_squeeze_cext
+ ___
+diff --git a/crypto/sha/asm/sha1-armv8.pl b/crypto/sha/asm/sha1-armv8.pl
+index cdea8845af..5f23a20c1a 100644
+--- a/crypto/sha/asm/sha1-armv8.pl
++++ b/crypto/sha/asm/sha1-armv8.pl
+@@ -175,8 +175,8 @@ ___
+ }
+
+ $code.=<<___;
++#include "arm_arch.h"
+ #ifndef __KERNEL__
+-# include "arm_arch.h"
+ .extern OPENSSL_armcap_P
+ .hidden OPENSSL_armcap_P
+ #endif
+@@ -187,11 +187,13 @@ $code.=<<___;
+ .type sha1_block_data_order,%function
+ .align 6
+ sha1_block_data_order:
++ AARCH64_VALID_CALL_TARGET
+ adrp x16,OPENSSL_armcap_P
+ ldr w16,[x16,#:lo12:OPENSSL_armcap_P]
+ tst w16,#ARMV8_SHA1
+ b.ne .Lv8_entry
+
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+ stp x19,x20,[sp,#16]
+@@ -253,6 +255,7 @@ $code.=<<___;
+ .align 6
+ sha1_block_armv8:
+ .Lv8_entry:
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+diff --git a/crypto/sha/asm/sha512-armv8.pl b/crypto/sha/asm/sha512-armv8.pl
+index 6bcff0b7d3..f900882fee 100644
+--- a/crypto/sha/asm/sha512-armv8.pl
++++ b/crypto/sha/asm/sha512-armv8.pl
+@@ -190,8 +190,8 @@ ___
+ }
+
+ $code.=<<___;
++#include "arm_arch.h"
+ #ifndef __KERNEL__
+-# include "arm_arch.h"
+ .extern OPENSSL_armcap_P
+ .hidden OPENSSL_armcap_P
+ #endif
+@@ -202,6 +202,7 @@ $code.=<<___;
+ .type $func,%function
+ .align 6
+ $func:
++ AARCH64_VALID_CALL_TARGET
+ #ifndef __KERNEL__
+ adrp x16,OPENSSL_armcap_P
+ ldr w16,[x16,#:lo12:OPENSSL_armcap_P]
+@@ -218,7 +219,7 @@ $code.=<<___ if ($SZ==8);
+ ___
+ $code.=<<___;
+ #endif
+- .inst 0xd503233f // paciasp
++ AARCH64_SIGN_LINK_REGISTER
+ stp x29,x30,[sp,#-128]!
+ add x29,sp,#0
+
+@@ -280,7 +281,7 @@ $code.=<<___;
+ ldp x25,x26,[x29,#64]
+ ldp x27,x28,[x29,#80]
+ ldp x29,x30,[sp],#128
+- .inst 0xd50323bf // autiasp
++ AARCH64_VALIDATE_LINK_REGISTER
+ ret
+ .size $func,.-$func
+
+@@ -370,6 +371,7 @@ $code.=<<___;
+ .align 6
+ sha256_block_armv8:
+ .Lv8_entry:
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+@@ -632,7 +634,9 @@ $code.=<<___;
+ .type sha256_block_neon,%function
+ .align 4
+ sha256_block_neon:
++ AARCH64_VALID_CALL_TARGET
+ .Lneon_entry:
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+ sub sp,sp,#16*4
+@@ -743,6 +747,7 @@ $code.=<<___;
+ .align 6
+ sha512_block_armv8:
+ .Lv8_entry:
++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later
+ stp x29,x30,[sp,#-16]!
+ add x29,sp,#0
+
+diff --git a/crypto/sha/build.info b/crypto/sha/build.info
+index d61f7de9b6..556a658d8b 100644
+--- a/crypto/sha/build.info
++++ b/crypto/sha/build.info
+@@ -153,6 +153,7 @@ INCLUDE[sha256-armv8.o]=..
+ GENERATE[sha512-armv8.S]=asm/sha512-armv8.pl
+ INCLUDE[sha512-armv8.o]=..
+ GENERATE[keccak1600-armv8.S]=asm/keccak1600-armv8.pl
++INCLUDE[keccak1600-armv8.o]=..
+
+ GENERATE[sha1-s390x.S]=asm/sha1-s390x.pl
+ INCLUDE[sha1-s390x.o]=..
+--
+2.37.3.windows.1
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-26 09:29:26 +0000