diff options
Diffstat (limited to 'Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch')
| -rw-r--r-- | Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch | 1521 |
1 files changed, 1521 insertions, 0 deletions
diff --git a/Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch b/Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch new file mode 100644 index 0000000..31852cb --- /dev/null +++ b/Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch @@ -0,0 +1,1521 @@ +From 44b6e3d07ae5b09255710986e61035c862ec68aa Mon Sep 17 00:00:00 2001 +From: Russ Butler <russ.butler@arm.com> +Date: Sat, 28 Aug 2021 13:57:09 -0500 +Subject: [PATCH 01/13] aarch64: support BTI and pointer authentication in + assembly + +This change adds optional support for +- Armv8.3-A Pointer Authentication (PAuth) and +- Armv8.5-A Branch Target Identification (BTI) +features to the perl scripts. + +Both features can be enabled with additional compiler flags. +Unless any of these are enabled explicitly there is no code change at +all. + +The extensions are briefly described below. Please read the appropriate +chapters of the Arm Architecture Reference Manual for the complete +specification. + +Scope +----- + +This change only affects generated assembly code. + +Armv8.3-A Pointer Authentication +-------------------------------- + +Pointer Authentication extension supports the authentication of the +contents of registers before they are used for indirect branching +or load. + +PAuth provides a probabilistic method to detect corruption of register +values. PAuth signing instructions generate a Pointer Authentication +Code (PAC) based on the value of a register, a seed and a key. +The generated PAC is inserted into the original value in the register. +A PAuth authentication instruction recomputes the PAC, and if it matches +the PAC in the register, restores its original value. In case of a +mismatch, an architecturally unmapped address is generated instead. + +With PAuth, mitigation against ROP (Return-oriented Programming) attacks +can be implemented. This is achieved by signing the contents of the +link-register (LR) before it is pushed to stack. Once LR is popped, +it is authenticated. This way a stack corruption which overwrites the +LR on the stack is detectable. + +The PAuth extension adds several new instructions, some of which are not +recognized by older hardware. To support a single codebase for both pre +Armv8.3-A targets and newer ones, only NOP-space instructions are added +by this patch. These instructions are treated as NOPs on hardware +which does not support Armv8.3-A. Furthermore, this patch only considers +cases where LR is saved to the stack and then restored before branching +to its content. There are cases in the code where LR is pushed to stack +but it is not used later. We do not address these cases as they are not +affected by PAuth. + +There are two keys available to sign an instruction address: A and B. +PACIASP and PACIBSP only differ in the used keys: A and B, respectively. +The keys are typically managed by the operating system. + +To enable generating code for PAuth compile with +-mbranch-protection=<mode>: + +- standard or pac-ret: add PACIASP and AUTIASP, also enables BTI + (read below) +- pac-ret+b-key: add PACIBSP and AUTIBSP + +Armv8.5-A Branch Target Identification +-------------------------------------- + +Branch Target Identification features some new instructions which +protect the execution of instructions on guarded pages which are not +intended branch targets. + +If Armv8.5-A is supported by the hardware, execution of an instruction +changes the value of PSTATE.BTYPE field. If an indirect branch +lands on a guarded page the target instruction must be one of the +BTI <jc> flavors, or in case of a direct call or jump it can be any +other instruction. If the target instruction is not compatible with the +value of PSTATE.BTYPE a Branch Target Exception is generated. + +In short, indirect jumps are compatible with BTI <j> and <jc> while +indirect calls are compatible with BTI <c> and <jc>. Please refer to the +specification for the details. + +Armv8.3-A PACIASP and PACIBSP are implicit branch target +identification instructions which are equivalent with BTI c or BTI jc +depending on system register configuration. + +BTI is used to mitigate JOP (Jump-oriented Programming) attacks by +limiting the set of instructions which can be jumped to. + +BTI requires active linker support to mark the pages with BTI-enabled +code as guarded. For ELF64 files BTI compatibility is recorded in the +.note.gnu.property section. For a shared object or static binary it is +required that all linked units support BTI. This means that even a +single assembly file without the required note section turns-off BTI +for the whole binary or shared object. + +The new BTI instructions are treated as NOPs on hardware which does +not support Armv8.5-A or on pages which are not guarded. + +To insert this new and optional instruction compile with +-mbranch-protection=standard (also enables PAuth) or +bti. + +When targeting a guarded page from a non-guarded page, weaker +compatibility restrictions apply to maintain compatibility between +legacy and new code. For detailed rules please refer to the Arm ARM. + +Compiler support +---------------- + +Compiler support requires understanding '-mbranch-protection=<mode>' +and emitting the appropriate feature macros (__ARM_FEATURE_BTI_DEFAULT +and __ARM_FEATURE_PAC_DEFAULT). The current state is the following: + +------------------------------------------------------- +| Compiler | -mbranch-protection | Feature macros | ++----------+---------------------+--------------------+ +| clang | 9.0.0 | 11.0.0 | ++----------+---------------------+--------------------+ +| gcc | 9 | expected in 10.1+ | +------------------------------------------------------- + +Available Platforms +------------------ + +Arm Fast Model and QEMU support both extensions. + +https://developer.arm.com/tools-and-software/simulation-models/fast-models +https://www.qemu.org/ + +Implementation Notes +-------------------- + +This change adds BTI landing pads even to assembly functions which are +likely to be directly called only. In these cases, landing pads might +be superfluous depending on what code the linker generates. +Code size and performance impact for these cases would be negligible. + +Interaction with C code +----------------------- + +Pointer Authentication is a per-frame protection while Branch Target +Identification can be turned on and off only for all code pages of a +whole shared object or static binary. Because of these properties if +C/C++ code is compiled without any of the above features but assembly +files support any of them unconditionally there is no incompatibility +between the two. + +Useful Links +------------ + +To fully understand the details of both PAuth and BTI it is advised to +read the related chapters of the Arm Architecture Reference Manual +(Arm ARM): +https://developer.arm.com/documentation/ddi0487/latest/ + +Additional materials: + +"Providing protection for complex software" +https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software + +Arm Compiler Reference Guide Version 6.14: -mbranch-protection +https://developer.arm.com/documentation/101754/0614/armclang-Reference/armclang-Command-line-Options/-mbranch-protection?lang=en + +Arm C Language Extensions (ACLE) +https://developer.arm.com/docs/101028/latest + +Addional Notes +-------------- + +This patch is a copy of the work done by Tamas Petz in boringssl. It +contains the changes from the following commits: + +aarch64: support BTI and pointer authentication in assembly + Change-Id: I4335f92e2ccc8e209c7d68a0a79f1acdf3aeb791 + URL: https://boringssl-review.googlesource.com/c/boringssl/+/42084 +aarch64: Improve conditional compilation + Change-Id: I14902a64e5f403c2b6a117bc9f5fb1a4f4611ebf + URL: https://boringssl-review.googlesource.com/c/boringssl/+/43524 +aarch64: Fix name of gnu property note section + Change-Id: I6c432d1c852129e9c273f6469a8b60e3983671ec + URL: https://boringssl-review.googlesource.com/c/boringssl/+/44024 + +Change-Id: I2d95ebc5e4aeb5610d3b226f9754ee80cf74a9af + +Reviewed-by: Paul Dale <pauli@openssl.org> +Reviewed-by: Tomas Mraz <tomas@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/16674) +--- + crypto/aes/asm/aesv8-armx.pl | 18 +++++++- + crypto/aes/asm/vpaes-armv8.pl | 39 ++++++++-------- + crypto/aes/build.info | 1 + + crypto/arm64cpuid.pl | 10 +++++ + crypto/arm_arch.h | 58 ++++++++++++++++++++++++ + crypto/bn/asm/armv8-mont.pl | 19 +++++--- + crypto/chacha/asm/chacha-armv8.pl | 18 ++++---- + crypto/ec/asm/ecp_nistz256-armv8.pl | 64 ++++++++++++++++----------- + crypto/modes/asm/aes-gcm-armv8_64.pl | 6 +++ + crypto/modes/asm/ghashv8-armx.pl | 11 +++++ + crypto/poly1305/asm/poly1305-armv8.pl | 17 ++++++- + crypto/sha/asm/keccak1600-armv8.pl | 30 +++++++------ + crypto/sha/asm/sha1-armv8.pl | 5 ++- + crypto/sha/asm/sha512-armv8.pl | 11 +++-- + crypto/sha/build.info | 1 + + 15 files changed, 228 insertions(+), 80 deletions(-) + +diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl +index 6a7bf05d1b..ed5ae4207c 100755 +--- a/crypto/aes/asm/aesv8-armx.pl ++++ b/crypto/aes/asm/aesv8-armx.pl +@@ -120,6 +120,8 @@ ${prefix}_set_encrypt_key: + .Lenc_key: + ___ + $code.=<<___ if ($flavour =~ /64/); ++ AARCH64_VALID_CALL_TARGET ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + ___ +@@ -295,7 +297,7 @@ $code.=<<___; + ${prefix}_set_decrypt_key: + ___ + $code.=<<___ if ($flavour =~ /64/); +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + ___ +@@ -339,7 +341,7 @@ $code.=<<___ if ($flavour !~ /64/); + ___ + $code.=<<___ if ($flavour =~ /64/); + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + ___ + $code.=<<___; +@@ -359,6 +361,11 @@ $code.=<<___; + .type ${prefix}_${dir}crypt,%function + .align 5 + ${prefix}_${dir}crypt: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ AARCH64_VALID_CALL_TARGET ++___ ++$code.=<<___; + ldr $rounds,[$key,#240] + vld1.32 {$rndkey0},[$key],#16 + vld1.8 {$inout},[$inp] +@@ -442,6 +449,7 @@ $code.=<<___; + ${prefix}_ecb_encrypt: + ___ + $code.=<<___ if ($flavour =~ /64/); ++ AARCH64_VALID_CALL_TARGET + subs $len,$len,#16 + // Original input data size bigger than 16, jump to big size processing. + b.ne .Lecb_big_size +@@ -1236,6 +1244,8 @@ $code.=<<___; + ${prefix}_cbc_encrypt: + ___ + $code.=<<___ if ($flavour =~ /64/); ++ AARCH64_VALID_CALL_TARGET ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + ___ +@@ -1764,6 +1774,8 @@ $code.=<<___; + ${prefix}_ctr32_encrypt_blocks: + ___ + $code.=<<___ if ($flavour =~ /64/); ++ AARCH64_VALID_CALL_TARGET ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + ___ +@@ -2256,6 +2268,7 @@ $code.=<<___ if ($flavour =~ /64/); + ${prefix}_xts_encrypt: + ___ + $code.=<<___ if ($flavour =~ /64/); ++ AARCH64_VALID_CALL_TARGET + cmp $len,#16 + // Original input data size bigger than 16, jump to big size processing. + b.ne .Lxts_enc_big_size +@@ -2930,6 +2943,7 @@ $code.=<<___ if ($flavour =~ /64/); + .type ${prefix}_xts_decrypt,%function + .align 5 + ${prefix}_xts_decrypt: ++ AARCH64_VALID_CALL_TARGET + ___ + $code.=<<___ if ($flavour =~ /64/); + cmp $len,#16 +diff --git a/crypto/aes/asm/vpaes-armv8.pl b/crypto/aes/asm/vpaes-armv8.pl +index dcd5065e68..49988e9c2b 100755 +--- a/crypto/aes/asm/vpaes-armv8.pl ++++ b/crypto/aes/asm/vpaes-armv8.pl +@@ -53,6 +53,8 @@ open OUT,"| \"$^X\" $xlate $flavour \"$output\"" + *STDOUT=*OUT; + + $code.=<<___; ++#include "arm_arch.h" ++ + .text + + .type _vpaes_consts,%object +@@ -259,7 +261,7 @@ _vpaes_encrypt_core: + .type vpaes_encrypt,%function + .align 4 + vpaes_encrypt: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -269,7 +271,7 @@ vpaes_encrypt: + st1 {v0.16b}, [$out] + + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size vpaes_encrypt,.-vpaes_encrypt + +@@ -492,7 +494,7 @@ _vpaes_decrypt_core: + .type vpaes_decrypt,%function + .align 4 + vpaes_decrypt: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -502,7 +504,7 @@ vpaes_decrypt: + st1 {v0.16b}, [$out] + + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size vpaes_decrypt,.-vpaes_decrypt + +@@ -673,7 +675,7 @@ _vpaes_key_preheat: + .type _vpaes_schedule_core,%function + .align 4 + _vpaes_schedule_core: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29, x30, [sp,#-16]! + add x29,sp,#0 + +@@ -838,7 +840,7 @@ _vpaes_schedule_core: + eor v6.16b, v6.16b, v6.16b // vpxor %xmm6, %xmm6, %xmm6 + eor v7.16b, v7.16b, v7.16b // vpxor %xmm7, %xmm7, %xmm7 + ldp x29, x30, [sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size _vpaes_schedule_core,.-_vpaes_schedule_core + +@@ -1051,7 +1053,7 @@ _vpaes_schedule_mangle: + .type vpaes_set_encrypt_key,%function + .align 4 + vpaes_set_encrypt_key: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + stp d8,d9,[sp,#-16]! // ABI spec says so +@@ -1067,7 +1069,7 @@ vpaes_set_encrypt_key: + + ldp d8,d9,[sp],#16 + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size vpaes_set_encrypt_key,.-vpaes_set_encrypt_key + +@@ -1075,7 +1077,7 @@ vpaes_set_encrypt_key: + .type vpaes_set_decrypt_key,%function + .align 4 + vpaes_set_decrypt_key: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + stp d8,d9,[sp,#-16]! // ABI spec says so +@@ -1095,7 +1097,7 @@ vpaes_set_decrypt_key: + + ldp d8,d9,[sp],#16 + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size vpaes_set_decrypt_key,.-vpaes_set_decrypt_key + ___ +@@ -1108,11 +1110,11 @@ $code.=<<___; + .type vpaes_cbc_encrypt,%function + .align 4 + vpaes_cbc_encrypt: ++ AARCH64_SIGN_LINK_REGISTER + cbz $len, .Lcbc_abort + cmp w5, #0 // check direction + b.eq vpaes_cbc_decrypt + +- .inst 0xd503233f // paciasp + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -1135,15 +1137,16 @@ vpaes_cbc_encrypt: + st1 {v0.16b}, [$ivec] // write ivec + + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp + .Lcbc_abort: ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt + + .type vpaes_cbc_decrypt,%function + .align 4 + vpaes_cbc_decrypt: +- .inst 0xd503233f // paciasp ++ // Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to ++ // only from vpaes_cbc_encrypt which has already signed the return address. + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + stp d8,d9,[sp,#-16]! // ABI spec says so +@@ -1185,7 +1188,7 @@ vpaes_cbc_decrypt: + ldp d10,d11,[sp],#16 + ldp d8,d9,[sp],#16 + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size vpaes_cbc_decrypt,.-vpaes_cbc_decrypt + ___ +@@ -1195,7 +1198,7 @@ $code.=<<___; + .type vpaes_ecb_encrypt,%function + .align 4 + vpaes_ecb_encrypt: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + stp d8,d9,[sp,#-16]! // ABI spec says so +@@ -1229,7 +1232,7 @@ vpaes_ecb_encrypt: + ldp d10,d11,[sp],#16 + ldp d8,d9,[sp],#16 + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size vpaes_ecb_encrypt,.-vpaes_ecb_encrypt + +@@ -1237,7 +1240,7 @@ vpaes_ecb_encrypt: + .type vpaes_ecb_decrypt,%function + .align 4 + vpaes_ecb_decrypt: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + stp d8,d9,[sp,#-16]! // ABI spec says so +@@ -1271,7 +1274,7 @@ vpaes_ecb_decrypt: + ldp d10,d11,[sp],#16 + ldp d8,d9,[sp],#16 + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size vpaes_ecb_decrypt,.-vpaes_ecb_decrypt + ___ +diff --git a/crypto/aes/build.info b/crypto/aes/build.info +index b250903fa6..47f99fdf33 100644 +--- a/crypto/aes/build.info ++++ b/crypto/aes/build.info +@@ -116,6 +116,7 @@ INCLUDE[aes-mips.o]=.. + GENERATE[aesv8-armx.S]=asm/aesv8-armx.pl + INCLUDE[aesv8-armx.o]=.. + GENERATE[vpaes-armv8.S]=asm/vpaes-armv8.pl ++INCLUDE[vpaes-armv8.o]=.. + + GENERATE[aes-armv4.S]=asm/aes-armv4.pl + INCLUDE[aes-armv4.o]=.. +diff --git a/crypto/arm64cpuid.pl b/crypto/arm64cpuid.pl +index ac76dd449f..11f0e50279 100755 +--- a/crypto/arm64cpuid.pl ++++ b/crypto/arm64cpuid.pl +@@ -31,6 +31,7 @@ $code.=<<___; + .globl _armv7_neon_probe + .type _armv7_neon_probe,%function + _armv7_neon_probe: ++ AARCH64_VALID_CALL_TARGET + orr v15.16b, v15.16b, v15.16b + ret + .size _armv7_neon_probe,.-_armv7_neon_probe +@@ -38,6 +39,7 @@ _armv7_neon_probe: + .globl _armv7_tick + .type _armv7_tick,%function + _armv7_tick: ++ AARCH64_VALID_CALL_TARGET + #ifdef __APPLE__ + mrs x0, CNTPCT_EL0 + #else +@@ -49,6 +51,7 @@ _armv7_tick: + .globl _armv8_aes_probe + .type _armv8_aes_probe,%function + _armv8_aes_probe: ++ AARCH64_VALID_CALL_TARGET + aese v0.16b, v0.16b + ret + .size _armv8_aes_probe,.-_armv8_aes_probe +@@ -56,6 +59,7 @@ _armv8_aes_probe: + .globl _armv8_sha1_probe + .type _armv8_sha1_probe,%function + _armv8_sha1_probe: ++ AARCH64_VALID_CALL_TARGET + sha1h s0, s0 + ret + .size _armv8_sha1_probe,.-_armv8_sha1_probe +@@ -63,6 +67,7 @@ _armv8_sha1_probe: + .globl _armv8_sha256_probe + .type _armv8_sha256_probe,%function + _armv8_sha256_probe: ++ AARCH64_VALID_CALL_TARGET + sha256su0 v0.4s, v0.4s + ret + .size _armv8_sha256_probe,.-_armv8_sha256_probe +@@ -70,6 +75,7 @@ _armv8_sha256_probe: + .globl _armv8_pmull_probe + .type _armv8_pmull_probe,%function + _armv8_pmull_probe: ++ AARCH64_VALID_CALL_TARGET + pmull v0.1q, v0.1d, v0.1d + ret + .size _armv8_pmull_probe,.-_armv8_pmull_probe +@@ -77,6 +83,7 @@ _armv8_pmull_probe: + .globl _armv8_sha512_probe + .type _armv8_sha512_probe,%function + _armv8_sha512_probe: ++ AARCH64_VALID_CALL_TARGET + .long 0xcec08000 // sha512su0 v0.2d,v0.2d + ret + .size _armv8_sha512_probe,.-_armv8_sha512_probe +@@ -84,6 +91,7 @@ _armv8_sha512_probe: + .globl _armv8_cpuid_probe + .type _armv8_cpuid_probe,%function + _armv8_cpuid_probe: ++ AARCH64_VALID_CALL_TARGET + mrs x0, midr_el1 + ret + .size _armv8_cpuid_probe,.-_armv8_cpuid_probe +@@ -92,6 +100,7 @@ _armv8_cpuid_probe: + .type OPENSSL_cleanse,%function + .align 5 + OPENSSL_cleanse: ++ AARCH64_VALID_CALL_TARGET + cbz x1,.Lret // len==0? + cmp x1,#15 + b.hi .Lot // len>15 +@@ -123,6 +132,7 @@ OPENSSL_cleanse: + .type CRYPTO_memcmp,%function + .align 4 + CRYPTO_memcmp: ++ AARCH64_VALID_CALL_TARGET + eor w3,w3,w3 + cbz x2,.Lno_data // len==0? + cmp x2,#16 +diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h +index 45d7e15564..a815a5c72b 100644 +--- a/crypto/arm_arch.h ++++ b/crypto/arm_arch.h +@@ -126,4 +126,62 @@ extern unsigned int OPENSSL_armv8_rsa_neonized; + + # define MIDR_IS_CPU_MODEL(midr, imp, partnum) \ + (((midr) & MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum)) ++ ++#if defined(__ASSEMBLER__) ++ ++ /* ++ * Support macros for ++ * - Armv8.3-A Pointer Authentication and ++ * - Armv8.5-A Branch Target Identification ++ * features which require emitting a .note.gnu.property section with the ++ * appropriate architecture-dependent feature bits set. ++ * Read more: "ELF for the ArmĀ® 64-bit Architecture" ++ */ ++ ++# if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1 ++# define GNU_PROPERTY_AARCH64_BTI (1 << 0) /* Has Branch Target Identification */ ++# define AARCH64_VALID_CALL_TARGET hint #34 /* BTI 'c' */ ++# else ++# define GNU_PROPERTY_AARCH64_BTI 0 /* No Branch Target Identification */ ++# define AARCH64_VALID_CALL_TARGET ++# endif ++ ++# if defined(__ARM_FEATURE_PAC_DEFAULT) && \ ++ (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 /* Signed with A-key */ ++# define GNU_PROPERTY_AARCH64_POINTER_AUTH \ ++ (1 << 1) /* Has Pointer Authentication */ ++# define AARCH64_SIGN_LINK_REGISTER hint #25 /* PACIASP */ ++# define AARCH64_VALIDATE_LINK_REGISTER hint #29 /* AUTIASP */ ++# elif defined(__ARM_FEATURE_PAC_DEFAULT) && \ ++ (__ARM_FEATURE_PAC_DEFAULT & 2) == 2 /* Signed with B-key */ ++# define GNU_PROPERTY_AARCH64_POINTER_AUTH \ ++ (1 << 1) /* Has Pointer Authentication */ ++# define AARCH64_SIGN_LINK_REGISTER hint #27 /* PACIBSP */ ++# define AARCH64_VALIDATE_LINK_REGISTER hint #31 /* AUTIBSP */ ++# else ++# define GNU_PROPERTY_AARCH64_POINTER_AUTH 0 /* No Pointer Authentication */ ++# if GNU_PROPERTY_AARCH64_BTI != 0 ++# define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET ++# else ++# define AARCH64_SIGN_LINK_REGISTER ++# endif ++# define AARCH64_VALIDATE_LINK_REGISTER ++# endif ++ ++# if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0 ++ .pushsection .note.gnu.property, "a"; ++ .balign 8; ++ .long 4; ++ .long 0x10; ++ .long 0x5; ++ .asciz "GNU"; ++ .long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */ ++ .long 4; ++ .long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI); ++ .long 0; ++ .popsection; ++# endif ++ ++# endif /* defined __ASSEMBLER__ */ ++ + #endif +diff --git a/crypto/bn/asm/armv8-mont.pl b/crypto/bn/asm/armv8-mont.pl +index 54d2e8245f..21ab12bdf0 100755 +--- a/crypto/bn/asm/armv8-mont.pl ++++ b/crypto/bn/asm/armv8-mont.pl +@@ -67,8 +67,8 @@ $n0="x4"; # const BN_ULONG *n0, + $num="x5"; # int num); + + $code.=<<___; ++#include "arm_arch.h" + #ifndef __KERNEL__ +-# include "arm_arch.h" + .extern OPENSSL_armv8_rsa_neonized + .hidden OPENSSL_armv8_rsa_neonized + #endif +@@ -78,6 +78,7 @@ $code.=<<___; + .type bn_mul_mont,%function + .align 5 + bn_mul_mont: ++ AARCH64_SIGN_LINK_REGISTER + .Lbn_mul_mont: + tst $num,#3 + b.ne .Lmul_mont +@@ -288,6 +289,7 @@ bn_mul_mont: + mov x0,#1 + ldp x23,x24,[x29,#48] + ldr x29,[sp],#64 ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size bn_mul_mont,.-bn_mul_mont + ___ +@@ -309,6 +311,8 @@ $code.=<<___; + .type bn_mul8x_mont_neon,%function + .align 5 + bn_mul8x_mont_neon: ++ // Not adding AARCH64_SIGN_LINK_REGISTER here because bn_mul8x_mont_neon is jumped to ++ // only from bn_mul_mont which has already signed the return address. + stp x29,x30,[sp,#-80]! + mov x16,sp + stp d8,d9,[sp,#16] +@@ -649,6 +653,7 @@ $code.=<<___; + ldp d10,d11,[sp,#32] + ldp d8,d9,[sp,#16] + ldr x29,[sp],#80 ++ AARCH64_VALIDATE_LINK_REGISTER + ret // bx lr + + .size bn_mul8x_mont_neon,.-bn_mul8x_mont_neon +@@ -671,7 +676,8 @@ __bn_sqr8x_mont: + cmp $ap,$bp + b.ne __bn_mul4x_mont + .Lsqr8x_mont: +- .inst 0xd503233f // paciasp ++ // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to ++ // only from bn_mul_mont which has already signed the return address. + stp x29,x30,[sp,#-128]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -1425,7 +1431,8 @@ $code.=<<___; + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldr x29,[sp],#128 +- .inst 0xd50323bf // autiasp ++ // x30 is loaded earlier ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size __bn_sqr8x_mont,.-__bn_sqr8x_mont + ___ +@@ -1449,7 +1456,8 @@ $code.=<<___; + .type __bn_mul4x_mont,%function + .align 5 + __bn_mul4x_mont: +- .inst 0xd503233f // paciasp ++ // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to ++ // only from bn_mul_mont (or __bn_sqr8x_mont from bn_mul_mont) which has already signed the return address. + stp x29,x30,[sp,#-128]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -1883,7 +1891,8 @@ __bn_mul4x_mont: + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldr x29,[sp],#128 +- .inst 0xd50323bf // autiasp ++ // x30 loaded earlier ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size __bn_mul4x_mont,.-__bn_mul4x_mont + ___ +diff --git a/crypto/chacha/asm/chacha-armv8.pl b/crypto/chacha/asm/chacha-armv8.pl +index dcdc4a04e3..e1a8b81594 100755 +--- a/crypto/chacha/asm/chacha-armv8.pl ++++ b/crypto/chacha/asm/chacha-armv8.pl +@@ -132,8 +132,8 @@ my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); + } + + $code.=<<___; ++#include "arm_arch.h" + #ifndef __KERNEL__ +-# include "arm_arch.h" + .extern OPENSSL_armcap_P + .hidden OPENSSL_armcap_P + #endif +@@ -153,6 +153,7 @@ $code.=<<___; + .type ChaCha20_ctr32,%function + .align 5 + ChaCha20_ctr32: ++ AARCH64_SIGN_LINK_REGISTER + cbz $len,.Labort + cmp $len,#192 + b.lo .Lshort +@@ -165,7 +166,6 @@ ChaCha20_ctr32: + #endif + + .Lshort: +- .inst 0xd503233f // paciasp + stp x29,x30,[sp,#-96]! + add x29,sp,#0 + +@@ -285,8 +285,8 @@ $code.=<<___; + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 +- .inst 0xd50323bf // autiasp + .Labort: ++ AARCH64_VALIDATE_LINK_REGISTER + ret + + .align 4 +@@ -342,7 +342,7 @@ $code.=<<___; + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ChaCha20_ctr32,.-ChaCha20_ctr32 + ___ +@@ -432,8 +432,8 @@ $code.=<<___; + .type ChaCha20_neon,%function + .align 5 + ChaCha20_neon: ++ AARCH64_SIGN_LINK_REGISTER + .LChaCha20_neon: +- .inst 0xd503233f // paciasp + stp x29,x30,[sp,#-96]! + add x29,sp,#0 + +@@ -667,7 +667,7 @@ $code.=<<___; + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + + .align 4 +@@ -799,7 +799,7 @@ $code.=<<___; + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ChaCha20_neon,.-ChaCha20_neon + ___ +@@ -844,7 +844,7 @@ $code.=<<___; + .type ChaCha20_512_neon,%function + .align 5 + ChaCha20_512_neon: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! + add x29,sp,#0 + +@@ -1268,7 +1268,7 @@ $code.=<<___; + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ChaCha20_512_neon,.-ChaCha20_512_neon + ___ +diff --git a/crypto/ec/asm/ecp_nistz256-armv8.pl b/crypto/ec/asm/ecp_nistz256-armv8.pl +index 81ee3947d7..6c5d0e8b3c 100644 +--- a/crypto/ec/asm/ecp_nistz256-armv8.pl ++++ b/crypto/ec/asm/ecp_nistz256-armv8.pl +@@ -122,7 +122,7 @@ $code.=<<___; + .type ecp_nistz256_to_mont,%function + .align 6 + ecp_nistz256_to_mont: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -138,7 +138,7 @@ ecp_nistz256_to_mont: + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont + +@@ -147,7 +147,7 @@ ecp_nistz256_to_mont: + .type ecp_nistz256_from_mont,%function + .align 4 + ecp_nistz256_from_mont: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -163,7 +163,7 @@ ecp_nistz256_from_mont: + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont + +@@ -173,7 +173,7 @@ ecp_nistz256_from_mont: + .type ecp_nistz256_mul_mont,%function + .align 4 + ecp_nistz256_mul_mont: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -188,7 +188,7 @@ ecp_nistz256_mul_mont: + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont + +@@ -197,7 +197,7 @@ ecp_nistz256_mul_mont: + .type ecp_nistz256_sqr_mont,%function + .align 4 + ecp_nistz256_sqr_mont: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -211,7 +211,7 @@ ecp_nistz256_sqr_mont: + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont + +@@ -221,7 +221,7 @@ ecp_nistz256_sqr_mont: + .type ecp_nistz256_add,%function + .align 4 + ecp_nistz256_add: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -235,7 +235,7 @@ ecp_nistz256_add: + bl __ecp_nistz256_add + + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_add,.-ecp_nistz256_add + +@@ -244,7 +244,7 @@ ecp_nistz256_add: + .type ecp_nistz256_div_by_2,%function + .align 4 + ecp_nistz256_div_by_2: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -256,7 +256,7 @@ ecp_nistz256_div_by_2: + bl __ecp_nistz256_div_by_2 + + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2 + +@@ -265,7 +265,7 @@ ecp_nistz256_div_by_2: + .type ecp_nistz256_mul_by_2,%function + .align 4 + ecp_nistz256_mul_by_2: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -281,7 +281,7 @@ ecp_nistz256_mul_by_2: + bl __ecp_nistz256_add // ret = a+a // 2*a + + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2 + +@@ -290,7 +290,7 @@ ecp_nistz256_mul_by_2: + .type ecp_nistz256_mul_by_3,%function + .align 4 + ecp_nistz256_mul_by_3: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -317,7 +317,7 @@ ecp_nistz256_mul_by_3: + bl __ecp_nistz256_add // ret += a // 2*a+a=3*a + + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3 + +@@ -327,7 +327,7 @@ ecp_nistz256_mul_by_3: + .type ecp_nistz256_sub,%function + .align 4 + ecp_nistz256_sub: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -339,7 +339,7 @@ ecp_nistz256_sub: + bl __ecp_nistz256_sub_from + + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_sub,.-ecp_nistz256_sub + +@@ -348,7 +348,7 @@ ecp_nistz256_sub: + .type ecp_nistz256_neg,%function + .align 4 + ecp_nistz256_neg: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -363,7 +363,7 @@ ecp_nistz256_neg: + bl __ecp_nistz256_sub_from + + ldp x29,x30,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_neg,.-ecp_nistz256_neg + +@@ -724,7 +724,7 @@ $code.=<<___; + .type ecp_nistz256_point_double,%function + .align 5 + ecp_nistz256_point_double: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -859,7 +859,7 @@ ecp_nistz256_point_double: + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x29,x30,[sp],#96 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_point_double,.-ecp_nistz256_point_double + ___ +@@ -882,7 +882,7 @@ $code.=<<___; + .type ecp_nistz256_point_add,%function + .align 5 + ecp_nistz256_point_add: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -1117,7 +1117,7 @@ $code.=<<___; + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_point_add,.-ecp_nistz256_point_add + ___ +@@ -1139,7 +1139,7 @@ $code.=<<___; + .type ecp_nistz256_point_add_affine,%function + .align 5 + ecp_nistz256_point_add_affine: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-80]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -1328,7 +1328,7 @@ $code.=<<___; + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x29,x30,[sp],#80 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine + ___ +@@ -1346,6 +1346,8 @@ $code.=<<___; + .type ecp_nistz256_ord_mul_mont,%function + .align 4 + ecp_nistz256_ord_mul_mont: ++ AARCH64_VALID_CALL_TARGET ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-64]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -1487,6 +1489,8 @@ $code.=<<___; + .type ecp_nistz256_ord_sqr_mont,%function + .align 4 + ecp_nistz256_ord_sqr_mont: ++ AARCH64_VALID_CALL_TARGET ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-64]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -1641,6 +1645,8 @@ $code.=<<___; + .type ecp_nistz256_scatter_w5,%function + .align 4 + ecp_nistz256_scatter_w5: ++ AARCH64_VALID_CALL_TARGET ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -1703,6 +1709,8 @@ ecp_nistz256_scatter_w5: + .type ecp_nistz256_gather_w5,%function + .align 4 + ecp_nistz256_gather_w5: ++ AARCH64_VALID_CALL_TARGET ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -1780,6 +1788,8 @@ ecp_nistz256_gather_w5: + .type ecp_nistz256_scatter_w7,%function + .align 4 + ecp_nistz256_scatter_w7: ++ AARCH64_VALID_CALL_TARGET ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -1824,6 +1834,8 @@ ecp_nistz256_scatter_w7: + .type ecp_nistz256_gather_w7,%function + .align 4 + ecp_nistz256_gather_w7: ++ AARCH64_VALID_CALL_TARGET ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +diff --git a/crypto/modes/asm/aes-gcm-armv8_64.pl b/crypto/modes/asm/aes-gcm-armv8_64.pl +index 3b9d5b6511..ff5809ec22 100755 +--- a/crypto/modes/asm/aes-gcm-armv8_64.pl ++++ b/crypto/modes/asm/aes-gcm-armv8_64.pl +@@ -256,6 +256,7 @@ $code.=<<___; + .type aes_gcm_enc_128_kernel,%function + .align 4 + aes_gcm_enc_128_kernel: ++ AARCH64_VALID_CALL_TARGET + cbz x1, .L128_enc_ret + stp x19, x20, [sp, #-112]! + mov x16, x4 +@@ -1089,6 +1090,7 @@ $code.=<<___; + .type aes_gcm_dec_128_kernel,%function + .align 4 + aes_gcm_dec_128_kernel: ++ AARCH64_VALID_CALL_TARGET + cbz x1, .L128_dec_ret + stp x19, x20, [sp, #-112]! + mov x16, x4 +@@ -1973,6 +1975,7 @@ $code.=<<___; + .type aes_gcm_enc_192_kernel,%function + .align 4 + aes_gcm_enc_192_kernel: ++ AARCH64_VALID_CALL_TARGET + cbz x1, .L192_enc_ret + stp x19, x20, [sp, #-112]! + mov x16, x4 +@@ -2858,6 +2861,7 @@ $code.=<<___; + .type aes_gcm_dec_192_kernel,%function + .align 4 + aes_gcm_dec_192_kernel: ++ AARCH64_VALID_CALL_TARGET + cbz x1, .L192_dec_ret + stp x19, x20, [sp, #-112]! + mov x16, x4 +@@ -3797,6 +3801,7 @@ $code.=<<___; + .type aes_gcm_enc_256_kernel,%function + .align 4 + aes_gcm_enc_256_kernel: ++ AARCH64_VALID_CALL_TARGET + cbz x1, .L256_enc_ret + stp x19, x20, [sp, #-112]! + mov x16, x4 +@@ -4729,6 +4734,7 @@ $code.=<<___; + .type aes_gcm_dec_256_kernel,%function + .align 4 + aes_gcm_dec_256_kernel: ++ AARCH64_VALID_CALL_TARGET + cbz x1, .L256_dec_ret + stp x19, x20, [sp, #-112]! + mov x16, x4 +diff --git a/crypto/modes/asm/ghashv8-armx.pl b/crypto/modes/asm/ghashv8-armx.pl +index b1d35d25b5..57f893e77c 100644 +--- a/crypto/modes/asm/ghashv8-armx.pl ++++ b/crypto/modes/asm/ghashv8-armx.pl +@@ -107,6 +107,11 @@ $code.=<<___; + .type gcm_init_v8,%function + .align 4 + gcm_init_v8: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ AARCH64_VALID_CALL_TARGET ++___ ++$code.=<<___; + vld1.64 {$t1},[x1] @ load input H + vmov.i8 $xC2,#0xe1 + vshl.i64 $xC2,$xC2,#57 @ 0xc2.0 +@@ -214,6 +219,11 @@ $code.=<<___; + .type gcm_gmult_v8,%function + .align 4 + gcm_gmult_v8: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ AARCH64_VALID_CALL_TARGET ++___ ++$code.=<<___; + vld1.64 {$t1},[$Xi] @ load Xi + vmov.i8 $xC2,#0xe1 + vld1.64 {$H-$Hhl},[$Htbl] @ load twisted H, ... +@@ -268,6 +278,7 @@ $code.=<<___; + gcm_ghash_v8: + ___ + $code.=<<___ if ($flavour =~ /64/); ++ AARCH64_VALID_CALL_TARGET + cmp $len,#64 + b.hs .Lgcm_ghash_v8_4x + ___ +diff --git a/crypto/poly1305/asm/poly1305-armv8.pl b/crypto/poly1305/asm/poly1305-armv8.pl +index 113a2151b6..20816c4283 100755 +--- a/crypto/poly1305/asm/poly1305-armv8.pl ++++ b/crypto/poly1305/asm/poly1305-armv8.pl +@@ -72,6 +72,7 @@ $code.=<<___; + .type poly1305_init,%function + .align 5 + poly1305_init: ++ AARCH64_VALID_CALL_TARGET + cmp $inp,xzr + stp xzr,xzr,[$ctx] // zero hash value + stp xzr,xzr,[$ctx,#16] // [along with is_base2_26] +@@ -119,6 +120,9 @@ poly1305_init: + .align 5 + poly1305_blocks: + .Lpoly1305_blocks: ++ // The symbol .Lpoly1305_blocks is not a .globl symbol ++ // but a pointer to it is returned by poly1305_init ++ AARCH64_VALID_CALL_TARGET + ands $len,$len,#-16 + b.eq .Lno_data + +@@ -184,6 +188,9 @@ poly1305_blocks: + .align 5 + poly1305_emit: + .Lpoly1305_emit: ++ // The symbol .poly1305_emit is not a .globl symbol ++ // but a pointer to it is returned by poly1305_init ++ AARCH64_VALID_CALL_TARGET + ldp $h0,$h1,[$ctx] // load hash base 2^64 + ldr $h2,[$ctx,#16] + ldp $t0,$t1,[$nonce] // load nonce +@@ -291,13 +298,16 @@ poly1305_splat: + .align 5 + poly1305_blocks_neon: + .Lpoly1305_blocks_neon: ++ // The symbol .Lpoly1305_blocks_neon is not a .globl symbol ++ // but a pointer to it is returned by poly1305_init ++ AARCH64_VALID_CALL_TARGET + ldr $is_base2_26,[$ctx,#24] + cmp $len,#128 + b.hs .Lblocks_neon + cbz $is_base2_26,.Lpoly1305_blocks + + .Lblocks_neon: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-80]! + add x29,sp,#0 + +@@ -867,7 +877,7 @@ poly1305_blocks_neon: + + .Lno_data_neon: + ldr x29,[sp],#80 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size poly1305_blocks_neon,.-poly1305_blocks_neon + +@@ -875,6 +885,9 @@ poly1305_blocks_neon: + .align 5 + poly1305_emit_neon: + .Lpoly1305_emit_neon: ++ // The symbol .Lpoly1305_emit_neon is not a .globl symbol ++ // but a pointer to it is returned by poly1305_init ++ AARCH64_VALID_CALL_TARGET + ldr $is_base2_26,[$ctx,#24] + cbz $is_base2_26,poly1305_emit + +diff --git a/crypto/sha/asm/keccak1600-armv8.pl b/crypto/sha/asm/keccak1600-armv8.pl +index 65102e7c29..cf54b62c63 100755 +--- a/crypto/sha/asm/keccak1600-armv8.pl ++++ b/crypto/sha/asm/keccak1600-armv8.pl +@@ -80,6 +80,8 @@ my @rhotates = ([ 0, 1, 62, 28, 27 ], + [ 18, 2, 61, 56, 14 ]); + + $code.=<<___; ++#include "arm_arch.h" ++ + .text + + .align 8 // strategic alignment and padding that allows to use +@@ -125,7 +127,7 @@ $code.=<<___; + .align 5 + KeccakF1600_int: + adr $C[2],iotas +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp $C[2],x30,[sp,#16] // 32 bytes on top are mine + b .Loop + .align 4 +@@ -297,14 +299,14 @@ $code.=<<___; + bne .Loop + + ldr x30,[sp,#24] +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size KeccakF1600_int,.-KeccakF1600_int + + .type KeccakF1600,%function + .align 5 + KeccakF1600: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-128]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -354,7 +356,7 @@ KeccakF1600: + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#128 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size KeccakF1600,.-KeccakF1600 + +@@ -362,7 +364,7 @@ KeccakF1600: + .type SHA3_absorb,%function + .align 5 + SHA3_absorb: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-128]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -460,7 +462,7 @@ $code.=<<___; + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#128 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size SHA3_absorb,.-SHA3_absorb + ___ +@@ -471,7 +473,7 @@ $code.=<<___; + .type SHA3_squeeze,%function + .align 5 + SHA3_squeeze: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-48]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -534,7 +536,7 @@ SHA3_squeeze: + ldp x19,x20,[sp,#16] + ldp x21,x22,[sp,#32] + ldp x29,x30,[sp],#48 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size SHA3_squeeze,.-SHA3_squeeze + ___ +@@ -653,7 +655,7 @@ KeccakF1600_ce: + .type KeccakF1600_cext,%function + .align 5 + KeccakF1600_cext: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-80]! + add x29,sp,#0 + stp d8,d9,[sp,#16] // per ABI requirement +@@ -686,7 +688,7 @@ $code.=<<___; + ldp d12,d13,[sp,#48] + ldp d14,d15,[sp,#64] + ldr x29,[sp],#80 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size KeccakF1600_cext,.-KeccakF1600_cext + ___ +@@ -699,7 +701,7 @@ $code.=<<___; + .type SHA3_absorb_cext,%function + .align 5 + SHA3_absorb_cext: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-80]! + add x29,sp,#0 + stp d8,d9,[sp,#16] // per ABI requirement +@@ -771,7 +773,7 @@ $code.=<<___; + ldp d12,d13,[sp,#48] + ldp d14,d15,[sp,#64] + ldp x29,x30,[sp],#80 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size SHA3_absorb_cext,.-SHA3_absorb_cext + ___ +@@ -783,7 +785,7 @@ $code.=<<___; + .type SHA3_squeeze_cext,%function + .align 5 + SHA3_squeeze_cext: +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + mov x9,$ctx +@@ -839,7 +841,7 @@ SHA3_squeeze_cext: + + .Lsqueeze_done_ce: + ldr x29,[sp],#16 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size SHA3_squeeze_cext,.-SHA3_squeeze_cext + ___ +diff --git a/crypto/sha/asm/sha1-armv8.pl b/crypto/sha/asm/sha1-armv8.pl +index cdea8845af..5f23a20c1a 100644 +--- a/crypto/sha/asm/sha1-armv8.pl ++++ b/crypto/sha/asm/sha1-armv8.pl +@@ -175,8 +175,8 @@ ___ + } + + $code.=<<___; ++#include "arm_arch.h" + #ifndef __KERNEL__ +-# include "arm_arch.h" + .extern OPENSSL_armcap_P + .hidden OPENSSL_armcap_P + #endif +@@ -187,11 +187,13 @@ $code.=<<___; + .type sha1_block_data_order,%function + .align 6 + sha1_block_data_order: ++ AARCH64_VALID_CALL_TARGET + adrp x16,OPENSSL_armcap_P + ldr w16,[x16,#:lo12:OPENSSL_armcap_P] + tst w16,#ARMV8_SHA1 + b.ne .Lv8_entry + ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-96]! + add x29,sp,#0 + stp x19,x20,[sp,#16] +@@ -253,6 +255,7 @@ $code.=<<___; + .align 6 + sha1_block_armv8: + .Lv8_entry: ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +diff --git a/crypto/sha/asm/sha512-armv8.pl b/crypto/sha/asm/sha512-armv8.pl +index 6bcff0b7d3..f900882fee 100644 +--- a/crypto/sha/asm/sha512-armv8.pl ++++ b/crypto/sha/asm/sha512-armv8.pl +@@ -190,8 +190,8 @@ ___ + } + + $code.=<<___; ++#include "arm_arch.h" + #ifndef __KERNEL__ +-# include "arm_arch.h" + .extern OPENSSL_armcap_P + .hidden OPENSSL_armcap_P + #endif +@@ -202,6 +202,7 @@ $code.=<<___; + .type $func,%function + .align 6 + $func: ++ AARCH64_VALID_CALL_TARGET + #ifndef __KERNEL__ + adrp x16,OPENSSL_armcap_P + ldr w16,[x16,#:lo12:OPENSSL_armcap_P] +@@ -218,7 +219,7 @@ $code.=<<___ if ($SZ==8); + ___ + $code.=<<___; + #endif +- .inst 0xd503233f // paciasp ++ AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-128]! + add x29,sp,#0 + +@@ -280,7 +281,7 @@ $code.=<<___; + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#128 +- .inst 0xd50323bf // autiasp ++ AARCH64_VALIDATE_LINK_REGISTER + ret + .size $func,.-$func + +@@ -370,6 +371,7 @@ $code.=<<___; + .align 6 + sha256_block_armv8: + .Lv8_entry: ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +@@ -632,7 +634,9 @@ $code.=<<___; + .type sha256_block_neon,%function + .align 4 + sha256_block_neon: ++ AARCH64_VALID_CALL_TARGET + .Lneon_entry: ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later + stp x29, x30, [sp, #-16]! + mov x29, sp + sub sp,sp,#16*4 +@@ -743,6 +747,7 @@ $code.=<<___; + .align 6 + sha512_block_armv8: + .Lv8_entry: ++ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + +diff --git a/crypto/sha/build.info b/crypto/sha/build.info +index d61f7de9b6..556a658d8b 100644 +--- a/crypto/sha/build.info ++++ b/crypto/sha/build.info +@@ -153,6 +153,7 @@ INCLUDE[sha256-armv8.o]=.. + GENERATE[sha512-armv8.S]=asm/sha512-armv8.pl + INCLUDE[sha512-armv8.o]=.. + GENERATE[keccak1600-armv8.S]=asm/keccak1600-armv8.pl ++INCLUDE[keccak1600-armv8.o]=.. + + GENERATE[sha1-s390x.S]=asm/sha1-s390x.pl + INCLUDE[sha1-s390x.o]=.. +-- +2.37.3.windows.1 + |