[v3] powerpc64le: _init/_fini file changes for ROP

Message ID 20241114145809.336606-1-smonga@linux.ibm.com
State Changes Requested
Headers
Series [v3] powerpc64le: _init/_fini file changes for ROP |

Checks

Context Check Description
redhat-pt-bot/TryBot-apply_patch success Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64 success Build passed
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64 success Test passed
redhat-pt-bot/TryBot-32bit success Build for i686
linaro-tcwg-bot/tcwg_glibc_build--master-arm success Build passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm success Test passed

Commit Message

Sachin Monga Nov. 14, 2024, 2:58 p.m. UTC
  The ROP instructions were added in ISA 3.1 (ie, Power10), however they
were defined so that if executed on older cpus, they would behave as
nops.  This allows us to emit them on older cpus and they'd just be
ignored, but if run on a Power10, then the binary would be ROP protected.

-mrop-protect is needed to compile glibc for ROP enablement.
However, power7 and earlier files should not use it.

Hash instructions use negative offsets so the default position
of ROP pointer is FRAME_ROP_SAVE from caller's SP.

Modified FRAME_MIN_SIZE_PARM to 112 for elfAbi2 to reserve
additional 16 bytes for ROP save slot and padding.

Signed-off-by: Sachin Monga <smonga@linux.ibm.com>
---
The patch is reg tested.

>This removes using -mrop-protect from the power7 tuned files, but how does that
>stop us from using -mrop-protect on the power4 through power6 specific files?
>I believe you're currently enabling ROP in the build by adding -mrop-protect to
>CFLAGS.  Would it be better to do something similar to how we build for a specific
>cpu?  Ie, instead of adding -mcpu=XXX to CFLAGS, we use the --with-cpu=XXX config
>option.  Maybe we could do something similar via --enable-... or --with-rop={yes,no}?
>I'm unsure if that would end up being similar in the end, but it is worth checking on.
I agree. As discussed offline,I'll share a seperate patch on enablement of ROP through
configure script.

>Please don't combine FRAME_MIN_SIZE_PARM into a single entry outside the
>_CALL_ELF test.  I know the ELFv1 and ELFv2 values are now the same, but
>the plan is to eventually enable this from non ELFv2 compiles too, in which
>case we'll have to update its FRAME_MIN_SIZE_PARM and then they'll diverge
>again.  Better to just keep the separate macros for now.  Also please move
>the FRAME_ROP_SAVE definition to the ELFv2 section.  This should catch any
>current non ELFv2 usage of that and cause an error.  If the ELFv1 value of
>that ends up being the same, then we can combine it later.
This is incorporated in the below revised patch.

 sysdeps/powerpc/powerpc64/crti.S             | 6 ++++++
 sysdeps/powerpc/powerpc64/crtn.S             | 6 ++++++
 sysdeps/powerpc/powerpc64/multiarch/Makefile | 2 ++
 sysdeps/powerpc/powerpc64/sysdep.h           | 3 ++-
 4 files changed, 16 insertions(+), 1 deletion(-)
  

Patch

diff --git a/sysdeps/powerpc/powerpc64/crti.S b/sysdeps/powerpc/powerpc64/crti.S
index 71bdddfb3b..e977bc4b9c 100644
--- a/sysdeps/powerpc/powerpc64/crti.S
+++ b/sysdeps/powerpc/powerpc64/crti.S
@@ -68,6 +68,9 @@  BODY_LABEL (_init):
 	LOCALENTRY(_init)
 	mflr 0
 	std 0, FRAME_LR_SAVE(r1)
+#ifdef	__ROP_PROTECT__
+	hashst 0, FRAME_ROP_SAVE(r1)
+#endif
 	stdu r1, -FRAME_MIN_SIZE_PARM(r1)
 #if PREINIT_FUNCTION_WEAK
 	addis r9, r2, .LC0@toc@ha
@@ -87,4 +90,7 @@  BODY_LABEL (_fini):
 	LOCALENTRY(_fini)
 	mflr 0
 	std 0, FRAME_LR_SAVE(r1)
+#ifdef	__ROP_PROTECT__
+	hashst 0, FRAME_ROP_SAVE(r1)
+#endif
 	stdu r1, -FRAME_MIN_SIZE_PARM(r1)
diff --git a/sysdeps/powerpc/powerpc64/crtn.S b/sysdeps/powerpc/powerpc64/crtn.S
index 4e91231f2c..a37e159950 100644
--- a/sysdeps/powerpc/powerpc64/crtn.S
+++ b/sysdeps/powerpc/powerpc64/crtn.S
@@ -42,10 +42,16 @@ 
 	addi r1, r1, FRAME_MIN_SIZE_PARM
 	ld r0, FRAME_LR_SAVE(r1)
 	mtlr r0
+#ifdef	__ROP_PROTECT__
+	hashchk 0, FRAME_ROP_SAVE(r1)
+#endif
 	blr
 
 	.section .fini,"ax",@progbits
 	addi r1, r1, FRAME_MIN_SIZE_PARM
 	ld r0, FRAME_LR_SAVE(r1)
 	mtlr r0
+#ifdef	__ROP_PROTECT__
+	hashchk 0, FRAME_ROP_SAVE(r1)
+#endif
 	blr
diff --git a/sysdeps/powerpc/powerpc64/multiarch/Makefile b/sysdeps/powerpc/powerpc64/multiarch/Makefile
index b847c19049..840e517dad 100644
--- a/sysdeps/powerpc/powerpc64/multiarch/Makefile
+++ b/sysdeps/powerpc/powerpc64/multiarch/Makefile
@@ -38,7 +38,9 @@  sysdep_routines += memchr-power10 memcmp-power10 memcpy-power10 \
 		   strlen-power9 strncpy-power9 stpncpy-power9 strlen-power10
 endif
 CFLAGS-strncase-power7.c += -mcpu=power7 -funroll-loops
+CFLAGS-strncase-power7.c := $(filter-out -mrop-protect, $(CFLAGS-strncase-power7))
 CFLAGS-strncase_l-power7.c += -mcpu=power7 -funroll-loops
+CFLAGS-strncase_l-power7.c := $(filter-out -mrop-protect, $(CFLAGS-strncase-power7_l))
 endif
 
 # Called during static initialization
diff --git a/sysdeps/powerpc/powerpc64/sysdep.h b/sysdeps/powerpc/powerpc64/sysdep.h
index c439b06121..8467f2b4e9 100644
--- a/sysdeps/powerpc/powerpc64/sysdep.h
+++ b/sysdeps/powerpc/powerpc64/sysdep.h
@@ -31,8 +31,9 @@ 
 #define FRAME_TOC_SAVE		40
 #define FRAME_PARM_SAVE		48
 #else
+#define FRAME_ROP_SAVE		-8 /* Default ROP slot */
 #define FRAME_MIN_SIZE		32
-#define FRAME_MIN_SIZE_PARM	96
+#define FRAME_MIN_SIZE_PARM	112 /* ++ROP ++Padding for _CALL_ELF=2 */
 #define FRAME_TOC_SAVE		24
 #define FRAME_PARM_SAVE		32
 #endif