diff --git a/cddl/lib/libicp/Makefile b/cddl/lib/libicp/Makefile --- a/cddl/lib/libicp/Makefile +++ b/cddl/lib/libicp/Makefile @@ -139,4 +139,7 @@ LDFLAGS.bfd+= -Wl,-znoexecstack +# sha256-armv8.S and sha512-armv8.S are missing the BTI elf note +MK_BRANCH_PROTECTION=no + .include diff --git a/cddl/lib/libicp_rescue/Makefile b/cddl/lib/libicp_rescue/Makefile --- a/cddl/lib/libicp_rescue/Makefile +++ b/cddl/lib/libicp_rescue/Makefile @@ -136,4 +136,7 @@ LDFLAGS.bfd+= -Wl,-znoexecstack +# sha256-armv8.S and sha512-armv8.S are missing the BTI elf note +MK_BRANCH_PROTECTION=no + .include diff --git a/lib/libomp/Makefile b/lib/libomp/Makefile --- a/lib/libomp/Makefile +++ b/lib/libomp/Makefile @@ -1,4 +1,7 @@ +# z_Linux_asm.S is missing BTI support +MK_BRANCH_PROTECTION=no + .include SHLIB_NAME= libomp.so diff --git a/rescue/rescue/Makefile b/rescue/rescue/Makefile --- a/rescue/rescue/Makefile +++ b/rescue/rescue/Makefile @@ -1,5 +1,8 @@ # @(#)Makefile 8.1 (Berkeley) 6/2/93 +# libicp is built without BTI support +MK_BRANCH_PROTECTION=no + .include .include diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk --- a/share/mk/bsd.lib.mk +++ b/share/mk/bsd.lib.mk @@ -99,6 +99,12 @@ .endif # LLD sensibly defaults to -znoexecstack, so do the same for BFD LDFLAGS.bfd+= -Wl,-znoexecstack +.if ${MK_BRANCH_PROTECTION} != "no" +CFLAGS+= -mbranch-protection=standard +.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR) +LDFLAGS+= -Wl,-zbti-report=error +.endif +.endif # Initialize stack variables on function entry .if ${OPT_INIT_ALL} != "none" diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk --- a/share/mk/bsd.opts.mk +++ b/share/mk/bsd.opts.mk @@ -52,6 +52,7 @@ __DEFAULT_YES_OPTIONS = \ ASSERT_DEBUG \ + BRANCH_PROTECTION \ DEBUG_FILES \ DOCCOMPRESS \ INCLUDES \ @@ -101,6 +102,10 @@ __DEFAULT_YES_OPTIONS+=PIE .endif +.if ${MACHINE} != "arm64" +BROKEN_OPTIONS+=BRANCH_PROTECTION +.endif + __SINGLE_OPTIONS = \ INIT_ALL 
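Review bot: In cddl/lib/libicp/Makefile, `MK_BRANCH_PROTECTION=no` turns off the whole `-mbranch-protection=standard` flag for the library, while the comment names only the missing BTI ELF note in sha256-armv8.S and sha512-armv8.S. As far as I know `standard` covers return-address signing as well as BTI, so the C sources here lose pac-ret too, although that is presumably unaffected by the two assembly files. The same applies to the opt-outs in the libicp_rescue, libomp and rescue hunks. I would say so in the comment, e.g. `# NB: this also drops pac-ret for the C sources; revisit once the .S files carry the BTI note`, and consider a narrower opt-out later.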
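Review bot: In share/mk/bsd.lib.mk the `-Wl,-zbti-report=error` line is reached only when `BTI_REPORT_ERROR` is defined, and nothing in the hunk documents that variable or says what happens without it. To my knowledge the linker marks an output as BTI-compatible only if every input object carries the note, and otherwise drops the property without a diagnostic. A library that picks up one unannotated object would therefore be compiled with the flag yet run without BTI enforcement. A comment above the inner `.if` would help, e.g. `# Define BTI_REPORT_ERROR to fail the link when an input object lacks the BTI note`. The identical block in share/mk/bsd.prog.mk needs the same comment.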
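Review bot: The gate added in the second share/mk/bsd.opts.mk hunk tests `${MACHINE} != "arm64"`, while the linker flag in bsd.lib.mk and bsd.prog.mk tests `${MACHINE_ARCH} == "aarch64"`, and the `CFLAGS+= -mbranch-protection=standard` line relies on this gate alone. If a build can have MACHINE set to arm64 with a different MACHINE_ARCH (the inner check suggests it can), the compiler flag is still passed to that target. It would be clearer to use one test for both, or to add a comment above this `.if` such as `# arm64 only; bsd.lib.mk and bsd.prog.mk add the actual flags`.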
diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk --- a/share/mk/bsd.prog.mk +++ b/share/mk/bsd.prog.mk @@ -69,6 +69,12 @@ .endif # LLD sensibly defaults to -znoexecstack, so do the same for BFD LDFLAGS.bfd+= -Wl,-znoexecstack +.if ${MK_BRANCH_PROTECTION} != "no" +CFLAGS+= -mbranch-protection=standard +.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR) +LDFLAGS+= -Wl,-zbti-report=error +.endif +.endif # Initialize stack variables on function entry .if ${OPT_INIT_ALL} != "none" diff --git a/stand/Makefile.inc b/stand/Makefile.inc --- a/stand/Makefile.inc +++ b/stand/Makefile.inc @@ -1,4 +1,7 @@ SUBDIR_PARALLEL= yes +# Firmware may not be able to handle branch protection failures +MK_BRANCH_PROTECTION= no + .include "defs.mk"