authorvisa <visa@openbsd.org>2017-06-08 11:47:24 +0000
committervisa <visa@openbsd.org>2017-06-08 11:47:24 +0000
commita6a40f7b8a0a2f6821bbe92b3c7ef0f679da1498 (patch)
treedc4a5721ad669a71a5a344fa1b22c1f4e7788e68
parentInvoke openssl with -passin file rather than -key in ca_revoke(). (diff)
Split early startup code out of locore.S into locore0.S. Adjust link
run so that this locore0.o is always at the start of the executable. But randomize the link order of all other .o files in the kernel, so that their exec/rodata/data/bss segments land all over the place. Late during kernel boot, smash the startup code with traps so that it does not point to the other randomly placed code. It has to be smashed, because sgi runs in the kseg0 or xkphys space. As a result, the internal layout of every newly built bsd kernel is different from past kernels. Internal relative offsets are not known to an outside attacker. Ramdisk kernels cannot be compiled like this, because they are gzip'd. When the internal pointer references change, the compression dictionary bloats and results in poorer compression.
-rw-r--r--sys/arch/sgi/conf/Makefile.sgi27
-rw-r--r--sys/arch/sgi/conf/files.sgi3
-rw-r--r--sys/arch/sgi/sgi/autoconf.c15
-rw-r--r--sys/arch/sgi/sgi/locore.S21
-rw-r--r--sys/arch/sgi/sgi/locore0.S54
5 files changed, 95 insertions, 25 deletions
diff --git a/sys/arch/sgi/conf/Makefile.sgi b/sys/arch/sgi/conf/Makefile.sgi
index aebfb5e074e..99b7f828fc8 100644
--- a/sys/arch/sgi/conf/Makefile.sgi
+++ b/sys/arch/sgi/conf/Makefile.sgi
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.sgi,v 1.80 2017/06/05 12:43:59 deraadt Exp $
+# $OpenBSD: Makefile.sgi,v 1.81 2017/06/08 11:47:24 visa Exp $
# For instructions on building kernels consult the config(8) and options(4)
# manual pages.
@@ -36,9 +36,13 @@ CWARNFLAGS= -Werror -Wall -Wimplicit-function-declaration \
CMACHFLAGS= -mno-abicalls ${ABI} -msoft-float -G 0
CMACHFLAGS+= -ffreestanding ${NOPIE_FLAGS}
+SORTR= sort -R
.if ${IDENT:M-DNO_PROPOLICE}
CMACHFLAGS+= -fno-stack-protector
.endif
+.if ${IDENT:M-DSMALL_KERNEL}
+SORTR= cat
+.endif
DEBUG?= -g
COPTS?= -O2
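Review bot: The `SORTR= cat` override under `SMALL_KERNEL` carries no comment, so a reader of the Makefile cannot tell why ramdisk kernels are exempt from the randomized link order; the reason is only in the commit message. A one-line comment above the `.if` would do: `# SMALL_KERNEL (bsd.rd) is gzip'd; a random link order bloats the compression dictionary.` The strength of the randomization rests entirely on the random source behind `sort -R`, which this hunk cannot show; if a non-OpenBSD sort could ever be used for this build, that assumption is worth noting next to `SORTR= sort -R`.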
@@ -72,13 +76,14 @@ NORMAL_S= ${CC} ${AFLAGS} ${CPPFLAGS} -c $<
# ${SYSTEM_LD_HEAD}
# ${SYSTEM_LD} swapxxx.o
# ${SYSTEM_LD_TAIL}
-SYSTEM_HEAD= locore.o param.o ioconf.o
-SYSTEM_OBJ= ${SYSTEM_HEAD} ${OBJS}
+SYSTEM_HEAD= locore0.o gap.o
+SYSTEM_OBJ= ${SYSTEM_HEAD} ${OBJS} param.o ioconf.o
SYSTEM_DEP= Makefile ${SYSTEM_OBJ} ld.script
SYSTEM_LD_HEAD= @rm -f $@
SYSTEM_LD= @echo ${LD} ${LINKFLAGS} -o $@ '$${SYSTEM_HEAD} vers.o $${OBJS}'; \
umask 007; \
- ${LD} ${LINKFLAGS} -o $@ ${SYSTEM_HEAD} vers.o ${OBJS}
+ echo ${OBJS} param.o ioconf.o vers.o | tr " " "\n" | ${SORTR} > lorder; \
+ ${LD} ${LINKFLAGS} -o $@ ${SYSTEM_HEAD} `cat lorder`
SYSTEM_LD_TAIL= @${SIZE} $@
.if ${DEBUG} == "-g"
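Review bot: The `@echo` on the first line of SYSTEM_LD still prints `$${SYSTEM_HEAD} vers.o $${OBJS}`, but the link now consumes `cat lorder`, so the build log no longer shows the real, randomized link order, which is exactly what one needs when reproducing or debugging a layout-specific failure. Either echo the command actually run after the sort, `${LD} ${LINKFLAGS} -o $@ ${SYSTEM_HEAD} \`cat lorder\``, or add `cat lorder` to the echoed output. The `lorder` file itself is a build artifact that records this kernel's layout; it is created under the same `umask 007` as the kernel, which seems appropriate, but a comment saying it is kept deliberately (and cleaned by `clean`) would make that intent explicit.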
@@ -125,8 +130,15 @@ vers.o: ${SYSTEM_DEP} ${SYSTEM_SWAP_DEP}
sh $S/conf/newvers.sh
${CC} ${CFLAGS} ${CPPFLAGS} ${PROF} -c vers.c
+gap.S: ${SYSTEM_SWAP_DEP} Makefile $S/conf/makegap.sh
+ umask 007; sh $S/conf/makegap.sh 0xef > gap.S
+
+gap.o: gap.S
+ umask 007; ${CC} ${AFLAGS} ${CPPFLAGS} ${PROF} -c gap.S
+
clean:
- rm -f *bsd *bsd.gdb *.[dio] [a-z]*.s assym.* ${DB_STRUCTINFO} param.c
+ rm -f *bsd *bsd.gdb *.[dio] [a-z]*.s assym.* ${DB_STRUCTINFO} \
+ gap.S lorder param.c
cleandir: clean
rm -f Makefile *.h ioconf.c options machine ${_mach} vers.c
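Review bot: The fill value `0xef` passed to makegap.sh on the `gap.S` rule is a bare magic constant; what it decodes to on MIPS, and whether a control-flow landing inside the gap traps the way the smashed startup code does, is not visible from this diff (makegap.sh is not part of it). A comment on the rule would help the next reader, e.g. `# 0xef: fill byte for the gap object linked right after locore0.o (see $S/conf/makegap.sh)`. If the gap is meant to be non-executable filler rather than a trap pattern, say so, since I cannot confirm from here that 0xefefefef is a trapping MIPS encoding.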
@@ -142,9 +154,10 @@ db_structinfo.h: $S/ddb/db_structinfo.c $S/ddb/parse_structinfo.pl
objdump -g db_structinfo.o | perl $S/ddb/parse_structinfo.pl > $@
rm -f db_structinfo.o
-locore.o: ${_machdir}/${_mach}/locore.S assym.h
+locore0.o: ${_machdir}/${_mach}/locore0.S assym.h
context.o cp0access.o exception.o exception_tfp.o: assym.h
-lcore_access.o lcore_ddb.o lcore_float.o tlb_tfp.o tlbhandler.o: assym.h
+lcore_access.o lcore_ddb.o lcore_float.o locore.o: assym.h
+tlb_tfp.o tlbhandler.o: assym.h
cache_tfp_subr.o ip30_nmi.o: assym.h
# The install target can be redefined by putting a
diff --git a/sys/arch/sgi/conf/files.sgi b/sys/arch/sgi/conf/files.sgi
index d7d9863987c..d07bd820d87 100644
--- a/sys/arch/sgi/conf/files.sgi
+++ b/sys/arch/sgi/conf/files.sgi
@@ -1,4 +1,4 @@
-# $OpenBSD: files.sgi,v 1.55 2016/01/08 15:54:13 jcs Exp $
+# $OpenBSD: files.sgi,v 1.56 2017/06/08 11:47:24 visa Exp $
#
# maxpartitions must be first item in files.${ARCH}
#
@@ -20,6 +20,7 @@ file arch/sgi/sgi/ip30_machdep.c tgt_octane
file arch/sgi/sgi/ip30_nmi.S tgt_octane & ddb
file arch/sgi/sgi/ip32_machdep.c tgt_o2
file arch/sgi/sgi/l1.c tgt_origin
+file arch/sgi/sgi/locore.S
file arch/sgi/sgi/machdep.c
file arch/sgi/sgi/mainbus.c
file arch/sgi/sgi/sginode.c tgt_origin
diff --git a/sys/arch/sgi/sgi/autoconf.c b/sys/arch/sgi/sgi/autoconf.c
index 215985a9ed8..4120664448a 100644
--- a/sys/arch/sgi/sgi/autoconf.c
+++ b/sys/arch/sgi/sgi/autoconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: autoconf.c,v 1.40 2015/01/02 22:38:46 sebastia Exp $ */
+/* $OpenBSD: autoconf.c,v 1.41 2017/06/08 11:47:25 visa Exp $ */
/*
* Copyright (c) 2009, 2010 Miodrag Vallat.
*
@@ -129,6 +129,17 @@ int16_t currentnasid = 0;
char osloadpartition[256];
char osloadoptions[129];
+void
+unmap_startup(void)
+{
+ extern uint32_t kernel_text[], endboot[];
+ uint32_t *word = kernel_text;
+
+ /* Cannot unmap kseg0 or xkphys; smash with trap. */
+ while (word < endboot)
+ *word++ = 0x00000034u; /* TEQ zero, zero */
+}
+
/*
* Configure all devices found that we know about.
* This is done at boot time.
@@ -144,6 +155,8 @@ cpu_configure(void)
panic("no mainbus found");
}
+ unmap_startup();
+
splinit(); /* Initialized, fire up interrupt system */
cold = 0;
}
diff --git a/sys/arch/sgi/sgi/locore.S b/sys/arch/sgi/sgi/locore.S
index 96a094b42bd..46b3109d771 100644
--- a/sys/arch/sgi/sgi/locore.S
+++ b/sys/arch/sgi/sgi/locore.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: locore.S,v 1.17 2015/12/25 09:02:57 visa Exp $ */
+/* $OpenBSD: locore.S,v 1.18 2017/06/08 11:47:25 visa Exp $ */
/*
* Copyright (c) 2001-2004 Opsycon AB (www.opsycon.se / www.opsycon.com)
@@ -40,21 +40,9 @@
.set mips3
.set noreorder # Noreorder is default style!
- .globl start
- .globl kernel_text
-kernel_text = start
-start:
- /*
- * On at least the O2, when netbooting the bsd.rd kernel, the
- * kernel image gets loaded in CKSEG1, which causes the kernel
- * text to be uncached. Just to be on the safe side, jump to
- * our intended execution address.
- */
- LA v0, 1f
- jr v0
- NOP
-1:
-
+ .globl locore_start
+ .ent locore_start, 0
+locore_start:
MFC0 v0, COP_0_STATUS_REG
LI v1, ~SR_INT_ENAB
and v0, v1
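Review bot: `locore_start` is a new global entry point with no comment saying how it is reached; the CKSEG1 re-jump that used to precede this code was moved to locore0.S, so a reader of this file no longer sees any `start` label. A short comment at `locore_start:` would restore that context, e.g. `/* Entered via "j locore_start" from start in locore0.S, which is smashed with traps late in boot. */`. The body of locore_start continues past this hunk.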
@@ -75,6 +63,7 @@ start:
jal main # main(regs)
move a0, zero
PANIC("Startup failed!")
+ .end locore_start
#if defined(MULTIPROCESSOR)
LEAF(hw_cpu_spinup_trampoline, 0)
diff --git a/sys/arch/sgi/sgi/locore0.S b/sys/arch/sgi/sgi/locore0.S
new file mode 100644
index 00000000000..af2af43deb3
--- /dev/null
+++ b/sys/arch/sgi/sgi/locore0.S
@@ -0,0 +1,54 @@
+/* $OpenBSD: locore0.S,v 1.1 2017/06/08 11:47:25 visa Exp $ */
+
+/*
+ * Copyright (c) 2001-2004 Opsycon AB (www.opsycon.se / www.opsycon.com)
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include <machine/param.h>
+#include <machine/asm.h>
+
+#include "assym.h"
+
+ .set mips3
+ .set noreorder # Noreorder is default style!
+
+ .globl kernel_text
+ .globl start
+ .ent start, 0
+kernel_text = start
+start:
+ /*
+ * On at least the O2, when netbooting the bsd.rd kernel, the
+ * kernel image gets loaded in CKSEG1, which causes the kernel
+ * text to be uncached. Just to be on the safe side, jump to
+ * our intended execution address.
+ */
+ LA v0, 1f
+ jr v0
+ NOP
+1:
+ j locore_start
+ NOP
+ .end start
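Review bot: `j locore_start` at the end of start encodes a 28-bit absolute target, so it silently assumes that locore.o, which is now placed at a random position after locore0.o, still lands in the same 256 MB region as this instruction; a register jump removes that assumption and matches the pattern used two instructions earlier for `1f`: `LA v0, locore_start` / `jr v0` / `NOP`. Since unmap_startup() overwrites everything between kernel_text and endboot with traps once the kernel is up, a header comment should state that invariant so nothing that must survive boot is ever added to this file, e.g. `/* Early entry only: this object is smashed with traps by unmap_startup() late in boot; put nothing here that is needed afterwards. */`.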