Address fips hash using adrp instead of adr to increase reach (aws#2053)

Extends aws#1332 to FIPS integrity hash.
samuel40791765 · Dec 11, 2024 · c21a05c · c21a05c
1 parent 1be42a3
commit c21a05c
Show file tree

Hide file tree

Showing 18 changed files with 545 additions and 536 deletions.
diff --git a/util/fipstools/delocate/delocate.go b/util/fipstools/delocate/delocate.go
@@ -1959,8 +1959,24 @@ func transform(w stringWriter, includes []string, inputs []inputFile, startEndDe
 		w.WriteString(fmt.Sprintf(".file %d \"inserted_by_delocate.c\"%s\n", maxObservedFileNumber+1, fileTrailing))
 		w.WriteString(fmt.Sprintf(".loc %d 1 0\n", maxObservedFileNumber+1))
 	}
+
+	if d.processor == aarch64 {
+		// Grab the address of BORINGSSL_bcm_text_hash via a relocation
+		// from a redirector function. For this to work, need to add the markers
+		// to the symbol table.
+		w.WriteString(".global BORINGSSL_bcm_text_hash\n")
+		w.WriteString(".type BORINGSSL_bcm_text_hash, @function\n")
+ 	} else {
+		w.WriteString(".type BORINGSSL_bcm_text_hash, @object\n")
+		w.WriteString(".size BORINGSSL_bcm_text_hash, 32\n")
+ 	}
+	w.WriteString("BORINGSSL_bcm_text_hash:\n")
+	for _, b := range fipscommon.UninitHashValue {
+		w.WriteString(".byte 0x" + strconv.FormatUint(uint64(b), 16) + "\n")
+	}
+
 	if d.processor == aarch64 {
-		// Grab the address of BORINGSSL_bcm_test_[start,end] via a relocation
+		// Grab the address of BORINGSSL_bcm_text_[start,end] via a relocation
 		// from a redirector function. For this to work, need to add the markers
 		// to the symbol table.
 		w.WriteString(fmt.Sprintf(".global BORINGSSL_bcm_text_start\n"))
@@ -2139,13 +2155,6 @@ func transform(w stringWriter, includes []string, inputs []inputFile, startEndDe
 		}
 	}
 
-	w.WriteString(".type BORINGSSL_bcm_text_hash, @object\n")
-	w.WriteString(".size BORINGSSL_bcm_text_hash, 32\n")
-	w.WriteString("BORINGSSL_bcm_text_hash:\n")
-	for _, b := range fipscommon.UninitHashValue {
-		w.WriteString(".byte 0x" + strconv.FormatUint(uint64(b), 16) + "\n")
-	}
-
 	return nil
 }
 
@@ -2417,8 +2426,7 @@ func localEntryName(name string) string {
 
 func isSynthesized(symbol string, processor processorType) bool {
 	SymbolisSynthesized := strings.HasSuffix(symbol, "_bss_get") ||
-		symbol == "OPENSSL_ia32cap_get" ||
-		symbol == "BORINGSSL_bcm_text_hash"
+		symbol == "OPENSSL_ia32cap_get"
 
 	// While BORINGSSL_bcm_text_[start,end] are known symbols, on aarch64 we go
 	// through the GOT because adr doesn't have adequate reach.
@@ -2431,7 +2439,8 @@ func isSynthesized(symbol string, processor processorType) bool {
 
 func isFipsScopeMarkers(symbol string) bool {
 	return symbol == "BORINGSSL_bcm_text_start" ||
-		symbol == "BORINGSSL_bcm_text_end"
+		symbol == "BORINGSSL_bcm_text_end" ||
+		symbol == "BORINGSSL_bcm_text_hash"
 }
 
 func redirectorName(symbol string) string {

diff --git a/util/fipstools/delocate/testdata/aarch64-Basic/out.s b/util/fipstools/delocate/testdata/aarch64-Basic/out.s
@@ -1,6 +1,41 @@
 .text
 .file 1 "inserted_by_delocate.c"
 .loc 1 1 0
+.global BORINGSSL_bcm_text_hash
+.type BORINGSSL_bcm_text_hash, @function
+BORINGSSL_bcm_text_hash:
+.byte 0xae
+.byte 0x2c
+.byte 0xea
+.byte 0x2a
+.byte 0xbd
+.byte 0xa6
+.byte 0xf3
+.byte 0xec
+.byte 0x97
+.byte 0x7f
+.byte 0x9b
+.byte 0xf6
+.byte 0x94
+.byte 0x9a
+.byte 0xfc
+.byte 0x83
+.byte 0x68
+.byte 0x27
+.byte 0xcb
+.byte 0xa0
+.byte 0xa0
+.byte 0x9f
+.byte 0x6b
+.byte 0x6f
+.byte 0xde
+.byte 0x52
+.byte 0xcd
+.byte 0xe2
+.byte 0xcd
+.byte 0xff
+.byte 0x31
+.byte 0x80
 .global BORINGSSL_bcm_text_start
 .type BORINGSSL_bcm_text_start, @function
 BORINGSSL_bcm_text_start:
@@ -261,38 +296,3 @@ bss_symbol_bss_get:
 	ret
 .cfi_endproc
 .size .LOPENSSL_armcap_P_addr, .-.LOPENSSL_armcap_P_addr
-.type BORINGSSL_bcm_text_hash, @object
-.size BORINGSSL_bcm_text_hash, 32
-BORINGSSL_bcm_text_hash:
-.byte 0xae
-.byte 0x2c
-.byte 0xea
-.byte 0x2a
-.byte 0xbd
-.byte 0xa6
-.byte 0xf3
-.byte 0xec
-.byte 0x97
-.byte 0x7f
-.byte 0x9b
-.byte 0xf6
-.byte 0x94
-.byte 0x9a
-.byte 0xfc
-.byte 0x83
-.byte 0x68
-.byte 0x27
-.byte 0xcb
-.byte 0xa0
-.byte 0xa0
-.byte 0x9f
-.byte 0x6b
-.byte 0x6f
-.byte 0xde
-.byte 0x52
-.byte 0xcd
-.byte 0xe2
-.byte 0xcd
-.byte 0xff
-.byte 0x31
-.byte 0x80
diff --git a/util/fipstools/delocate/testdata/generic-FileDirectives-no-start-end/out.s b/util/fipstools/delocate/testdata/generic-FileDirectives-no-start-end/out.s
@@ -1,19 +1,4 @@
 .text
-BORINGSSL_bcm_text_start:
-.file 10 "some/path/file.c" "file.c"
-.file 1000 "some/path/file2.c" "file2.c"
-.file 1001 "some/path/file_with_md5.c" "other_name.c" md5 0x5eba7844df6449a7f2fff1556fe7ba8d239f8e2f
-
-# An instruction is needed to satisfy the architecture auto-detection.
-        movq %rax, %rbx
-.text
-BORINGSSL_bcm_text_end:
-.type OPENSSL_ia32cap_get, @function
-.globl OPENSSL_ia32cap_get
-.LOPENSSL_ia32cap_get_local_target:
-OPENSSL_ia32cap_get:
-	leaq OPENSSL_ia32cap_P(%rip), %rax
-	ret
 .type BORINGSSL_bcm_text_hash, @object
 .size BORINGSSL_bcm_text_hash, 32
 BORINGSSL_bcm_text_hash:
@@ -49,3 +34,18 @@ BORINGSSL_bcm_text_hash:
 .byte 0xff
 .byte 0x31
 .byte 0x80
+BORINGSSL_bcm_text_start:
+.file 10 "some/path/file.c" "file.c"
+.file 1000 "some/path/file2.c" "file2.c"
+.file 1001 "some/path/file_with_md5.c" "other_name.c" md5 0x5eba7844df6449a7f2fff1556fe7ba8d239f8e2f
+
+# An instruction is needed to satisfy the architecture auto-detection.
+        movq %rax, %rbx
+.text
+BORINGSSL_bcm_text_end:
+.type OPENSSL_ia32cap_get, @function
+.globl OPENSSL_ia32cap_get
+.LOPENSSL_ia32cap_get_local_target:
+OPENSSL_ia32cap_get:
+	leaq OPENSSL_ia32cap_P(%rip), %rax
+	ret
diff --git a/util/fipstools/delocate/testdata/generic-FileDirectives/out.s b/util/fipstools/delocate/testdata/generic-FileDirectives/out.s
@@ -1,22 +1,6 @@
 .text
 .file 1002 "inserted_by_delocate.c" md5 0x00000000000000000000000000000000
 .loc 1002 1 0
-BORINGSSL_bcm_text_start:
-.file 10 "some/path/file.c" "file.c"
-.file 1000 "some/path/file2.c" "file2.c"
-.file 1001 "some/path/file_with_md5.c" "other_name.c" md5 0x5eba7844df6449a7f2fff1556fe7ba8d239f8e2f
-
-# An instruction is needed to satisfy the architecture auto-detection.
-        movq %rax, %rbx
-.text
-.loc 1002 2 0
-BORINGSSL_bcm_text_end:
-.type OPENSSL_ia32cap_get, @function
-.globl OPENSSL_ia32cap_get
-.LOPENSSL_ia32cap_get_local_target:
-OPENSSL_ia32cap_get:
-	leaq OPENSSL_ia32cap_P(%rip), %rax
-	ret
 .type BORINGSSL_bcm_text_hash, @object
 .size BORINGSSL_bcm_text_hash, 32
 BORINGSSL_bcm_text_hash:
@@ -52,3 +36,19 @@ BORINGSSL_bcm_text_hash:
 .byte 0xff
 .byte 0x31
 .byte 0x80
+BORINGSSL_bcm_text_start:
+.file 10 "some/path/file.c" "file.c"
+.file 1000 "some/path/file2.c" "file2.c"
+.file 1001 "some/path/file_with_md5.c" "other_name.c" md5 0x5eba7844df6449a7f2fff1556fe7ba8d239f8e2f
+
+# An instruction is needed to satisfy the architecture auto-detection.
+        movq %rax, %rbx
+.text
+.loc 1002 2 0
+BORINGSSL_bcm_text_end:
+.type OPENSSL_ia32cap_get, @function
+.globl OPENSSL_ia32cap_get
+.LOPENSSL_ia32cap_get_local_target:
+OPENSSL_ia32cap_get:
+	leaq OPENSSL_ia32cap_P(%rip), %rax
+	ret
diff --git a/util/fipstools/delocate/testdata/generic-Includes/out.s b/util/fipstools/delocate/testdata/generic-Includes/out.s
@@ -3,22 +3,6 @@
 .text
 .file 1002 "inserted_by_delocate.c" md5 0x00000000000000000000000000000000
 .loc 1002 1 0
-BORINGSSL_bcm_text_start:
-.file 10 "some/path/file.c" "file.c"
-.file 1000 "some/path/file2.c" "file2.c"
-.file 1001 "some/path/file_with_md5.c" "other_name.c" md5 0x5eba7844df6449a7f2fff1556fe7ba8d239f8e2f
-
-# An instruction is needed to satisfy the architecture auto-detection.
-        movq %rax, %rbx
-.text
-.loc 1002 2 0
-BORINGSSL_bcm_text_end:
-.type OPENSSL_ia32cap_get, @function
-.globl OPENSSL_ia32cap_get
-.LOPENSSL_ia32cap_get_local_target:
-OPENSSL_ia32cap_get:
-	leaq OPENSSL_ia32cap_P(%rip), %rax
-	ret
 .type BORINGSSL_bcm_text_hash, @object
 .size BORINGSSL_bcm_text_hash, 32
 BORINGSSL_bcm_text_hash:
@@ -54,3 +38,19 @@ BORINGSSL_bcm_text_hash:
 .byte 0xff
 .byte 0x31
 .byte 0x80
+BORINGSSL_bcm_text_start:
+.file 10 "some/path/file.c" "file.c"
+.file 1000 "some/path/file2.c" "file2.c"
+.file 1001 "some/path/file_with_md5.c" "other_name.c" md5 0x5eba7844df6449a7f2fff1556fe7ba8d239f8e2f
+
+# An instruction is needed to satisfy the architecture auto-detection.
+        movq %rax, %rbx
+.text
+.loc 1002 2 0
+BORINGSSL_bcm_text_end:
+.type OPENSSL_ia32cap_get, @function
+.globl OPENSSL_ia32cap_get
+.LOPENSSL_ia32cap_get_local_target:
+OPENSSL_ia32cap_get:
+	leaq OPENSSL_ia32cap_P(%rip), %rax
+	ret
diff --git a/util/fipstools/delocate/testdata/ppc64le-GlobalEntry/out.s b/util/fipstools/delocate/testdata/ppc64le-GlobalEntry/out.s
@@ -1,30 +1,6 @@
 .text
 .file 1 "inserted_by_delocate.c"
 .loc 1 1 0
-BORINGSSL_bcm_text_start:
-	.text
-.Lfoo_local_target:
-foo:
-.LCF0:
-
-0:
-
-999:
-	addis 2, 12, .LBORINGSSL_external_toc-999b@ha
-	addi 2, 2, .LBORINGSSL_external_toc-999b@l
-	ld 12, 0(2)
-	add 2, 2, 12
-# WAS addi 2,2,.TOC.-.LCF0@l
-	.localentry foo,.-foo
-.Lfoo_local_entry:
-.LVL0:
-
-	bl
-.text
-.loc 1 2 0
-BORINGSSL_bcm_text_end:
-.LBORINGSSL_external_toc:
-.quad .TOC.-.LBORINGSSL_external_toc
 .type BORINGSSL_bcm_text_hash, @object
 .size BORINGSSL_bcm_text_hash, 32
 BORINGSSL_bcm_text_hash:
@@ -60,3 +36,27 @@ BORINGSSL_bcm_text_hash:
 .byte 0xff
 .byte 0x31
 .byte 0x80
+BORINGSSL_bcm_text_start:
+	.text
+.Lfoo_local_target:
+foo:
+.LCF0:
+
+0:
+
+999:
+	addis 2, 12, .LBORINGSSL_external_toc-999b@ha
+	addi 2, 2, .LBORINGSSL_external_toc-999b@l
+	ld 12, 0(2)
+	add 2, 2, 12
+# WAS addi 2,2,.TOC.-.LCF0@l
+	.localentry foo,.-foo
+.Lfoo_local_entry:
+.LVL0:
+
+	bl
+.text
+.loc 1 2 0
+BORINGSSL_bcm_text_end:
+.LBORINGSSL_external_toc:
+.quad .TOC.-.LBORINGSSL_external_toc