cmd/link,debug/elf: mark Go binaries with no branch target CFI on openbsd

OpenBSD enables Indirect Branch Tracking (IBT) on amd64 and Branch Target Identification (BTI) on arm64, where hardware permits. Since Go generated binaries do not currently support IBT or BTI, temporarily mark them with PT_OPENBSD_NOBTCFI which prevents branch target CFI from being enforced on execution. This should be removed as soon asn IBT and BTI support are available. Fixes #66040 Updates #66054 Change-Id: I91ac05736e6942c54502bef4b8815eb8740d2d5e Reviewed-on: https://go-review.googlesource.com/c/go/+/568435 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Josh Rickmar <jrick@zettaport.com> Reviewed-by: Keith Randall <khr@golang.org> Run-TryBot: Joel Sing <joel@sing.id.au> Reviewed-by: Keith Randall <khr@google.com> Reviewed-by: Than McIntosh <thanm@google.com>
2024-09-23 11:20:17 -06:00 · 2024-02-21 23:29:12 +11:00 · 2024-02-21 23:29:12 +11:00 · 1e433915ce
commit 1e433915ce
parent 47d4295f92
5 changed files with 15 additions and 0 deletions
--- a/api/next/66054.txt
+++ b/api/next/66054.txt
@ -0,0 +1,2 @@
+pkg debug/elf, const PT_OPENBSD_NOBTCFI = 1705237480 #66054
+pkg debug/elf, const PT_OPENBSD_NOBTCFI ProgType #66054
--- a/doc/next/6-stdlib/99-minor/debug/elf/66054.md
+++ b/doc/next/6-stdlib/99-minor/debug/elf/66054.md
@ -0,0 +1,3 @@
+The debug/elf package now defines PT_OPENBSD_NOBTCFI. This elf.ProgType is
+used to disable Branch Tracking Control Flow Integrity (BTCFI) enforcement
+on OpenBSD binaries.
--- a/src/cmd/link/internal/ld/elf.go
+++ b/src/cmd/link/internal/ld/elf.go
@ -2185,6 +2185,10 @@ func asmbElf(ctxt *Link) {
 		ph.Type = elf.PT_GNU_STACK
 		ph.Flags = elf.PF_W + elf.PF_R
 		ph.Align = uint64(ctxt.Arch.RegSize)
+	} else if ctxt.HeadType == objabi.Hopenbsd {
+		ph := newElfPhdr()
+		ph.Type = elf.PT_OPENBSD_NOBTCFI
+		ph.Flags = elf.PF_X
 	} else if ctxt.HeadType == objabi.Hsolaris {
 		ph := newElfPhdr()
 		ph.Type = elf.PT_SUNWSTACK
--- a/src/cmd/link/internal/ld/lib.go
+++ b/src/cmd/link/internal/ld/lib.go
@ -1437,6 +1437,11 @@ func (ctxt *Link) hostlink() {
 		}
 	case objabi.Hopenbsd:
 		argv = append(argv, "-Wl,-nopie")
+		if linkerFlagSupported(ctxt.Arch, argv[0], "", "-Wl,-z,nobtcfi") {
+			// -Wl,-z,nobtcfi is only supported on OpenBSD 7.4+, remove guard
+			// when OpenBSD 7.5 is released and 7.3 is no longer supported.
+			argv = append(argv, "-Wl,-z,nobtcfi")
+		}
 		argv = append(argv, "-pthread")
 		if ctxt.Arch.InFamily(sys.ARM64) {
 			// Disable execute-only on openbsd/arm64 - the Go arm64 assembler
--- a/src/debug/elf/elf.go
+++ b/src/debug/elf/elf.go
@ -773,6 +773,7 @@ const (

 	PT_OPENBSD_RANDOMIZE ProgType = 0x65a3dbe6 /* Random data */
 	PT_OPENBSD_WXNEEDED  ProgType = 0x65a3dbe7 /* W^X violations */
+	PT_OPENBSD_NOBTCFI   ProgType = 0x65a3dbe8 /* No branch target CFI */
 	PT_OPENBSD_BOOTDATA  ProgType = 0x65a41be6 /* Boot arguments */

 	PT_SUNW_EH_FRAME ProgType = 0x6474e550 /* Frame unwind information */