File _service:obs_scm:backport-rng-tools-6.17-intel-cet-ibt-instrumentation.patch of Package rng-tools
From 33a6f962cd9a03a2741017a6b8eb5cd75a2ca13b Mon Sep 17 00:00:00 2001 From: Vladis Dronov <vdronov@redhat.com> Date: Mon, 17 Jun 2024 20:34:31 +0200 Subject: [PATCH] Add Intel CET IBT instrumentation to assembly code Add endbr64/endbr32 instruction to a function prologue. This enables IBT (Indirect Branch Tracking) feature of the Intel CET (Control-flow Enforcement Technology). All the calls and jumps in this assembly code are direct. Only functions can potentially be called indirectly. So adjusting a function prologue is enough. Add a section to indicate that this code supports IBT to linkers and security analysers. --- rdrand_asm.S | 55 +++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 50 insertions(+), 5 deletions(-) diff --git a/rdrand_asm.S b/rdrand_asm.S index 7811cf2..d84433d 100644 --- a/rdrand_asm.S +++ b/rdrand_asm.S @@ -19,10 +19,27 @@ * */ -#define ENTRY(x) \ - .balign 64 ; \ - .globl x ; \ -x: +/* Add Intel CET IBT instrumentation */ +#if defined __CET__ && (__CET__ & 1) +#ifdef __x86_64__ + #define ENTRY(x) \ + .balign 64 ; \ + .globl x ; \ + x: \ + endbr64 +#elif defined(__i386__) + #define ENTRY(x) \ + .balign 64 ; \ + .globl x ; \ + x: \ + endbr32 +#endif /* __x86_64__ */ +#else /* __CET__ */ + #define ENTRY(x) \ + .balign 64 ; \ + .globl x ; \ + x: +#endif /* __CET__ */ #define ENDPROC(x) \ .size x, .-x ; \ 
@@ -374,8 +391,36 @@ aes_round_keys: .space 11*16 .size aes_round_keys, .-aes_round_keys +/* + * This is necessary to inform a linker that this code has IBT (Indirect + * Branch Tracking) feature of the Intel CET (Control-flow Enforcement + * Technology) enabled. + * See: https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fcf-protection + */ +#if defined __CET__ && (__CET__ & 1) + .section .note.gnu.property,"a" + .align 8 + .long 1f - 0f /* name length */ + .long 4f - 1f /* data length */ + /* NT_GNU_PROPERTY_TYPE_0 */ + .long 5 /* note type */ +0: + .string "GNU" /* vendor name */ +1: + .align 8 + /* GNU_PROPERTY_X86_FEATURE_1_AND */ + .long 0xc0000002 /* pr_type */ + .long 3f - 2f /* pr_datasz */ +2: + /* GNU_PROPERTY_X86_FEATURE_1_XXX */ + .long 0x3 +3: + .align 8 +4: +#endif + /* * This is necessary to keep the whole executable * from needing a writable stack. */ - .section .note.GNU-stack,"",%progbits + .section .note.GNU-stack,"",%progbits
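Review bot: In the first hunk (the ENTRY macro in rdrand_asm.S), the inner `#ifdef __x86_64__` / `#elif defined(__i386__)` chain has no `#else`, so when `__CET__ & 1` is set and neither architecture macro is defined, ENTRY is never defined and the failure only shows up later as an assembler error at its first use. Add an `#else` with an `#error`, or define one landing-pad macro (endbr64, endbr32, or empty) and keep a single ENTRY definition that expands it after `x:`. That also removes the three copies of the `.balign 64` / `.globl x` body. GCC's `<cet.h>` already provides `_CET_ENDBR` for exactly this use in assembly sources.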
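Review bot: In the second hunk (the `.note.gnu.property` section), the feature word is hard-coded as `.long 0x3`, which sets both the IBT bit (0x1) and the SHSTK bit (0x2), while the guard tests only `__CET__ & 1` and the comment and commit message speak only of IBT. A build with branch protection alone would still mark this object as shadow-stack compatible, and a build with return protection alone would emit no note at all. Either guard on `#ifdef __CET__` and emit `.long (__CET__ & 3)`, or say in the comment why advertising SHSTK is always correct for this file. Separately, `.align 8` is used unconditionally although the ENTRY macro also handles `__i386__`, and 32-bit ELF property notes use 4-byte alignment.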