2 files changed, 62 insertions, 7 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/bti.patch b/meta/recipes-connectivity/openssl/openssl/bti.patch
new file mode 100644
index 0000000000..748576c30c
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/bti.patch
@@ -0,0 +1,58 @@
+From ba8a599395f8b770c76316b5f5b0f3838567014f Mon Sep 17 00:00:00 2001
+From: Tom Cosgrove <tom.cosgrove@arm.com>
+Date: Tue, 26 Mar 2024 13:18:00 +0000
+Subject: [PATCH] aarch64: fix BTI in bsaes assembly code
+In Arm systems where BTI is enabled but the Crypto extensions are not (more
+likely in FVPs than in real hardware), the bit-sliced assembler code will
+be used. However, this wasn't annotated with BTI instructions when BTI was
+enabled, so the moment libssl jumps into this code it (correctly) aborts.
+Solve this by adding the missing BTI landing pads.
+Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/23982]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ crypto/aes/asm/bsaes-armv8.pl | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl
+index b3c97e439f..c3c5ff3e05 100644
+--- a/crypto/aes/asm/bsaes-armv8.pl
+++ b/crypto/aes/asm/bsaes-armv8.pl
+@@ -1018,6 +1018,7 @@ _bsaes_key_convert:
+ //   Initialisation vector overwritten with last quadword of ciphertext
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_cbc_encrypt:
+        AARCH64_VALID_CALL_TARGET
+         cmp     x2, #128
+         bhs     .Lcbc_do_bsaes
+         b       AES_cbc_encrypt
+@@ -1270,7 +1271,7 @@ ossl_bsaes_cbc_encrypt:
+ //   Output text filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_ctr32_encrypt_blocks:
+-
+        AARCH64_VALID_CALL_TARGET
+         cmp     x2, #8                      // use plain AES for
+         blo     .Lctr_enc_short             // small sizes
+ 
+@@ -1476,6 +1477,7 @@ ossl_bsaes_ctr32_encrypt_blocks:
+ //   Output ciphertext filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_xts_encrypt:
+        AARCH64_VALID_CALL_TARGET
+         // Stack layout:
+         // sp ->
+         //        nrounds*128-96 bytes: key schedule
+@@ -1921,6 +1923,7 @@ ossl_bsaes_xts_encrypt:
+ //   Output plaintext filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_xts_decrypt:
+        AARCH64_VALID_CALL_TARGET
+         // Stack layout:
+         // sp ->
+         //        nrounds*128-96 bytes: key schedule
+-- 
+2.34.1
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb b/meta/recipes-connectivity/openssl/openssl_3.3.0.bb
index 1682b6f8cc..113ed4bf95 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.3.0.bb
@@ -12,13 +12,14 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
           file://0001-Configure-do-not-tweak-mips-cflags.patch \
           file://0001-Added-handshake-history-reporting-when-test-fails.patch \
+           file://bti.patch \
           "
 SRC_URI:append:class-nativesdk = " \
           file://environment.d-openssl.sh \
           "
-SRC_URI[sha256sum] = "83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39"
+SRC_URI[sha256sum] = "53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02"
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -135,16 +136,12 @@ do_configure () {
                ;;
        esac
-        useprefix=${prefix}
-        if [ "x$useprefix" = "x" ]; then
-                useprefix=/
-        fi
        # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
        # environment variables set by bitbake. Adjust the environment variables instead.
        PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
        test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
        HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
-        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
+        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target
        perl ${B}/configdata.pm --dump
 }
@@ -180,7 +177,7 @@ do_install:append:class-native () {
 do_install:append:class-nativesdk () {
        mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
-        install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+        install -m 644 ${UNPACKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
        sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
 }

diff --git a/meta/recipes-connectivity/openssl/openssl/bti.patch b/meta/recipes-connectivity/openssl/openssl/bti.patch new file mode 100644 index 0000000000..748576c30c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/bti.patch
@@ -0,0 +1,58 @@
		1	From ba8a599395f8b770c76316b5f5b0f3838567014f Mon Sep 17 00:00:00 2001
		2	From: Tom Cosgrove <tom.cosgrove@arm.com>
		3	Date: Tue, 26 Mar 2024 13:18:00 +0000
		4	Subject: [PATCH] aarch64: fix BTI in bsaes assembly code
		5
		6	In Arm systems where BTI is enabled but the Crypto extensions are not (more
		7	likely in FVPs than in real hardware), the bit-sliced assembler code will
		8	be used. However, this wasn't annotated with BTI instructions when BTI was
		9	enabled, so the moment libssl jumps into this code it (correctly) aborts.
		10
		11	Solve this by adding the missing BTI landing pads.
		12
		13	Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/23982]
		14	Signed-off-by: Ross Burton <ross.burton@arm.com>
		15	---
		16	crypto/aes/asm/bsaes-armv8.pl \| 5 ++++-
		17	1 file changed, 4 insertions(+), 1 deletion(-)
		18
		19	diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl
		20	index b3c97e439f..c3c5ff3e05 100644
		21	--- a/crypto/aes/asm/bsaes-armv8.pl
		22	+++ b/crypto/aes/asm/bsaes-armv8.pl
		23	@@ -1018,6 +1018,7 @@ _bsaes_key_convert:
		24	// Initialisation vector overwritten with last quadword of ciphertext
		25	// No output registers, usual AAPCS64 register preservation
		26	ossl_bsaes_cbc_encrypt:
		27	+ AARCH64_VALID_CALL_TARGET
		28	cmp x2, #128
		29	bhs .Lcbc_do_bsaes
		30	b AES_cbc_encrypt
		31	@@ -1270,7 +1271,7 @@ ossl_bsaes_cbc_encrypt:
		32	// Output text filled in
		33	// No output registers, usual AAPCS64 register preservation
		34	ossl_bsaes_ctr32_encrypt_blocks:
		35	-
		36	+ AARCH64_VALID_CALL_TARGET
		37	cmp x2, #8 // use plain AES for
		38	blo .Lctr_enc_short // small sizes
		39
		40	@@ -1476,6 +1477,7 @@ ossl_bsaes_ctr32_encrypt_blocks:
		41	// Output ciphertext filled in
		42	// No output registers, usual AAPCS64 register preservation
		43	ossl_bsaes_xts_encrypt:
		44	+ AARCH64_VALID_CALL_TARGET
		45	// Stack layout:
		46	// sp ->
		47	// nrounds*128-96 bytes: key schedule
		48	@@ -1921,6 +1923,7 @@ ossl_bsaes_xts_encrypt:
		49	// Output plaintext filled in
		50	// No output registers, usual AAPCS64 register preservation
		51	ossl_bsaes_xts_decrypt:
		52	+ AARCH64_VALID_CALL_TARGET
		53	// Stack layout:
		54	// sp ->
		55	// nrounds*128-96 bytes: key schedule
		56	--
		57	2.34.1
		58


diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb b/meta/recipes-connectivity/openssl/openssl_3.3.0.bb index 1682b6f8cc..113ed4bf95 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.3.0.bb
@@ -12,13 +12,14 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \	12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
13	file://0001-Configure-do-not-tweak-mips-cflags.patch \	13	file://0001-Configure-do-not-tweak-mips-cflags.patch \
14	file://0001-Added-handshake-history-reporting-when-test-fails.patch \	14	file://0001-Added-handshake-history-reporting-when-test-fails.patch \
		15	file://bti.patch \
15	"	16	"
16		17
17	SRC_URI:append:class-nativesdk = " \	18	SRC_URI:append:class-nativesdk = " \
18	file://environment.d-openssl.sh \	19	file://environment.d-openssl.sh \
19	"	20	"
20		21
21	SRC_URI[sha256sum] = "83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39"	22	SRC_URI[sha256sum] = "53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02"
22		23
23	inherit lib_package multilib_header multilib_script ptest perlnative manpages	24	inherit lib_package multilib_header multilib_script ptest perlnative manpages
24	MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"	25	MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -135,16 +136,12 @@ do_configure () {
135	;;	136	;;
136	esac	137	esac
137		138
138	useprefix=${prefix}
139	if [ "x$useprefix" = "x" ]; then
140	useprefix=/
141	fi
142	# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the	139	# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
143	# environment variables set by bitbake. Adjust the environment variables instead.	140	# environment variables set by bitbake. Adjust the environment variables instead.
144	PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"	141	PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
145	test -d "$PERLEXTERNAL" \|\| bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"	142	test -d "$PERLEXTERNAL" \|\| bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
146	HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \	143	HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
147	perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target	144	perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target
148	perl ${B}/configdata.pm --dump	145	perl ${B}/configdata.pm --dump
149	}	146	}
150		147
@@ -180,7 +177,7 @@ do_install:append:class-native () {
180		177
181	do_install:append:class-nativesdk () {	178	do_install:append:class-nativesdk () {
182	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d	179	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
183	install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh	180	install -m 644 ${UNPACKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
184	sed 's\|/usr/lib/ssl/\|/usr/lib/ssl-3/\|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh	181	sed 's\|/usr/lib/ssl/\|/usr/lib/ssl-3/\|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
185	}	182	}
186		183