Links:
Pointer Authentication Review URL: https://reviews.freebsd.org/D31261

Contact: Andrew Turner <andrew@FreeBSD.org>

FreeBSD has been ported to the Arm Armv8-A Architecture Envelope Model (AEM), an Armv8 architecture simulator. AEM is useful for Armv8 development and testing, because it supports different configurations, including the ability to enable or disable different extensions. As part of this work, the virtio legacy pci driver was fixed and ACPI resource parsing code was updated to work with the ACPI tables that the model provides.

Libmd(4) has been updated to use the sha256 instructions when available. This can lead to a large performance improvement when these instructions are available. For example, on the Apple M1 under a hypervisor, the time to calculate the sha256 of a 1GB file has decreased from a median of 3.46s to 0.5s.

Using an ifunc (indirect function) in a static binary is now supported. This will allow different implementations of a function to be used depending on which hardware it is being run on. Using an ifunc in dynamic binaries was already supported.

The arm64 ID register definitions have been updated to match the Armv8.5 specification and other special registers have been updated to the Armv8.7 spec.

There have been numerous cleanups in decoding the arm64 ID registers in the kernel to ensure we provide a consistent view of the hardware to userspace if it reads the emulated ID register directly, or uses an ELF HWCAP value.

There has been early work on supporting the Arm Reliability, Availability, and Serviceability (RAS) extension. The external aborts it may use are now handled in the kernel.

Support for the Arm Pointer Authentication extension is under review. This extension allows programs to use new instructions that add a hash to unused bits in a code or data pointer. They can then later check the hash in a way that will either, depending on the CPU, create an invalid pointer or raise an exception. This can be used to protect the function return address from being overwritten, making Return Oriented Programming (ROP) attacks difficult. The change supports both userspace and kernel pointer authentication. It is waiting on debugger changes to be sent upstream so lldb can clear the hash when needed, e.g., in a stack trace.

Work has started on supporting the Branch Target Identification extension. This adds a flag to the page tables to disallow unintended targets from some branch instructions. When a CPU branches to a new location from a register, the CPU will check if the instruction is correct. This will protect, e.g., against a function pointer being called when it points to the middle of a function. The kernel has been built with this feature enabled and tested in the Arm AEM.

Sponsor: The FreeBSD Foundation