Friday, February 23, 2024

x11/qt5/qtwebengine: add support for IBT by merging the needed patches for boringssl

Here is a diff to add support for Indirect branch tracking (IBT) by
merging the needed patches for boringssl. It based on robert's diff:

https://github.com/openbsd/ports/commit/8485e4d8db4d9325cce4db61881648dfcfce5ef1


I tested with konqueror and 12th Gen Intel i7-1260P. Test cases: youtube and HTTPS.

cpu0 at mainbus0: apid 0 (boot processor)
cpu0: 12th Gen Intel(R) Core(TM) i7-1260P, 1995.54 MHz, 06-9a-03, patch 00000432
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,PKU,WAITPKG,PKS,MD_CLEAR,IBT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,TAA_NO,MISC_PKG_CT,ENERGY_FILT,DOITM,SBDR_SSDP_N,FBSDP_NO,PSDP_NO,RRSBA,OVERCLOCK,GDS_NO,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 48KB 64b/line 12-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 10-way L2 cache, 18MB 64b/line 12-way L3 cache
cpu0: smt 0, core 0, package 0
cpu0: apic clock running at 38MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2.0.1.0.1, IBE
acpicpu0 at acpi0: C3(200@1048 mwait.1@0x60), C2(350@127 mwait.1@0x21), C1(1000@1 mwait.1), PSS
cpu0: Enhanced SpeedStep 1995 MHz: speeds: 2501, 2500, 2300, 2100, 2000, 1900, 1600, 1500, 1400, 1300, 1100, 1000, 800, 700, 500, 400 MHz

Here are a few more changes:

The patch-src_buildtools_config_linking_pri patch was a stupid leftover
for the upgrade process.

+ QMAKE_LFLAGS += -Wl,-z,nobtcfi
+ QMAKE_LFLAGS += -Wl,-z,wxneeded

This had no effect. (pre check if macos|ios)

I also removed "content/browser/tracing/BUILD.gn" in pre-configure
instead of with a patch, to avoid annoying "update-patches" messages.

Feedback, OK?

diff --git a/x11/qt5/qtwebengine/Makefile b/x11/qt5/qtwebengine/Makefile
index 266270f3d81..694d5c569a9 100644
--- a/x11/qt5/qtwebengine/Makefile
+++ b/x11/qt5/qtwebengine/Makefile
@@ -4,12 +4,11 @@
# Patched with security patches up to: 119.0.6045.123

USE_WXNEEDED = Yes
-USE_NOBTCFI = Yes

QT5NAME = QtWebEngine
KDE_COMMIT = 224806a7022eed6d5c75b486bec8715a618cb314
KDE_VERSION = 5
-REVISION = 0
+REVISION = 1

# Override
VERSION = ${QT5_WEBENGINE_VERSION}
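Review bot: Removing `USE_NOBTCFI = Yes` here (and `-Wl,-z,nobtcfi` from the `is_openbsd` ldflags in the compiler BUILD.gn patch) is not architecture-specific, while the only annotations visible in this diff are `_CET_ENDBR` additions to boringssl's x86_64 perlasm and the only test reported is on one amd64 machine. If the port is also built for other architectures that enforce BTCFI, or if other bundled hand-written assembly is reached through indirect calls, those paths would be killed at run time rather than fail at build time. I would keep the opt-out for any architecture that has not been tested, and add a comment next to `USE_WXNEEDED` such as `# BTCFI: boringssl asm entry points carry _CET_ENDBR (see patches); nobtcfi no longer needed on amd64`.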
@@ -130,6 +129,8 @@ pre-configure:
@cp ${FILESDIR}/openbsd.pri ${WRKDIST}/src/core/config/openbsd.pri
@mkdir -p ${CHROMESRC}/third_party/node/openbsd/node-openbsd/bin
@ln -sf ${TRUEPREFIX}/bin/node ${CHROMESRC}/third_party/node/openbsd/node-openbsd/bin/node
+ # build with python3 (remove catapult)
+ @rm ${CHROMESRC}/content/browser/tracing/BUILD.gn
# Regenerate build and perlasm files (force json to not overwrite our local gn patches)
@cd ${CHROMESRC}/third_party/boringssl && ${MODPY_BIN} src/util/generate_build_files.py json
@cd ${WRKSRC} && env -i ${MAKE_ENV} ${CHROMESRC}/build/linux/unbundle/replace_gn_files.py \
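Review bot: The added `@rm ${CHROMESRC}/content/browser/tracing/BUILD.gn` has no `-f`, so pre-configure aborts if the file is already gone, for example when the target is re-run in an existing work directory; `@rm -f ${CHROMESRC}/content/browser/tracing/BUILD.gn` makes the step repeatable. Replacing the patch with a deletion also means nothing flags it when an update changes that file's contents, so the comment could say so, e.g. `# build with python3: drop tracing/BUILD.gn (depends on catapult); re-check on update`. The pre-configure target starts and continues outside this hunk.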
diff --git a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_build_config_compiler_BUILD_gn b/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_build_config_compiler_BUILD_gn
index eeb43e95503..3c3fe671c76 100644
--- a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_build_config_compiler_BUILD_gn
+++ b/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_build_config_compiler_BUILD_gn
@@ -32,7 +32,7 @@ Index: src/3rdparty/chromium/build/config/compiler/BUILD.gn
+ }
+
+ if (is_openbsd) {
-+ ldflags += [ "-Wl,-z,wxneeded", "-Wl,-z,nobtcfi" ]
++ ldflags += [ "-Wl,-z,wxneeded" ]
+ }
+
if (use_qt && is_clang) {
diff --git a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_content_browser_tracing_BUILD_gn b/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_content_browser_tracing_BUILD_gn
deleted file mode 100644
index 21249a2897b..00000000000
--- a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_content_browser_tracing_BUILD_gn
+++ /dev/null
@@ -1,56 +0,0 @@
-build with python3 (remove catapult)
-Index: src/3rdparty/chromium/content/browser/tracing/BUILD.gn
---- src/3rdparty/chromium/content/browser/tracing/BUILD.gn.orig
-+++ src/3rdparty/chromium/content/browser/tracing/BUILD.gn
-@@ -1,51 +0,0 @@
--# Copyright 2014 The Chromium Authors. All rights reserved.
--# Use of this source code is governed by a BSD-style license that can be
--# found in the LICENSE file.
--
--import("//tools/grit/grit_rule.gni")
--
--# generate_about_tracing puts its files in this directory
--tracing_gen_dir = "$root_gen_dir/content/browser/tracing"
--
--# The script just writes filename with no dirs to the .grd, so we always need
--# this file to be in the same directory as the inputs.
--tracing_grd = "$tracing_gen_dir/tracing_resources.grd"
--
--action("generate_tracing_grd") {
-- visibility = [ ":*" ] # Depend on ":resources" to get this.
-- script = "generate_trace_viewer_grd.py"
--
-- input_pages = [
-- "$tracing_gen_dir/about_tracing.html",
-- "$tracing_gen_dir/about_tracing.js",
-- ]
-- inputs = input_pages
-- outputs = [ tracing_grd ]
--
-- args = rebase_path(input_pages, target_gen_dir) + [
-- "--output",
-- rebase_path(tracing_grd, root_build_dir),
-- ]
--
-- deps = [ "//third_party/catapult/tracing:generate_about_tracing" ]
--}
--
--grit("resources") {
-- source = tracing_grd
--
-- # Required because the .grd is generated.
-- enable_input_discovery_for_gn_analyze = false
--
-- outputs = [
-- "grit/tracing_resources.h",
-- "tracing_resources.pak",
-- ]
--
-- # resource_ids has an entry for our .grd file that looks like:
-- # "<(SHARED_INTERMEDIATE_DIR)/content/browser/tracing/tracing_resources.grd"
-- # and what we pass here should make that resolve to our .grd file.
-- defines =
-- [ "SHARED_INTERMEDIATE_DIR=" + rebase_path(root_gen_dir, root_build_dir) ]
--
-- deps = [ ":generate_tracing_grd" ]
--}
diff --git a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_chacha_asm_chacha-x86_64_pl b/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_chacha_asm_chacha-x86_64_pl
index bf7da3fd6ed..960065598b1 100644
--- a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_chacha_asm_chacha-x86_64_pl
+++ b/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_chacha_asm_chacha-x86_64_pl
@@ -17,3 +17,11 @@ Index: src/3rdparty/chromium/third_party/boringssl/src/crypto/chacha/asm/chacha-
___

sub AUTOLOAD() # thunk [simplified] 32-bit style perlasm
+@@ -229,6 +231,7 @@ $code.=<<___;
+ .align 64
+ ChaCha20_ctr32:
+ .cfi_startproc
++ _CET_ENDBR
+ cmp \$0,$len
+ je .Lno_data
+ mov OPENSSL_ia32cap_P+4(%rip),%r10
diff --git a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_cipher_extra_asm_aes128gcmsiv-x86_64_pl b/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_cipher_extra_asm_aes128gcmsiv-x86_64_pl
index 2c7307a4845..e53de5920ad 100644
--- a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_cipher_extra_asm_aes128gcmsiv-x86_64_pl
+++ b/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_cipher_extra_asm_aes128gcmsiv-x86_64_pl
@@ -18,3 +18,139 @@ Index: src/3rdparty/chromium/third_party/boringssl/src/crypto/cipher_extra/asm/a
___

$code.=<<___;
+@@ -134,6 +135,7 @@ $code.=<<___;
+ .align 16
+ aesgcmsiv_htable_init:
+ .cfi_startproc
++ _CET_ENDBR
+ vmovdqa ($H), $T
+ vmovdqa $T, $TMP0
+ vmovdqa $T, ($Htbl) # H
+@@ -174,6 +176,7 @@ sub aesgcmsiv_htable6_init {
+ .align 16
+ aesgcmsiv_htable6_init:
+ .cfi_startproc
++ _CET_ENDBR
+ vmovdqa ($H), $T
+ vmovdqa $T, $TMP0
+ vmovdqa $T, ($Htbl) # H
+@@ -235,6 +238,7 @@ ___
+ .align 16
+ aesgcmsiv_htable_polyval:
+ .cfi_startproc
++ _CET_ENDBR
+ test $len, $len
+ jnz .Lhtable_polyval_start
+ ret
+@@ -420,6 +424,7 @@ sub aesgcmsiv_polyval_horner {
+ .align 16
+ aesgcmsiv_polyval_horner:
+ .cfi_startproc
++ _CET_ENDBR
+ test $L, $L
+ jnz .Lpolyval_horner_start
+ ret
+@@ -460,6 +465,7 @@ $code.=<<___;
+ .align 16
+ aes128gcmsiv_aes_ks:
+ .cfi_startproc
++ _CET_ENDBR
+ vmovdqu (%rdi), %xmm1 # xmm1 = user key
+ vmovdqa %xmm1, (%rsi) # rsi points to output
+
+@@ -521,6 +527,7 @@ $code.=<<___;
+ .align 16
+ aes256gcmsiv_aes_ks:
+ .cfi_startproc
++ _CET_ENDBR
+ vmovdqu (%rdi), %xmm1
+ vmovdqu 16(%rdi), %xmm3
+ vmovdqa %xmm1, (%rsi)
+@@ -614,6 +621,7 @@ ___
+ .align 16
+ aes128gcmsiv_aes_ks_enc_x1:
+ .cfi_startproc
++ _CET_ENDBR
+ vmovdqa (%rcx), %xmm1 # xmm1 = first 16 bytes of random key
+ vmovdqa 0*16(%rdi), $BLOCK1
+
+@@ -687,6 +695,7 @@ ___
+ .align 16
+ aes128gcmsiv_kdf:
+ .cfi_startproc
++ _CET_ENDBR
+ # parameter 1: %rdi Pointer to NONCE
+ # parameter 2: %rsi Pointer to CT
+ # parameter 4: %rdx Pointer to keys
+@@ -787,6 +796,7 @@ ___
+ .align 16
+ aes128gcmsiv_enc_msg_x4:
+ .cfi_startproc
++ _CET_ENDBR
+ test $LEN, $LEN
+ jnz .L128_enc_msg_x4_start
+ ret
+@@ -984,6 +994,7 @@ ___
+ .align 16
+ aes128gcmsiv_enc_msg_x8:
+ .cfi_startproc
++ _CET_ENDBR
+ test $LEN, $LEN
+ jnz .L128_enc_msg_x8_start
+ ret
+@@ -1239,6 +1250,7 @@ ___
+
+ $code.=<<___;
+ .cfi_startproc
++ _CET_ENDBR
+ test \$~15, $LEN
+ jnz .L${labelPrefix}_dec_start
+ ret
+@@ -1578,6 +1590,7 @@ sub aes128gcmsiv_ecb_enc_block {
+ .align 16
+ aes128gcmsiv_ecb_enc_block:
+ .cfi_startproc
++ _CET_ENDBR
+ vmovdqa (%rdi), $STATE_1
+
+ vpxor ($KSp), $STATE_1, $STATE_1
+@@ -1670,6 +1683,7 @@ ___
+ .align 16
+ aes256gcmsiv_aes_ks_enc_x1:
+ .cfi_startproc
++ _CET_ENDBR
+ vmovdqa con1(%rip), $CON_MASK # CON_MASK = 1,1,1,1
+ vmovdqa mask(%rip), $MASK_256 # MASK_256
+ vmovdqa ($PT), $BLOCK1
+@@ -1711,6 +1725,7 @@ sub aes256gcmsiv_ecb_enc_block {
+ .align 16
+ aes256gcmsiv_ecb_enc_block:
+ .cfi_startproc
++ _CET_ENDBR
+ vmovdqa (%rdi), $STATE_1
+ vpxor ($KSp), $STATE_1, $STATE_1
+ vaesenc 1*16($KSp), $STATE_1, $STATE_1
+@@ -1794,6 +1809,7 @@ ___
+ .align 16
+ aes256gcmsiv_enc_msg_x4:
+ .cfi_startproc
++ _CET_ENDBR
+ test $LEN, $LEN
+ jnz .L256_enc_msg_x4_start
+ ret
+@@ -1994,6 +2010,7 @@ ___
+ .align 16
+ aes256gcmsiv_enc_msg_x8:
+ .cfi_startproc
++ _CET_ENDBR
+ test $LEN, $LEN
+ jnz .L256_enc_msg_x8_start
+ ret
+@@ -2200,6 +2217,7 @@ ___
+ .align 16
+ aes256gcmsiv_kdf:
+ .cfi_startproc
++ _CET_ENDBR
+ # parameter 1: %rdi Pointer to NONCE
+ # parameter 2: %rsi Pointer to CT
+ # parameter 4: %rdx Pointer to keys
diff --git a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_cipher_extra_asm_chacha20_poly1305_x86_64_pl b/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_cipher_extra_asm_chacha20_poly1305_x86_64_pl
index b38ccbafb04..2b5b6074588 100644
--- a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_cipher_extra_asm_chacha20_poly1305_x86_64_pl
+++ b/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_cipher_extra_asm_chacha20_poly1305_x86_64_pl
@@ -17,3 +17,19 @@ Index: src/3rdparty/chromium/third_party/boringssl/src/crypto/cipher_extra/asm/c
___

my ($oup,$inp,$inl,$adp,$keyp,$itr1,$itr2)=("%rdi","%rsi","%rbx","%rcx","%r9","%rcx","%r8");
+@@ -433,6 +435,7 @@ $code.="
+ .align 64
+ chacha20_poly1305_open:
+ .cfi_startproc
++ _CET_ENDBR
+ push %rbp
+ .cfi_adjust_cfa_offset 8
+ push %rbx
+@@ -831,6 +834,7 @@ open_sse_128:
+ .align 64
+ chacha20_poly1305_seal:
+ .cfi_startproc
++ _CET_ENDBR
+ push %rbp
+ .cfi_adjust_cfa_offset 8
+ push %rbx
diff --git a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_fipsmodule_aes_asm_aesni-x86_64_pl b/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_fipsmodule_aes_asm_aesni-x86_64_pl
index 38df3b79a15..f60212b2884 100644
--- a/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_fipsmodule_aes_asm_aesni-x86_64_pl
+++ b/x11/qt5/qtwebengine/patches/patch-src_3rdparty_chromium_third_party_boringssl_src_crypto_fipsmodule_aes_asm_aesni-x86_64_pl
@@ -1,7 +1,79 @@
Index: src/3rdparty/chromium/third_party/boringssl/src/crypto/fipsmodule/aes/asm/aesni-x86_64.pl
--- src/3rdparty/chromium/third_party/boringssl/src/crypto/fipsmodule/aes/asm/aesni-x86_64.pl.orig
+++ src/3rdparty/chromium/third_party/boringssl/src/crypto/fipsmodule/aes/asm/aesni-x86_64.pl
-@@ -4727,6 +4727,7 @@ ___
+@@ -275,6 +275,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_encrypt:
+ .cfi_startproc
++ _CET_ENDBR
+ #ifdef BORINGSSL_DISPATCH_TEST
+ .extern BORINGSSL_function_hit
+ movb \$1,BORINGSSL_function_hit+1(%rip)
+@@ -297,6 +298,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_decrypt:
+ .cfi_startproc
++ _CET_ENDBR
+ movups ($inp),$inout0 # load input
+ mov 240($key),$rounds # key->rounds
+ ___
+@@ -617,6 +619,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_ecb_encrypt:
+ .cfi_startproc
++ _CET_ENDBR
+ ___
+ $code.=<<___ if ($win64);
+ lea -0x58(%rsp),%rsp
+@@ -1203,6 +1206,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_ctr32_encrypt_blocks:
+ .cfi_startproc
++ _CET_ENDBR
+ #ifdef BORINGSSL_DISPATCH_TEST
+ movb \$1,BORINGSSL_function_hit(%rip)
+
