From 239dbd7dbac883d6f9b6522774a0dfd519f77fa8 Mon Sep 17 00:00:00 2001 From: Russ Cox Date: Tue, 5 Nov 2024 13:51:32 -0500 Subject: cmd/compile, cmd/link: add FIPS verification support For FIPS init-time code+data verification, we need to arrange to put the FIPS symbols into contiguous regions of the executable and then record those sections along with the expected checksum. The cmd/internal/obj changes identify the FIPS symbols and give them distinguished types, which the linker then places in contiguous regions. The linker also writes out information to use at run time to find the FIPS sections, along with the expected hash. See cmd/internal/obj/fips.go and cmd/link/internal/ld/fips.go for more details. The code is disabled in this commit. CL 625998 and 625999 adds tests. CL 626000 enables the code. For #69536. Change-Id: I48da6db94bc0bea7428c43d4abcf999527bccfcd Reviewed-on: https://go-review.googlesource.com/c/go/+/625997 Auto-Submit: Russ Cox Reviewed-by: Cherry Mui LUCI-TryBot-Result: Go LUCI --- src/cmd/internal/obj/data.go | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'src/cmd/internal/obj/data.go')
diff --git a/src/cmd/internal/obj/data.go b/src/cmd/internal/obj/data.go
index 361ea05a0f..fb6edd605f 100644
--- a/src/cmd/internal/obj/data.go
+++ b/src/cmd/internal/obj/data.go
@@ -71,8 +71,10 @@ func (s *LSym) prepwrite(ctxt *Link, off int64, siz int) {
 switch s.Type {
 case objabi.Sxxx, objabi.SBSS:
 s.Type = objabi.SDATA
+ s.setFIPSType(ctxt)
 case objabi.SNOPTRBSS:
 s.Type = objabi.SNOPTRDATA
+ s.setFIPSType(ctxt)
 case objabi.STLSBSS:
 ctxt.Diag("cannot supply data for %v var %v", s.Type, s.Name)
 }
@@ -203,5 +205,8 @@ func (s *LSym) WriteBytes(ctxt *Link, off int64, b []byte) int64 {

 // AddRel adds the relocation rel to s.
 func (s *LSym) AddRel(ctxt *Link, rel Reloc) {
+ if s.Type.IsFIPS() {
+ s.checkFIPSReloc(ctxt, rel)
+ }
 s.R = append(s.R, rel)
 }
-- cgit v1.3
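Review bot: In prepwrite, the two added `s.setFIPSType(ctxt)` calls run only on the BSS-to-DATA transitions, and nothing at the call sites says why the reclassification belongs there. A symbol that reaches prepwrite already typed as data skips both branches, so its FIPS classification has to be set somewhere else; presumably cmd/internal/obj/fips.go handles that, but this page does not show it. Because the commit message says the init-time checksum covers only symbols given the distinguished FIPS types, I would add a short comment at the first call, for example `// Symbol now holds initialized data; reclassify so FIPS data is placed in the verified region.` prepwrite's body starts and ends outside the hunk.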
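Review bot: The new guard in AddRel validates a relocation only if `s.Type.IsFIPS()` is already true at the moment the relocation is added, so the check is order-dependent. A relocation recorded before setFIPSType reclassifies the symbol, or appended to `s.R` without going through AddRel, would never reach checkFIPSReloc; whether either path exists is not visible from this hunk. I would state the invariant in the doc comment, e.g. `// For FIPS symbols the type must be final before AddRel is called; relocations are validated only here.` If that ordering cannot be guaranteed, setFIPSType could re-check the entries already in `s.R` when it changes the type.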