From f3ada4f45904919d5b2d6c99d9e9098b62a60a35 Mon Sep 17 00:00:00 2001
From: dkostic <dkostic@amazon.com>
Date: Wed, 31 Jul 2024 15:27:39 -0700
Subject: [PATCH] Read FIPS hash address using adrp instead of adr to increase
 reach

This change extends https://github.com/aws/aws-lc/pull/1332
to `BORINGSSL_bcm_text_hash` symbol.
---
 util/fipstools/delocate/delocate.go           | 17 +++++++++-------
 .../delocate/testdata/aarch64-Basic/in.s      |  1 +
 .../delocate/testdata/aarch64-Basic/out.s     | 20 +++++++++++++++++++
 3 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/util/fipstools/delocate/delocate.go b/util/fipstools/delocate/delocate.go
index 010b857576..9ff66b7b94 100644
--- a/util/fipstools/delocate/delocate.go
+++ b/util/fipstools/delocate/delocate.go
@@ -595,7 +595,7 @@ func (d *delocation) processAarch64Instruction(statement, instruction *node32) (
 				symbol, offset, _, didChange, symbolIsLocal, _ := d.parseMemRef(arg.up)
 				changed = didChange
 
-				if isFipsScopeMarkers(symbol) {
+				if isFipsMarker(symbol) {
 					// fips scope markers are known. But they challenge the adr
 					// reach, so go through GOT via an adrp outside the scope.
 					redirector := redirectorName(symbol)
@@ -1953,9 +1953,12 @@ func transform(w stringWriter, includes []string, inputs []inputFile, startEndDe
 		w.WriteString(fmt.Sprintf(".loc %d 1 0\n", maxObservedFileNumber+1))
 	}
 	if d.processor == aarch64 {
-		// Grab the address of BORINGSSL_bcm_test_[start,end] via a relocation
+		// Grab the address of BORINGSSL_bcm_text_[start,end,hash] via a relocation
 		// from a redirector function. For this to work, need to add the markers
 		// to the symbol table.
+		w.WriteString(fmt.Sprintf(".global BORINGSSL_bcm_text_hash\n"))
+		w.WriteString(fmt.Sprintf(".type BORINGSSL_bcm_text_hash, @function\n"))
+
 		w.WriteString(fmt.Sprintf(".global BORINGSSL_bcm_text_start\n"))
 		w.WriteString(fmt.Sprintf(".type BORINGSSL_bcm_text_start, @function\n"))
 	}
@@ -2410,10 +2413,9 @@ func localEntryName(name string) string {
 
 func isSynthesized(symbol string, processor processorType) bool {
 	SymbolisSynthesized := strings.HasSuffix(symbol, "_bss_get") ||
-		symbol == "OPENSSL_ia32cap_get" ||
-		symbol == "BORINGSSL_bcm_text_hash"
+		symbol == "OPENSSL_ia32cap_get"
 
-	// While BORINGSSL_bcm_text_[start,end] are known symbols, on aarch64 we go
+	// While BORINGSSL_bcm_text_[start,end,hash] are known symbols, on aarch64 we go
 	// through the GOT because adr doesn't have adequate reach.
 	if processor != aarch64 {
 		SymbolisSynthesized = SymbolisSynthesized || strings.HasPrefix(symbol, "BORINGSSL_bcm_text_")
@@ -2422,9 +2424,10 @@ func isSynthesized(symbol string, processor processorType) bool {
 	return SymbolisSynthesized
 }
 
-func isFipsScopeMarkers(symbol string) bool {
+func isFipsMarker(symbol string) bool {
 	return symbol == "BORINGSSL_bcm_text_start" ||
-		symbol == "BORINGSSL_bcm_text_end"
+		symbol == "BORINGSSL_bcm_text_end" ||
+		symbol == "BORINGSSL_bcm_text_hash"
 }
 
 func redirectorName(symbol string) string {
diff --git a/util/fipstools/delocate/testdata/aarch64-Basic/in.s b/util/fipstools/delocate/testdata/aarch64-Basic/in.s
index c65a88f0c7..db589ed6d5 100644
--- a/util/fipstools/delocate/testdata/aarch64-Basic/in.s
+++ b/util/fipstools/delocate/testdata/aarch64-Basic/in.s
@@ -90,6 +90,7 @@ foo:
 	// Ensure BORINGSSL_bcm_text_[end,start] are loaded through GOT
 	adrp x4, :got:BORINGSSL_bcm_text_start
 	adrp x5, :got:BORINGSSL_bcm_text_end
+	adrp x6, :got:BORINGSSL_bcm_text_hash
 
 local_function:
 
diff --git a/util/fipstools/delocate/testdata/aarch64-Basic/out.s b/util/fipstools/delocate/testdata/aarch64-Basic/out.s
index dafe5d2a9b..69c7673124 100644
--- a/util/fipstools/delocate/testdata/aarch64-Basic/out.s
+++ b/util/fipstools/delocate/testdata/aarch64-Basic/out.s
@@ -1,6 +1,8 @@
 .text
 .file 1 "inserted_by_delocate.c"
 .loc 1 1 0
+.global BORINGSSL_bcm_text_hash
+.type BORINGSSL_bcm_text_hash, @function
 .global BORINGSSL_bcm_text_start
 .type BORINGSSL_bcm_text_start, @function
 BORINGSSL_bcm_text_start:
@@ -158,6 +160,13 @@ foo:
 	mov x5, x0
 	ldp x0, x30, [sp], #16
 	add sp, sp, 128
+// WAS adrp x6, :got:BORINGSSL_bcm_text_hash
+	sub sp, sp, 128
+	stp x0, x30, [sp, #-16]!
+	bl .Lboringssl_loadgot_BORINGSSL_bcm_text_hash
+	mov x6, x0
+	ldp x0, x30, [sp], #16
+	add sp, sp, 128
 
 .Llocal_function_local_target:
 local_function:
@@ -225,6 +234,17 @@ bss_symbol_bss_get:
 .cfi_endproc
 .size .Lboringssl_loadgot_BORINGSSL_bcm_text_end, .-.Lboringssl_loadgot_BORINGSSL_bcm_text_end
 .p2align 2
+.hidden .Lboringssl_loadgot_BORINGSSL_bcm_text_hash
+.type .Lboringssl_loadgot_BORINGSSL_bcm_text_hash, @function
+.Lboringssl_loadgot_BORINGSSL_bcm_text_hash:
+.cfi_startproc
+	hint #34 // bti c
+	adrp x0, :got:BORINGSSL_bcm_text_hash
+	ldr x0, [x0, :got_lo12:BORINGSSL_bcm_text_hash]
+	ret
+.cfi_endproc
+.size .Lboringssl_loadgot_BORINGSSL_bcm_text_hash, .-.Lboringssl_loadgot_BORINGSSL_bcm_text_hash
+.p2align 2
 .hidden .Lboringssl_loadgot_BORINGSSL_bcm_text_start
 .type .Lboringssl_loadgot_BORINGSSL_bcm_text_start, @function
 .Lboringssl_loadgot_BORINGSSL_bcm_text_start: