From: Mark Kettenis Subject: ruby arm64 BTI To: sthen@openbsd.org, jeremy@openbsd.org Cc: deraadt@openbsd.org, ports@openbsd.org Date: Sat, 22 Jun 2024 13:41:42 +0200 Theo pointed out the NOBTCFI reversal here. Now the reason that we still see SIGILL despite fixes to the assembly code is because the -mbranch-protection=pac-ret option added by the configure script actually downgrades our default of enabling both BTI and PAC to just enabling PAC. So the necessary BTI instructrions were missing from the C code. With the diff below things seem to work fine on Apple M2. There is one failure in the testsuite: 1) Failure: TestIO_Console#test_failed_path [/home/ports/pobj/ruby-3.3.3/ruby-3.3.3/test/io/console/test_io_console.rb:46]: [Errno::ENODEV, Errno::ENOTTY, Errno::EBADF, Errno::ENXIO] exception expected, not #. but I'm pretty sure that is unrelated to BTI support. Index: lang/ruby/3.3/Makefile =================================================================== RCS file: /cvs/ports/lang/ruby/3.3/Makefile,v retrieving revision 1.8 diff -u -p -r1.8 Makefile --- lang/ruby/3.3/Makefile 21 Jun 2024 16:01:52 -0000 1.8 +++ lang/ruby/3.3/Makefile 22 Jun 2024 11:34:53 -0000 @@ -1,5 +1,4 @@ -USE_NOBTCFI-aarch64 = Yes -REVISION-main = 0 +REVISION-main = 1 VERSION = 3.3.3 DISTNAME = ruby-${VERSION} Index: lang/ruby/3.3/patches/patch-configure =================================================================== RCS file: /cvs/ports/lang/ruby/3.3/patches/patch-configure,v retrieving revision 1.3 diff -u -p -r1.3 patch-configure --- lang/ruby/3.3/patches/patch-configure 14 Jun 2024 19:41:34 -0000 1.3 +++ lang/ruby/3.3/patches/patch-configure 22 Jun 2024 11:34:53 -0000 @@ -6,6 +6,15 @@ so ports don't have to be bumped when Op Index: configure --- configure.orig +++ configure +@@ -10913,7 +10913,7 @@ esac + case "$target_cpu" in #( + aarch64) : + +- for opt in -mbranch-protection=pac-ret -msign-return-address=all ++ for opt in -mbranch-protection=standard -msign-return-address=all + do : + + @@ -31909,7 +31909,7 @@ fi ;; #( openbsd*|mirbsd*) :