guix: Pointer Authentication and Branch Target Identification for aarch64 Linux (Guix) #24123
Conversation
Concept ACK. From reading docs it's still unclear to me whether
Concept ACK. We might want to wait with doing this until hardware supporting BTI and PAC is available to test on, though.
I've changed the approach here, and this is now based on #25437 and parts of #25484. This adds
Concept ACK
This includes lief-project/LIEF#975, which I'd like to use in bitcoin#24123.
7850c5f guix: build GCC with --enable-standard-branch-protection (fanquake)

Pull request description:

This is one change extracted from #24123 (which now produces fully BTI & PAC enabled bins), which will mean that everything in depends, for Guix builds, is compiled using `-mbranch-protection=standard`. Turning this on by default is similar to what we already do with `--enable-default-ssp`, `--enable-default-pie` etc. See: https://gcc.gnu.org/install/specific.html#aarch64-x-x

> To enable Branch Target Identification Mechanism and Return Address Signing by default at configure time use the `--enable-standard-branch-protection` option.
> This is equivalent to having `-mbranch-protection=standard` during compilation. This can be explicitly disabled during compilation by passing the `-mbranch-protection=none` option which turns off all types of branch protections.

ACKs for top commit:
  TheCharlatan:
    ACK 7850c5f

Tree-SHA512: 18f898da27021bab502e708ea5fa9b325352f8f6e23d9488a2a0feda87e0af2ac0e4f87b3af9ad6a9a37bbfc99ab0285de4f0bdc174dcd38163d92c122e958e2
Set minimum required glibc to 2.31. The glibc 2.31 branch is still maintained: https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/release/2.31/master.

Remove the stack-protector check from test-security-check, as the test no longer fails, and given the control we have of the end, the actual security-check test seems sufficient (this might also be applied to some of the other checks).
Rebased on #29987.
glibc 2.32 was the first to ship with support for branch protection when compiled with a compatible compiler. glibc 2.32 release notes: https://lwn.net/Articles/828210/

> * AArch64 now supports standard branch protection security hardening in glibc when it is built with a GCC that is configured with --enable-standard-branch-protection (or if -mbranch-protection=standard flag is passed when building both GCC target libraries and glibc, in either case a custom GCC is needed). This includes branch target identification (BTI) and pointer authentication for return addresses (PAC-RET). They require armv8.5-a and armv8.3-a architecture extensions respectively for the protection to be effective, otherwise the used instructions are nops. User code can use PAC-RET without libc support, but BTI requires a libc that is built with BTI support, otherwise runtime objects linked into user code will not be BTI compatible.
Based on #29987.
Arm Pointer Authentication (PAC) is a method of hardening code from Return Oriented Programming (ROP) attacks. It uses a tag in a pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc+kernel, packages gain the additional hardening by compiling with the `-mbranch-protection=` flag available in recent versions of GCC. In particular `-mbranch-protection=standard` enables both BTI and PAC, with backwards compatible to armv8.0 code sequences that activate on v8.3 (PAC) & v8.5 (BTI) enabled Arm machines. (taken from Fedora)

Requirements for building/running with these features:
* `-mbranch-protection=` flag
* `-msign-return-address` flag
* `--force-bti` && `--pac-plt`
* `--pac-plt`, which became `-z,pac-plt` in LLVM 10. More info.

Creation of a BTI enabled binary also requires that everything being linked in be BTI enabled. This means you currently cannot, for example, cross-compile using a Ubuntu based aarch64 toolchain, if you're wanting to use this feature. This can be shown using `-Wl,z,force-bti`, which will emit warnings for linked objects that are not BTI enabled (this is used in configure to detect when to disable using the flags). i.e:

However, if you compile on a system where the toolchain has been built with the additional hardening, i.e Fedora 33 and onwards:

Note the BTI and PAC properties. More about Fedora use of `-mbranch-protection=standard` throughout its packages can be seen in the rpc repos. i.e: Part of the base compiler flags for aarch64 && Used by default when building glibc.

I've built and tested binaries on an aarch64 machine (Neoverse-N1, Armv8.2-A) running Fedora 34.

Unit and functional tests pass. Note section contains (not no PAC):

I am running a sync with `-assumevalid=0`. However, given that this machine does not support PAC or BTI, as it's Armv8.2, I'll have to find some newer aarch64 hardware to test other things on. Although this is still a demonstration that the PAC / BTI instructions are nops when running on older hardware.

Further reading:
* https://fedoraproject.org/wiki/Changes/Aarch64_PointerAuthentication
* https://developer.arm.com/documentation/102433/latest/Return-oriented-programming
* https://lwn.net/Articles/789370/

Related to #19075.
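The "Note the BTI and PAC properties" check from the description, done directly on the ELF without readelf or LIEF, as an added example that is not part of this PR and not bitcoin's own security-check.py (which goes through LIEF): walk the ELF64 program headers, find the PT_NOTE segment that carries the NT_GNU_PROPERTY_TYPE_0 note owned by "GNU", and read the GNU_PROPERTY_AARCH64_FEATURE_1_AND bitmask, where bit 0 is BTI and bit 1 is PAC. The constant values are the ones defined by the AArch64 ELF ABI and used by binutils and glibc. `build_sample_elf` is a constructed, non-executable ELF used only as sample input for the self-test; it is an assumption of this example, not anything the PR produces.

```python
#!/usr/bin/env python3
"""Report whether an aarch64 ELF binary is marked BTI and/or PAC-RET in its
.note.gnu.property note (GNU_PROPERTY_AARCH64_FEATURE_1_AND).

Added example; reads ELF64 program headers with only the standard library."""
import struct

EM_AARCH64 = 183
PT_NOTE = 4
PT_LOAD = 1
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_1_BTI = 1 << 0   # all code has BTI landing pads at indirect-branch targets
FEATURE_1_PAC = 1 << 1   # return addresses are signed with PAC (PAC-RET)


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def iter_notes(blob, align):
    """Yield (owner, n_type, desc) for each note in a PT_NOTE segment.
    Offsets are aligned cumulatively (header+name, then +desc), as glibc does."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, n_type = struct.unpack_from("<III", blob, off)
        name_off = off + 12
        desc_off = _align(name_off + namesz, align)
        yield (blob[name_off:name_off + namesz].rstrip(b"\0"), n_type,
               blob[desc_off:desc_off + descsz])
        off = _align(desc_off + descsz, align)


def iter_properties(desc, align):
    """Yield (pr_type, pr_data) entries from an NT_GNU_PROPERTY_TYPE_0 descriptor."""
    off = 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        off += 8
        yield pr_type, desc[off:off + pr_datasz]
        off += _align(pr_datasz, align)


def aarch64_feature_1(elf):
    """Return the FEATURE_1_AND bitmask, or None if the binary carries no such note."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    (e_machine,) = struct.unpack_from("<H", elf, 0x12)
    if e_machine != EM_AARCH64:
        raise ValueError("not an aarch64 ELF")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _fl, p_offset, _va, _pa, p_filesz, _msz, p_align = \
            struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        seg = elf[p_offset:p_offset + p_filesz]
        for owner, n_type, desc in iter_notes(seg, 8 if p_align >= 8 else 4):
            if owner != b"GNU" or n_type != NT_GNU_PROPERTY_TYPE_0:
                continue
            for pr_type, data in iter_properties(desc, 8):   # ELF64: 8-byte padding
                if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND:
                    return struct.unpack_from("<I", data, 0)[0]
    return None


def branch_protection(elf):
    """Return {'BTI': bool, 'PAC': bool}; an unmarked binary reports both False."""
    bits = aarch64_feature_1(elf) or 0
    return {"BTI": bool(bits & FEATURE_1_BTI), "PAC": bool(bits & FEATURE_1_PAC)}


def build_sample_elf(feature_bits, with_note=True):
    """Constructed sample input: a minimal, non-runnable aarch64 ELF64 whose single
    program header is a PT_NOTE carrying a GNU property note (or a PT_LOAD with
    no note at all when with_note is False). Not a real binary."""
    prop = struct.pack("<IIII", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, feature_bits, 0)
    note = struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop
    ehdr_size, phdr_size = 64, 56
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
            + struct.pack("<HHIQQQIHHHHHH", 3, EM_AARCH64, 1, 0, ehdr_size, 0,
                          0, ehdr_size, phdr_size, 1, 64, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE if with_note else PT_LOAD, 4,
                       ehdr_size + phdr_size, 0, 0, len(note), len(note), 8)
    return ehdr + phdr + note


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # e.g. python3 check_bti_pac.py ./bitcoind
        with open(sys.argv[1], "rb") as f:
            print(branch_protection(f.read()))
    else:
        for bits in (0, FEATURE_1_PAC, FEATURE_1_BTI | FEATURE_1_PAC):
            print(hex(bits), branch_protection(build_sample_elf(bits)))
```

Pointed at a real aarch64 binary (the file name `check_bti_pac.py` and the `./bitcoind` path above are just assumed), the script reports the effective state of the final executable. Because the property is an AND across every linked input, a single object built without `-mbranch-protection=standard` clears the bit for the whole binary, which is the linking constraint the description calls out; a binary that reports `{'BTI': False, 'PAC': False}` therefore tells you that something in the link was unmarked, not which object.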