guix: Pointer Authentication and Branch Target Identification for aarch64 Linux (Guix) #24123
+57
−474
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. Code CoverageFor detailed information about the code coverage, see the test coverage report. ReviewsSee the guideline for information on the review process.
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
This was referenced Jan 21, 2022
|
Concept ACK. From reading docs it's still unclear to me whether |
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
from
9313bf6
to
c98b6eb
Compare
|
Concept ACK. We might want to wait with doing this until hardware supporting BTI and PAC is available to test on, though. |
luke-jr
reviewed
Jan 29, 2022
Vic23M
approved these changes
Feb 12, 2022
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
from
c98b6eb
to
b51e648
Compare
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
from
b51e648
to
616e9b9
Compare
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
from
616e9b9
to
f4a72a1
Compare
|
I've changed the approach here, and this is now based on #25437 and parts of #25484. This adds |
|
Concept ACK |
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
2 times, most recently
from
17ae4aa
to
4f74122
Compare
Closed
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
from
1cbc3ce
to
8d5f24b
Compare
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
from
7af2c21
to
6e5b86d
Compare
fanquake
added a commit
to fanquake/bitcoin
that referenced
this pull request
Mar 22, 2024
This includes lief-project/LIEF#975, which I'd like to use in bitcoin#24123.
fanquake
added a commit
to fanquake/bitcoin
that referenced
this pull request
Mar 22, 2024
This includes lief-project/LIEF#975, which I'd like to use in bitcoin#24123.
fanquake
added a commit
to fanquake/bitcoin
that referenced
this pull request
Mar 26, 2024
This includes lief-project/LIEF#975, which I'd like to use in bitcoin#24123.
fanquake
added a commit
to fanquake/bitcoin
that referenced
this pull request
Mar 26, 2024
This includes lief-project/LIEF#975, which I'd like to use in bitcoin#24123.
fanquake
added a commit
to fanquake/bitcoin
that referenced
this pull request
Mar 26, 2024
This includes lief-project/LIEF#975, which I'd like to use in bitcoin#24123.
fanquake
added a commit
to fanquake/bitcoin
that referenced
this pull request
Mar 26, 2024
This includes lief-project/LIEF#975, which I'd like to use in bitcoin#24123.
fanquake
added a commit
that referenced
this pull request
Mar 26, 2024
7850c5f guix: build GCC with --enable-standard-branch-protection (fanquake) Pull request description: This is one change extracted from #24123 (which now produces fully BTI & PAC enabled bins), which will mean that everything in depends, for Guix builds, is compiled using `-mbranch-protection=standard`. Turning this on by default, is similar to what we already do with `--enable-default-ssp`, `--enable-default-pie` etc. See: https://gcc.gnu.org/install/specific.html#aarch64-x-x > To enable Branch Target Identification Mechanism and Return Address Signing by default at configure time use the `--enable-standard-branch-protection` option. > This is equivalent to having `-mbranch-protection=standard` during compilation. This can be explicitly disabled during compilation by passing the `-mbranch-protection=none` option which turns off all types of branch protections. ACKs for top commit: TheCharlatan: ACK 7850c5f Tree-SHA512: 18f898da27021bab502e708ea5fa9b325352f8f6e23d9488a2a0feda87e0af2ac0e4f87b3af9ad6a9a37bbfc99ab0285de4f0bdc174dcd38163d92c122e958e2
fanquake
changed the title
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
from
6e5b86d
to
67a9b54
Compare
Merged
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
from
67a9b54
to
5cd6df7
Compare
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
from
5cd6df7
to
9d1f717
Compare
Set minimum required glibc to 2.31. The glibc 2.31 branch is still maintained: https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/release/2.31/master. Remove the stack-protector check from test-security-check, as the test no-longer fails, and given the control we have of the end, the actual security-check test seems sufficient (this might also be applied to some of the other checks).
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
from
9d1f717
to
3eb5220
Compare
|
Rebased on #29987. |
glibc 2.32 was the first to ship with support for branch protection when compiled with a compatible compiler. glibc 2.32 release notes: https://lwn.net/Articles/828210/ * AArch64 now supports standard branch protection security hardening in glibc when it is built with a GCC that is configured with --enable-standard-branch-protection (or if -mbranch-protection=standard flag is passed when building both GCC target libraries and glibc, in either case a custom GCC is needed). This includes branch target identification (BTI) and pointer authentication for return addresses (PAC-RET). They require armv8.5-a and armv8.3-a architecture extensions respectively for the protection to be effective, otherwise the used instructions are nops. User code can use PAC-RET without libc support, but BTI requires a libc that is built with BTI support, otherwise runtime objects linked into user code will not be BTI compatible.
fanquake
force-pushed
the
mbranch_protection_aarch64_linux
branch
from
3eb5220
to
146633b
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Based on #29987.
Arm Pointer Authentication (PAC) is a method of hardening code from Return Oriented Programming (ROP) attacks. It uses a tag in a pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc+kernel, packages gain the additional hardening by compiling with the
-mbranch-protection=flagavailable in recent versions of GCC. In particular -mbranch-protection=standard enables both BTI and PAC, with backwards compatible toarmv8.0code sequences that activate onv8.3(PAC) &v8.5(BTI) enabled Arm machines. (taken from Fedora).Requirements for building/running with these features:
-mbranch-protection=flag:msign-return-addressflag.-force-bti&&-pac-plt:--pac-plt, which became-z,pac-pltin LLVM 10. More info.Creation of a BTI enabled binary also requires that everything being linked in be BTI enabled. This means you currently cannot, for example, cross-compile using a Ubuntu based aarch64 toolchain, if you're wanting to use this feature. This can be shown using
-Wl,z,force-bti, which will emit warnings for linked objects that are not BTI enabled (this is used in configure to detect when to disable using the flags). i.e:However, if you compile on a system where the toolchain has been built with the additional hardening, i.e Fedora 33 and onwards:
Note the BTI and PAC properties. More about Fedora use of
-mbranch-protection=standardby throughout it's packages can be seen in the rpc repos. i.e:Part of the base compiler flags for aarch64 && Used by default when building glibc.
I've built and tested binaries on an aarch64 machine, (Neoverse-N1, Armv8.2-A) running Fedora 34.
Unit and functional tests pass. Note section contains (not no PAC):
readelf -n src/bitcoind ... Owner Data size Description GNU 0x00000010 NT_GNU_PROPERTY_TYPE_0 Properties: AArch64 feature: BTII am running a sync with
-assumevalid=0. However given that this machine does not support PAC or BTI, as it'sArmv8.2, I'll have to find some newer aarch64 hardware to test other things on. Although this is still a demonstration that the PAC / BTI instructions are nops when running on older hardware.Further reading:
https://fedoraproject.org/wiki/Changes/Aarch64_PointerAuthentication
https://developer.arm.com/documentation/102433/latest/Return-oriented-programming
https://lwn.net/Articles/789370/
Related to #19075.