aarch64: enable PAC and BTI#39
Conversation
billatarm
force-pushed
the
aarch64-add-pac-bti-support
branch
from
0b06a3e to
4ce8337
Compare
Enable Pointer Authentication Codes (PAC) and Branch Target Identification (BTI) support for ARM 64 targets. Since the code base has no indirect branches or indirect jumps to any of the assembly code, no need to mark up any of the assembly with PAC or BTI instructions. For BTI to work, all object files linked for a unit of execution, whether an executable or a library must have the GNU Notes section of the ELF file marked to indicate BTI support. This is so loader/linkers can apply the proper permission bits (PROT_BRI) on the memory region. PAC can also be annotated in the GNU ELF notes section, but it's not required for enablement, as interleaved PAC and non-pac code works as expected since it's the callee that performs all the checking. Signed-off-by: Bill Roberts <bill.roberts@arm.com>
billatarm
force-pushed
the
aarch64-add-pac-bti-support
branch
from
4ce8337 to
aac367a
Compare
|
@ip7z: What do you think about this PR? |
|
bump |
gyurix
left a comment
gyurix
left a comment
There was a problem hiding this comment.
Security-hardening direction is good, but implementation looks incomplete.
Adding GNU property notes in one assembly file does not show whole-binary PAC/BTI coverage by itself. There are no matching build-flag/toolchain changes here, and no proof from linked binaries that final artifacts get desired properties.
Merge readiness: 5/10. Before merge: show readelf/linked-binary evidence, explain interaction with other objects, and include whatever build/docs changes are required for end-to-end enablement.
You don't need to do anything for C files, it just works. It's only the one asm file, and per the comment:
TL;DR Exactly where would I add these? These makefiles are pretty non-standard and don't respect the standard CFLAGS or CXXFLAGS env vars. I am not really sure where it would be appropriate to add any flags. Additionally, over in Fedora, we just patch the Makefile to support these env vars for building the package. The specific flag to add would be:
Sure
What exactly would I describe that isn't in the commit message or is that you want that in some text file under DOC?
Sure |
3 participants
Enable Pointer Authentication Codes (PAC) and Branch Target Identification (BTI) support for ARM 64 targets.
PAC works by signing the LR with either an A key or B key and verifying the return address. There are quite a few instructions capable of doing this, however, the Linux ARM ABI is to use hint compatible instructions that can be safely NOP'd on older hardware and can be assembled and linked with older binutils. This limits the instruction set to paciasp, pacibsp, autiasp and autibsp. Instructions prefixed with pac are for signing and instructions prefixed with aut are for signing. Both instructions are then followed with an a or b to indicate which signing key they are using. The keys can be controlled using -mbranch-protection=pac-ret for the A key and
-mbranch-protection=pac-ret+b-key for the B key.
BTI works by marking all call and jump positions with bti c and bti j instructions. If execution control transfers to an instruction other than a BTI instruction, the execution is killed via SIGILL. Note that to remove one instruction, the aforementioned pac instructions will also work as a BTI landing pad for bti c usages.
For BTI to work, all object files linked for a unit of execution, whether an executable or a library must have the GNU Notes section of the ELF file marked to indicate BTI support. This is so loader/linkers can apply the proper permission bits (PROT_BRI) on the memory region.
PAC can also be annotated in the GNU ELF notes section, but it's not required for enablement, as interleaved PAC and non-pac code works as expected since it's the callee that performs all the checking.