guix: Pointer Authentication and Branch Target Identification for aarch64 Linux #24123

fanquake wants to merge 1 commit into bitcoin:master from
Concept ACK. From reading docs it's still unclear to me whether

force-pushed from 9313bf6 to c98b6eb
Concept ACK. We might want to wait with doing this until hardware supporting BTI and PAC is available to test on, though.

force-pushed from c98b6eb to b51e648
force-pushed from b51e648 to 616e9b9
force-pushed from 616e9b9 to f4a72a1
I've changed the approach here, and this is now based on #25437 and parts of #25484. This adds

Concept ACK

force-pushed from 17ae4aa to 4f74122
force-pushed from 1cbc3ce to 8d5f24b
force-pushed from 7af2c21 to 6e5b86d
Rebased on #29987.

Rebased on master and dropped a commit, also bumped the glibc 2.33 branch to the latest commit. Still based on #30433, but the main blocker here remains the glibc bump. |
For now, the Guix built bins could be inspected with:

```
# bitcoin/guix-build-30af1c56da93/output/aarch64-linux-gnu/bitcoin-30af1c56da93/bin
# readelf -n * | grep "AArch64"
Properties: AArch64 feature: BTI, PAC
Properties: AArch64 feature: BTI, PAC
Properties: AArch64 feature: BTI, PAC
Properties: AArch64 feature: BTI, PAC
Properties: AArch64 feature: BTI, PAC
Properties: AArch64 feature: BTI, PAC
Properties: AArch64 feature: BTI, PAC
```
It would be helpful if someone with BTI-enabled hardware could test the binaries and verify BTI at runtime. Unfortunately, I'm unable to do it myself, as my hardware supports only PAC, not BTI.
Rebased for #30433, and updated to add an export allowance for

glibc 2.32 was the first to ship with support for branch protection when compiled with a compatible compiler, see below. However a number of bugfixes/improvements shipped in glibc 2.33, so use that, rather than trying to backport all relevant changes.

glibc 2.32 release notes: https://lwn.net/Articles/828210/

* AArch64 now supports standard branch protection security hardening in glibc when it is built with a GCC that is configured with --enable-standard-branch-protection (or if -mbranch-protection=standard flag is passed when building both GCC target libraries and glibc, in either case a custom GCC is needed). This includes branch target identification (BTI) and pointer authentication for return addresses (PAC-RET). They require armv8.5-a and armv8.3-a architecture extensions respectively for the protection to be effective, otherwise the used instructions are nops. User code can use PAC-RET without libc support, but BTI requires a libc that is built with BTI support, otherwise runtime objects linked into user code will not be BTI compatible.

`__libc_single_threaded` added as it is now exported from at least `bitcoin-wallet` and `test_bitcoin`.
Ideally #25573 will happen soon, which essentially includes this. So closing for now.
Arm Pointer Authentication (PAC) is a method of hardening code from Return Oriented Programming (ROP) attacks. It uses a tag in a pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc+kernel, packages gain the additional hardening by compiling with the `-mbranch-protection=` flag available in recent versions of GCC. In particular `-mbranch-protection=standard` enables both BTI and PAC, with backwards compatible to armv8.0 code sequences that activate on v8.3 (PAC) & v8.5 (BTI) enabled Arm machines. (taken from Fedora).

Creation of a BTI enabled binary also requires that everything being linked in be BTI enabled. This means you currently cannot, for example, cross-compile using a Ubuntu based aarch64 toolchain, if you're wanting to use this feature. This can be shown using `-Wl,z,force-bti`, which will emit warnings for linked objects that are not BTI enabled (this is used in configure to detect when to disable using the flags). i.e.:

Closes #19075.
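As an added example (not code from this PR or from Bitcoin Core), the following Python decodes the `.note.gnu.property` note that `readelf -n` summarises in the comment above as `AArch64 feature: BTI, PAC`, and then performs the per-object check that a BTI-enforcing link (`-z force-bti`) does: list every input object that is not marked BTI, including objects with no property note at all, which is exactly what an unhardened distro toolchain's CRT objects and libraries look like. The constants are the ones from the AArch64 ELF ABI and the GNU property note format (`NT_GNU_PROPERTY_TYPE_0 = 5`, `GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xc0000000`, BTI is bit 0, PAC is bit 1); the note bytes are constructed inline rather than read from a real binary, and all function names are my own.

```python
import struct

# Constants from the ELF for the Arm 64-bit Architecture (AArch64) ABI
# and the generic GNU property note format.
NT_GNU_PROPERTY_TYPE_0 = 5                       # note type carrying GNU properties
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000  # property holding the feature bitmap
GNU_PROPERTY_AARCH64_FEATURE_1_BTI = 1 << 0      # all code starts with BTI landing pads
GNU_PROPERTY_AARCH64_FEATURE_1_PAC = 1 << 1      # return addresses are PAC-signed
NOTE_ALIGN = 8                                   # ELF64 property notes are 8-byte aligned


def _align(n, a=NOTE_ALIGN):
    return (n + a - 1) & ~(a - 1)


def iter_notes(blob):
    """Yield (name, type, desc) for each note in a .note.gnu.property section."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0").decode("ascii", "replace")
        off += _align(namesz)
        desc = blob[off:off + descsz]
        off += _align(descsz)
        if len(desc) != descsz:
            break  # truncated note: stop rather than misparse the tail
        yield name, ntype, desc


def iter_properties(desc):
    """Yield (pr_type, pr_data) for each property inside an NT_GNU_PROPERTY_TYPE_0 desc."""
    off = 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        off += 8
        data = desc[off:off + pr_datasz]
        off += _align(pr_datasz)
        if len(data) != pr_datasz:
            break
        yield pr_type, data


def aarch64_features(blob):
    """Return the feature names an object advertises, or None when it carries no
    AArch64 feature property at all (an unmarked object, which a BTI-enforcing
    link treats as not BTI compatible)."""
    for name, ntype, desc in iter_notes(blob):
        if name != "GNU" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        for pr_type, data in iter_properties(desc):
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and len(data) >= 4:
                flags = struct.unpack_from("<I", data)[0]
                feats = []
                if flags & GNU_PROPERTY_AARCH64_FEATURE_1_BTI:
                    feats.append("BTI")
                if flags & GNU_PROPERTY_AARCH64_FEATURE_1_PAC:
                    feats.append("PAC")
                return feats
    return None


def describe(blob):
    """One-line summary in the style of readelf -n."""
    feats = aarch64_features(blob)
    if feats is None:
        return "no AArch64 feature property"
    return "AArch64 feature: " + (", ".join(feats) if feats else "<none>")


def objects_missing_bti(objects):
    """Given {object_name: note_section_bytes}, list the inputs that a link with
    -z force-bti would warn about: everything not marked BTI, unmarked objects included."""
    return sorted(name for name, blob in objects.items()
                  if "BTI" not in (aarch64_features(blob) or []))


def build_property_note(flags):
    """Construct the bytes GCC/binutils emit for .note.gnu.property on AArch64
    (constructed sample for this example, not copied from a real binary)."""
    name = b"GNU\0"
    name += b"\0" * (_align(len(name)) - len(name))      # namesz stays 4, storage is padded
    pr_data = struct.pack("<I", flags)
    pr_data += b"\0" * (_align(len(pr_data)) - len(pr_data))
    desc = struct.pack("<II", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4) + pr_data
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + name + desc


if __name__ == "__main__":
    hardened = build_property_note(GNU_PROPERTY_AARCH64_FEATURE_1_BTI | GNU_PROPERTY_AARCH64_FEATURE_1_PAC)
    print(describe(hardened))  # AArch64 feature: BTI, PAC
    # Constructed link inputs: a hardened object, a PAC-only one, and an unmarked one.
    inputs = {"main.o": hardened, "pac_only.o": build_property_note(GNU_PROPERTY_AARCH64_FEATURE_1_PAC), "crt1.o": b""}
    for obj in objects_missing_bti(inputs):
        print(f"warning: {obj}: BTI property not found, output will not be BTI compatible")
```

The same loop over real files is what `readelf -n` in the comment above is doing across the Guix output directory: extract the `.note.gnu.property` section bytes of each object and feed them to `describe`. Because a single unmarked input (a distro `crt1.o`, for instance) clears the BTI bit of the final link, checking every input object, not just the compiled sources, is the check that matters.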