This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH 0/2] aarch64: Enable pointer auth in PLT


On 25/06/2019 12:11, Mark Rutland wrote:
> On Tue, Jun 25, 2019 at 11:40:43AM +0100, Ramana Radhakrishnan wrote:
>> On Fri, Jun 21, 2019 at 12:33 PM Szabolcs Nagy <Szabolcs.Nagy@arm.com> wrote:
>>> On 21/06/2019 11:46, Florian Weimer wrote:
>>>> * Szabolcs Nagy:
>>>>> On 21/06/2019 10:12, Florian Weimer wrote:
>>>>>> * Szabolcs Nagy:
>>>>>>> Pointer authentication is an armv8.3-a extension and it can be used
>>>>>>> to harden PLTGOT entries when that is not read-only protected.
>>>>>>>
>>>>>>> binutils bfd linker now supports creating binaries with -z pac-plt
>>>>>>> and then PLT entries authenticate the pointers loaded from PLTGOT.
>>>>>>>
>>>>>>> To support such binaries the glibc dynamic linker has to "sign" the
>>>>>>> pointers in the PLTGOT. On cpus without pointer authentication support,
>>>>>>> both the sign and authentication operations are nops, so such binaries
>>>>>>> may appear to work now, but on a new cpu they will crash without glibc
>>>>>>> support.
>>>>>>
>>>>>> I think you need to enable this feature in a different way, similar to
>>>>>> the non-executable stack.  Otherwise, people will have to decide whether
>>>>>> they want to build portable binaries or binaries with security
>>>>>> hardening, which is not desirable.
>>>>>
>>>>> with non-executable stack, a hardened binary works on
>>>>> an old system that uses executable stack.
>>>>>
>>>>> in this case a hardened binary does not work on an old
>>>>> system that's unaware of pointer auth.
>>>>
>>>> Does it work on an old system without kernel support for pointer
>>>> authentication?  With just support in the CPU?
>>>
>>> the binaries work on an old system if pauth is not
>>> enabled by the kernel.
>>>
>>> i think we don't have prctl or other control
>>> in linux to enable/disable pauth per process
>>> right now so it is not opt-in, the kernel just
>>> informs userspace with a HWCAP that it is enabled.
>>
>> There was certainly talk about a prctl call for pauth with the Android
>> guys as they were interested in a model with zygote.
> 
> There's a prctl (PR_PAC_RESET_KEYS) which can be used to re-initialize
> keys to new random values, but there's no kernel-provided mechanism to
> NOP out the instructions.
> 
> Working on an old CPU but crashing on a new one seems especially
> problematic. Is it possible to make the binaries depend on a glibc with
> the necessary support, using the usual library versioning/dependency
> mechanisms?

i can fix glibc, i'm more worried about the unwinder
(especially in situations where that's runtime loaded)

performance and debug experience regression is a problem
too. (for which we can give no workaround now on armv8.3-a
hardware)
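
The compatibility cases discussed in this thread, as an added example that is not part of the original messages or of glibc: it scans a dynamic section for the marker of a -z pac-plt binary and combines it with the pauth HWCAP bit. Assumptions not stated in the thread: the marker is the AArch64 ELF ABI tag DT_AARCH64_PAC_PLT, the HWCAP bit is Linux arm64's HWCAP_PACA (bit 30, named EX_HWCAP_PACA here), and `loader_signs` is a hypothetical input saying whether the dynamic linker signs PLTGOT entries.

```c
#include <elf.h>
#include <stdbool.h>
#include <stddef.h>
/* AArch64 values, defined here so the example also builds on other hosts. */
#ifndef DT_AARCH64_PAC_PLT
#define DT_AARCH64_PAC_PLT 0x70000003 /* dynamic tag emitted for -z pac-plt */
#endif
#define EX_HWCAP_PACA (1UL << 30)     /* arm64 AT_HWCAP: address auth enabled */

enum pac_plt_outcome {
    NOT_PAC_PLT,   /* ordinary PLT, nothing to sign */
    PAC_PLT_NOP,   /* pauth not enabled: sign/auth execute as NOPs */
    PAC_PLT_OK,    /* pauth enabled and the loader signs PLTGOT */
    PAC_PLT_CRASH  /* pauth enabled, PLTGOT unsigned: PLT authentication fails */
};

/* Walk a PT_DYNAMIC array (at most max entries) until DT_NULL. */
static bool has_pac_plt(const Elf64_Dyn *dyn, size_t max)
{
    for (size_t i = 0; i < max && dyn[i].d_tag != DT_NULL; i++)
        if (dyn[i].d_tag == DT_AARCH64_PAC_PLT)
            return true;
    return false;
}

/* loader_signs is a hypothetical input, see the lead-in. */
static enum pac_plt_outcome classify(const Elf64_Dyn *dyn, size_t max,
                                     unsigned long hwcap, bool loader_signs)
{
    if (!has_pac_plt(dyn, max))
        return NOT_PAC_PLT;
    if (!(hwcap & EX_HWCAP_PACA))
        return PAC_PLT_NOP;
    return loader_signs ? PAC_PLT_OK : PAC_PLT_CRASH;
}

/* Constructed sample dynamic sections (not taken from a real binary). */
static const Elf64_Dyn sample_plain[] = {
    { .d_tag = DT_PLTGOT, .d_un.d_ptr = 0x11000 },
    { .d_tag = DT_NULL },
};
static const Elf64_Dyn sample_pac[] = {
    { .d_tag = DT_PLTGOT, .d_un.d_ptr = 0x11000 },
    { .d_tag = DT_AARCH64_PAC_PLT, .d_un.d_val = 0 },
    { .d_tag = DT_NULL },
};
int main(void)
{
    return classify(sample_pac, 3, EX_HWCAP_PACA, false) == PAC_PLT_CRASH ? 0 : 1;
}
```

On an arm64 Linux system the `hwcap` argument would come from `getauxval(AT_HWCAP)`.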

