Problem: Unprotected AArch64 binaries are vulnerable to ROP/JOP style attacks
Fix By: Compile with -mbranch-protection=standard
Waive If: Not running on AArch64
Waive If: The application will not run on Fedora 35 or later.
Waive If: The application will not run on newer AArch64 cores.
Example: FAIL: branch protection test because not enabled
Example: FAIL: branch protection test because only partially enabled
Example: FAIL: branch protection test because .note.gnu.property section not found (it is needed for branch protection support)
Example: FAIL: branch protection test because the -mbranch-protection option was not used
AArch64 processors are vulnerable to a class of attacks known as ROP (return-oriented programming) and JOP (jump-oriented programming). Preventing this kind of exploit requires assistance from the hardware itself, in the form of new instructions that need to be inserted by the compiler, and new bits in the core’s status that need to be set.
This test checks to see if the compile-time option to enable the security feature was used. There are four levels of security available, ranging from none through partial (some functions are protected, others are not) to full. The test checks that full security has been enabled.
The security feature is enabled by compiling with the -mbranch-protection=standard gcc command line option.
Note - these security features are only found on newer versions of the AArch64 architecture, and they need a compiler and a loader that will support them. Currently this means Fedora 35 or later, but not RHEL-8 or RHEL-9.
If an assembler source file is used as part of an application then it too needs to be updated. Any location in the source code where an indirect branch or function call can land must now have BTI as the first instruction executed. This instruction is safe to use even in code that will not be executed in a BTI-enabled environment as it translates into a no-op instruction if not needed.
In addition, the assembler source needs a note to indicate that it now supports BTI. This note can be added by including this code snippet in the sources:

            .pushsection .note.gnu.property, "a"
            .align 3
            .word 2f - 1f
            .word 4f - 3f
            .word 5             /* NT_GNU_PROPERTY_TYPE_0 */
    1:      .asciz "GNU"
    2:      .align 3
    3:      .word 0xc0000000    /* type: GNU_PROPERTY_AARCH64_FEATURE_1_AND */
            .word 6f - 5f       /* size */
    5:      .word 1             /* value: GNU_PROPERTY_AARCH64_FEATURE_1_BTI */
    6:      .align 3
    4:      .popsection
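The following added example (not part of the annocheck documentation or its sources) decodes the note that the snippet above assembles to and models why every assembler file needs it: the property is an AND across link inputs, so one input without the note clears BTI for the result. Assumptions: a little-endian 64-bit layout, the PAC bit value 2 from the AArch64 ELF ABI, hypothetical function names, and constructed sample notes.

```python
import struct
from functools import reduce

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
BTI, PAC = 1, 2  # GNU_PROPERTY_AARCH64_FEATURE_1_BTI / _PAC (PAC value is not on the page)

def align8(n):
    return (n + 7) & ~7

def build_note(value):
    """Constructed sample: the bytes the page's snippet assembles to for a given value."""
    prop = struct.pack("<III", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, value)
    desc = prop.ljust(align8(len(prop)), b"\0")           # trailing '.align 3'
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc

def feature_bits(section):
    """Return the FEATURE_1 bits declared in a .note.gnu.property section (0 if none)."""
    off, bits = 0, 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name = section[off + 12:off + 12 + namesz]
        pos = align8(off + 12 + namesz)                   # descriptor start
        end = pos + descsz
        if end > len(section):
            raise ValueError("truncated note")
        while name == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0 and pos + 8 <= end:
            ptype, datasz = struct.unpack_from("<II", section, pos)
            if pos + 8 + datasz > end:
                raise ValueError("truncated property")
            if ptype == GNU_PROPERTY_AARCH64_FEATURE_1_AND and datasz == 4:
                bits |= struct.unpack_from("<I", section, pos + 8)[0]
            pos = align8(pos + 8 + datasz)                # properties are 8-byte aligned
        off = align8(end)
    return bits

def linked_bits(sections):
    """Model of the _AND semantics: an input without the note contributes 0."""
    return reduce(lambda a, b: a & b, (feature_bits(s) for s in sections))

def names(bits):
    return sorted(n for n, b in (("BTI", BTI), ("PAC", PAC)) if bits & b)

if __name__ == "__main__":
    c_obj = build_note(BTI | PAC)    # constructed: assumed output of -mbranch-protection=standard
    asm_with_note = build_note(BTI)  # constructed: the page's snippet, value 1
    asm_no_note = b""                # constructed: assembler file lacking the note
    print(names(linked_bits([c_obj, asm_with_note])))  # ['BTI']
    print(names(linked_bits([c_obj, asm_no_note])))    # []
```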
Note - this test is the inverse of the not-branch-protection test and directly related to the dynamic-tags test.
Note - this test is automatically enabled if one of the following profile options is used:
--profile=rawhide
--profile=f38
--profile=f37
--profile=f36
--profile=el10
The test is automatically disabled if one of the other profile options is used, i.e.:
--profile=el7
--profile=el8
--profile=el9
--profile=f35
If necessary the test can be disabled via the --skip-branch-protection option and re-enabled via the --test-branch-protection option.