[PATCH v7 14/14] aarch64: add NEWS entry about branch protection support

Fri Jul 24 07:19:45 GMT 2020

* Szabolcs Nagy:

> +* AArch64 now supports standard branch protection security hardening
> +  in glibc when it is built with a GCC that is configured with
> +  --enable-standard-branch-protection.  This includes branch target
> +  identification (BTI) and pointer authentication for return addresses
> +  (PAC-RET).  They require armv8.5-a and armv8.3-a architecture
> +  extensions respectively for the protection to be effective,
> +  otherwise the used instructions are nops.  User code can use PAC-RET
> +  without libc support, but BTI requires a libc that is built with BTI
> +  support, otherwise runtime objects linked into user code will not be
> +  BTI compatible.

How can I test whether GCC has been built with
--enable-standard-branch-protection?

We have a Fedora change for this:

  <https://fedoraproject.org/wiki/Changes/Aarch64_PointerAuthentication>

But no GCC update has been submitted for it, and we have not adjust our
glibc build accordingly.

It also doesn't look like libc_nonshared.a is built correctly for this.
In particular, __libc_csu_init (which is linked statically into every
program) does not have any BTI+PAC marker instructions, as far as I can
see:

0000000000000000 <__libc_csu_init>:
   0:   stp     x29, x30, [sp, #-64]!
   4:   mov     x29, sp
   8:   stp     x19, x20, [sp, #16]
   c:   adrp    x20, 0 <__init_array_end>
                        c: R_AARCH64_ADR_PREL_PG_HI21   __init_array_end
  10:   add     x20, x20, #0x0
                        10: R_AARCH64_ADD_ABS_LO12_NC   __init_array_end
  14:   stp     x21, x22, [sp, #32]
  18:   adrp    x21, 0 <__init_array_start>
                        18: R_AARCH64_ADR_PREL_PG_HI21  __init_array_start
  1c:   add     x21, x21, #0x0
                        1c: R_AARCH64_ADD_ABS_LO12_NC   __init_array_start
  20:   sub     x20, x20, x21
  24:   mov     w22, w0
  28:   stp     x23, x24, [sp, #48]
  2c:   mov     x23, x1
  30:   mov     x24, x2
  34:   asr     x20, x20, #3
  38:   bl      0 <_init>
                        38: R_AARCH64_CALL26    _init
  3c:   cbz     x20, 68 <__libc_csu_init+0x68>
  40:   mov     x19, #0x0                       // #0
  44:   nop
  48:   ldr     x3, [x21, x19, lsl #3]
  4c:   mov     x2, x24
  50:   add     x19, x19, #0x1
  54:   mov     x1, x23
  58:   mov     w0, w22
  5c:   blr     x3
  60:   cmp     x20, x19
  64:   b.ne    48 <__libc_csu_init+0x48>  // b.any
  68:   ldp     x19, x20, [sp, #16]
  6c:   ldp     x21, x22, [sp, #32]
  70:   ldp     x23, x24, [sp, #48]
  74:   ldp     x29, x30, [sp], #64
  78:   ret
  7c:   nop

Is there an alternative to enabling this for glibc (and elsewhere)
without a special build of GCC?  Or will this still not work because
without --enable-standard-branch-protection for GCC, libgcc.a is not
ready?

Thanks,
Florian