Issue #2403: F33 System-Wide Change: Aarch64 Pointer Authentication & Branch Target Enablement - fesco

fesco

#2403 F33 System-Wide Change: Aarch64 Pointer Authentication & Branch Target Enablement

Closed: Accepted 3 years ago by ignatenkobrain. Opened 3 years ago by bcotton.

Arm Pointer Authentication (PAC) is a method of hardening code from Return Oriented Programming (ROP) attacks. It uses a tag in a pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc+kernel, packages gain the additional hardening by compiling with the -mbranch-protection= flag available in recent versions of GCC. In particular -mbranch-protection=standard enables both BTI and PAC, with backwards compatible to armv8.0 code sequences that activate on v8.3 (PAC) & v8.5 (BTI) enabled Arm machines.

ignatenkobrain commented 3 years ago

given the clang-gcc change that is being discussed in the devel, is this flag available there too @jlinton ?

jlinton commented 3 years ago

Hi,

Yes the flag name in gcc was changed in the past to match the llvm one.

https://clang.llvm.org/docs/ClangCommandLineReference.html

The suggested -mbranch-protection= should work on both gcc and clang.

On 6/8/20 12:25 PM, Igor Raits wrote:

ignatenkobrain added a new comment to an issue you are following:
given the clang-gcc change that is being discussed in the devel, is this flag available there too @jlinton ?

To reply, visit the link below or just reply to this email
https://pagure.io/fesco/issue/2403