#2403 F33 System-Wide Change: Aarch64 Pointer Authentication & Branch Target Enablement
Closed: Accepted 6 months ago by ignatenkobrain. Opened 6 months ago by bcotton.

Arm Pointer Authentication (PAC) is a method of hardening code from Return Oriented Programming (ROP) attacks. It uses a tag in a pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc+kernel, packages gain the additional hardening by compiling with the -mbranch-protection= flag available in recent versions of GCC. In particular -mbranch-protection=standard enables both BTI and PAC, with backwards compatible to armv8.0 code sequences that activate on v8.3 (PAC) & v8.5 (BTI) enabled Arm machines.


given the clang-gcc change that is being discussed in the devel, is this flag available there too @jlinton ?

Hi,

Yes the flag name in gcc was changed in the past to match the llvm one.

https://clang.llvm.org/docs/ClangCommandLineReference.html

The suggested -mbranch-protection= should work on both gcc and clang.

On 6/8/20 12:25 PM, Igor Raits wrote:

ignatenkobrain added a new comment to an issue you are following:
given the clang-gcc change that is being discussed in the devel, is this flag available there too @jlinton ?

To reply, visit the link below or just reply to this email
https://pagure.io/fesco/issue/2403

This is APPROVED now with (+4, 0, -0).

Metadata Update from @ignatenkobrain:
- Issue tagged with: pending announcement

6 months ago

Metadata Update from @ignatenkobrain:
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

6 months ago

Login to comment on this ticket.

Metadata