Bug 1847148 - Aarch64 Pointer Authentication & Branch Target Enablement
Summary: Aarch64 Pointer Authentication & Branch Target Enablement
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: 33
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jeremy Linton
QA Contact:
URL:
Whiteboard:
Depends On: 1862110 1861423
Blocks: ARMTracker F33Changes
TreeView+ depends on / blocked
 
Reported: 2020-06-15 19:03 UTC by Ben Cotton
Modified: 2020-10-27 14:47 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 14:47:56 UTC
Type: ---


Attachments (Terms of Use)

Description Ben Cotton 2020-06-15 19:03:43 UTC
This is a tracking bug for Change: Aarch64 Pointer Authentication & Branch Target Enablement
For more details, see: https://fedoraproject.org/wiki/Changes/Aarch64_PointerAuthentication

Arm Pointer Authentication (PAC) is a method of hardening code from Return Oriented Programming (ROP) attacks. It uses a tag in a pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc+kernel, packages gain the additional hardening by compiling with the -mbranch-protection= flag available in recent versions of GCC. In particular -mbranch-protection=standard enables both BTI and PAC, with backwards compatible to armv8.0 code sequences that activate on v8.3 (PAC) & v8.5 (BTI) enabled Arm machines.

Comment 1 Jeremy Linton 2020-07-14 15:35:21 UTC
We should hold off on getting the flag in until gcc 10.2 lands as there are a couple PAC fixes in 10.2 we will want.

Comment 2 Jeremy Linton 2020-07-17 21:15:44 UTC
I went with the KISS method, and just added it to the optflags. The pull request is here: https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/97

There is a build here: https://koji.fedoraproject.org/koji/taskinfo?taskID=47357962

The gcc bug that should be integrated before the mass rebuild is:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94891

The fix has been backported to gcc 9/10.1 and is in the 10.2 branch as well. 

Its not clear to me if fedora is planning on moving to 10.2 before the rebuild, otherwise I can create a PR for the 10.1 backport.

Comment 3 Florian Weimer 2020-07-24 07:22:00 UTC
As far as I can tell, this change requires special builds of gcc and glibc:

https://sourceware.org/pipermail/libc-alpha/2020-July/116611.html

As a result, the mass rebuild will NOT complete this change.

Comment 4 Jeremy Linton 2020-07-28 17:54:42 UTC
I've checked with Szabolcs, and its his understanding too that simply building gcc with mbranch-protection=standard will do what we want.

Comment 5 Ben Cotton 2020-08-11 14:42:31 UTC
Branching F33 Change Tracker bugs.

Today is the code complete (testable) deadline. All bugs should be at least in MODIFIED state by now to indicate they are testable.

Comment 6 Jeremy Linton 2020-08-13 16:57:24 UTC
Large parts of this are in place, I need to test/validate functionality, but I think the distro has definitely been "modified" so that is my error for not setting the bz state.

Comment 7 Ben Cotton 2020-08-27 01:12:00 UTC
Yesterday we reached the Code complete (100% code complete) deadline for Fedora 33 Changes. If your Change is complete, please set this tracking bug to ON_QA. If you need to defer this Change to Fedora 34, please let NEEDINFO me.

As a reminder, we are now in the Beta Freeze. If you need to land package updates, please propose it as a Freeze Exception at https://qa.fedoraproject.org/blockerbugs/propose_bug

Comment 8 Jeremy Linton (ARM) 2020-09-08 22:12:39 UTC
I've been testing this on a v8.0 machine (honeycomb, rpi4) as well as a v8.5 model, and everything looks reasonable at the moment.

Comment 9 Ben Cotton 2020-10-27 14:47:56 UTC
Closing tracking bugs for F33. If your change didn't make it into F33 for some reason, please reopen this and NEEDINFO me.


Note You need to log in before you can comment on or make changes to this bug.