guix: Pointer Authentication and Branch Target Identification for aarch64 Linux #24123
Conversation
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks: for details see https://corecheck.dev/bitcoin/bitcoin/pulls/24123.

Reviews: see the guideline for information on the review process. If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts: no conflicts as of last run.
Concept ACK. From reading docs it's still unclear to me whether
Force-pushed: 9313bf6 to c98b6eb
Concept ACK. We might want to wait with doing this until hardware supporting BTI and PAC is available to test on, though.
Force-pushed: c98b6eb to b51e648
Force-pushed: b51e648 to 616e9b9
Force-pushed: 616e9b9 to f4a72a1
I've changed the approach here, and this is now based on #25437 and parts of #25484. This adds
Concept ACK
Force-pushed: 17ae4aa to 4f74122
🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the
Possibly this is due to a silent merge conflict (the changes in this pull request being
Leave a comment here, if you need help tracking down a confusing failure.
Force-pushed: aac821e to c29a4e4
Force-pushed: c29a4e4 to 30af1c5
Rebased on master and dropped a commit, also bumped the glibc 2.33 branch to the latest commit. Still based on #30433, but the main blocker here remains the glibc bump.
For now, the Guix built bins could be inspected with:

```bash
# bitcoin/guix-build-30af1c56da93/output/aarch64-linux-gnu/bitcoin-30af1c56da93/bin# readelf -n * | grep "AArch64"
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC
```
It would be helpful if someone with BTI-enabled hardware could test the binaries and verify BTI at runtime. Unfortunately, I'm unable to do it myself, as my hardware supports only PAC, not BTI.
Force-pushed: 30af1c5 to c5b775e
Force-pushed: c5b775e to 1d22173
…ags for aarch64-linux 001b1cf build: use standard branch-protection for aarch64-linux (fanquake)

Pull request description:

Use `-mbranch-protection=standard` when targeting `*aarch64-*-linux*`. Part of #24123, but this flag can already be used on a best effort basis. Note that this flag is also already used by default, in the toolchain, on various distros (i.e. Fedora).

ACKs for top commit:
hebasto: ACK 001b1cf.
TheCharlatan: ACK 001b1cf

Tree-SHA512: 2d7ae60f59921a62d51139cb0fd5cecbed4f63266564b2623b7d160f5b0c2c42c78ef8aeff787f485eccc46a9ffd5da70023ec093df6add7c982e0d48a1601b5
Force-pushed: bffcd69 to e596204
Rebased for #30433, and updated to add an export allowance for
…o hardening flags 61a6c3b build: add `-mbranch-protection=bti` to aarch64 hardening flags (fanquake)

Pull request description:

This is a simpler (less hardening) version of bitcoin#24123. You can inspect binaries using `readelf -n`, and look for BTI in a `.note.gnu.property`. i.e.

```bash
readelf -n src/bitcoin-cli

Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: AArch64 feature: BTI
```

Related to bitcoin#19075.

ACKs for top commit:
TheCharlatan: utACK 61a6c3b

Tree-SHA512: 64504de44e91d853165daf4111dca905d8eb9ef3f4bfb0d447c677b02c9100dbd56f13e6fe6539fb06c2343a094229591ac5d1bd9e184b32b512c0ac3f9bac36
Force-pushed: e596204 to f91b1f5
glibc 2.32 was the first to ship with support for branch protection when compiled with a compatible compiler, see below. However a number of bugfixes/improvements shipped in glibc 2.33, so use that, rather than trying to backport all relevant changes.

glibc 2.32 release notes: https://lwn.net/Articles/828210/

* AArch64 now supports standard branch protection security hardening in glibc when it is built with a GCC that is configured with --enable-standard-branch-protection (or if -mbranch-protection=standard flag is passed when building both GCC target libraries and glibc, in either case a custom GCC is needed). This includes branch target identification (BTI) and pointer authentication for return addresses (PAC-RET). They require armv8.5-a and armv8.3-a architecture extensions respectively for the protection to be effective, otherwise the used instructions are nops. User code can use PAC-RET without libc support, but BTI requires a libc that is built with BTI support, otherwise runtime objects linked into user code will not be BTI compatible.

`__libc_single_threaded` added as it is now exported from at least `bitcoin-wallet` and `test_bitcoin`.
Force-pushed: f91b1f5 to 1a3b8ce
Arm Pointer Authentication (PAC) is a method of hardening code from Return Oriented Programming (ROP) attacks. It uses a tag in a pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc+kernel, packages gain the additional hardening by compiling with the `-mbranch-protection=` flag available in recent versions of GCC. In particular `-mbranch-protection=standard` enables both BTI and PAC, with backwards compatible to armv8.0 code sequences that activate on v8.3 (PAC) & v8.5 (BTI) enabled Arm machines. (taken from Fedora).

Creation of a BTI enabled binary also requires that everything being linked in be BTI enabled. This means you currently cannot, for example, cross-compile using a Ubuntu based aarch64 toolchain, if you're wanting to use this feature. This can be shown using `-Wl,-z,force-bti`, which will emit warnings for linked objects that are not BTI enabled (this is used in configure to detect when to disable using the flags). i.e:

Closes #19075.
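The `readelf -n` check used on the Guix outputs above, and the "everything linked in must be BTI enabled" rule that `-Wl,-z,force-bti` enforces at link time, both come down to one `.note.gnu.property` note: an `NT_GNU_PROPERTY_TYPE_0` descriptor whose `GNU_PROPERTY_AARCH64_FEATURE_1_AND` bitmask has BTI (bit 0) and/or PAC (bit 1) set. The following is an added example (not code from the Bitcoin Core repository or from this PR) that parses that note directly with the Python standard library, so the result can be asserted in a build or release check rather than grepped out of `readelf` output. It also walks the ELF64 section headers to find the note in a real file, and reports which of a set of objects lack BTI, the post-hoc equivalent of the linker warning. The `build_test_elf64` and `gnu_property_note` helpers are constructed fixtures for exercising the parser offline; the constants are the documented ELF/GNU values, and a little-endian ELF64 layout is assumed, which is what aarch64-linux-gnu produces.

```python
"""Parse .note.gnu.property to see which AArch64 branch-protection features an ELF advertises."""
import struct
from typing import Dict, List, Set

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
AARCH64_FEATURE_1_BTI = 1 << 0
AARCH64_FEATURE_1_PAC = 1 << 1
SHT_NOTE = 7
SHT_STRTAB = 3
EM_AARCH64 = 183


def _align(value: int, boundary: int) -> int:
    return (value + boundary - 1) & ~(boundary - 1)


def parse_gnu_property_notes(section: bytes, elfclass: int = 64) -> Dict[int, bytes]:
    """Walk a .note.gnu.property section and return {pr_type: pr_data}.

    Each note is a namesz/descsz/type header, a name padded to 4 bytes, and a
    descriptor padded to 8 on ELF64 (4 on ELF32). Inside the descriptor every
    property is pr_type/pr_datasz/data, with data padded to the same boundary.
    """
    align = 8 if elfclass == 64 else 4
    props: Dict[int, bytes] = {}
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        off += 12
        name = section[off:off + namesz]
        off += _align(namesz, 4)
        desc = section[off:off + descsz]
        off += _align(descsz, align)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue  # some other vendor note; not a GNU property
        d = 0
        while d + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, d)
            d += 8
            props[pr_type] = desc[d:d + pr_datasz]
            d += _align(pr_datasz, align)
    return props


def aarch64_features(section: bytes, elfclass: int = 64) -> Set[str]:
    """Decode the AArch64 feature mask into the names readelf prints (BTI, PAC)."""
    data = parse_gnu_property_notes(section, elfclass).get(GNU_PROPERTY_AARCH64_FEATURE_1_AND)
    if not data or len(data) < 4:
        return set()
    bits = struct.unpack_from("<I", data)[0]
    found = set()
    if bits & AARCH64_FEATURE_1_BTI:
        found.add("BTI")
    if bits & AARCH64_FEATURE_1_PAC:
        found.add("PAC")
    return found


def elf_aarch64_features_from_bytes(blob: bytes) -> Set[str]:
    """Locate .note.gnu.property via the ELF64 section headers and decode it."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_shoff,) = struct.unpack_from("<Q", blob, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", blob, 0x3A)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", blob, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    if not shdrs:
        return set()
    strtab_off = shdrs[e_shstrndx][4]  # sh_offset of .shstrtab
    for sh_name, sh_type, _flags, _addr, sh_off, sh_size, *_rest in shdrs:
        if sh_type != SHT_NOTE:
            continue
        name_end = blob.index(b"\0", strtab_off + sh_name)
        if blob[strtab_off + sh_name:name_end] == b".note.gnu.property":
            return aarch64_features(blob[sh_off:sh_off + sh_size])
    return set()


def elf_aarch64_features(path: str) -> Set[str]:
    with open(path, "rb") as f:
        return elf_aarch64_features_from_bytes(f.read())


def objects_missing_bti(images: Dict[str, bytes]) -> List[str]:
    """Post-hoc version of the -Wl,-z,force-bti warning: name every object lacking BTI."""
    return sorted(n for n, blob in images.items() if "BTI" not in elf_aarch64_features_from_bytes(blob))


def gnu_property_note(feature_bits: int) -> bytes:
    """Constructed fixture: one GNU property note as an ELF64 toolchain emits it (descsz 0x10)."""
    prop = struct.pack("<IIII", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, feature_bits, 0)  # 4 pad bytes
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


def build_test_elf64(note: bytes) -> bytes:
    """Constructed fixture: a minimal ELF64 carrying only .note.gnu.property and .shstrtab."""
    shstrtab = b"\0.note.gnu.property\0.shstrtab\0"  # name offsets 1 and 20
    note_off, str_off = 64, 64 + len(note)
    shoff = _align(str_off + len(shstrtab), 8)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 1, EM_AARCH64, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    body = ehdr + note + shstrtab
    body += b"\0" * (shoff - len(body))

    def sh(name: int, typ: int, off: int, size: int) -> bytes:
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)

    return body + sh(0, 0, 0, 0) + sh(1, SHT_NOTE, note_off, len(note)) + sh(20, SHT_STRTAB, str_off, len(shstrtab))


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        feats = elf_aarch64_features(p)
        print(f"{p}: {', '.join(sorted(feats)) or 'no AArch64 feature note'}")
```

Run it as `python3 check_bti.py bin/*` over a Guix output directory to get one line per binary; an empty feature set on any object is exactly the condition that makes `-Wl,-z,force-bti` warn when that object is linked into a BTI-enabled binary.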