public inbox for glibc-cvs@sourceware.org
help / color / mirror / Atom feed
* [glibc/nsz/pacbti-v5] (6 commits) aarch64: add NEWS entry about branch protection support
@ 2020-06-22 13:53 Szabolcs Nagy
0 siblings, 0 replies; only message in thread
From: Szabolcs Nagy @ 2020-06-22 13:53 UTC (permalink / raw)
To: glibc-cvs
The branch 'nsz/pacbti-v5' was updated to point to:
27ba4dcee8... aarch64: add NEWS entry about branch protection support
It previously pointed to:
bf6dffdb8a... aarch64: add NEWS entry about branch protection support
Diff:
!!! WARNING: THE FOLLOWING COMMITS ARE NO LONGER ACCESSIBLE (LOST):
-------------------------------------------------------------------
bf6dffd... aarch64: add NEWS entry about branch protection support
aff2045... aarch64: redefine RETURN_ADDRESS to strip PAC
e5d729b... aarch64: fix pac-ret support in _mcount
ec99013... aarch64: Add pac-ret support to assembly files
140ba3e... aarch64: configure check for pac-ret code generation
b8dd3fb... aarch64: enable BTI at runtime
commit bf6dffdb8ad5dcd2fb30fa5e479b76e135a98a56
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Thu Jun 11 18:19:40 2020 +0100
aarch64: add NEWS entry about branch protection support
This is a new security feature that relies on architecture
extensions and needs glibc to be built with a gcc configured
with branch protection.
commit aff20456ec5a959f8008093f13d3aa521ed71012
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Wed Apr 15 17:40:45 2020 +0100
aarch64: redefine RETURN_ADDRESS to strip PAC
RETURN_ADDRESS is used at several places in glibc to mean a valid
code address of the call site, but with pac-ret it may contain a
pointer authentication code (PAC), so its definition is adjusted.
This is gcc PR target/95891: __builtin_return_address should not
expose signed pointers to user code where it can cause ABI issues.
In glibc RETURN_ADDRESS is only changed if it is built with pac-ret.
There is no detection for the specific gcc issue because it is
hard to test and the additional xpac does not cause problems.
commit e5d729bd160bda78151d50ae7a0c13cab4312c7c
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Wed May 13 12:10:13 2020 +0100
aarch64: fix pac-ret support in _mcount
Currently gcc -pg -mbranch-protection=pac-ret passes signed return
address to _mcount, so _mcount now has to always strip pac from the
frompc since that's from user code that may be built with pac-ret.
This is gcc PR target/94791: signed pointers should not escape and get
passed across extern call boundaries, since that's an ABI break, but
because existing gcc has this issue we work it around in glibc until
that is resolved. This is compatible with a fixed gcc and it is a nop
on systems without PAuth support. The bug was introduced in gcc-7 with
-msign-return-address=non-leaf|all support which in gcc-9 got renamed
to -mbranch-protection=pac-ret|pac-ret+leaf|standard.
strip_pac uses inline asm instead of __builtin_aarch64_xpaclri since
that is not a documented api and not available in all supported gccs.
commit ec99013029e2c057be2c7428210ab64271247b9c
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Wed Apr 29 11:49:20 2020 +0100
aarch64: Add pac-ret support to assembly files
Use return address signing in assembly files for functions that save
LR when pac-ret is enabled in the compiler.
The GNU property note for PAC-RET is not meaningful to the dynamic
linker so it is not strictly required, but it may be used to track
the security property of binaries. (The PAC-RET property is only set
if BTI is set too because BTI implies working GNU property support.)
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
commit 140ba3e772a34c9051fa2e3721c92059c92075a6
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Thu May 7 18:30:12 2020 +0100
aarch64: configure check for pac-ret code generation
Return address signing requires unwinder support, which is
present in libgcc since >=gcc-7, however due to bugs the
support may be broken in <gcc-10 (and similarly there may
be issues in custom unwinders), so pac-ret is not always
safe to use. So in assembly code glibc should only use
pac-ret if the compiler uses it too. Unfortunately there
is no predefined feature macro for it set by the compiler
so pac-ret is inferred from the code generation.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
commit b8dd3fb10a6fa4d57db830155bc429ce50001794
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Mon Jun 22 10:57:20 2020 +0100
aarch64: enable BTI at runtime
Binaries can opt-in to using BTI via an ELF object file marking.
The dynamic linker has to then mprotect the executable segments
with PROT_BTI. In case of static linked executables or in case
of the dynamic linker itself, PROT_BTI protection is done by the
operating system.
On AArch64 glibc uses PT_GNU_PROPERTY instead of PT_NOTE to check
the properties of a binary because PT_NOTE can be unreliable with
old linkers (old linkers just append the notes of input objects
together and add them to the output without checking them for
consistency which means multiple incompatible GNU property notes
can be present in PT_NOTE).
BTI property is handled in the loader even if glibc is not built
with BTI support, so in theory user code can be BTI protected
independently of glibc. In practice though user binaries are not
marked with the BTI property if glibc has no support because the
static linked libc objects (crt files, libc_nonshared.a) are
unmarked.
This patch relies on Linux userspace API that is not yet in a
linux release but in v5.8-rc1 so scheduled to be in Linux 5.8.
Co-authored-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
Summary of changes (added commits):
-----------------------------------
27ba4dc... aarch64: add NEWS entry about branch protection support
6d42e5c... aarch64: redefine RETURN_ADDRESS to strip PAC
8f62ca7... aarch64: fix pac-ret support in _mcount
abdae6d... aarch64: Add pac-ret support to assembly files
660c830... aarch64: configure check for pac-ret code generation
efb1131... aarch64: enable BTI at runtime
commit 27ba4dcee8ae03c0634094dcea26bf1278804982
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Thu Jun 11 18:19:40 2020 +0100
aarch64: add NEWS entry about branch protection support
This is a new security feature that relies on architecture
extensions and needs glibc to be built with a gcc configured
with branch protection.
commit 6d42e5c2203cd7f8a9c0de04c12bb96fe09e260e
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Wed Apr 15 17:40:45 2020 +0100
aarch64: redefine RETURN_ADDRESS to strip PAC
RETURN_ADDRESS is used at several places in glibc to mean a valid
code address of the call site, but with pac-ret it may contain a
pointer authentication code (PAC), so its definition is adjusted.
This is gcc PR target/95891: __builtin_return_address should not
expose signed pointers to user code where it can cause ABI issues.
In glibc RETURN_ADDRESS is only changed if it is built with pac-ret.
There is no detection for the specific gcc issue because it is
hard to test and the additional xpac does not cause problems.
commit 8f62ca73284bb85ad0b7a50dfa5a9ecae27bdc0b
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Wed May 13 12:10:13 2020 +0100
aarch64: fix pac-ret support in _mcount
Currently gcc -pg -mbranch-protection=pac-ret passes signed return
address to _mcount, so _mcount now has to always strip pac from the
frompc since that's from user code that may be built with pac-ret.
This is gcc PR target/94791: signed pointers should not escape and get
passed across extern call boundaries, since that's an ABI break, but
because existing gcc has this issue we work it around in glibc until
that is resolved. This is compatible with a fixed gcc and it is a nop
on systems without PAuth support. The bug was introduced in gcc-7 with
-msign-return-address=non-leaf|all support which in gcc-9 got renamed
to -mbranch-protection=pac-ret|pac-ret+leaf|standard.
strip_pac uses inline asm instead of __builtin_aarch64_xpaclri since
that is not a documented api and not available in all supported gccs.
commit abdae6d2900555e7bccbf29d0be6506ea63a43fa
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Wed Apr 29 11:49:20 2020 +0100
aarch64: Add pac-ret support to assembly files
Use return address signing in assembly files for functions that save
LR when pac-ret is enabled in the compiler.
The GNU property note for PAC-RET is not meaningful to the dynamic
linker so it is not strictly required, but it may be used to track
the security property of binaries. (The PAC-RET property is only set
if BTI is set too because BTI implies working GNU property support.)
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
commit 660c83073d49a06756a759bb511532a385e268b2
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Thu May 7 18:30:12 2020 +0100
aarch64: configure check for pac-ret code generation
Return address signing requires unwinder support, which is
present in libgcc since >=gcc-7, however due to bugs the
support may be broken in <gcc-10 (and similarly there may
be issues in custom unwinders), so pac-ret is not always
safe to use. So in assembly code glibc should only use
pac-ret if the compiler uses it too. Unfortunately there
is no predefined feature macro for it set by the compiler
so pac-ret is inferred from the code generation.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
commit efb1131acc4a6c0819d2727026e2c30d02c8cbd9
Author: Sudakshina Das <sudi.das@arm.com>
Date: Mon Jun 22 10:57:20 2020 +0100
aarch64: enable BTI at runtime
Binaries can opt-in to using BTI via an ELF object file marking.
The dynamic linker has to then mprotect the executable segments
with PROT_BTI. In case of static linked executables or in case
of the dynamic linker itself, PROT_BTI protection is done by the
operating system.
On AArch64 glibc uses PT_GNU_PROPERTY instead of PT_NOTE to check
the properties of a binary because PT_NOTE can be unreliable with
old linkers (old linkers just append the notes of input objects
together and add them to the output without checking them for
consistency which means multiple incompatible GNU property notes
can be present in PT_NOTE).
BTI property is handled in the loader even if glibc is not built
with BTI support, so in theory user code can be BTI protected
independently of glibc. In practice though user binaries are not
marked with the BTI property if glibc has no support because the
static linked libc objects (crt files, libc_nonshared.a) are
unmarked.
This patch relies on Linux userspace API that is not yet in a
linux release but in v5.8-rc1 so scheduled to be in Linux 5.8.
Co-authored-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2020-06-22 13:53 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-22 13:53 [glibc/nsz/pacbti-v5] (6 commits) aarch64: add NEWS entry about branch protection support Szabolcs Nagy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).