Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DRAFT]gh-128605: Add branch protections for asm_trampoline.S #128606

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[DRAFT]gh-128605: Add branch protections for asm_trampoline.S #128606

wants to merge 2 commits into from
+46 −0

Conversation

stratakis
Copy link
Contributor

@stratakis stratakis commented Jan 8, 2025
edited by bedevere-app bot
Loading

@stratakis
Apply Intel Control-flow Technology for x86-64 on asm_trampoline.S
afa01db 
Intel's Control-flow Technology requires manual application
for the assembler files.

See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
@bedevere-app bedevere-app bot mentioned this pull request Jan 8, 2025
Open
@stratakis
Copy link
Contributor Author

cc @fweimer-rh

@stratakis
Copy link
Contributor Author

In the current implementation the cf-protection test for x86_64 passes but not the branch-protection test for aarch64.

@fweimer-rh
Copy link

You should add PAC support at the same time, using hint 25 (paciasp, replaces bti c) and hint 29 (autiasp). These instructions are in the NOP space, but some CPUs have trouble executing them. This applies to bit c as well. So it's best to make this conditional on compiler flags, by checking the __ARM_FEATURE_BTI_DEFAULT preprocessor macro. Then you can change the flag at the end of the note from 1 to 3, and this should make annocheck happy.

@stratakis
Copy link
Contributor Author

Rebased. The conditionals are a bit of a mess right now so I'll do some macros later on.

However annobin still reports:

Hardened: libpython3.12.so.1.0: FAIL: dynamic-tags test because the BTI_PLT flag is missing from the dynamic tags
Hardened: libpython3.12.so.1.0: FAIL: property-note test because properly formatted .note.gnu.property not found (it is needed for branch protection support)

Btw the arm blog proposes a different styled note than what the annobin docs mention: https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/p2-enabling-pac-and-bti-on-aarch64

Also regarding x86_64. Shouldn't the note be conditionalized in the case CET is active?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
awaiting review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@stratakis @fweimer-rh