[v7,00/14] aarch64: branch protection support

Message ID cover.1594209990.git.szabolcs.nagy@arm.com
Series aarch64: branch protection support


Szabolcs Nagy July 8, 2020, 12:10 p.m. UTC
Indirect branch target identification (BTI, armv8.5-a) and return
address signing using pointer authentication (PAC-RET, armv8.3-a)
can be used for security hardening against some control flow hijack

In gcc these are exposed via -mbranch-protection=bti+pac-ret which
is the same as -mbranch-protection=standard and gcc can be configured
via --enable-standard-branch-protection to use them by default.

BTI requires libc support: it is an opt-in feature per ELF module,
signalled by a GNU property note that the dynamic linker has to check
before it mprotects the module's executable pages with PROT_BTI. And
the libc objects that are statically linked into user binaries must
themselves be BTI compatible, otherwise the GNU property note is not
present in the final executable. (For statically linked executables
and for ld.so itself the property note is handled by Linux.)

PAC-RET does not require libc runtime support, but, just like BTI,
it can be used in libc binaries for security hardening.
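Added example, not code from the patch set: a small C decoder for the GNU property note described above, showing what the dynamic linker has to find (the GNU_PROPERTY_AARCH64_FEATURE_1_AND property carrying the BTI and PAC bits) before it can mprotect executable pages with PROT_BTI. The constants are those of elf.h; the sample note bytes are constructed, and an object without the property is reported as not BTI compatible.

```c
/* Added example, not part of the glibc series above: decode an aarch64
   .note.gnu.property note (ELF64 layout, little-endian bytes) and report the
   GNU_PROPERTY_AARCH64_FEATURE_1_AND bits ld.so checks before using PROT_BTI.  */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values as in elf.h.  */
#define NT_GNU_PROPERTY_TYPE_0              5
#define GNU_PROPERTY_AARCH64_FEATURE_1_AND  0xc0000000u
#define GNU_PROPERTY_AARCH64_FEATURE_1_BTI  (1u << 0)
#define GNU_PROPERTY_AARCH64_FEATURE_1_PAC  (1u << 1)

/* Read a little-endian 32-bit value without assuming host endianness.  */
static uint32_t rd32 (const unsigned char *p)
{
  return (uint32_t) p[0] | (uint32_t) p[1] << 8
         | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24;
}

/* Return the AARCH64_FEATURE_1 bitmask, or 0 if the note is malformed or has
   no such property: an unmarked object must be treated as not BTI compatible.  */
uint32_t aarch64_feature_1 (const unsigned char *note, size_t len)
{
  if (len < 16)
    return 0;
  uint32_t namesz = rd32 (note), descsz = rd32 (note + 4), type = rd32 (note + 8);
  if (type != NT_GNU_PROPERTY_TYPE_0 || namesz != 4
      || memcmp (note + 12, "GNU", 4) != 0 || (size_t) descsz > len - 16)
    return 0;
  const unsigned char *desc = note + 16;
  for (size_t off = 0; off + 8 <= descsz;)
    {
      uint32_t pr_type = rd32 (desc + off), pr_datasz = rd32 (desc + off + 4);
      off += 8;
      if (pr_datasz > descsz - off)
        return 0;
      if (pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND && pr_datasz == 4)
        return rd32 (desc + off);
      off += (pr_datasz + 7) & ~(size_t) 7; /* ELF64: 8-byte property alignment */
    }
  return 0;
}

/* Constructed sample note: "GNU", NT_GNU_PROPERTY_TYPE_0, one AND property
   whose value is BTI|PAC, padded to 8 bytes as the linker emits it.  */
const unsigned char bti_pac_note[32] = {
  4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,
  0,0,0,0xc0, 4,0,0,0, 3,0,0,0, 0,0,0,0 };
```

Feed it the contents of a PT_GNU_PROPERTY segment (or the .note.gnu.property section) read from a file to check whether a given object is BTI marked.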

There are unresolved GCC PAC-RET and BTI issues, but it is possible
to support GCC 10 even without those fixed, so this patch set includes
two PAC-RET patches that are GCC bug workarounds. Outlined atomics in
libgcc in current GCC 10 are not BTI compatible, so for testing
'CC=gcc -mno-outline-atomics' was used. User code will likely need a
fixed GCC for deploying branch protection. The PAC-RET related GCC
discussion is at

The HWCAP_BTI and PROT_BTI values depend on linux changes that
are scheduled for the Linux 5.8 release.

I plan to commit this set to glibc 2.32.
The patches are also available in the nsz/pacbti-v7 branch.

- use sizeof in abi-note.S instead of int literals.
- move bti c after cfi_startproc.
- use size_t/void* instead of ElfW(Addr) in dl-bti.c.
- NEWS fixes.
- add reviewed-by, now only the first and last patches need review.

- reordered two patches: renaming empty .S to .c and BTI fix for .S.
- the BTI fix for .S now fixes some .S that are conditionally empty
  (and thus conditionally missed BTI marking)
- added a new patch to catch BTI incompatible objects at link time.
- merged the PT_GNU_PROPERTY and PT_NOTE rtld fixes (from H.J.Lu).

- split the BTI runtime enablement patch (07) and added
  the PT_NOTE handling cleanup patch from H.J.Lu.
- PATCH 07: rtld changes for PT_GNU_PROPERTY handling.
- PATCH 08: rtld changes to cleanup PT_NOTE handling:
  I changed the PHDR processing to scan backward.
- PATCH 09: updated the property handling code.

- changed plan not to wait for final resolution on gcc issues.
  gcc-10 can be made to work.
- the elf.h changes are now committed.
- added Reviewed-by annotations.
- PATCH 01: use ElfW(Nhdr). (this has been sent already on its own).
- PATCH 02: use #define HAVE_AARCH64_BTI 0 (and not #undef).
- PATCH 03: use #if HAVE_AARCH64_BTI (and not #ifdef).
- PATCH 07: use errno in _dl_signal_error and not EINVAL.
- PATCH 07: more comment about the second pass over program headers.
- PATCH 08: use #define HAVE_AARCH64_PAC_RET 0.
- PATCH 09: use #if HAVE_AARCH64_PAC_RET.
- PATCH 10: _mcount patch is written so it's backportable.
  no Reviewed-by because this changed significantly.
- PATCH 11: strip_pac is moved to PATCH 10
  no Reviewed-by because this changed significantly.
- PATCH 12: new patch: news entry.

- instead of END_FILE add note in sysdep.h.
- dropped the syscall template patch (END_FILE is not needed).
- PATCH 05: remove END_FILE macros.
- PATCH 05: clarify the GNU_PROPERTY macro and related defines.
- PATCH 09: separate hook for PT_GNU_PROPERTY handling.
- PATCH 09: modified rtld.c and dl-load.c accordingly.
- PATCH 09: rename linkmap->bti_guarded to linkmap->bti.
- PATCH 13: new patch, update _mcount for pac-ret.
- fixed TODOs except for the last two patches, which are written
  for current gcc behaviour.
- I'm waiting for a review of PATCH 03 and welcome comments on
  the rest of the set, which I consider done unless there are
  changes on the gcc or linux side.

- removed --enable-branch-protection-standard configure option,
  branch protection in glibc is enabled based on the compiler default.
- GNU property notes are disabled if compiler/linker has no support.
- pac-ret is enabled based on compiler defaults.
- PATCH 03: cleaner csu/abi-note.c and fix arm/abi-note.S.
- PATCH 04: new (bti config check).
- PATCH 09: drop the umount2 change.
- PATCH 10: use bool instead of int.
- PATCH 10: fix code style and comments.
- PATCH 10: add linux version requirement to description.
- PATCH 11: new (pac-ret config check).
- PATCH 12: only use pac-ret if HAVE_AARCH64_PAC_RET.
- PATCH 12: fix pac-ret use in dl-trampoline.S.
- PATCH 13: use static inline instead of macro, update description.
- addressed some of the reviews from Adhemerval, the remaining ones
  are marked as TODO in the descriptions and will require another
  test run or agreement on the design.

Sudakshina Das (2):
  aarch64: Add BTI support to assembly files
  aarch64: enable BTI at runtime

Szabolcs Nagy (12):
  Rewrite abi-note.S in C.
  aarch64: configure test for BTI support
  aarch64: Rename place holder .S files to .c
  aarch64: fix swapcontext for BTI
  aarch64: fix RTLD_START for BTI
  rtld: Clean up PT_NOTE and add PT_GNU_PROPERTY handling
  aarch64: ensure objects are BTI compatible
  aarch64: configure check for pac-ret code generation
  aarch64: Add pac-ret support to assembly files
  aarch64: fix pac-ret support in _mcount
  aarch64: redefine RETURN_ADDRESS to strip PAC
  aarch64: add NEWS entry about branch protection support

 NEWS                                          | 11 +++
 config.h.in                                   |  6 ++
 csu/{abi-note.S => abi-note.c}                | 25 +++--
 elf/dl-load.c                                 | 94 +++++++++++++++++--
 elf/rtld.c                                    | 14 ++-
 sysdeps/aarch64/Makefile                      | 12 +++
 .../aarch64/{bsd-_setjmp.S => bsd-_setjmp.c}  |  0
 .../aarch64/{bsd-setjmp.S => bsd-setjmp.c}    |  0
 sysdeps/aarch64/configure                     | 83 ++++++++++++++++
 sysdeps/aarch64/configure.ac                  | 41 ++++++++
 sysdeps/aarch64/crti.S                        | 10 ++
 sysdeps/aarch64/crtn.S                        |  8 ++
 sysdeps/aarch64/dl-bti.c                      | 54 +++++++++++
 sysdeps/aarch64/dl-machine.h                  |  5 +-
 sysdeps/aarch64/dl-prop.h                     | 63 +++++++++++++
 sysdeps/aarch64/dl-tlsdesc.S                  | 11 +++
 sysdeps/aarch64/dl-trampoline.S               | 20 ++++
 sysdeps/aarch64/linkmap.h                     |  3 +
 sysdeps/aarch64/machine-gmon.h                |  3 +-
 sysdeps/aarch64/{memmove.S => memmove.c}      |  0
 sysdeps/aarch64/multiarch/memset_emag.S       |  2 +
 sysdeps/aarch64/multiarch/memset_falkor.S     |  1 +
 sysdeps/aarch64/multiarch/memset_generic.S    |  2 +
 sysdeps/aarch64/multiarch/rtld-memset.S       |  2 +
 sysdeps/aarch64/start.S                       |  1 +
 sysdeps/aarch64/sysdep.h                      | 58 +++++++++++-
 sysdeps/arm/abi-note.S                        |  8 --
 sysdeps/generic/dl-prop.h                     | 23 +++--
 sysdeps/generic/ldsodefs.h                    |  4 +
 sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h  |  1 +
 sysdeps/unix/sysv/linux/aarch64/bits/mman.h   | 31 ++++++
 .../unix/sysv/linux/aarch64/cpu-features.c    |  3 +
 .../unix/sysv/linux/aarch64/cpu-features.h    |  2 +
 sysdeps/unix/sysv/linux/aarch64/swapcontext.S | 14 ++-
 sysdeps/x86/dl-prop.h                         | 47 ++--------
 35 files changed, 575 insertions(+), 87 deletions(-)
 rename csu/{abi-note.S => abi-note.c} (89%)
 rename sysdeps/aarch64/{bsd-_setjmp.S => bsd-_setjmp.c} (100%)
 rename sysdeps/aarch64/{bsd-setjmp.S => bsd-setjmp.c} (100%)
 create mode 100644 sysdeps/aarch64/dl-bti.c
 create mode 100644 sysdeps/aarch64/dl-prop.h
 rename sysdeps/aarch64/{memmove.S => memmove.c} (100%)
 delete mode 100644 sysdeps/arm/abi-note.S
 create mode 100644 sysdeps/unix/sysv/linux/aarch64/bits/mman.h