On 2022-10-25 16:10 +0100, Simon McVittie wrote:
> On Tue, 25 Oct 2022 at 15:34:26 +0100, Wookey wrote:
> > These are hardware features (new instructions) that 'tag' pointers and
> > branch targets to make it much harder for malicious code to implement
> > ROP (return oriented programming) and JOP (Jump oriented programming)
> > attacks.
> >
> > They have been implemented on both architectures in such a way that
> > they can be generally enabled and are simply ignored on hardware that
> > doesn't support them (the new instructions are in the NOP space).
>
> Does this have the same restrictions as CET, which gcc briefly enabled
> on x86 by default, but had to roll back[1] and later enable on a smaller
> subset of architectures[2], because the new instructions are only NOPs
> on x86_64 and modern i386, and are non-baseline (illegal instruction)
> on older or more-embedded i386 like the ones in our current i386 baseline?
I'm not sure (I know a lot more about the arm64 side of this than the
amd64 side), but we are only enabling this on amd64, not i386. amd64
binaries don't run on i386 so I don't think any practical issue actually
arises. You have reminded me that I guess it should be turned on for x32
too.

> If yes, we'll have to be careful to only enable this on architectures
> where our baseline allows it. IIRC, Geode and VIA CPUs are the ones that
> usually cause trouble for i386.

Right, and that's the plan. The patch looks approx like this:

+ # Branch protection
+ if ($use_feature{hardening}{branch}) {
+ my $flag;
+ if ($cpu eq 'arm64') {
+ $flag = '-mbranch-protection=standard';
+ } elsif ($cpu eq 'amd64') {
+ $flag = '-fcf-protection';
+ }
+ $flags->append($_, $flag) foreach @compile_flags;
+ }

Wookey
--
Principal hats: Debian, Wookware, ARM
http://wookware.org/
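Review bot: `$flag` stays undefined when `$cpu` is anything other than arm64 or amd64, yet `$flags->append($_, $flag) foreach @compile_flags;` runs unconditionally, so on every other architecture the hunk appends an undef value to each compile flag set. Guard the append, e.g. `$flags->append($_, $flag) foreach @compile_flags if defined $flag;`, or move the append inside the two branches that actually set `$flag`. Since the reply says x32 should get the same treatment, and x32 code runs on the same x86-64 hardware on which Simon notes the CET instructions are NOPs, the second branch could match both: `} elsif ($cpu eq 'amd64' or $cpu eq 'x32') {`.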
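Once dpkg starts passing `-fcf-protection` / `-mbranch-protection=standard`, the question a maintainer has is whether a built object or binary actually carries the protection. GCC records it in a `.note.gnu.property` ELF note (the `*_FEATURE_1_AND` properties), and because the property is an AND, the linker keeps the bit in the final executable only if every input object had it, so one unflagged hand-written assembly file silently drops BTI or IBT for the whole binary. The usual check is `readelf -n`; the script below is an added example, not code from the thread or from dpkg, that parses the same note directly. The constants are the values from the binutils/glibc ELF headers; the ELF reader assumes a 64-bit little-endian file with a section header table (i.e. not fully stripped), and the `build_property_note` helper only exists to construct sample input for offline testing.

```python
"""Check whether an ELF object/binary carries x86 CET or AArch64 BTI/PAC
markings in its .note.gnu.property note (added example, not dpkg code)."""
import struct
import sys

# Values from the GNU ELF headers.
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
AARCH64_FEATURE_1_BTI = 1 << 0
AARCH64_FEATURE_1_PAC = 1 << 1
X86_FEATURE_1_IBT = 1 << 0     # set by -fcf-protection=branch / =full
X86_FEATURE_1_SHSTK = 1 << 1   # set by -fcf-protection=return / =full


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_property_note(data, elfclass64=True):
    """Parse raw .note.gnu.property bytes into {pr_type: pr_data}.

    Note descriptors in this section are 8-byte aligned on ELFCLASS64 and
    4-byte aligned on ELFCLASS32; the name field is always 4-byte aligned."""
    align = 8 if elfclass64 else 4
    props, off = {}, 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from('<III', data, off)
        off += 12
        name = data[off:off + namesz]
        off += _align(namesz, 4)
        desc = data[off:off + descsz]
        off += _align(descsz, align)
        if name != b'GNU\0' or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue  # some other vendor note sharing the section
        d = 0
        while d + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from('<II', desc, d)
            d += 8
            props[pr_type] = desc[d:d + pr_datasz]
            d += _align(pr_datasz, align)
    return props


def branch_protection(props):
    """Map parsed properties to the branch-protection bits present."""
    out = {}
    if GNU_PROPERTY_X86_FEATURE_1_AND in props:
        bits, = struct.unpack('<I', props[GNU_PROPERTY_X86_FEATURE_1_AND][:4])
        out['ibt'] = bool(bits & X86_FEATURE_1_IBT)
        out['shstk'] = bool(bits & X86_FEATURE_1_SHSTK)
    if GNU_PROPERTY_AARCH64_FEATURE_1_AND in props:
        bits, = struct.unpack('<I', props[GNU_PROPERTY_AARCH64_FEATURE_1_AND][:4])
        out['bti'] = bool(bits & AARCH64_FEATURE_1_BTI)
        out['pac'] = bool(bits & AARCH64_FEATURE_1_PAC)
    return out


def build_property_note(pr_type, bits, elfclass64=True):
    """Constructed sample: bytes of a .note.gnu.property section carrying one
    *_FEATURE_1_AND property, laid out the way GCC/ld emit it."""
    align = 8 if elfclass64 else 4
    pr_data = struct.pack('<I', bits)
    pr_data += b'\0' * (_align(len(pr_data), align) - len(pr_data))
    desc = struct.pack('<II', pr_type, 4) + pr_data
    name = b'GNU\0'
    return struct.pack('<III', len(name), len(desc), NT_GNU_PROPERTY_TYPE_0) + name + desc


def read_elf_property_note(path):
    """Locate .note.gnu.property in a 64-bit little-endian ELF via its section
    headers and parse it. Returns {} when the file has no such note."""
    with open(path, 'rb') as f:
        blob = f.read()
    if blob[:4] != b'\x7fELF' or blob[4] != 2 or blob[5] != 1:
        raise ValueError('only ELFCLASS64 little-endian files are handled here')
    e_shoff, = struct.unpack_from('<Q', blob, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from('<HHH', blob, 0x3A)
    hdrs = [struct.unpack_from('<IIQQQQIIQQ', blob, e_shoff + i * e_shentsize)
            for i in range(e_shnum)]
    strtab_off = hdrs[e_shstrndx][4]          # sh_offset of .shstrtab
    for sh_name, _type, _flags, _addr, sh_offset, sh_size, *_rest in hdrs:
        end = blob.index(b'\0', strtab_off + sh_name)
        if blob[strtab_off + sh_name:end] == b'.note.gnu.property':
            return parse_property_note(blob[sh_offset:sh_offset + sh_size])
    return {}


if __name__ == '__main__':
    # Usage: python check_branch_protection.py /path/to/elf
    # An empty result means the binary (or at least one object linked into
    # it) was built without the flag, so the protection is off for all of it.
    print(branch_protection(read_elf_property_note(sys.argv[1])))
```

Run it against a freshly built `.o` as well as the linked executable: if the object shows `ibt`/`bti` but the executable does not, some other input to the link (assembly, a vendored static library, a non-GCC object) lacks the note and is the reason the whole binary lost it.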