Package: dpkg-dev
Version: 1.19.7
Severity: wishlist
Tags: patch

As discussed in the below-linked thread on dpkg-dev, we should enable PAC and
BTI on arm64 as a standard hardening flag.
https://lists.debian.org/debian-dpkg/2022/05/msg00022.html

Attached is Guillem's proposed patch which does the trick, updated for
current dpkg (I opened this bug file in June, but forgot to actually
press send, so now updated for the current 1.21.9)

Despite this delay, I hope we can have this in for bookworm.

-- 
Wookey
diff -Nru dpkg-1.21.9/debian/changelog dpkg-1.21.9+1/debian/changelog
--- dpkg-1.21.9/debian/changelog        2022-07-01 09:25:58.000000000 +0000
+++ dpkg-1.21.9+1/debian/changelog      2022-10-04 15:28:43.000000000 +0000
@@ -1,3 +1,9 @@
+dpkg (1.21.9+1) unstable; urgency=medium
+
+  * Add 'branch' hardening support for amd64 and arm64
+
+ -- Wookey <woo...@debian.org>  Tue, 04 Oct 2022 16:28:43 +0100
+
 dpkg (1.21.9) unstable; urgency=medium
 
   [ Guillem Jover ]
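Review bot: the patch touches only the changelog, Debian.pm and the test, so the user-facing documentation of the hardening area (the dpkg-buildflags manual page, which lists each hardening feature and the flags it emits) is not updated to describe the new `branch` feature; add that alongside this entry, and the entry itself could state that the feature is enabled by default on amd64 and arm64 only, since that is the behaviour a reader of the changelog will want to know.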
diff -Nru dpkg-1.21.9/scripts/Dpkg/Vendor/Debian.pm 
dpkg-1.21.9+1/scripts/Dpkg/Vendor/Debian.pm
--- dpkg-1.21.9/scripts/Dpkg/Vendor/Debian.pm   2022-06-30 23:46:56.000000000 
+0000
+++ dpkg-1.21.9+1/scripts/Dpkg/Vendor/Debian.pm 2022-10-04 15:13:28.000000000 
+0000
@@ -129,6 +129,7 @@
             format => 1,
             relro => 1,
             bindnow => 0,
+            branch => 1,
         },
     );
 
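Review bot: `branch => 1` turns the feature on by default in this table and relies on the later per-architecture mask to switch it off everywhere else; that mirrors how `relro` is handled, but if the mask is ever missed the feature would fail open on an architecture whose compiler does not accept the flag. Either add a short comment here saying the value is masked per architecture below, or default to 0 and enable it explicitly on amd64 and arm64 so the two places agree by construction.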
@@ -364,6 +365,11 @@
        # relro not implemented on ia64, hppa, avr32.
        $use_feature{hardening}{relro} = 0;
     }
+    if ($cpu !~ /^(?:amd64|arm64)$/) {                                         
                   
+        # On amd64 use -fcf-protection.                                        
                   
+        # On arm64 use -mbranch-protection=standard.                           
                   
+        $use_feature{hardening}{branch} = 0;                                   
                   
+    } 
 
     # Mask features that might be influenced by other flags.
     if ($opts_build->has('noopt')) {
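Review bot: the two comments `# On amd64 use -fcf-protection.` and `# On arm64 use -mbranch-protection=standard.` sit inside the branch that runs only when `$cpu` is neither amd64 nor arm64, so they describe the opposite of what the enclosed assignment does; move them above the `if` or reword to something like `# branch protection only implemented on amd64, arm64.`, matching the `# relro not implemented on ia64, hppa, avr32.` comment in the context lines. The added lines also carry trailing whitespace (visible on `+    } `), which should be stripped before this is committed.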
@@ -430,6 +436,17 @@
        $flags->append('LDFLAGS', '-Wl,-z,now');
     }
 
+    # Branch protection                                                        
                   
+    if ($use_feature{hardening}{branch}) {                                     
                   
+        my $flag;                                                              
                   
+        if ($cpu eq 'arm64') {                                                 
                   
+            $flag = '-mbranch-protection=standard';                            
                   
+        } elsif ($cpu eq 'amd64') {                                            
                   
+            $flag = '-fcf-protection';                                         
                   
+        }                                                                      
                   
+        $flags->append($_, $flag) foreach @compile_flags;                      
                   
+    }                                                                          
                   
+
     ## Commit
 
     # Set used features to their builtin setting if unset.
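Review bot: `$flag` is left undefined when `$cpu` is neither `arm64` nor `amd64`, so `$flags->append($_, $flag) foreach @compile_flags;` would append an undefined value; that cannot happen today only because the earlier hunk masks `branch` off for every other CPU, so either guard the append with `if defined $flag` (or `die` on an unexpected CPU) or fold the architecture list into a single lookup such as `my %branch_flag = (arm64 => '-mbranch-protection=standard', amd64 => '-fcf-protection');` so the list is maintained in one place rather than two. A one-line comment noting that `standard` enables both PAC (pac-ret) and BTI, and that `-fcf-protection` without an argument means `full` (IBT plus shadow stack), would also help, since the bug report only names PAC and BTI.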
diff -Nru dpkg-1.21.9/scripts/t/Dpkg_BuildFlags.t 
dpkg-1.21.9+1/scripts/t/Dpkg_BuildFlags.t
--- dpkg-1.21.9/scripts/t/Dpkg_BuildFlags.t     2022-06-18 17:57:44.000000000 
+0000
+++ dpkg-1.21.9+1/scripts/t/Dpkg_BuildFlags.t   2022-10-04 15:28:06.000000000 
+0000
@@ -55,6 +55,7 @@
     ) ],
     hardening => [ qw(
         bindnow
+        branch
         format
         fortify
         pie
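Review bot: this change only adds `branch` to the list of known hardening feature names, so none of the new code paths are exercised; add cases asserting that CFLAGS gains `-mbranch-protection=standard` on arm64 and `-fcf-protection` on amd64, that neither appears on another architecture, and that `hardening=-branch` in DEB_BUILD_MAINT_OPTIONS removes the flag again.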
