Bug#1021292: dpkg-dev: Please add support for pointer authentication on arm64

2022-10-06 Thread Wookey
On 2022-10-05 23:13 +0200, Guillem Jover wrote:

> As mentioned on the thread, I was expecting a thread to be started on
> debian-devel, as this changes the current default for both amd64 and
> arm64.

OK. I clearly dropped all the balls there! I will do that
forthwith. Hopefully it will be uncontroversial.

Wookey
-- 
Principal hats:  Debian, Wookware, ARM
http://wookware.org/




Bug#1021292: dpkg-dev: Please add support for pointer authentication on arm64

2022-10-05 Thread Guillem Jover
Control: tag -1 moreinfo

Hi!

On Wed, 2022-10-05 at 03:46:06 +0100, Wookey wrote:
> Package: dpkg-dev
> Version: 1.19.7
> Severity: wishlist
> Tags: patch

> As discussed in the below-linked thread on dpkg-dev, we should enable
> PAC and BTI on arm64 as a standard hardening flag.
> https://lists.debian.org/debian-dpkg/2022/05/msg00022.html
> 
> Attached is Guillem's proposed patch which does the trick, updated for
> current dpkg (I opened this bug file in June, but forgot to actually
> press send, so now updated for the current 1.21.9)

Yes, I've had this locally as a branch since then:

  


:)

> Despite this delay, I hope we can have this in for bookworm.

As mentioned on the thread, I was expecting a thread to be started on
debian-devel, as this changes the current default for both amd64 and
arm64. As mentioned on the thread on d-dpkg, we can always detangle
the arch support and postpone either if they seem controversial. So,
if you could start that discussion, that would be great. If there is
pushback, then I guess this would not be currently mergeable as-is,
even disabled by default. But then we could entertain what I've
recently mentioned elsewhere about versioning the features surface
and the “all” selector in particular to be able to add it anyway (at
least disabled though).

Thanks,
Guillem



Bug#1021292: dpkg-dev: Please add support for pointer authentication on arm64

2022-10-04 Thread Wookey
Package: dpkg-dev
Version: 1.19.7
Severity: wishlist
Tags: patch

As discussed in the below-linked thread on dpkg-dev, we should enable PAC and BTI
on arm64 as a standard hardening flag.
https://lists.debian.org/debian-dpkg/2022/05/msg00022.html

Attached is Guillem's proposed patch which does the trick, updated for
current dpkg (I opened this bug file in June, but forgot to actually
press send, so now updated for the current 1.21.9)

Despite this delay, I hope we can have this in for bookworm.

-- 
Wookey
diff -Nru dpkg-1.21.9/debian/changelog dpkg-1.21.9+1/debian/changelog
--- dpkg-1.21.9/debian/changelog2022-07-01 09:25:58.0 +
+++ dpkg-1.21.9+1/debian/changelog  2022-10-04 15:28:43.0 +
@@ -1,3 +1,9 @@
+dpkg (1.21.9+1) unstable; urgency=medium
+
+  * Add 'branch' hardening support for amd64 and arm64
+
+ -- Wookey   Tue, 04 Oct 2022 16:28:43 +0100
+
 dpkg (1.21.9) unstable; urgency=medium
 
   [ Guillem Jover ]
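Review bot: the changelog entry does not close this report and does not say that the new feature is enabled by default; since the Debian.pm hunk turns `branch` on for amd64 and arm64 out of the box, the entry should read something like "Add 'branch' hardening feature, enabled by default on amd64 (-fcf-protection) and arm64 (-mbranch-protection=standard). Closes: #1021292" so the default change is visible to people reading the changelog. The version `1.21.9+1` also looks like a local rebuild identifier rather than a dpkg release version.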
diff -Nru dpkg-1.21.9/scripts/Dpkg/Vendor/Debian.pm 
dpkg-1.21.9+1/scripts/Dpkg/Vendor/Debian.pm
--- dpkg-1.21.9/scripts/Dpkg/Vendor/Debian.pm   2022-06-30 23:46:56.0 
+
+++ dpkg-1.21.9+1/scripts/Dpkg/Vendor/Debian.pm 2022-10-04 15:13:28.0 
+
@@ -129,6 +129,7 @@
 format => 1,
 relro => 1,
 bindnow => 0,
+branch => 1,
 },
 );
 
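Review bot: `branch => 1` makes the feature part of the default hardening set, which is exactly the default change that the maintainer asked to have discussed on debian-devel first, and the patch touches no documentation for the new feature name (only the changelog, Debian.pm and the test are changed); the feature should be described alongside the other hardening features (bindnow, relro, fortify, ...) wherever those are documented so that packages that need to opt out can find the `branch` name.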
@@ -364,6 +365,11 @@
# relro not implemented on ia64, hppa, avr32.
$use_feature{hardening}{relro} = 0;
 }
+if ($cpu !~ /^(?:amd64|arm64)$/) { 
   
+# On amd64 use -fcf-protection.
   
+# On arm64 use -mbranch-protection=standard.   
   
+$use_feature{hardening}{branch} = 0;   
   
+} 
 
 # Mask features that might be influenced by other flags.
 if ($opts_build->has('noopt')) {
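Review bot: the two comments `# On amd64 use -fcf-protection.` and `# On arm64 use -mbranch-protection=standard.` sit inside the `if ($cpu !~ /^(?:amd64|arm64)$/)` block, whose only action is to disable the feature on every other architecture, so they describe the wrong branch; move them to the later "Branch protection" block where the flags are actually selected and replace them here with a comment in the style of the surrounding masks, e.g. `# branch protection is only implemented on amd64 and arm64.` Matching on `$cpu` alone also means the mask says nothing about the toolchain, so a compiler that does not understand the flag will fail at build time rather than being masked here.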
@@ -430,6 +436,17 @@
$flags->append('LDFLAGS', '-Wl,-z,now');
 }
 
+# Branch protection
   
+if ($use_feature{hardening}{branch}) { 
   
+my $flag;  
   
+if ($cpu eq 'arm64') { 
   
+$flag = '-mbranch-protection=standard';
   
+} elsif ($cpu eq 'amd64') {
   
+$flag = '-fcf-protection'; 
   
+}  
   
+$flags->append($_, $flag) foreach @compile_flags;  
   
+}  
   
+
 ## Commit
 
 # Set used features to their builtin setting if unset.
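Review bot: `$flag` is left undefined when `$cpu` is neither arm64 nor amd64 and is then passed straight to `$flags->append($_, $flag)`; the mask added earlier makes that path unreachable today, but nothing in this block enforces it, so either add a `defined $flag` guard before the append or an `else { die ... }` branch so that extending the architecture list in one place without the other cannot silently append an empty flag. Also note that the flag is only added to `@compile_flags`, which is fine for these compile-time options but worth a short comment, since the relro/bindnow blocks above append to LDFLAGS.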
diff -Nru dpkg-1.21.9/scripts/t/Dpkg_BuildFlags.t 
dpkg-1.21.9+1/scripts/t/Dpkg_BuildFlags.t
--- dpkg-1.21.9/scripts/t/Dpkg_BuildFlags.t 2022-06-18 17:57:44.0 
+
+++ dpkg-1.21.9+1/scripts/t/Dpkg_BuildFlags.t   2022-10-04 15:28:06.0 
+
@@ -55,6 +55,7 @@
 ) ],
 hardening => [ qw(
 bindnow
+branch
 format
 fortify
 pie
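Review bot: the test change only adds `branch` to the list of known hardening feature names, so it will not catch a regression in the flag selection itself; add a case that, with the vendor set to Debian and the host CPU forced to arm64, checks that CFLAGS contain `-mbranch-protection=standard`, and a matching case for amd64 and `-fcf-protection`, plus one for another architecture asserting that neither flag is present.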