Re: [musl] PAC/BTI Support on aarch64

mailing list of musl libc
 help / color / mirror / code / Atom feed

From: Markus Wichmann <nullplan@gmx.net>
To: musl@lists.openwall.com
Cc: Rich Felker <dalias@libc.org>, enh <enh@google.com>
Subject: Re: [musl] PAC/BTI Support on aarch64
Date: Tue, 13 Feb 2024 18:51:47 +0100	[thread overview]
Message-ID: <ZcusM27RAiKaJeHy@voyager> (raw)
In-Reply-To: <CAFftDdoiXvCq=p0CCUzShiojOHZZ0S_cH9e6Bymf1P1p2pTkCg@mail.gmail.com>

Am Tue, Feb 13, 2024 at 08:47:42AM -0600 schrieb William Roberts:
> It should. Is there a known minimal tool chain requirement and I can test?
>

Typically the first C99 compiler or the first aarch64 compiler,
whichever is younger.

>
> No, anywhere branches are allowed, a BTI instruction must be the first
> instruction. BTI is just a way for software to say, hey this is a
> valid jump/branch
> target, allow it. This reduces the amount of gadgets available to an
> attacker, which
> is why libc is such a juicy target, as it's in everything. A lot of
> things static link it,
> which effectively turns it off for the whole process.
>

So this means there must be a BTI instruction following every single BL
instruction.

But in the end this isn't that much different from endbr64 on the PC.
Whatever happened to those patches, BTW?

> Yes, so the kernel will manage the EL1 register flag for this, and then
> mprotect sets the PROT_BTI flag during dlopen().
>

Well, this is a novelty. This is the first time there will be an
arch-specific flag in mmap()/mprotect() for the musl dynlinker. So far
that code has been entirely portable.

> It's important to note, that even when enabling the assembly code files, if the
> C level source is not built with -mbranch-protection=standard, the feature will
> remain off for the library.
>

Arch-specific compiler flags are not a problem; configure.sh can add
those as needed.

> I can't think of anything like this offhand, but aarches may want to add prot
> flags to mprotect calls.
>

That hasn't happened yet. Of course, this may be as simple as adding a
static inline function. The fact that the important information is in a
note section is yet another novelty, of course. So far, the important
information (even arch-specific) has been contained in the dynamic
section.

> it usually
> #ifdef aarch64
> if (gnu_notes_bti_set && (prot & PROT_EXEC)) {
>     prot |= PROT_BTI;
> else {
>     prot &= ~PROT_BTI;
> }
> #endif
>
> mprotect(..., prot);
>

So far we have managed to steer clear of conditional inclusion, and I
think we should try to keep it that way.

Ciao,
Markus

next prev parent reply	other threads:[~2024-02-13 17:52 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-12 16:38 William Roberts
2024-02-12 18:42 ` Rich Felker
2024-02-12 21:25   ` William Roberts
2024-02-12 21:34     ` enh
2024-02-12 22:46     ` Rich Felker
2024-02-12 23:05       ` enh
2024-02-12 23:18         ` William Roberts
2024-02-13  2:08           ` Rich Felker
2024-02-13 14:47             ` William Roberts
2024-02-13 17:51               ` Markus Wichmann [this message]
2024-02-14  2:19                 ` Rich Felker
2024-02-14  3:19                   ` William Roberts
2024-02-14  4:44                   ` Markus Wichmann
2024-02-14 13:32                     ` Thorsten Glaser
2024-02-14 14:03                       ` Rich Felker
2024-02-14 14:12                         ` Thorsten Glaser
2024-02-15 13:29                   ` Stefan O'Rear
2024-02-15 14:06                     ` Rich Felker
2024-03-02 14:33                       ` Szabolcs Nagy
2024-03-02 14:45                         ` Rich Felker
2024-02-15  0:03             ` Szabolcs Nagy
2024-02-15  0:22               ` enh
2024-02-15  9:18                 ` Szabolcs Nagy
2024-02-19 23:54   ` Fangrui Song
     [not found]   ` <DS7PR12MB57659BC5D5536574D1B91D26CB502@DS7PR12MB5765.namprd12.prod.outlook.com>
2024-02-20  6:21     ` Anton Korobeynikov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZcusM27RAiKaJeHy@voyager \
    --to=nullplan@gmx.net \
    --cc=dalias@libc.org \
    --cc=enh@google.com \
    --cc=musl@lists.openwall.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).