guix: Pointer Authentication and Branch Target Identification for aarch64 Linux #24123

pull fanquake wants to merge 1 commits into bitcoin:master from fanquake:mbranch_protection_aarch64_linux changing 2 files +12 −25
  1. fanquake commented at 1:43 pm on January 21, 2022: member

    Arm Pointer Authentication (PAC) is a method of hardening code from Return Oriented Programming (ROP) attacks. It uses a tag in a pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc+kernel, packages gain the additional hardening by compiling with the -mbranch-protection= flag available in recent versions of GCC. In particular -mbranch-protection=standard enables both BTI and PAC, with backwards compatible to armv8.0 code sequences that activate on v8.3 (PAC) & v8.5 (BTI) enabled Arm machines. (taken from Fedora).

    Creation of a BTI enabled binary also requires that everything being linked in be BTI enabled. This means you currently cannot, for example, cross-compile using an Ubuntu-based aarch64 toolchain, if you’re wanting to use this feature. This can be shown using -Wl,-z,force-bti, which will emit warnings for linked objects that are not BTI enabled (this is used in configure to detect when to disable using the flags). i.e.:

    int main() { return 0; }

    # aarch64-linux-gnu-g++ (Ubuntu 13.2.0-23ubuntu4) 13.2.0
    aarch64-linux-gnu-g++ test.cpp -mbranch-protection=standard -Wl,-z,force-bti
    /usr/lib/gcc-cross/aarch64-linux-gnu/13/../../../../aarch64-linux-gnu/bin/ld: /usr/lib/gcc-cross/aarch64-linux-gnu/13/../../../../aarch64-linux-gnu/lib/../lib/Scrt1.o: warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
    

    Closes #19075.

  2. fanquake added the label Linux/Unix on Jan 21, 2022
  3. fanquake added the label Build system on Jan 21, 2022
  4. DrahtBot commented at 7:58 pm on January 21, 2022: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/24123.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    Concept ACK hebasto, laanwj, kristapsk

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #31529 (guix: latest 2.31 glibc by fanquake)
    • #25573 ([POC] guix: produce a fully -static-pie bitcoind by fanquake)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  5. hebasto commented at 10:25 pm on January 22, 2022: member

    Concept ACK.

    From reading docs it’s still unclear to me whether -mbranch-protection=standard implies -mbranch-protection=bti?

    $ ./test/lint/lint-git-commit-check.sh
    The subject line of commit hash f799135959461079a220c5ddc97ea9a6b0056b2b is followed by a non-empty line. Subject lines should always be followed by a blank line.
    
  6. fanquake force-pushed on Jan 23, 2022
  7. laanwj commented at 4:00 pm on January 25, 2022: member

    Concept ACK.

    We might want to wait with doing this until hardware supporting BTI and PAC is available to test on, though.

  8. in configure.ac:868 in c98b6eb1bf outdated
    914+        ], [], [$LDFLAG_WERROR])
    915+        AX_CHECK_LINK_FLAG([-Wl,-z,pac-plt], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-z,pac-plt"], [], [$LDFLAG_WERROR])
    916+        CXXFLAGS="$SAVED_CXXFLAGS"
    917+      ])
    918+      ;;
    919+  esac
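
    Review bot: the `-Wl,-z,pac-plt` check at line 915 is not tied to the check that closes on line 914, so `HARDENED_LDFLAGS` gains `-Wl,-z,pac-plt` whenever the linker accepts the option, whatever the preceding check decided. `AX_CHECK_LINK_FLAG` only shows that the option is accepted, not that the objects being linked carry the matching markings. If the two settings are meant to travel together, move the `pac-plt` check into the success action of the preceding check; if they are independent, add a short comment above line 915 saying so and stating what `pac-plt` changes in the output.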
    


    luke-jr commented at 7:35 pm on January 29, 2022:
    Won’t this break a normal from-source build if the C/C++ standard libraries are BTI-ready, but other dependencies are not?

    fanquake commented at 12:27 pm on August 14, 2023:
    Made this Guix-only for now.
  9. DrahtBot added the label Needs rebase on Feb 2, 2022
  10. maflcko added the label DrahtBot Guix build requested on Feb 2, 2022
  11. Vic23M approved
  12. Vic23M commented at 8:11 am on February 12, 2022: none
  13. fanquake force-pushed on May 12, 2022
  14. fanquake removed the label Needs rebase on May 12, 2022
  15. DrahtBot commented at 7:05 pm on May 17, 2022: contributor

    Guix builds

  16. DrahtBot removed the label DrahtBot Guix build requested on May 17, 2022
  17. fanquake force-pushed on Jun 27, 2022
  18. fanquake force-pushed on Jun 28, 2022
  19. fanquake commented at 10:43 am on June 28, 2022: member

    I’ve changed the approach here, and this is now based on #25437 and parts of #25484.

    This adds --enable-standard-branch-protection to the configure flags when building GCC, which turns on the usage of branch-protection features by default. I’ve also added a commit that switches to using glibc 2.33 for the aarch64 build. glibc 2.32 was the first to ship with support for aarch64 branch protection features when built with a compatible compiler (see commit message for details). We couldn’t actually use this for Guix builds, because it would break our back compat requirements (the symbol checks fail), so this is still just for demonstration.

  20. kristapsk commented at 10:54 am on June 28, 2022: contributor
    Concept ACK
  21. fanquake force-pushed on Jun 29, 2022
  22. fanquake force-pushed on Jun 30, 2022
  23. fanquake force-pushed on Jul 19, 2022
  24. fanquake force-pushed on Jul 19, 2022
  25. fanquake force-pushed on Jul 19, 2022
  26. fanquake force-pushed on Jul 19, 2022
  27. fanquake force-pushed on Jul 19, 2022
  28. lish2099 approved
  29. fanquake referenced this in commit 8e37afcb13 on Jul 30, 2022
  30. fanquake force-pushed on Jul 30, 2022
  31. fanquake force-pushed on Aug 2, 2022
  32. fanquake force-pushed on Aug 19, 2022
  33. fanquake commented at 3:10 pm on August 19, 2022: member
    Rebased on master & #25861. Please review that PR first.
  34. fanquake renamed this:
    [POC] build: enable Pointer Authentication and Branch Target Identification for aarch64 (Linux)
    build: Pointer Authentication and Branch Target Identification for aarch64 Linux (Guix)
    on Aug 24, 2022
  35. fanquake force-pushed on Sep 4, 2022
  36. fanquake force-pushed on Oct 11, 2022
  37. DrahtBot added the label Needs rebase on Feb 17, 2023
  38. fanquake force-pushed on Feb 17, 2023
  39. fanquake commented at 11:07 am on February 17, 2023: member
    Rebased past #27029. Might split some more of this out.
  40. DrahtBot removed the label Needs rebase on Feb 17, 2023
  41. DrahtBot added the label Needs rebase on Feb 28, 2023
  42. fanquake force-pushed on Feb 28, 2023
  43. fanquake commented at 12:10 pm on February 28, 2023: member
    Rebased past #27118.
  44. DrahtBot removed the label Needs rebase on Feb 28, 2023
  45. fanquake force-pushed on Mar 3, 2023
  46. DrahtBot added the label Needs rebase on Mar 15, 2023
  47. fanquake force-pushed on Mar 16, 2023
  48. fanquake commented at 12:19 pm on March 16, 2023: member
    Rebased past #27153.
  49. DrahtBot removed the label Needs rebase on Mar 16, 2023
  50. DrahtBot added the label Needs rebase on Apr 5, 2023
  51. fanquake force-pushed on Apr 5, 2023
  52. fanquake commented at 12:50 pm on April 5, 2023: member

    Rebased past #27406.

    Note that the branch protection option being added to libevent here, can now exist inside the NO_HARDEN clause.

  53. DrahtBot removed the label Needs rebase on Apr 5, 2023
  54. fanquake force-pushed on Apr 14, 2023
  55. fanquake force-pushed on Aug 14, 2023
  56. fanquake commented at 12:27 pm on August 14, 2023: member
    Rebased onto #27897, which simplifies the actual changes here, and dropped no-longer needed commits.
  57. fanquake force-pushed on Aug 14, 2023
  58. DrahtBot added the label CI failed on Aug 14, 2023
  59. DrahtBot added the label Needs rebase on Aug 22, 2023
  60. fanquake force-pushed on Aug 30, 2023
  61. DrahtBot removed the label Needs rebase on Aug 30, 2023
  62. DrahtBot removed the label CI failed on Aug 30, 2023
  63. fanquake referenced this in commit 3045d0a063 on Sep 12, 2023
  64. fanquake force-pushed on Sep 12, 2023
  65. fanquake referenced this in commit 8f48576f11 on Oct 2, 2023
  66. fanquake force-pushed on Oct 2, 2023
  67. DrahtBot added the label CI failed on Oct 2, 2023
  68. fanquake referenced this in commit fd5f9cb888 on Oct 3, 2023
  69. fanquake referenced this in commit 61a6c3b0e9 on Oct 10, 2023
  70. fanquake referenced this in commit 9e068f9612 on Oct 13, 2023
  71. fanquake force-pushed on Oct 13, 2023
  72. DrahtBot removed the label CI failed on Oct 13, 2023
  73. Frank-GER referenced this in commit ed1be98396 on Oct 13, 2023
  74. DrahtBot added the label Needs rebase on Nov 13, 2023
  75. fanquake force-pushed on Nov 13, 2023
  76. DrahtBot removed the label Needs rebase on Nov 13, 2023
  77. fanquake force-pushed on Dec 5, 2023
  78. fanquake force-pushed on Dec 8, 2023
  79. DrahtBot added the label CI failed on Jan 14, 2024
  80. DrahtBot added the label Needs rebase on Mar 14, 2024
  81. fanquake force-pushed on Mar 14, 2024
  82. DrahtBot removed the label Needs rebase on Mar 14, 2024
  83. DrahtBot removed the label CI failed on Mar 14, 2024
  84. fanquake force-pushed on Mar 22, 2024
  85. fanquake referenced this in commit 8189f87151 on Mar 22, 2024
  86. fanquake referenced this in commit 555a386824 on Mar 22, 2024
  87. fanquake referenced this in commit fa8398b5b1 on Mar 26, 2024
  88. fanquake referenced this in commit 144ba43995 on Mar 26, 2024
  89. fanquake referenced this in commit 1a5416a1b0 on Mar 26, 2024
  90. fanquake referenced this in commit d4dc8cb660 on Mar 26, 2024
  91. fanquake referenced this in commit d04324a705 on Mar 26, 2024
  92. fanquake renamed this:
    build: Pointer Authentication and Branch Target Identification for aarch64 Linux (Guix)
    guix: Pointer Authentication and Branch Target Identification for aarch64 Linux (Guix)
    on Mar 26, 2024
  93. fanquake force-pushed on Mar 26, 2024
  94. fanquake force-pushed on Apr 1, 2024
  95. DrahtBot added the label CI failed on Apr 1, 2024
  96. DrahtBot removed the label CI failed on Apr 5, 2024
  97. fanquake force-pushed on Apr 26, 2024
  98. fanquake force-pushed on May 16, 2024
  99. fanquake commented at 4:26 am on May 16, 2024: member
    Rebased on #29987.
  100. fanquake force-pushed on May 16, 2024
  101. fanquake force-pushed on Jun 26, 2024
  102. DrahtBot added the label CI failed on Jun 26, 2024
  103. DrahtBot commented at 5:49 pm on June 26, 2024: contributor

    🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the documentation.

    Possibly this is due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    Leave a comment here, if you need help tracking down a confusing failure.

    Debug: https://github.com/bitcoin/bitcoin/runs/26712572542

  104. fanquake force-pushed on Jul 11, 2024
  105. DrahtBot removed the label CI failed on Jul 11, 2024
  106. hebasto added the label Needs CMake port on Aug 16, 2024
  107. fanquake force-pushed on Aug 23, 2024
  108. fanquake commented at 12:25 pm on August 23, 2024: member
    Rebased on master and dropped a commit, also bumped the glibc 2.33 branch to the latest commit. Still based on #30433, but the main blocker here remains the glibc bump.
  109. fanquake commented at 12:28 pm on August 23, 2024: member

    For now, the Guix built bins could be inspected with:

    # bitcoin/guix-build-30af1c56da93/output/aarch64-linux-gnu/bitcoin-30af1c56da93/bin# readelf -n * | grep "AArch64"
          Properties: AArch64 feature: BTI, PAC
          Properties: AArch64 feature: BTI, PAC
          Properties: AArch64 feature: BTI, PAC
          Properties: AArch64 feature: BTI, PAC
          Properties: AArch64 feature: BTI, PAC
          Properties: AArch64 feature: BTI, PAC
          Properties: AArch64 feature: BTI, PAC
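
The `readelf -n` inspection above reads the GNU property note that the linker writes only when every input object is marked, which is also why one unmarked object such as `Scrt1.o` drops BTI from the result. As an added example (not part of the pull request or of any comment in this thread), the same check can be done by decoding the `PT_GNU_PROPERTY` segment directly, for instance as a release gate; the function names and the sample image are assumptions made for this sketch.

```python
import struct

EM_AARCH64 = 183
PT_GNU_PROPERTY = 0x6474E553
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_BITS = {0x1: "BTI", 0x2: "PAC"}  # bit values from the AArch64 ELF ABI

def parse_properties(note: bytes) -> set:
    """Return the AArch64 feature names marked in one GNU property note."""
    if len(note) < 16:
        return set()
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    if ntype != NT_GNU_PROPERTY_TYPE_0 or note[12:12 + namesz] != b"GNU\0":
        return set()
    desc = note[16:16 + descsz]
    features, pos = set(), 0
    while pos + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
        data = desc[pos + 8:pos + 8 + pr_datasz]
        if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and len(data) >= 4:
            bits = struct.unpack_from("<I", data)[0]
            features |= {name for bit, name in FEATURE_BITS.items() if bits & bit}
        pos += 8 + ((pr_datasz + 7) & ~7)  # ELF64 properties are 8-byte aligned
    return features

def elf_branch_protection(elf: bytes) -> set:
    """Find PT_GNU_PROPERTY in a little-endian ELF64 image and decode it."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", elf, 0)
    e_machine, e_phoff, e_phentsize, e_phnum = hdr[2], hdr[5], hdr[9], hdr[10]
    if e_machine != EM_AARCH64:
        raise ValueError("not an AArch64 binary")
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_PROPERTY:
            return parse_properties(elf[p_offset:p_offset + p_filesz])
    return set()  # no property segment: the linker marked neither feature

def build_sample(feature_bits: int) -> bytes:
    """Constructed minimal ELF64 image (header, one phdr, one note); not a real binary."""
    prop = struct.pack("<III4x", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, feature_bits)
    note = struct.pack("<III4s", 4, len(prop), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + prop
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, 120, 0, 0, len(note), len(note), 8)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       3, EM_AARCH64, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + phdr + note

if __name__ == "__main__":
    for bits in (0x3, 0x2, 0x0):  # both marked, PAC only, neither
        print(hex(bits), sorted(elf_branch_protection(build_sample(bits))))
```

On a real build, pass the bytes of each file under `bin/` to `elf_branch_protection` and fail the job unless the result is `{"BTI", "PAC"}`. The marking shows only that the binary is compatible; on hardware without the armv8.3-a and armv8.5-a extensions the instructions execute as nops.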
    
  110. hebasto commented at 2:20 pm on August 27, 2024: member

    It would be helpful if someone with BTI-enabled hardware could test the binaries and verify BTI during runtime.

    Unfortunately, I’m unable to do it by myself, as my hardware supports only PAC, not BTI.

  111. fanquake force-pushed on Aug 28, 2024
  112. fanquake removed the label Needs CMake port on Aug 28, 2024
  113. fanquake force-pushed on Aug 28, 2024
  114. fanquake renamed this:
    guix: Pointer Authentication and Branch Target Identification for aarch64 Linux (Guix)
    guix: Pointer Authentication and Branch Target Identification for aarch64 Linux
    on Sep 13, 2024
  115. fanquake referenced this in commit 06a9f7789e on Sep 13, 2024
  116. fanquake force-pushed on Sep 13, 2024
  117. fanquake force-pushed on Sep 13, 2024
  118. fanquake commented at 3:27 pm on September 13, 2024: member
    Rebased for #30433, and updated to add an export allowance for __libc_single_threaded.
  119. PastaPastaPasta referenced this in commit f711370123 on Oct 24, 2024
  120. PastaPastaPasta referenced this in commit 6c262329f7 on Oct 24, 2024
  121. PastaPastaPasta referenced this in commit f007abd19d on Oct 24, 2024
  122. guix: use glibc 2.33
    glibc 2.32 was the first to ship with support for branch protection when
    compiled with a compatible compiler, see below. However a number of
    bugfixes/improvements shipped in glibc 2.33, so use that, rather than
    trying to backport all relevant changes.
    
    glibc 2.32 release notes: https://lwn.net/Articles/828210/
    
    * AArch64 now supports standard branch protection security hardening
      in glibc when it is built with a GCC that is configured with
      --enable-standard-branch-protection (or if -mbranch-protection=standard
      flag is passed when building both GCC target libraries and glibc,
      in either case a custom GCC is needed).  This includes branch target
      identification (BTI) and pointer authentication for return addresses
      (PAC-RET).  They require armv8.5-a and armv8.3-a architecture
      extensions respectively for the protection to be effective,
      otherwise the used instructions are nops.  User code can use PAC-RET
      without libc support, but BTI requires a libc that is built with BTI
      support, otherwise runtime objects linked into user code will not be
      BTI compatible.
    
    `__libc_single_threaded` added as it is now exported from at least
    `bitcoin-wallet` and `test_bitcoin`.
    f91b1f5a1c
  123. fanquake force-pushed on Nov 27, 2024
  124. DrahtBot added the label Needs rebase on Dec 20, 2024
  125. DrahtBot commented at 4:43 pm on December 20, 2024: contributor

    🐙 This pull request conflicts with the target branch and needs rebase.


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-30 15:12 UTC
