guix: Pointer Authentication and Branch Target Identification for aarch64 Linux #24123

Arm Pointer Authentication (PAC) is a method of hardening code from Return Oriented Programming (ROP) attacks. It uses a tag in a pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc+kernel, packages gain the additional hardening by compiling with the -mbranch-protection=flag available in recent versions of GCC. In particular -mbranch-protection=standard enables both BTI and PAC, with backwards compatible to armv8.0 code sequences that activate on v8.3 (PAC) & v8.5 (BTI) enabled Arm machines. (taken from Fedora).

Creation of a BTI enabled binary also requires that everything being linked in be BTI enabled. This means you currently cannot, for example, cross-compile using a Ubuntu based aarch64 toolchain, if you're wanting to use this feature. This can be shown using -Wl,z,force-bti, which will emit warnings for linked objects that are not BTI enabled (this is used in configure to detect when to disable using the flags). i.e:

int main() { return 0; }

# aarch64-linux-gnu-g++ (Ubuntu 13.2.0-23ubuntu4) 13.2.0
aarch64-linux-gnu-g++ test.cpp -mbranch-protection=standard -Wl,-z,force-bti
/usr/lib/gcc-cross/aarch64-linux-gnu/13/../../../../aarch64-linux-gnu/bin/ld: /usr/lib/gcc-cross/aarch64-linux-gnu/13/../../../../aarch64-linux-gnu/lib/../lib/Scrt1.o: warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.

Closes #19075.

<!--e57a25ab6845829454e8d69fc972939a-->

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

<!--006a51241073e994b41acfe9ec718e94-->

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/24123.

<!--021abf342d371248e50ceaed478a90ca-->

Reviews

See the guideline for information on the review process.

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

<!--174a7506f384e20aa4161008e828411d-->

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #33537 ([wip] A more static bitcoin-qt by fanquake)
• #33181 (guix: build for Linux HOSTS with -static-libgcc by fanquake)
• #25573 (guix: produce a -static-pie bitcoind by fanquake)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

<!--5faf32d7da4f0f540f40219e4f7537a3-->

Concept ACK.

From reading docs it's still unclear to me whether -mbranch-protection=standard implies -mbranch-protection=bti?

$ ./test/lint/lint-git-commit-check.sh 
The subject line of commit hash f799135959461079a220c5ddc97ea9a6b0056b2b is followed by a non-empty line. Subject lines should always be followed by a blank line.

Concept ACK.

We might want to wait with doing this until hardware supporting BTI and PAC is available to test on, though.

<!--9cd9c72976c961c55c7acef8f6ba82cd-->

Guix builds

I've changed the approach here, and this is now based on #25437 and parts of #25484.

This adds --enable-standard-branch-protection to the configure flags when building GCC, which turns on the usage of branch-protection features by default. I've also added a commit that switches to using glibc 2.33 for the aarch64 build. glibc 2.32 was the first to ship with support for aarch64 branch protection features when built with a compatible compiler (see commit message for details). We couldn't actually use this for Guix builds, because it would break out back compat requires (the symbol checks fail), so this is still just for demonstration.

Concept ACK

Rebased on master & #25861. Please review that PR first.

Rebased past #27029. Might split some more of this out.

Rebased past #27118.

Rebased past #27153.

Rebased past #27406.

Note that the branch protection option being added to libevent here, can now exist inside the NO_HARDEN clause.

Rebased onto #27897, which simplifies the actual changes here, and dropped no-longer needed commits.

Rebased on #29987.

<!--85328a0da195eb286784d51f73fa0af9-->

🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the documentation.

Possibly this is due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

Leave a comment here, if you need help tracking down a confusing failure.

_{Debug: https://github.com/bitcoin/bitcoin/runs/26712572542}

Rebased on master and dropped a commit, also bumped the glibc 2.33 branch to the latest commit. Still based on #30433, but the main blocker here remains the glibc bump.

For now, the Guix built bins could be inspected with:

# bitcoin/guix-build-30af1c56da93/output/aarch64-linux-gnu/bitcoin-30af1c56da93/bin# readelf -n * | grep "AArch64"
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC
      Properties: AArch64 feature: BTI, PAC

It would be helpful if someone with BTI-enabled hardware could test the binaries and verified BTI during runtime.

Unfortunately, I'm unable to do it by myself, as my hardware supports only PAC, not BTI.

Rebased for #30433, and updated to add an export allowance for __libc_single_threaded.

Ideally #25573 will happen soon, which essentially includes this. So closing for now.