Hi,
On 5/19/20 2:21 PM, Igor Raits wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Mon, 2020-05-18 at 15:36 -0400, Ben Cotton wrote:
https://fedoraproject.org/wiki/Changes/Aarch64_PointerAuthentication
== Summary ==
Arm Pointer Authentication (PAC) is a method of hardening code from
Return Oriented Programming (ROP) attacks. It uses a tag in a pointer
to sign and verify pointers. Branch Target Identification (BTI) is
another code hardening method, where the branch/jump target is
identified with a special landing pad instruction. Outside of some
system support in glibc+kernel, packages gain the additional
hardening
by compiling with the -mbranch-protection= flag available in recent
versions of GCC. In particular -mbranch-protection=standard enables
both BTI and PAC, with backwards compatible to armv8.0 code sequences
that activate on v8.3 (PAC) & v8.5 (BTI) enabled Arm machines.
Is there some noticeable performance drop or anything like that?
Potentially, please see my longer response in the other email.
== Owner ==
* Name: [[User:jlinton| Jeremy Linton]] & ARM SIG
* Email: jeremy.linton@xxxxxxx
== Benefit to Fedora ==
PAC & BTI are code hardening features, they should serve to make
fedora more resistant to a couple further classes of runtime attacks.
By enabling this early, fedora is once again proven to be at the
leading edge of security and linux development. If everything works
as
planned, this change will be invisible to the end user, except in
cases where the applications will trap behaviour that appears to be
caused by exploit attempts.
== Scope ==
* Proposal owners:
Work with individual package maintainers in the case of build
failures
or runtime exceptions. In the latter case there are two
possibilities.
First on v8.0 hardware, which is currently the most common, the
additional instruction sequences are treated as NOP's and should be
completely ignored by the hardware. It may be possible on v8.3/8.5
hardware that PAC or BTI may need additional tweaks for hand written
assembly which interacts with PAC/BTI enabled code.
It would be nice if you would specify which exact flags and where you
will add them, so that it would be easy to see which people we need to
get on board for this change.
Its the gcc flag "-mbranch-protection=standard" I mentioned in the
summary above. The assumption is that we place it in the arch specific
opt stanza in /usr/lib/rpm/redhat/rpmrc, or we extend
/usr/lib/rpm/redhat/macros hardening section to allow an arch specific
hardening.
I've rebuilt a minimal install by creating a custom mock template, but I
don't think that is the right official answer.
Thanks,
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx