RFR: 8264130: PAC-RET protection for Linux/AArch64 [v4]

Andrew Dinn adinn at openjdk.java.net
Mon Nov 15 11:56:47 UTC 2021


On Mon, 15 Nov 2021 11:08:57 GMT, Andrew Haley <aph at openjdk.org> wrote:

>>> whether this function authenticates or strips the address depends only on debugging?
>> 
>> Yes. We only need to strip the value, because we're not jumping to the lr value, only viewing it.
>> 
>> The interface is different to a strip (as we need to pass in the modifier). 
>> 
>> How about something like pauth_authenticate_fast() ? or pauth_authenticate_unsafe() ?
>> 
>> Alternatively, this function is only called by the functions in Frame, so the frequency of use is probably low enough (compared to the sign/auth every function) that it's not going to cause any performance issues. So, could just replace with calls to pauth_authenticate. I think that might be the best option.
>
> A simple rule here: function names go with what the release version does. So I'd go with the actual purpose, which is `pauth_strip_addr_for_debuginfo()`. That's right, isn't it? You only want this thing for stack traces, logs, etc.

This function is used by the frame code. So, that means it is used for all stack walks which are far from being simply cosmetic/ornamental. The runtime will rely on this for various different types of thread housekeeping.

The difference here is that in product mode this simply strips auth bits, whereas in debug mode it actually authenticates as it strips to give extra verification. So, your suggested name is quite misleading. Likewise, Alan's suggested names are misleading because the primary product operation is to strip, not authenticate.

How about pauth_strip_verifiable? And a comment saying that it differs from pauth_strip by actually authenticating when debug is enabled.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6334
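The strip-versus-authenticate distinction discussed above, as an added example that is not part of the thread, the PR or HotSpot: a small C model of PAC-style return-address signing. The hardware keys and the QARMA-based MAC are replaced by a toy keyed hash (assumption), virtual addresses are assumed to be 48 bits with the PAC in bits 63..48, and the debug/product switch is modelled as a function parameter. Real hardware does not return a success flag on authentication failure; it corrupts the pointer (or faults, with FPAC), which the `bool` result stands in for here.

```c
/* Added example, not HotSpot code: a toy model of PAC signing to show the
 * difference between stripping a signed return address (cheap, no check,
 * only safe for viewing the value) and authenticating it (check against the
 * same modifier that was used to sign), plus a "strip in product, verify in
 * debug" helper in the spirit of the pauth_strip_verifiable() name proposed
 * in the thread. Assumptions: 48-bit VAs, PAC in bits 63..48, toy hash. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define VA_BITS   48
#define ADDR_MASK ((UINT64_C(1) << VA_BITS) - 1)

/* Toy stand-in for the per-process hardware key (constructed value). */
static const uint64_t toy_key = UINT64_C(0x9E3779B97F4A7C15);

/* Toy MAC over (address, modifier), returned in the PAC bit positions 63..48. */
static uint64_t toy_pac(uint64_t addr, uint64_t modifier) {
    uint64_t x = (addr ^ modifier) * toy_key;
    x ^= x >> 29;
    x *= UINT64_C(0xBF58476D1CE4E5B9);
    x ^= x >> 32;
    return (x >> VA_BITS) << VA_BITS;
}

/* Sign: like PACIA with the stack pointer as modifier. */
uint64_t pauth_sign(uint64_t addr, uint64_t modifier) {
    addr &= ADDR_MASK;
    return addr | toy_pac(addr, modifier);
}

/* Strip: like XPACLRI. Drops the PAC bits without verifying them. The result
 * is fine for stack traces and frame walking but must never be jumped to. */
uint64_t pauth_strip(uint64_t signed_addr) {
    return signed_addr & ADDR_MASK;
}

/* Authenticate: like AUTIA. Recomputes the PAC with the modifier and compares.
 * On success writes the plain address to *out and returns true. */
bool pauth_authenticate(uint64_t signed_addr, uint64_t modifier, uint64_t *out) {
    uint64_t addr = signed_addr & ADDR_MASK;
    if (toy_pac(addr, modifier) != (signed_addr & ~ADDR_MASK))
        return false;               /* hardware would poison the pointer or fault */
    *out = addr;
    return true;
}

/* Strip in product builds; in debug builds also authenticate so that a
 * corrupted frame is flagged rather than silently walked past.
 * 'debug' models the build-time debug flag (assumption: a parameter here). */
bool pauth_strip_verifiable(uint64_t signed_addr, uint64_t modifier,
                            bool debug, uint64_t *out) {
    if (debug)
        return pauth_authenticate(signed_addr, modifier, out);
    *out = pauth_strip(signed_addr);
    return true;
}

/* Exercises the expected behaviours; returns 1 if all hold, else 0. */
int pauth_selfcheck(void) {
    const uint64_t lr = UINT64_C(0x00007f12345678a0);   /* constructed address */
    const uint64_t sp = UINT64_C(0x00007ffc0000e3d0);   /* constructed modifier */
    uint64_t signed_lr = pauth_sign(lr, sp), out = 0;
    uint64_t tampered = signed_lr ^ (UINT64_C(1) << 55); /* flip one PAC bit */

    if (pauth_strip(signed_lr) != lr) return 0;
    if (!pauth_authenticate(signed_lr, sp, &out) || out != lr) return 0;
    if (pauth_authenticate(tampered, sp, &out)) return 0;       /* must fail */
    if (pauth_strip(tampered) != lr) return 0;                   /* strip can't tell */
    if (!pauth_strip_verifiable(tampered, sp, false, &out) || out != lr) return 0;
    if (pauth_strip_verifiable(tampered, sp, true, &out)) return 0;
    return 1;
}

int main(void) {
    const uint64_t lr = UINT64_C(0x00007f12345678a0), sp = UINT64_C(0x00007ffc0000e3d0);
    uint64_t out = 0, s = pauth_sign(lr, sp);
    printf("signed lr      : 0x%016llx\n", (unsigned long long)s);
    printf("stripped       : 0x%016llx\n", (unsigned long long)pauth_strip(s));
    printf("auth, right sp : %s\n", pauth_authenticate(s, sp, &out) ? "ok" : "FAIL");
    printf("auth, wrong sp : %s\n", pauth_authenticate(s, sp + 16, &out) ? "ok" : "FAIL");
    printf("selfcheck      : %d\n", pauth_selfcheck());
    return 0;
}
```

The point the model makes concrete is the one in the message above: in product mode the helper is a plain strip, so it costs nothing and catches nothing, while the same call in debug mode becomes a real authentication that exposes a corrupted saved LR during a stack walk.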
