RFR: 8337536: AArch64: Enable BTI branch protection for runtime part

Fei Gao fgao at openjdk.org
Fri Aug 9 14:14:31 UTC 2024


On Wed, 7 Aug 2024 17:27:00 GMT, Andrew Haley <aph at openjdk.org> wrote:

> Can you explain why we want to support PAC without BTI? Would anyone use such a config?

Thanks for reviewing, @theRealAph.

Sorry, I don't quite understand your question. Do you mean why we currently only support PAC? PAC is mandatory from Armv8.3 for ROP attacks, while BTI is mandatory from Armv8.5 for JOP attacks. JDK currently has PAC enabled, but not BTI.

Or do you mean if we need the option to just support one of them? Now we enable BTI and PAC at the same time by configuring `--enable-branch-protection` and disable them without the flag, i.e. both or nothing. GCC supports all options to give maximum flexibility, just in case anyone wants it. What do you think? Thanks.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/20491#issuecomment-2278041901

