RFR: 8337536: AArch64: Enable BTI branch protection for runtime part [v2]

Eric Liu eliu at openjdk.org
Thu Aug 15 02:28:49 UTC 2024


On Fri, 9 Aug 2024 13:37:54 GMT, Fei Gao <fgao at openjdk.org> wrote:

>> This patch enables BTI branch protection for runtime part on Linux/aarch64 platform.
>> 
>> Motivation
>> 
>> 1. Since Fedora 33, glibc+kernel are PAC/BTI enabled by default. User-level packages can gain additional hardening by compiling with the GCC/Clang flag `-mbranch-protection=flag`. See [1].
>> 
>> 2. In JDK-8277204 [2], `--enable-branch-protection` was introduced as one VM configure flag, which would pass `-mbranch-protection=standard` compilation flags to all c/c++ files. Note that `standard` turns on both `pac-ret` and `bti` branch protections. For more details about code reuse attacks and hardware-assisted branch protections on AArch64, see [3].
>> 
>> However, we checked the `.note.gnu.property` section of all the shared libraries under `jdk/lib` on Fedora 40, and found that only libjvm.so didn't set these two target feature bits:
>> 
>> ```
>>   GNU_PROPERTY_AARCH64_FEATURE_1_BTI
>>   GNU_PROPERTY_AARCH64_FEATURE_1_PAC
>> ```
>> 
>> Note-1: BTI is an all or nothing property for a link unit [4]. That is, libjvm.so is not BTI-enabled.
>> 
>> Note-2: PAC bit in `.note.gnu.property` section is used to protect `.got.plt` table. It's independent of whether the relocatable objects use PAC or not.
>> 
>> Goal
>> 
>> Hence, this patch aims to set PAC/BTI feature bits of the `.note.gnu.property` section for libjvm.so.
>> 
>> Implementation
>> 
>> Task-1: find out the problematic input objects
>> 
>> From [5], "Static linkers processing ELF relocatable objects must set the feature bit in the output object or image only if all the input objects have the corresponding feature bit set." Hence we suspect that the root cause is probably that the PAC/BTI feature bits are not set only for some input objects of libjvm.so.
>> 
>> In order to find out these inputs, we passed `--force-bti` linker flag [4] in my local test. This linker flag would warn if any input object does not have GNU_PROPERTY_AARCH64_FEATURE_1_BTI. We got the following list:
>> 
>> ```
>>   src/hotspot/os_cpu/linux_aarch64/atomic_linux_aarch64.S
>>   src/hotspot/os_cpu/linux_aarch64/copy_linux_aarch64.S
>>   src/hotspot/os_cpu/linux_aarch64/safefetch_linux_aarch64.S
>>   src/hotspot/os_cpu/linux_aarch64/threadLS_linux_aarch64.S
>> ```
>> 
>> Task-2: add `.note.gnu.property` section for these assembly files
>> 
>> As mentioned in Motivation-2 part, `-mbranch-protection=standard` is passed to compile c/c++ files but these assembly files are missed.
>> 
>> In this patch, we also pass `-mbranch-protection=standard` flag to assembler (See the update i...
>
> Fei Gao has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
> 
>  - Clean up makefile
>  - Merge branch 'master' into enable-bti-runtime
>  - 8337536: AArch64: Enable BTI branch protection for runtime part
>    
>    This patch enables BTI branch protection for runtime part on
>    Linux/aarch64 platform.
>    
>    Motivation
>    
>    1. Since Fedora 33, glibc+kernel are PAC/BTI enabled by default.
>    User-level packages can gain additional hardening by compiling with the
>    GCC/Clang flag `-mbranch-protection=flag`. See [1].
>    
>    2. In JDK-8277204 [2], `--enable-branch-protection` was introduced as
>    one VM configure flag, which would pass `-mbranch-protection=standard`
>    compilation flags to all c/c++ files. Note that `standard` turns on both
>    `pac-ret` and `bti` branch protections. For more details about code
>    reuse attacks and hardware-assisted branch protections on AArch64, see
>    [3].
>    
>    However, we checked the `.note.gnu.property` section of all the shared
>    libraries under `jdk/lib` on Fedora 40, and found that only libjvm.so
>    didn't set these two target feature bits:
>    
>    ```
>      GNU_PROPERTY_AARCH64_FEATURE_1_BTI
>      GNU_PROPERTY_AARCH64_FEATURE_1_PAC
>    ```
>    
>    Note-1: BTI is an all or nothing property for a link unit [4]. That is,
>    libjvm.so is not BTI-enabled.
>    
>    Note-2: PAC bit in `.note.gnu.property` section is used to protect
>    `.got.plt` table. It's independent of whether the relocatable objects
>    use PAC or not.
>    
>    Goal
>    
>    Hence, this patch aims to set PAC/BTI feature bits of the
>    `.note.gnu.property` section for libjvm.so.
>    
>    Implementation
>    
>    Task-1: find out the problematic input objects
>    
>    From [5], "Static linkers processing ELF relocatable objects must set
>    the feature bit in the output object or image only if all the input
>    objects have the corresponding feature bit set." Hence we suspect that
>    the root cause is probably that the PAC/BTI feature bits are not set
>    only for some input objects of libjvm.so.
>    
>    In order to find out these inputs, we passed `--force-bti` linker flag
>    [4] in my local test. This linker flag would warn if any input object
>    does not have GNU_PROPERTY_AARCH64_FEATURE_1_BTI. We got the following
>    list:
>    
>    ```
>      src/hotspot/os_cpu/linux_aarch64/atomic_linux_aarch64.S
> ...

Marked as reviewed by eliu (Committer).

src/hotspot/cpu/aarch64/copy_aarch64.hpp line 67:

> 65: "       .align  5;\n"                                                   \
> 66: "0:"                                                                    \
> 67: "       hint    #0x24; // bti j\n"                                               \

LGTM. Only a few indent issues.

-------------

PR Review: https://git.openjdk.org/jdk/pull/20491#pullrequestreview-2239522676
PR Review Comment: https://git.openjdk.org/jdk/pull/20491#discussion_r1717797701
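The check the PR description performs by hand (reading the `.note.gnu.property` section of each shared library and seeing whether `GNU_PROPERTY_AARCH64_FEATURE_1_BTI` and `GNU_PROPERTY_AARCH64_FEATURE_1_PAC` are set), together with the linker's all-or-nothing merge rule quoted from [5], as an added example that is not part of the PR or of the JDK build. The usual tool for this is `readelf -n`; the script below does the same decoding in pure Python so it can be scripted across `jdk/lib`. The ELF image it parses in the demonstration is constructed in memory (two sections, no code) and is an assumption, as is the choice of 8-byte note alignment, which is what ELF64 `.note.gnu.property` sections use.

```python
"""Decode AArch64 BTI/PAC feature bits from an ELF64 .note.gnu.property section.

Added example, not JDK code. Constants are the ones documented in the
Linux AArch64 ELF ABI extensions; the sample ELF image below is constructed
here for demonstration and is not a real libjvm.so.
"""
import struct
import sys
from functools import reduce

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
GNU_PROPERTY_AARCH64_FEATURE_1_BTI = 1 << 0
GNU_PROPERTY_AARCH64_FEATURE_1_PAC = 1 << 1
EM_AARCH64 = 183
SHT_STRTAB, SHT_NOTE, SHF_ALLOC = 3, 7, 0x2

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr, little-endian


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def section_bytes(elf, name):
    """Return the raw contents of section `name` from a little-endian ELF64 image, or None."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(elf, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    headers = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = headers[shstrndx]
    names = elf[strtab[4]:strtab[4] + strtab[5]]
    for sh_name, _, _, _, sh_offset, sh_size, *_ in headers:
        if names[sh_name:names.index(b"\0", sh_name)] == name.encode():
            return elf[sh_offset:sh_offset + sh_size]
    return None


def gnu_properties(note, align=8):
    """Parse NT_GNU_PROPERTY_TYPE_0 notes owned by "GNU"; return {pr_type: pr_data bytes}."""
    props, off = {}, 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        desc_off = _align(off + 12 + namesz, align)   # name and desc padded to `align`
        desc = note[desc_off:desc_off + descsz]
        if note[off + 12:off + 12 + namesz] == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0:
            p = 0
            while p + 8 <= len(desc):
                pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
                props[pr_type] = desc[p + 8:p + 8 + pr_datasz]
                p = _align(p + 8 + pr_datasz, align)   # each property padded to `align`
        off = _align(desc_off + descsz, align)
    return props


def aarch64_branch_protection(elf):
    """Report {'bti': bool, 'pac': bool}; None when the image carries no FEATURE_1_AND property."""
    if EHDR.unpack_from(elf, 0)[2] != EM_AARCH64:
        raise ValueError("not an AArch64 image")
    note = section_bytes(elf, ".note.gnu.property")
    props = gnu_properties(note) if note is not None else {}
    if GNU_PROPERTY_AARCH64_FEATURE_1_AND not in props:
        return None
    bits = struct.unpack_from("<I", props[GNU_PROPERTY_AARCH64_FEATURE_1_AND])[0]
    return {"bti": bool(bits & GNU_PROPERTY_AARCH64_FEATURE_1_BTI),
            "pac": bool(bits & GNU_PROPERTY_AARCH64_FEATURE_1_PAC)}


def link_unit_feature_bits(input_bits):
    """The linker's rule from the ABI: the output has a bit only if every input object has it.
    An input with no property at all (None, e.g. a plain .S file) contributes 0 and clears both."""
    return reduce(lambda acc, b: acc & (b or 0), input_bits)


def build_property_note(feature_bits):
    """Bytes of a .note.gnu.property section with one AARCH64_FEATURE_1_AND property (ELF64 layout)."""
    prop = struct.pack("<III", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, feature_bits) + b"\0" * 4
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


def build_minimal_elf64(note):
    """Constructed sample: an AArch64 ELF64 relocatable with only .note.gnu.property and .shstrtab."""
    shstrtab = b"\0.note.gnu.property\0.shstrtab\0"
    note_off, str_off = EHDR.size, EHDR.size + len(note)
    shoff = _align(str_off + len(shstrtab), 8)
    body = note + shstrtab
    body += b"\0" * (shoff - EHDR.size - len(body))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LSB, version 1, SysV ABI
    ehdr = EHDR.pack(ident, 1, EM_AARCH64, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, 3, 2)
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += SHDR.pack(1, SHT_NOTE, SHF_ALLOC, 0, note_off, len(note), 0, 0, 8, 0)
    shdrs += SHDR.pack(shstrtab.index(b".shstrtab"), SHT_STRTAB, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    return ehdr + body + shdrs


if __name__ == "__main__":
    # Usage: python3 check_bti.py /path/to/jdk/lib/server/libjvm.so
    with open(sys.argv[1], "rb") as f:
        print(aarch64_branch_protection(f.read()))
```

`link_unit_feature_bits` is what explains the PR's Task-1: one assembly file assembled without a `.note.gnu.property` section is enough to clear both bits in libjvm.so, whatever the C++ objects carry, which is why `--force-bti` was used to name the offending inputs.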


More information about the build-dev mailing list