RFR: 8337536: AArch64: Enable BTI branch protection for runtime part [v2]
Fei Gao
fgao at openjdk.org
Thu Aug 15 15:32:29 UTC 2024
On Thu, 15 Aug 2024 02:26:10 GMT, Eric Liu <eliu at openjdk.org> wrote:
>> Fei Gao has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
>>
>> - Clean up makefile
>> - Merge branch 'master' into enable-bti-runtime
>> - 8337536: AArch64: Enable BTI branch protection for runtime part
>>
>> This patch enables BTI branch protection for runtime part on
>> Linux/aarch64 platform.
>>
>> Motivation
>>
>> 1. Since Fedora 33, glibc+kernel are PAC/BTI enabled by default.
>> User-level packages can gain additional hardening by compiling with the
>> GCC/Clang flag `-mbranch-protection=flag`. See [1].
>>
>> 2. In JDK-8277204 [2], `--enable-branch-protection` was introduced as
>> one VM configure flag, which would pass `-mbranch-protection=standard`
>> compilation flags to all c/c++ files. Note that `standard` turns on both
>> `pac-ret` and `bti` branch protections. For more details about code
>> reuse attacks and hardware-assisted branch protections on AArch64, see
>> [3].
>>
>> However, we checked the `.note.gnu.property` section of all the shared
>> libraries under `jdk/lib` on Fedora 40, and found that only libjvm.so
>> didn't set these two target feature bits:
>>
>> ```
>> GNU_PROPERTY_AARCH64_FEATURE_1_BTI
>> GNU_PROPERTY_AARCH64_FEATURE_1_PAC
>> ```
>>
>> Note-1: BTI is an all or nothing property for a link unit [4]. That is,
>> libjvm.so is not BTI-enabled.
>>
>> Note-2: PAC bit in `.note.gnu.property` section is used to protect
>> `.got.plt` table. It's independent of whether the relocatable objects
>> use PAC or not.
>>
>> Goal
>>
>> Hence, this patch aims to set PAC/BTI feature bits of the
>> `.note.gnu.property` section for libjvm.so.
>>
>> Implementation
>>
>> Task-1: find out the problematic input objects
>>
>> From [5], "Static linkers processing ELF relocatable objects must set
>> the feature bit in the output object or image only if all the input
>> objects have the corresponding feature bit set." Hence we suspect that
>> the root cause is probably that the PAC/BTI feature bits are not set
>> only for some input objects of libjvm.so.
>>
>> In order to find out these inputs, we passed `--force-bti` linker flag
>> [4] in my local test. This linker flag would warn if any input object
>> does not have GNU_PROPERTY_AARCH64_FEATU...
>
> src/hotspot/cpu/aarch64/copy_aarch64.hpp line 67:
>
>> 65: " .align 5;\n" \
>> 66: "0:" \
>> 67: " hint #0x24; // bti j\n" \
>
> LGTM. Only a few indent issues.
@e1iu thanks for review! Updated it in the new commit :)
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/20491#discussion_r1718569298
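Added example, not part of the PR or of OpenJDK: the static-linker rule quoted from [5] (an output gets a feature bit only if every input object carries it) is what makes BTI an all-or-nothing property for libjvm.so, and what `--force-bti` reports on. The script below parses the `.note.gnu.property` layout that carries those bits (an NT_GNU_PROPERTY_TYPE_0 note with a GNU_PROPERTY_AARCH64_FEATURE_1_AND property, whose low two bits are BTI and PAC) and then applies the AND rule over a set of constructed input objects to show which ones would strip the bits from the link output. The object names and their note contents are made up for the example; the note format and constants are the public GNU ABI values. On a real build the same bytes come from the section `readelf -n` summarizes as "AArch64 feature: BTI, PAC".

```python
"""Parse .note.gnu.property feature bits and apply the linker's AND rule.

Constructed example, not OpenJDK code. Object names and their notes are
invented to illustrate why one non-BTI input object clears the bit for the
whole link unit.
"""
import struct

# Public GNU ABI constants for the property note (ELF64, little-endian AArch64).
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
GNU_PROPERTY_AARCH64_FEATURE_1_BTI = 1 << 0
GNU_PROPERTY_AARCH64_FEATURE_1_PAC = 1 << 1


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def build_property_note(features):
    """Build a minimal .note.gnu.property blob carrying one FEATURE_1_AND property.

    Layout: namesz, descsz, type | "GNU\\0" | pr_type, pr_datasz, pr_data, pad-to-8.
    """
    name = b"GNU\0"
    desc = struct.pack("<IIII", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, features, 0)
    header = struct.pack("<III", len(name), len(desc), NT_GNU_PROPERTY_TYPE_0)
    return header + name + desc


def aarch64_feature_bits(note):
    """Return the AArch64 FEATURE_1_AND bitmask found in a note blob, or 0 if absent.

    An object with no property note contributes 0, exactly as the linker treats it.
    """
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += _align(namesz, 4)
        desc = note[off:off + descsz]
        off += _align(descsz, 4)
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz == 4:
                return struct.unpack_from("<I", desc, p)[0]
            p += _align(pr_datasz, 8)  # ELF64 pads each property to 8 bytes
    return 0


def link_feature_bits(inputs):
    """Apply the static-linker rule from the AArch64 ELF ABI: AND over all inputs.

    inputs maps object name -> note blob (b"" for an object without the section).
    Returns (merged_bits, offenders), where offenders are the inputs lacking the
    BTI bit, i.e. the ones a --force-bti link would warn about.
    """
    merged = GNU_PROPERTY_AARCH64_FEATURE_1_BTI | GNU_PROPERTY_AARCH64_FEATURE_1_PAC
    offenders = []
    for name, blob in inputs.items():
        bits = aarch64_feature_bits(blob)
        merged &= bits
        if not bits & GNU_PROPERTY_AARCH64_FEATURE_1_BTI:
            offenders.append(name)
    return merged, sorted(offenders)


def describe_features(bits):
    """Human-readable form of the two feature bits, mirroring readelf's summary."""
    names = []
    if bits & GNU_PROPERTY_AARCH64_FEATURE_1_BTI:
        names.append("BTI")
    if bits & GNU_PROPERTY_AARCH64_FEATURE_1_PAC:
        names.append("PAC")
    return ", ".join(names) or "none"


# Constructed inputs (hypothetical object names, not files from the JDK tree).
SAMPLE_OBJECTS = {
    "obj_with_both.o": build_property_note(
        GNU_PROPERTY_AARCH64_FEATURE_1_BTI | GNU_PROPERTY_AARCH64_FEATURE_1_PAC),
    "obj_pac_only.o": build_property_note(GNU_PROPERTY_AARCH64_FEATURE_1_PAC),
    "obj_no_note.o": b"",
}

if __name__ == "__main__":
    for name, blob in SAMPLE_OBJECTS.items():
        print(f"{name:18s} {describe_features(aarch64_feature_bits(blob))}")
    merged, offenders = link_feature_bits(SAMPLE_OBJECTS)
    print("link output:", describe_features(merged))
    print("would trip --force-bti:", offenders)
```

Dropping either offending object from the set does not rescue the output: a single input without the bit is enough, which is why the fix has to cover every object in libjvm.so, hand-written assembly included.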