RFR: 8337536: AArch64: Enable BTI branch protection for runtime part [v3]
Fei Gao
fgao at openjdk.org
Mon Oct 14 08:57:16 UTC 2024
On Tue, 3 Sep 2024 09:25:55 GMT, Andrew Haley <aph at openjdk.org> wrote:
>> Fei Gao has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains five additional commits since the last revision:
>>
>> - Fix indentation
>> - Merge branch 'master' into enable-bti-runtime
>> - Clean up makefile
>> - Merge branch 'master' into enable-bti-runtime
>> - 8337536: AArch64: Enable BTI branch protection for runtime part
>>
>> This patch enables BTI branch protection for runtime part on
>> Linux/aarch64 platform.
>>
>> Motivation
>>
>> 1. Since Fedora 33, glibc+kernel are PAC/BTI enabled by default.
>> User-level packages can gain additional hardening by compiling with the
>> GCC/Clang flag `-mbranch-protection=flag`. See [1].
>>
>> 2. In JDK-8277204 [2], `--enable-branch-protection` was introduced as
>> one VM configure flag, which would pass `-mbranch-protection=standard`
>> compilation flags to all c/c++ files. Note that `standard` turns on both
>> `pac-ret` and `bti` branch protections. For more details about code
>> reuse attacks and hardware-assisted branch protections on AArch64, see
>> [3].
>>
>> However, we checked the `.note.gnu.property` section of all the shared
>> libraries under `jdk/lib` on Fedora 40, and found that only libjvm.so
>> didn't set these two target feature bits:
>>
>> ```
>> GNU_PROPERTY_AARCH64_FEATURE_1_BTI
>> GNU_PROPERTY_AARCH64_FEATURE_1_PAC
>> ```
>>
>> Note-1: BTI is an all or nothing property for a link unit [4]. That is,
>> libjvm.so is not BTI-enabled.
>>
>> Note-2: PAC bit in `.note.gnu.property` section is used to protect
>> `.got.plt` table. It's independent of whether the relocatable objects
>> use PAC or not.
>>
>> Goal
>>
>> Hence, this patch aims to set PAC/BTI feature bits of the
>> `.note.gnu.property` section for libjvm.so.
>>
>> Implementation
>>
>> Task-1: find out the problematic input objects
>>
>> From [5], "Static linkers processing ELF relocatable objects must set
>> the feature bit in the output object or image only if all the input
>> objects have the corresponding feature bit set." Hence we suspect that
>> the root cause is probably that the PAC/BTI feature bits are not set
>> only for some input objects of libjvm.so.
>>
>> In order to find out these inputs, we passed `--force-bti` linker flag
>> [4] in my local test. This linker flag would...
>
> What is the effect on JNI? Is there full interworking with non-branch-protected libraries?
Hi @theRealAph, would you mind reviewing this PR once again? Thanks!
-------------
PR Comment: https://git.openjdk.org/jdk/pull/20491#issuecomment-2410496113
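An added check, not code from the PR or from anyone in this thread, for the `.note.gnu.property` audit the quoted description walks through: it parses GNU binutils `readelf -n` output and lists shared objects under a JDK `lib/` tree that lack the BTI or PAC bit. It assumes readelf renders the note as a `Properties: AArch64 feature: BTI, PAC` line and that libjvm.so lives one directory below `lib/` (e.g. `lib/server/`).

```shell
#!/bin/sh
# Added example (not from the OpenJDK PR): list which shared libraries under
# a JDK's lib/ directory carry the BTI and PAC bits in .note.gnu.property.
# Assumption: GNU binutils readelf, which renders the note as a line
# "Properties: AArch64 feature: BTI, PAC" (subset, or absent, when unset).

# feature_bits: read `readelf -n` output on stdin, print "BTI=yes|no PAC=yes|no".
feature_bits() {
  notes=$(cat)
  # Only the AArch64 feature line matters; sed exits 0 even when no line matches.
  line=$(printf '%s\n' "$notes" | sed -n '/AArch64 feature:/p')
  bti=no
  pac=no
  case "$line" in *BTI*) bti=yes ;; esac
  case "$line" in *PAC*) pac=yes ;; esac
  printf 'BTI=%s PAC=%s\n' "$bti" "$pac"
}

# lib_status: print "<bits> <path>" for one shared object.
lib_status() {
  so=$1
  bits=$(readelf -n "$so" 2>/dev/null | feature_bits)
  printf '%s %s\n' "$bits" "$so"
}

# scan_libs: walk lib/ and lib/*/ (assumed location of libjvm.so, e.g.
# lib/server/) and print only objects missing either bit; since BTI is
# all-or-nothing per link unit, a single unmarked input object is enough
# to make libjvm.so show up here.
scan_libs() {
  dir=$1
  for so in "$dir"/*.so "$dir"/*/*.so; do
    [ -f "$so" ] || continue
    lib_status "$so"
  done | grep -E 'BTI=no|PAC=no' || true
}

# Usage: sh check_bti.sh /path/to/jdk/lib
if [ -n "$1" ]; then
  scan_libs "$1"
fi
```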
More information about the build-dev mailing list