RFC: JEP drafts PAC for Linux/AArch64 (JDK-8264130) and Arm64 for MacOS/AArch64 (JDK-8264131)

[Alan Hayward]

Hi all,

I’ve been investigating PAC for the AArch64 ports - figuring out what should be supported and trying it out in code. PAC is an AArch64 extension that provides instructions for signing and authenticating values and addresses; it can be used to bring protection against various types of attacks, for a small performance cost. If OpenJDK is running on a system with PAC protection enabled in the kernel, then it should use the feature.

I’ve started by implementing the same support as GCC/LLVM - namely signing return addresses. So far I have this seemingly fully working in interpreter only; and C1/C2 crashing in deoptimization.
I’ve also got an early attempt at MacOS arm64e. In addition to signing return addresses, arm64e requires signing function pointers.
The upcoming PAuth ABI for Linux includes all of the above plus additional features. I’ve not made any attempt at this yet.

All of this comes at a cost. Current estimate is 3% on average for signing return addresses. This almost vanishes on non PAC hardware, or when the feature is disabled, as in both cases the PAC instructions are treated as NOPs. Arm64e has the advantage that it is compiled twice within the same fat binary meaning the arm64e version will not have the extra NOPs.

I’ve opened JEPs for both the Linux and Arm64e work. These are my first attempts at writing a JEP, so any comments would be greatly appreciated.

PAC-RET protection for Linux/AArch64:
https://bugs.openjdk.java.net/browse/JDK-8264130

Arm64e support for MacOS/AArch64:
https://bugs.openjdk.java.net/browse/JDK-8264131


Thanks,
Alan.

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.