RFC: JEP drafts PAC for Linux/AArch64 (JDK-8264130) and Arm64 for MacOS/AArch64 (JDK-8264131)
Andrew Dinn
adinn at redhat.com
Tue Mar 30 11:11:21 UTC 2021
Hi Alan,

I'm fairly strongly aligned with Andrew Haley as regards this proposal i.e.

  PAC appears to be of far less value in a managed runtime like Java
  than it is for other app deployment models

  the thing PAC is intended to stop i.e. updating of stacked return
  addresses from within user space is actually something the JVM does
  legitimately and (relatively) safely

Given those two positions I think you need to come up with a strong
argument to motivate employing PAC on AArch64 -- and living with
whatever performance overheads it imposes -- before we proceed further.

I'd also like to see a plan for how we might allow the JVM to continue
safely to update return addresses.
regards,
Andrew Dinn
-----------
On 29/03/2021 10:01, Alan Hayward wrote:
> Hi all,
>
> I’ve been investigating PAC for the AArch64 ports - figuring out what should be supported and trying it out in code. PAC is an AArch64 extension that provides instructions for signing and authenticating values and addresses; it can be used to bring protection against various types of attacks, for a small performance cost. If OpenJDK is running on a system with PAC protection enabled in the kernel, then it should use the feature.
>
> I’ve started by implementing the same support as GCC/LLVM - namely signing return addresses. So far I have this seemingly fully working in interpreter only; and C1/C2 crashing in deoptimization.
> I’ve also got an early attempt at MacOS arm64e. In addition to signing return addresses, arm64e requires signing function pointers.
> The upcoming PAuth ABI for Linux includes all of the above plus additional features. I’ve not made any attempt at this yet.
>
> All of this comes at a cost. Current estimate is 3% on average for signing return addresses. This almost vanishes on non PAC hardware, or when the feature is disabled, as in both cases the PAC instructions are treated as NOPs. Arm64e has the advantage that it is compiled twice within the same fat binary meaning the arm64e version will not have the extra NOPs.
>
> I’ve opened JEPs for both the Linux and Arm64e work. These are my first attempts at writing a JEP, so any comments would be greatly appreciated.
>
> PAC-RET protection for Linux/AArch64:
> https://bugs.openjdk.java.net/browse/JDK-8264130
>
> Arm64e support for MacOS/AArch64:
> https://bugs.openjdk.java.net/browse/JDK-8264131
>
>
> Thanks,
> Alan.
>
--
regards,
Andrew Dinn
-----------
Red Hat Distinguished Engineer
Red Hat UK Ltd
Registered in England and Wales under Company Registration No. 03798903
Directors: Michael Cunningham, Michael ("Mike") O'Neill