On Wed, 7 Aug 2024 10:40:09 GMT, Fei Gao <f...@openjdk.org> wrote:

> This patch enables BTI branch protection for the runtime part on the Linux/aarch64 platform.
>
> Motivation
>
> 1. Since Fedora 33, glibc+kernel are PAC/BTI enabled by default. User-level packages can gain additional hardening by compiling with the GCC/Clang flag `-mbranch-protection=flag`. See [1].
>
> 2. In JDK-8277204 [2], `--enable-branch-protection` was introduced as one VM configure flag, which would pass `-mbranch-protection=standard` compilation flags to all c/c++ files. Note that `standard` turns on both `pac-ret` and `bti` branch protections. For more details about code reuse attacks and hardware-assisted branch protections on AArch64, see [3].
>
> However, we checked the `.note.gnu.property` section of all the shared libraries under `jdk/lib` on Fedora 40, and found that only libjvm.so didn't set these two target feature bits:
>
>     GNU_PROPERTY_AARCH64_FEATURE_1_BTI
>     GNU_PROPERTY_AARCH64_FEATURE_1_PAC
>
> Note-1: BTI is an all or nothing property for a link unit [4]. That is, libjvm.so is not BTI-enabled.
>
> Note-2: The PAC bit in the `.note.gnu.property` section is used to protect the `.got.plt` table. It's independent of whether the relocatable objects use PAC or not.
>
> Goal
>
> Hence, this patch aims to set the PAC/BTI feature bits of the `.note.gnu.property` section for libjvm.so.
>
> Implementation
>
> Task-1: find out the problematic input objects
>
> From [5], "Static linkers processing ELF relocatable objects must set the feature bit in the output object or image only if all the input objects have the corresponding feature bit set." Hence we suspect that the root cause is probably that the PAC/BTI feature bits are not set for only some input objects of libjvm.so.
>
> In order to find out these inputs, we passed the `--force-bti` linker flag [4] in my local test. This linker flag would warn if any input object does not have GNU_PROPERTY_AARCH64_FEATURE_1_BTI. We got the following list:
>
>     src/hotspot/os_cpu/linux_aarch64/atomic_linux_aarch64.S
>     src/hotspot/os_cpu/linux_aarch64/copy_linux_aarch64.S
>     src/hotspot/os_cpu/linux_aarch64/safefetch_linux_aarch64.S
>     src/hotspot/os_cpu/linux_aarch64/threadLS_linux_aarch64.S
>
> Task-2: add a `.note.gnu.property` section for these assembly files
>
> As mentioned in the Motivation-2 part, `-mbranch-protection=standard` is passed to compile c/c++ files but these assembly files are missed.
>
> In this patch, we also pass the `-mbranch-protection=standard` flag to the assembler (see the update in flags-cflags.m4 and flags-other.m4), and add a `.note.gnu.property` section at the end...
> It turned out to be easier to write it myself than trying to explain it. Please have a look here: [0fe840d](https://github.com/openjdk/jdk/commit/0fe840dec597bb4a819eb2025a6d56cd82f237b5)
>
> (This also contains some additional cleanup in the branch protection configure code.)

Thanks for your review and suggestions @magicus . Updated in the new commit :)

-------------

PR Comment: https://git.openjdk.org/jdk/pull/20491#issuecomment-2277959315
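The check described in the PR description above (inspecting `.note.gnu.property` for the AArch64 BTI/PAC bits, and the linker's "all inputs must carry the bit" rule from [5]) can be reproduced without `readelf`. The following is an added example written for this page, not code from the PR or from the JDK build; it walks the ELF64 section headers itself, decodes the GNU property note, and models the link-unit rule as a bitwise AND over the inputs. The constants are the public values from the ELF gABI and the AArch64 ELF ABI; the `build_note_section` / `build_minimal_elf` helpers construct a sample image inline so the script runs offline and are assumptions for illustration, not what the JDK assembler files emit.

```python
"""Report the AArch64 BTI/PAC feature bits in an ELF64 .note.gnu.property section."""
import struct
import sys

NT_GNU_PROPERTY_TYPE_0 = 5                  # note type carrying GNU properties
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_BITS = {1 << 0: "BTI", 1 << 1: "PAC"}  # GNU_PROPERTY_AARCH64_FEATURE_1_{BTI,PAC}
EM_AARCH64 = 183


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_notes(section, elfclass64=True):
    """Walk raw .note.gnu.property contents; return the AArch64 FEATURE_1_AND
    bitmask, or None if no such property is present (i.e. the object is not marked)."""
    align = 8 if elfclass64 else 4          # ELF64 pads descriptors and properties to 8
    mask, off = None, 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        off += 12
        name = section[off:off + namesz]
        off = _align(off + namesz, 4)
        desc = section[off:off + descsz]
        off = _align(off + descsz, align)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        d = 0                               # descriptor = array of (pr_type, pr_datasz, pr_data)
        while d + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, d)
            d += 8
            pr_data = desc[d:d + pr_datasz]
            d = _align(d + pr_datasz, align)
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz == 4:
                mask = struct.unpack("<I", pr_data)[0]
    return mask


def feature_names(mask):
    return set() if mask is None else {n for b, n in FEATURE_BITS.items() if mask & b}


def elf_section(data, wanted):
    """Return (e_machine, contents of section `wanted` or None) for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    e_machine, e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[2], hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    so, ss = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
    strtab = data[so:so + ss]
    for sh in shdrs:                        # sh[0]=sh_name, sh[4]=sh_offset, sh[5]=sh_size
        if strtab[sh[0]:strtab.index(b"\0", sh[0])] == wanted:
            return e_machine, data[sh[4]:sh[4] + sh[5]]
    return e_machine, None


def elf_features(data):
    """Feature names for an AArch64 image; None if the image is another architecture."""
    machine, note = elf_section(data, b".note.gnu.property")
    if machine != EM_AARCH64:
        return None
    return feature_names(parse_gnu_property_notes(note)) if note is not None else set()


def link_unit_features(object_masks):
    """Static-linker rule quoted in the PR: a bit survives in the output only if
    every input object sets it; an input with no note at all (None) clears everything."""
    if not object_masks:
        return set()
    mask = sum(FEATURE_BITS)
    for m in object_masks:
        mask &= (m or 0)
    return feature_names(mask)


# Constructed sample data (assumption for illustration, not JDK output).
def build_note_section(mask):
    prop = struct.pack("<IIII", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, mask, 0)  # 4 data + 4 pad
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


def build_minimal_elf(note):
    """ET_DYN ELF64/AArch64 image with sections: null, .note.gnu.property, .shstrtab."""
    shstrtab = b"\0.note.gnu.property\0.shstrtab\0"
    note_off = 64
    str_off = _align(note_off + len(note), 8)
    shoff = _align(str_off + len(shstrtab), 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, EM_AARCH64, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    body = ehdr + note + bytes(str_off - note_off - len(note)) + shstrtab
    body += bytes(shoff - len(body))
    sh = lambda nm, ty, off, sz, al: struct.pack("<IIQQQQIIQQ", nm, ty, 0, 0, off, sz, 0, 0, al, 0)
    return body + sh(0, 0, 0, 0, 0) + sh(1, 7, note_off, len(note), 8) + sh(20, 3, str_off, len(shstrtab), 1)


if __name__ == "__main__":
    for path in sys.argv[1:]:               # e.g. python3 check_bti.py jdk/lib/server/libjvm.so
        with open(path, "rb") as f:
            feats = elf_features(f.read())
        print(path, "not AArch64" if feats is None else (", ".join(sorted(feats)) or "no BTI/PAC bits"))
```

Run it over every `.so` under `jdk/lib`; a library that prints "no BTI/PAC bits" is the libjvm.so case from the description. `link_unit_features` is the reason a single unmarked `.S` object is enough to clear the bit for the whole link unit, which is what `--force-bti` reports as a warning rather than computing silently.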