On Fri, 9 Aug 2024 13:37:54 GMT, Fei Gao <f...@openjdk.org> wrote:

>> This patch enables BTI branch protection for runtime part on Linux/aarch64
>> platform.
>>
>> Motivation
>>
>> 1. Since Fedora 33, glibc+kernel are PAC/BTI enabled by default. User-level
>> packages can gain additional hardening by compiling with the GCC/Clang flag
>> `-mbranch-protection=flag`. See [1].
>>
>> 2. In JDK-8277204 [2], `--enable-branch-protection` was introduced as one VM
>> configure flag, which would pass `-mbranch-protection=standard` compilation
>> flags to all c/c++ files. Note that `standard` turns on both `pac-ret` and
>> `bti` branch protections. For more details about code reuse attacks and
>> hardware-assisted branch protections on AArch64, see [3].
>>
>> However, we checked the `.note.gnu.property` section of all the shared
>> libraries under `jdk/lib` on Fedora 40, and found that only libjvm.so didn't
>> set these two target feature bits:
>>
>>
>> GNU_PROPERTY_AARCH64_FEATURE_1_BTI
>> GNU_PROPERTY_AARCH64_FEATURE_1_PAC
>>
>>
>> Note-1: BTI is an all or nothing property for a link unit [4]. That is,
>> libjvm.so is not BTI-enabled.
>>
>> Note-2: PAC bit in `.note.gnu.property` section is used to protect
>> `.got.plt` table. It's independent of whether the relocatable objects use
>> PAC or not.
>>
>> Goal
>>
>> Hence, this patch aims to set PAC/BTI feature bits of the
>> `.note.gnu.property` section for libjvm.so.
>>
>> Implementation
>>
>> Task-1: find out the problematic input objects
>>
>> From [5], "Static linkers processing ELF relocatable objects must set the
>> feature bit in the output object or image only if all the input objects have
>> the corresponding feature bit set." Hence we suspect that the root cause is
>> probably that the PAC/BTI feature bits are not set only for some input
>> objects of libjvm.so.
>>
>> In order to find out these inputs, we passed `--force-bti` linker flag [4]
>> in my local test. This linker flag would warn if any input object does not
>> have GNU_PROPERTY_AARCH64_FEATURE_1_BTI. We got the following list:
>>
>>
>> src/hotspot/os_cpu/linux_aarch64/atomic_linux_aarch64.S
>> src/hotspot/os_cpu/linux_aarch64/copy_linux_aarch64.S
>> src/hotspot/os_cpu/linux_aarch64/safefetch_linux_aarch64.S
>> src/hotspot/os_cpu/linux_aarch64/threadLS_linux_aarch64.S
>>
>>
>> Task-2: add `.note.gnu.property` section for these assembly files
>>
>> As mentioned in Motivation-2 part, `-mbranch-protection=standard` is passed
>> to compile c/c++ files but these assembly files are missed.
>>
>> In this patch, we also pass `-mbranch-protection=standard` flag to assembler
>> (See the update i...
>
> Fei Gao has updated the pull request with a new target base due to a merge or
> a rebase. The incremental webrev excludes the unrelated changes brought in by
> the merge/rebase. The pull request contains three additional commits since
> the last revision:
>
>  - Clean up makefile
>  - Merge branch 'master' into enable-bti-runtime
>  - 8337536: AArch64: Enable BTI branch protection for runtime part
>
>    This patch enables BTI branch protection for runtime part on
>    Linux/aarch64 platform.
>
>    Motivation
>
>    1. Since Fedora 33, glibc+kernel are PAC/BTI enabled by default.
>    User-level packages can gain additional hardening by compiling with the
>    GCC/Clang flag `-mbranch-protection=flag`. See [1].
>
>    2. In JDK-8277204 [2], `--enable-branch-protection` was introduced as
>    one VM configure flag, which would pass `-mbranch-protection=standard`
>    compilation flags to all c/c++ files. Note that `standard` turns on both
>    `pac-ret` and `bti` branch protections. For more details about code
>    reuse attacks and hardware-assisted branch protections on AArch64, see
>    [3].
>
>    However, we checked the `.note.gnu.property` section of all the shared
>    libraries under `jdk/lib` on Fedora 40, and found that only libjvm.so
>    didn't set these two target feature bits:
>
>    ```
>    GNU_PROPERTY_AARCH64_FEATURE_1_BTI
>    GNU_PROPERTY_AARCH64_FEATURE_1_PAC
>    ```
>
>    Note-1: BTI is an all or nothing property for a link unit [4]. That is,
>    libjvm.so is not BTI-enabled.
>
>    Note-2: PAC bit in `.note.gnu.property` section is used to protect
>    `.got.plt` table. It's independent of whether the relocatable objects
>    use PAC or not.
>
>    Goal
>
>    Hence, this patch aims to set PAC/BTI feature bits of the
>    `.note.gnu.property` section for libjvm.so.
>
>    Implementation
>
>    Task-1: find out the problematic input objects
>
>    From [5], "Static linkers processing ELF relocatable objects must set
>    the feature bit in the output object or image only if all the input
>    objects have the corresponding feature bit set." Hence we suspect that
>    the root cause is probably that the PAC/BTI feature bits are not set
>    only for some input objects of libjvm.so.
>
>    In order to find out these inputs, we passed `--force-bti` linker flag
>    [4] in my local test. This linker flag would warn if any input object
>    does not have GNU_PROPERTY_AARCH64_FEATURE_1_BTI. We got the following
>    list:
>
>    ```
>    src/hotspot/os_cpu/linux_aarch64/atomic_linux_aarch64.S
> ...

Build changes look good.

-------------

Marked as reviewed by erikj (Reviewer).

PR Review: https://git.openjdk.org/jdk/pull/20491#pullrequestreview-2230834719
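
Added example (not part of the original mail or of the OpenJDK sources): a small checker that decodes the AArch64 feature bits from the raw bytes of a `.note.gnu.property` section and applies the "all inputs must set the bit" linker rule quoted above, so it shows how one unmarked assembly object clears BTI/PAC for the whole link unit. The object names and section bytes are constructed; ELF64 little-endian layout is assumed.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_BITS = {"BTI": 1 << 0, "PAC": 1 << 1}

def _pad(n, align):
    return (n + align - 1) & ~(align - 1)

def feature_1_and(section: bytes) -> int:
    """Return the FEATURE_1_AND bitmask found in raw .note.gnu.property bytes."""
    off, mask = 0, 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name = section[off + 12: off + 12 + namesz]
        desc_off = off + 12 + _pad(namesz, 4)
        desc = section[desc_off: desc_off + descsz]
        if len(desc) < descsz:
            raise ValueError("truncated note descriptor")
        p = 0
        is_gnu_prop = ntype == NT_GNU_PROPERTY_TYPE_0 and name == b"GNU\0"
        while is_gnu_prop and p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            if p + 8 + pr_datasz > len(desc):
                raise ValueError("truncated property")
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz == 4:
                mask |= struct.unpack_from("<I", desc, p + 8)[0]
            p += 8 + _pad(pr_datasz, 8)      # properties are 8-byte aligned in ELF64
        off = desc_off + _pad(descsz, 8)
    return mask

def link_result(inputs: dict) -> tuple:
    """Features that survive the link (set in every input), and inputs lacking BTI."""
    masks = {name: feature_1_and(sec) for name, sec in inputs.items()}
    kept = sorted(k for k, bit in FEATURE_BITS.items()
                  if all(m & bit for m in masks.values()))
    missing_bti = sorted(n for n, m in masks.items() if not m & FEATURE_BITS["BTI"])
    return kept, missing_bti

def make_note(mask: int) -> bytes:
    """Constructed sample: one GNU property note carrying FEATURE_1_AND = mask."""
    desc = struct.pack("<III", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, mask) + b"\0" * 4
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc

# Constructed inputs: names are illustrative; an empty section models an
# assembly object built without -mbranch-protection=standard.
BEFORE = {"example_cpp_unit.o": make_note(3), "atomic_linux_aarch64.o": b""}
AFTER = {"example_cpp_unit.o": make_note(3), "atomic_linux_aarch64.o": make_note(3)}

if __name__ == "__main__":
    for label, objs in (("before", BEFORE), ("after", AFTER)):
        print(label, link_result(objs))
```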