Package: dpkg-dev
Version: 1.19.7
Severity: wishlist
Tags: patch

As discussed in the below-linked thread on dpkg-dev, we should enable PAC and BTI on arm64 as a standard hardening flag.
https://lists.debian.org/debian-dpkg/2022/05/msg00022.html
Attached is Guillem's proposed patch which does the trick, updated for current dpkg (I opened this bug file in June, but forgot to actually press send, so now updated for the current 1.21.9). Despite this delay, I hope we can have this in for bookworm.

-- Wookey
diff -Nru dpkg-1.21.9/debian/changelog dpkg-1.21.9+1/debian/changelog --- dpkg-1.21.9/debian/changelog 2022-07-01 09:25:58.000000000 +0000 +++ dpkg-1.21.9+1/debian/changelog 2022-10-04 15:28:43.000000000 +0000 @@ -1,3 +1,9 @@ +dpkg (1.21.9+1) unstable; urgency=medium + + * Add 'branch' hardening support for amd64 and arm64 + + -- Wookey <woo...@debian.org> Tue, 04 Oct 2022 16:28:43 +0100 + dpkg (1.21.9) unstable; urgency=medium [ Guillem Jover ] diff -Nru dpkg-1.21.9/scripts/Dpkg/Vendor/Debian.pm dpkg-1.21.9+1/scripts/Dpkg/Vendor/Debian.pm --- dpkg-1.21.9/scripts/Dpkg/Vendor/Debian.pm 2022-06-30 23:46:56.000000000 +0000 +++ dpkg-1.21.9+1/scripts/Dpkg/Vendor/Debian.pm 2022-10-04 15:13:28.000000000 +0000 @@ -129,6 +129,7 @@ format => 1, relro => 1, bindnow => 0, + branch => 1, }, ); @@ -364,6 +365,11 @@ # relro not implemented on ia64, hppa, avr32. $use_feature{hardening}{relro} = 0; } + if ($cpu !~ /^(?:amd64|arm64)$/) { + # On amd64 use -fcf-protection. + # On arm64 use -mbranch-protection=standard. + $use_feature{hardening}{branch} = 0; + } # Mask features that might be influenced by other flags. if ($opts_build->has('noopt')) { @@ -430,6 +436,17 @@ $flags->append('LDFLAGS', '-Wl,-z,now'); } + # Branch protection + if ($use_feature{hardening}{branch}) { + my $flag; + if ($cpu eq 'arm64') { + $flag = '-mbranch-protection=standard'; + } elsif ($cpu eq 'amd64') { + $flag = '-fcf-protection'; + } + $flags->append($_, $flag) foreach @compile_flags; + } + ## Commit # Set used features to their builtin setting if unset. diff -Nru dpkg-1.21.9/scripts/t/Dpkg_BuildFlags.t dpkg-1.21.9+1/scripts/t/Dpkg_BuildFlags.t --- dpkg-1.21.9/scripts/t/Dpkg_BuildFlags.t 2022-06-18 17:57:44.000000000 +0000 +++ dpkg-1.21.9+1/scripts/t/Dpkg_BuildFlags.t 2022-10-04 15:28:06.000000000 +0000 @@ -55,6 +55,7 @@ ) ], hardening => [ qw( bindnow + branch format fortify pie
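Review bot: enabling `branch => 1` by default in the Debian vendor hook (the `@@ -129,6 +129,7 @@` hunk) is not accompanied by any documentation change; dpkg-buildflags(1) describes every hardening feature and how maintainers opt out with `-feature` in DEB_BUILD_MAINT_OPTIONS, so the patch should add a `branch` entry there stating that it expands to `-fcf-protection` on amd64 and `-mbranch-protection=standard` on arm64 and is a no-op elsewhere. Without that, `hardening=-branch` is an undocumented knob.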
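Review bot: in the `@@ -364,6 +365,11 @@` hunk the comments `# On amd64 use -fcf-protection.` and `# On arm64 use -mbranch-protection=standard.` describe what happens when the feature is enabled, but they sit inside the `if ($cpu !~ /^(?:amd64|arm64)$/)` block whose only effect is to disable it, which reads oddly next to the neighbouring masks (`# relro not implemented on ia64, hppa, avr32.`). Suggest following that style here, e.g. `# Branch protection only implemented on amd64 and arm64.`, and keeping the per-flag comments with the code that emits the flags further down.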
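Review bot: in the `@@ -430,6 +436,17 @@` hunk `$flag` stays undefined when `$use_feature{hardening}{branch}` is true on a `$cpu` other than arm64 or amd64, and `$flags->append($_, $flag) foreach @compile_flags;` would then append `undef` to every compile-flags variable. Today the mask in the earlier hunk makes that unreachable, but the emission code should not depend on a check 70 lines away: either fold the architecture test into the `if`, or add an `else` branch that leaves the flag unset and skips the append. It is also worth recording in the commit message that `-fcf-protection` needs GCC 8 or later and `-mbranch-protection` GCC 9 or later, so the default is only safe with the toolchain Debian currently ships.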
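Review bot: the Dpkg_BuildFlags.t hunk only registers `branch` in the list of known hardening feature names (correctly sorted after `bindnow`); nothing asserts which flag is actually emitted per architecture. Consider adding a case that checks `-fcf-protection` appears in CFLAGS for amd64 and `-mbranch-protection=standard` for arm64, and that neither appears for another architecture, so the amd64/arm64 split in Debian.pm is covered by the test suite rather than only by inspection.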
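Once the `branch` feature is in dpkg-buildflags, the question a package maintainer will ask is whether a built binary actually ended up marked: GCC records `-mbranch-protection=standard` as the BTI and PAC bits, and `-fcf-protection` as the IBT and SHSTK bits, in the ELF `.note.gnu.property` section, and GNU ld only marks the linked output when every input object is marked, so one unmarked object (hand-written assembly, a vendored blob built with different flags) silently drops the protection for the whole executable. `readelf -n` shows the same note; the script below is an added example for scanning many binaries, written for this page and not part of the bug report or of dpkg. The constants come from elf.h; the `build_property_note` fixture is constructed here only to exercise the parser offline.

```python
"""
Report which branch-protection markers an ELF file carries in its
.note.gnu.property section: BTI/PAC on AArch64 (-mbranch-protection=standard)
and IBT/SHSTK on x86 (-fcf-protection). Scriptable equivalent of `readelf -n`.
"""
import struct
import sys

NT_GNU_PROPERTY_TYPE_0 = 5                       # note type of .note.gnu.property
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000  # pr_type for AArch64 features (elf.h)
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002      # pr_type for x86 features (elf.h)
FEATURE_BITS = {                                 # feature bit -> name, from elf.h
    GNU_PROPERTY_AARCH64_FEATURE_1_AND: {1 << 0: "BTI", 1 << 1: "PAC"},
    GNU_PROPERTY_X86_FEATURE_1_AND: {1 << 0: "IBT", 1 << 1: "SHSTK"},
}


def _round_up(n, align):
    return (n + align - 1) & ~(align - 1)


def parse_property_notes(section, elf64=True, little=True):
    """Walk every note in a .note.gnu.property section; return the feature names found."""
    end = "<" if little else ">"
    word = 8 if elf64 else 4          # property entries and note descs pad to the ELF word
    found = set()
    pos = 0
    while pos + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from(end + "III", section, pos)
        name_start = pos + 12
        desc_start = name_start + _round_up(namesz, 4)   # note names are 4-byte aligned
        desc = section[desc_start:desc_start + descsz]
        pos = desc_start + _round_up(descsz, word)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or section[name_start:name_start + namesz] != b"GNU\0":
            continue                   # some other note type sharing the section; skip it
        off = 0
        while off + 8 <= len(desc):    # desc is an array of (pr_type, pr_datasz, pr_data[])
            pr_type, pr_datasz = struct.unpack_from(end + "II", desc, off)
            data = desc[off + 8:off + 8 + pr_datasz]
            off += 8 + _round_up(pr_datasz, word)
            bits = FEATURE_BITS.get(pr_type)
            if bits is not None and pr_datasz == 4:
                value, = struct.unpack(end + "I", data)
                found |= {name for bit, name in bits.items() if value & bit}
    return found


def branch_protection_markers(path):
    """Locate .note.gnu.property in an ELF file on disk and return its feature names."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:4] != b"\x7fELF":
        raise ValueError(f"{path}: not an ELF file")
    elf64, little = data[4] == 2, data[5] == 1
    end = "<" if little else ">"
    if elf64:   # e_shoff at 0x28; e_shentsize/e_shnum/e_shstrndx at 0x3A
        shoff, = struct.unpack_from(end + "Q", data, 0x28)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 0x3A)
    else:       # e_shoff at 0x20; e_shentsize/e_shnum/e_shstrndx at 0x2E
        shoff, = struct.unpack_from(end + "I", data, 0x20)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 0x2E)

    def shdr(index):                   # -> (sh_name, sh_offset, sh_size)
        base = shoff + index * shentsize
        sh_name, = struct.unpack_from(end + "I", data, base)
        if elf64:
            return (sh_name,) + struct.unpack_from(end + "QQ", data, base + 24)
        return (sh_name,) + struct.unpack_from(end + "II", data, base + 16)

    _, stroff, strsize = shdr(shstrndx)
    shstrtab = data[stroff:stroff + strsize]
    found = set()
    for i in range(shnum):             # a stripped section table yields an empty set
        sh_name, off, size = shdr(i)
        name = shstrtab[sh_name:shstrtab.index(b"\0", sh_name)]
        if name == b".note.gnu.property":
            found |= parse_property_notes(data[off:off + size], elf64, little)
    return found


def build_property_note(pr_type, value, elf64=True, little=True):
    """Constructed test fixture: one GNU property note holding a single FEATURE_1_AND word."""
    end = "<" if little else ">"
    word = 8 if elf64 else 4
    prop = struct.pack(end + "III", pr_type, 4, value)
    prop += b"\0" * (-len(prop) % word)          # pr_data padded to the ELF word size
    return struct.pack(end + "III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


if __name__ == "__main__":
    for path in sys.argv[1:]:
        markers = branch_protection_markers(path)
        print(f"{path}: {', '.join(sorted(markers)) or 'no branch-protection markers'}")
```

Run it as `python3 check_branch_protection.py debian/pkg/usr/bin/*` over a built package tree; an arm64 binary built with the new default should report `BTI, PAC`, an amd64 one `IBT, SHSTK`, and an empty result on those architectures points at an object that was compiled without the flag.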