Hello,
The attached is my attempt to enable PAC/BTI[1] support for AArch64. As the Nettle assembly files only define leaf functions (i.e., no subroutine calls with LR/SP save/restore), PAC is not applicable and thus only BTI is enabled for now.
To test, I used the mock[2] environment with the fedora-40-aarch64 configuration:
  $ mock -r fedora-40-aarch64 --init
  <mock-chroot> sh-5.2# ./.bootstrap
  <mock-chroot> sh-5.2# ./configure --disable-documentation CFLAGS="-mbranch-protection=standard"
  <mock-chroot> sh-5.2# make -j$(nproc)
  <mock-chroot> sh-5.2# readelf -n libnettle.so

  Displaying notes found in: .note.gnu.property
    Owner                Data size        Description
    GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
        Properties: AArch64 feature: BTI, PAC
  ...
Regards,
Footnotes:
[1] https://wiki.debian.org/ToolChain/PACBTI
[2] https://fedoraproject.org/wiki/Using_Mock_to_test_package_builds
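An added example, not part of the original mail or of Nettle: a parser for the raw `.note.gnu.property` bytes that `readelf -n` summarises above, so the BTI/PAC bits can be asserted in a test script. The numeric constants come from the GNU property ABI rather than from this thread, and `make_note` builds a constructed sample.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_BITS = {0x1: "BTI", 0x2: "PAC"}

def aarch64_features(section: bytes) -> set:
    """Feature names recorded in raw little-endian ELF64 .note.gnu.property bytes."""
    found, pos = set(), 0
    while pos + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<3I", section, pos)
        pos += 12
        name = section[pos:pos + namesz]
        pos += (namesz + 3) & ~3               # name is padded to 4 bytes
        desc = section[pos:pos + descsz]
        if len(desc) != descsz:
            raise ValueError("truncated note descriptor")
        pos += (descsz + 7) & ~7               # ELF64 property notes are 8-byte aligned
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        p = 0
        while p + 8 <= len(desc):              # walk the property array
            pr_type, pr_datasz = struct.unpack_from("<2I", desc, p)
            data = desc[p + 8:p + 8 + pr_datasz]
            p += 8 + ((pr_datasz + 7) & ~7)
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and len(data) >= 4:
                (bits,) = struct.unpack_from("<I", data)
                found |= {n for b, n in FEATURE_BITS.items() if bits & b}
    return found

def missing_features(section: bytes, required=("BTI",)) -> set:
    """Required features the note does not advertise (empty set means pass)."""
    return set(required) - aarch64_features(section)

def make_note(bits: int) -> bytes:
    """Constructed sample: one 0x10-byte GNU property descriptor, as in the output above."""
    desc = struct.pack("<3I4x", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, bits)
    return struct.pack("<3I4s", 4, len(desc), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + desc

if __name__ == "__main__":
    print(sorted(aarch64_features(make_note(0x3))))
    print(missing_features(make_note(0x2)))
```

The section bytes can be extracted with `objcopy -O binary --only-section=.note.gnu.property libnettle.so note.bin` (the output file name is an assumption); the linker ANDs this property across all input objects, so a single assembly file without the note clears BTI for the whole library.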
On 7/15/24 3:21 AM, Daiki Ueno wrote:
> Hello,
> The attached is my attempt to enable PAC/BTI[1] support for AArch64. As the Nettle assembly files only define leaf functions (i.e., no subroutine calls with LR/SP save/restore), PAC is not applicable and thus only BTI is enabled for now.
> To test, I used the mock[2] environment with the fedora-40-aarch64 configuration:
>   $ mock -r fedora-40-aarch64 --init
>   <mock-chroot> sh-5.2# ./.bootstrap
>   <mock-chroot> sh-5.2# ./configure --disable-documentation CFLAGS="-mbranch-protection=standard"
>   <mock-chroot> sh-5.2# make -j$(nproc)
>   <mock-chroot> sh-5.2# readelf -n libnettle.so
>
>   Displaying notes found in: .note.gnu.property
>     Owner                Data size        Description
>     GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
>         Properties: AArch64 feature: BTI, PAC
>   ...
> Regards,
Besides just ensuring the gnu notes display the right bits, how was this tested?
FYI I am sitting on some patches for this I need to upstream, but I am waiting on access to an email server that won't mangle my patch.
> Footnotes:
> [1] https://wiki.debian.org/ToolChain/PACBTI
> [2] https://fedoraproject.org/wiki/Using_Mock_to_test_package_builds
nettle-bugs mailing list -- nettle-bugs@lists.lysator.liu.se To unsubscribe send an email to nettle-bugs-leave@lists.lysator.liu.se
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Bill Roberts <bill.roberts@arm.com> writes:
> Besides just ensuring the gnu notes display the right bits, how was this tested?
For testing, maybe one could do something similar to https://git.lysator.liu.se/nettle/nettle/-/blob/master/testsuite/x86-ibt-tes... ?
Regards,
/Niels
On 7/15/24 12:05 PM, Niels Möller wrote:
> Bill Roberts <bill.roberts@arm.com> writes:
>> Besides just ensuring the gnu notes display the right bits, how was this tested?
> For testing, maybe one could do something similar to https://git.lysator.liu.se/nettle/nettle/-/blob/master/testsuite/x86-ibt-tes...
I've been doing a bunch of these, and my testing has been just running the existing test suite, built with BTI support on a BTI enabled system. I did look more closely at the labels and all the branches are direct so they don't need bti landing pads. I can test your patch and report back, so really outside of testing I think my only suggestion is to swap the bti c with the hint instruction. Apologies for the disclaimer previously, I forgot our server appends that.
> Regards,
> /Niels
On 7/15/24 2:08 PM, Bill Roberts wrote:
> On 7/15/24 12:05 PM, Niels Möller wrote:
>> Bill Roberts <bill.roberts@arm.com> writes:
>>> Besides just ensuring the gnu notes display the right bits, how was this tested?
>> For testing, maybe one could do something similar to https://git.lysator.liu.se/nettle/nettle/-/blob/master/testsuite/x86-ibt-tes...
> I've been doing a bunch of these, and my testing has been just running the existing test suite, built with BTI support on a BTI enabled system. I did look more closely at the labels and all the branches are direct so they don't need bti landing pads. I can test your patch and report back, so really outside of testing I think my only suggestion is to swap the bti c with the hint instruction. Apologies for the disclaimer previously, I forgot our server appends that.
Your patch failed to apply:
  git am 0001-build-Support-PACBTI-in-AArch64-assembly.patch
  Applying: build: Support PACBTI in AArch64 assembly
  error: patch failed: configure.ac:1041
  error: configure.ac: patch does not apply
  Patch failed at 0001 build: Support PACBTI in AArch64 assembly

on HEAD:
---
git log -1 --format=email
From 775d6adb77a885616ef3a9fcbc4c087cad129f3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Tue, 21 Feb 2023 07:53:18 +0100
Subject: [PATCH] Add link to puthon bindings.
---
My tree is clean.
Do you have this on a remote I can pull from?
>> Regards,
>> /Niels
Bill Roberts <bill.roberts@arm.com> writes:
> Do you have this on a remote I can pull from?
I've filed an MR at: https://git.lysator.liu.se/nettle/nettle/-/merge_requests/65
Regards,
On 7/17/24 7:15 PM, Daiki Ueno wrote:
> Bill Roberts <bill.roberts@arm.com> writes:
>> Do you have this on a remote I can pull from?
> I've filed an MR at: https://git.lysator.liu.se/nettle/nettle/-/merge_requests/65
I left my feedback there. Also, for those curious, I have a remote, https://github.com/billatarm/nettle/pull/1, if anyone wants to pull anything from that. I currently don't have access to a mail server that won't mangle things; I could try attaching them. If I could fork nettle on that gitlab instance I could submit a PR through that interface as well.
The patch is functional, I tested it on a BTI and PAC enabled machine. Find my comments in the PR.
Regards,
Looks like the patch was attached instead of in the body of the mail, but my comments are as follows:
ASM_ARM64_PROPERTY_BTI=1 ASM_ARM64_BTI_C="bti c"
Don't use "bti c" or any of the bti and pac instructions on Linux. Instead use the hint space mnemonics so older tool chains can still assemble the code. I have added the relevant bti ones below for your reference.
  bti c is hint 34
  bti j is hint 36
I didn't see jump targets annotated with bti j? Are you sure you tested this on a machine with bti enabled?
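An added example, not from the thread or from Nettle: the hint-space encodings behind the review comment above, plus a check that given entry points begin with a landing pad. Hint numbers 34 and 36 are the ones quoted in the mail; 38 (bti jc), 25 (paciasp), 27 (pacibsp), the `ret` word and the offsets are added here, and the sample bytes are constructed.

```python
import struct

HINT_BASE = 0xD503201F          # A64 `hint #0` (nop); the 7-bit immediate sits in bits 11:5

def hint_word(imm: int) -> int:
    """Encoding of `hint #imm`, which every AArch64 assembler accepts."""
    if not 0 <= imm <= 127:
        raise ValueError("hint immediate is 7 bits")
    return HINT_BASE | (imm << 5)

# 34 and 36 are quoted in the review; 38, 25 and 27 are added from the architecture.
# paciasp/pacibsp also serve as call landing pads.
PADS = {hint_word(34): "c", hint_word(36): "j", hint_word(38): "jc",
        hint_word(25): "c", hint_word(27): "c"}

def landing_pad(code: bytes, offset: int):
    """Return 'c', 'j', 'jc' or None for the instruction at `offset`."""
    if offset % 4 or offset + 4 > len(code):
        raise ValueError("offset is not a valid instruction boundary")
    (word,) = struct.unpack_from("<I", code, offset)
    return PADS.get(word)

def unguarded(code: bytes, targets: dict) -> list:
    """targets maps offset -> 'call' or 'jump'; return offsets lacking a suitable pad.

    Simplification: a jump through x16/x17 may also land on a 'c' pad; not modelled.
    """
    need = {"call": ("c", "jc"), "jump": ("j", "jc")}
    return sorted(off for off, kind in targets.items()
                  if landing_pad(code, off) not in need[kind])

# Constructed sample: offset 0x00 starts with hint #34, 0x08 with a bare `ret`,
# and an indirect-jump target at 0x10 starts with hint #36.
RET = 0xD65F03C0
SAMPLE = struct.pack("<6I", hint_word(34), RET, RET, RET, hint_word(36), RET)
SAMPLE_TARGETS = {0x00: "call", 0x08: "call", 0x10: "jump"}

if __name__ == "__main__":
    print([hex(off) for off in unguarded(SAMPLE, SAMPLE_TARGETS)])
```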