* [PATCH] gcc: enable branch protection by standard
From: Ross Burton @ 2021-05-20 17:15 UTC
  To: openembedded-core

Pass --enable-standard-branch-protection.  This is an aarch64-specific
option (currently) which does nothing on other targets.  On aarch64 this
generates code that uses BTI/PAC instructions to mitigate Return Orientated
Programming attacks.  This approach is backwards compatible and the code
size/performance impact is typically negligible.

More details can be found at
https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-devtools/gcc/gcc-configure-common.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-devtools/gcc/gcc-configure-common.inc b/meta/recipes-devtools/gcc/gcc-configure-common.inc
index a64c4caf00..dc7f458b25 100644
--- a/meta/recipes-devtools/gcc/gcc-configure-common.inc
+++ b/meta/recipes-devtools/gcc/gcc-configure-common.inc
@@ -40,6 +40,7 @@ EXTRA_OECONF = "\
     ${@get_gcc_mips_plt_setting(bb, d)} \
     ${@get_gcc_ppc_plt_settings(bb, d)} \
     ${@get_gcc_multiarch_setting(bb, d)} \
+	--enable-standard-branch-protection \
 "
 
 # glibc version is a minimum controlling whether features are enabled. 
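Review bot: the added `--enable-standard-branch-protection \` line is indented with a tab while the neighbouring `${@get_gcc_*_setting(bb, d)}` lines in EXTRA_OECONF use four spaces; please match the existing indentation. It would also help to record, in a comment next to the line or in the commit message, the minimum gcc version whose configure script understands this switch, since this is gcc-configure-common.inc and the option is passed unconditionally for every target.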
-- 
2.25.1



* Re: [OE-core] [PATCH] gcc: enable branch protection by standard
From: Khem Raj @ 2021-05-20 18:12 UTC
  To: Ross Burton, openembedded-core



On 5/20/21 10:15 AM, Ross Burton wrote:
> Pass --enable-standard-branch-protection.  This is an aarch64-specific
> option (currently) which does nothing on other targets.  On aarch64 this
> generates code that uses BTI/PAC instructions to mitigate Return Orientated
> Programming attacks.  This approach is backwards compatible and the code
> size/performance impact is typically negligible.
> 
> More details can be found at
> https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf
> 
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
>   meta/recipes-devtools/gcc/gcc-configure-common.inc | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/meta/recipes-devtools/gcc/gcc-configure-common.inc b/meta/recipes-devtools/gcc/gcc-configure-common.inc
> index a64c4caf00..dc7f458b25 100644
> --- a/meta/recipes-devtools/gcc/gcc-configure-common.inc
> +++ b/meta/recipes-devtools/gcc/gcc-configure-common.inc
> @@ -40,6 +40,7 @@ EXTRA_OECONF = "\
>       ${@get_gcc_mips_plt_setting(bb, d)} \
>       ${@get_gcc_ppc_plt_settings(bb, d)} \
>       ${@get_gcc_multiarch_setting(bb, d)} \
> +	--enable-standard-branch-protection \
>   "
>  

lgtm


>   # glibc version is a minimum controlling whether features are enabled.


* Re: [OE-core] [PATCH] gcc: enable branch protection by standard
From: Mikko Rapeli @ 2021-05-21  6:12 UTC
  To: ross; +Cc: openembedded-core

Hi,

On Thu, May 20, 2021 at 06:15:11PM +0100, Ross Burton wrote:
> Pass --enable-standard-branch-protection.  This is an aarch64-specific
> option (currently) which does nothing on other targets.  On aarch64 this
> generates code that uses BTI/PAC instructions to mitigate Return Orientated
> Programming attacks.  This approach is backwards compatible and the code
> size/performance impact is typically negligible.
> 
> More details can be found at
> https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf

Do you recommend this for dunfell and other stable releases? Any requirements
on the gcc version? What about clang?

Cheers,

-Mikko

> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
>  meta/recipes-devtools/gcc/gcc-configure-common.inc | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/meta/recipes-devtools/gcc/gcc-configure-common.inc b/meta/recipes-devtools/gcc/gcc-configure-common.inc
> index a64c4caf00..dc7f458b25 100644
> --- a/meta/recipes-devtools/gcc/gcc-configure-common.inc
> +++ b/meta/recipes-devtools/gcc/gcc-configure-common.inc
> @@ -40,6 +40,7 @@ EXTRA_OECONF = "\
>      ${@get_gcc_mips_plt_setting(bb, d)} \
>      ${@get_gcc_ppc_plt_settings(bb, d)} \
>      ${@get_gcc_multiarch_setting(bb, d)} \
> +	--enable-standard-branch-protection \
>  "
>
>  # glibc version is a minimum controlling whether features are enabled. 
> -- 
> 2.25.1
> 



* Re: [OE-core] [PATCH] gcc: enable branch protection by standard
From: Khem Raj @ 2021-05-21  7:33 UTC
  To: Mikko Rapeli, ross; +Cc: openembedded-core



On 5/20/21 11:12 PM, Mikko Rapeli wrote:
> Hi,
> 
> On Thu, May 20, 2021 at 06:15:11PM +0100, Ross Burton wrote:
>> Pass --enable-standard-branch-protection.  This is an aarch64-specific
>> option (currently) which does nothing on other targets.  On aarch64 this
>> generates code that uses BTI/PAC instructions to mitigate Return Orientated
>> Programming attacks.  This approach is backwards compatible and the code
>> size/performance impact is typically negligible.
>>
>> More details can be found at
>> https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf
> 
> Do you recommend this for dunfell and other stable releases? Any requirements
> to gcc version? What about clang?

it can be backported to dunfell, but I would not recommend it unless we
run the whole set of testing.

clang does not have a convenient configure switch like gcc, so you bring
up a good point: if we added this via cmdline options instead, via
SECURITY_CFLAGS, then it will work homogeneously across clang and gcc.
Perhaps that might be a better approach, as it will also extend to other
prebuilt toolchains which may support this option but aren't configured
to default to them.

Ross, some thought might be needed.


> 
> Cheers,
> 
> -Mikko
> 
>> Signed-off-by: Ross Burton <ross.burton@arm.com>
>> ---
>>   meta/recipes-devtools/gcc/gcc-configure-common.inc | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/meta/recipes-devtools/gcc/gcc-configure-common.inc b/meta/recipes-devtools/gcc/gcc-configure-common.inc
>> index a64c4caf00..dc7f458b25 100644
>> --- a/meta/recipes-devtools/gcc/gcc-configure-common.inc
>> +++ b/meta/recipes-devtools/gcc/gcc-configure-common.inc
>> @@ -40,6 +40,7 @@ EXTRA_OECONF = "\
>>       ${@get_gcc_mips_plt_setting(bb, d)} \
>>       ${@get_gcc_ppc_plt_settings(bb, d)} \
>>       ${@get_gcc_multiarch_setting(bb, d)} \
>> +	--enable-standard-branch-protection \
>>   "
>>   
>>   # glibc version is a minimum controlling whether features are enabled.
>> -- 
>> 2.25.1
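A defender's check that the flag actually reached the shipped binaries, whichever way it is enabled (gcc's configure default from the patch, or -mbranch-protection=standard in SECURITY_CFLAGS as Khem suggests): an added example, not code from the patch or from OE-core, that parses an ELF .note.gnu.property section and reports the BTI and PAC bits of the GNU_PROPERTY_AARCH64_FEATURE_1_AND property, which the linker sets only when every input object was built with branch protection. The note blobs are constructed inside the script; extracting the real section bytes from a binary (with readelf or pyelftools) is assumed and not shown.

```python
"""Constructed check for AArch64 BTI/PAC markers in an ELF .note.gnu.property blob."""
import struct

NT_GNU_PROPERTY_TYPE_0 = 5                       # note type carrying GNU program properties
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000  # pr_type of the AArch64 feature bitmask
FEATURE_1_BTI = 1 << 0                           # all code is BTI-compatible
FEATURE_1_PAC = 1 << 1                           # return addresses are PAC-signed


def parse_aarch64_feature_1(note: bytes) -> int:
    """Return the FEATURE_1_AND bitmask from a raw little-endian ELF64
    .note.gnu.property section, or 0 when no such property is present."""
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += (namesz + 3) & ~3                  # name is padded to 4 bytes
        desc = note[off:off + descsz]
        off += (descsz + 7) & ~7                  # desc is padded to 8 bytes on ELF64
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        p = 0                                     # desc holds (pr_type, pr_datasz, data) entries
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            data = desc[p:p + pr_datasz]
            p += (pr_datasz + 7) & ~7             # each entry is padded to 8 bytes on ELF64
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz == 4:
                return struct.unpack("<I", data)[0]
    return 0


def branch_protection_status(note: bytes) -> dict:
    """Report whether the linked output is marked BTI-enabled and PAC-signed."""
    bits = parse_aarch64_feature_1(note)
    return {"bti": bool(bits & FEATURE_1_BTI), "pac": bool(bits & FEATURE_1_PAC)}


def make_property_note(feature_bits: int) -> bytes:
    """Build a constructed .note.gnu.property blob with a single FEATURE_1_AND
    property, laid out as the linker emits it (12-byte header, "GNU" name, desc)."""
    desc = struct.pack("<III", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, feature_bits) + b"\0" * 4
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc


# Constructed sample inputs, not bytes taken from a real binary.
PROTECTED_NOTE = make_property_note(FEATURE_1_BTI | FEATURE_1_PAC)  # every object had BTI+PAC
UNPROTECTED_NOTE = make_property_note(0)  # property present, but some object lacked protection
MISSING_NOTE = b""                        # section absent: old toolchain or no marking at all
```

An unprotected or missing result on an aarch64 image built with this patch means some object (often prebuilt or assembly code) was compiled without branch protection, and the AND semantics of the property drop the marking for the whole output.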

