Bug#1057469: gcc-12: Please build with -mbranch-protection=standard to enable PAC/BTI support on arm64
Package: gcc-12
Version: 12.3.0-12
X-Debbugs-Cc: debian-arm@lists.debian.org, debian-glibc@lists.debian.org
Dear Maintainer,
PAC/BTI is a useful Arm security feature, see this recent presentation
at the Cambridge Mini Debconf for all details: [0]
In order to properly support PAC/BTI in Debian we need to enable support
in both GCC and glibc. An executable is marked as BTI compatible only if
all the execution units of the program are BTI compatible. See pages
10-11 on the presentation slides. [1]
I have filed https://bugs.debian.org/1055711 already for gcc-13, which
is the default compiler in sid. However, it's important to enable the
switch on gcc-12 as well because:
a) glibc is currently built with gcc-12, see thread at [2]. The compiler
building glibc needs to have the feature turned on
b) there are multiple programs in Debian still using GCC 12
c) more generally it would be great for GCC 12 users to also get the
feature :-)
See attached patch.
Thanks!
Emanuele
[0] https://wiki.debian.org/DebianEvents/gb/2023/MiniDebConfCambridge/Capper
[1] https://wiki.debian.org/DebianEvents/gb/2023/MiniDebConfCambridge/Capper?action=AttachFile&do=view&target=miniconf-2023-PAC-and-BTI.pdf
[2] https://lists.debian.org/debian-glibc/2023/11/msg00032.html
diff -Nru gcc-12-12.3.0/debian/rules2 gcc-12-12.3.0/debian/rules2
--- gcc-12-12.3.0/debian/rules2 2023-12-03 15:44:44.000000000 +0100
+++ gcc-12-12.3.0/debian/rules2 2023-12-05 14:11:39.000000000 +0100
@@ -195,6 +195,11 @@
STAGE1_LDFLAGS =
endif
+ifeq ($(DEB_TARGET_ARCH),arm64)
+ CFLAGS += -mbranch-protection=standard
+ CXXFLAGS += -mbranch-protection=standard
+endif
+
# set CFLAGS/LDFLAGS for the configure step only, maybe be modifed for some target
# all other flags are passed to the make step.
pass_vars = $(foreach v,$(1),$(if $($(v)),$(v)="$($(v))"))
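Review bot: The new `ifeq ($(DEB_TARGET_ARCH),arm64)` block tests the target architecture but appends to the generic `CFLAGS` and `CXXFLAGS`. If those variables are also used for objects built for the build or host machine, a cross-compiler build with an arm64 target on a non-arm64 host would pass `-mbranch-protection=standard` to a compiler that may reject it. Consider also checking the host architecture, or putting the option in a target-specific flags variable. The context comment right below says CFLAGS/LDFLAGS are set for the configure step only, so it is worth confirming that the flag actually reaches the make step that builds the target runtime libraries, which is what the BTI marking of linked executables depends on. A one-line comment above the block naming the bug number and the reason (PAC/BTI on arm64) would help later readers of rules2.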