[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1021292: dpkg-buildflags: Please add support for pointer authentication on arm64

Package: dpkg-dev
Followup-For: Bug #1021292
X-Debbugs-Cc: wookey@wookware.org, debian-devel@lists.debian.org

> We decided that the best thing to do was create a new hardening flags
> feature called 'branch' to add to the existing set. This enables
> -mbranch-protection=standard on arm64, and
> -fcf-protection on amd64

After reading various threads (such as this[1] Xen thread, and from there a
related[2] Linux kernel thread) about fcf-protection:

Could we consider ensuring NOTRACK_EN=0 and -fno-jump-tables if-and-when making
this change?

(I'm not sure yet, but the CET 'notrack' instruction seems unusual to me, and
although I hope to find out and become convinced that it's safe and worthwhile,
it seems like a potential loophole in the safety that CET could offer.  my
understanding is that it's intended to allow certain limited callsites to
invoke functions that do not begin with branch-target (endbr64) instructions)

[1] - https://lists.xenproject.org/archives/html/xen-devel/2022-03/msg00522.html

[2] - https://lkml.org/lkml/2022/3/7/1068

Reply to: