
Bug#1021292: dpkg-buildflags: Please add support for pointer authentication on arm64



Package: dpkg-dev
Followup-For: Bug #1021292
X-Debbugs-Cc: wookey@wookware.org, debian-devel@lists.debian.org

> We decided that the best thing to do was create a new hardening flags
> feature called 'branch' to add to the existing set. This enables
> -mbranch-protection=standard on arm64, and
> -fcf-protection on amd64

After reading various threads (such as this[1] Xen thread, and from there a
related[2] Linux kernel thread) about fcf-protection:

Could we consider ensuring NOTRACK_EN=0 and -fno-jump-tables if-and-when making
this change?

(I'm not sure yet, but the CET 'notrack' instruction seems unusual to me, and
although I hope to find out and become convinced that it's safe and worthwhile,
it seems like a potential loophole in the safety that CET could offer. My
understanding is that it's intended to allow certain limited call sites to
invoke functions that do not begin with branch-target (endbr64) instructions.)

[1] - https://lists.xenproject.org/archives/html/xen-devel/2022-03/msg00522.html

[2] - https://lkml.org/lkml/2022/3/7/1068
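An added example, not part of the bug report or of dpkg-dev, of the kind of check a packager could run over `objdump -d` and `readelf -n` output of an amd64 build to confirm that IBT/SHSTK properties are present and to list the indirect branches that still carry the `notrack` prefix (GCC's jump-table dispatch is the usual source). The disassembly and note excerpts are constructed samples in GNU binutils' default AT&T formatting; the function names are my own.

```python
import re

# Constructed objdump -d excerpt (amd64): a switch compiled to a jump table
# whose indirect jmp carries the CET 'notrack' prefix (byte 0x3e), plus an
# ordinary indirect call that IBT will check against an endbr64 landing pad.
SAMPLE_DISASM = """\
0000000000401126 <dispatch>:
  401126:\tf3 0f 1e fa          \tendbr64
  40112a:\t83 ff 07             \tcmp    $0x7,%edi
  40112d:\t77 10                \tja     40113f <dispatch+0x19>
  40112f:\t89 ff                \tmov    %edi,%edi
  401131:\t48 8d 05 c8 0e 00 00 \tlea    0xec8(%rip),%rax
  401138:\t48 63 04 b8          \tmovslq (%rax,%rdi,4),%rax
  40113c:\t3e ff e0             \tnotrack jmp *%rax
  40113f:\tff d2                \tcall   *%rdx
"""

# Constructed readelf -n excerpt for the same binary's .note.gnu.property.
SAMPLE_NOTES = """\
Displaying notes found in: .note.gnu.property
  Owner                Data size \tDescription
  GNU                  0x00000020\tNT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
\tx86 ISA needed: x86-64-baseline
"""

# address:  hex bytes  [notrack] jmp|call *operand
INDIRECT_RE = re.compile(
    r"^\s*(?P<addr>[0-9a-f]+):\s+(?:[0-9a-f]{2} )+\s*"
    r"(?P<notrack>notrack\s+)?(?P<mnem>jmp|call)\s+\*"
)

def find_indirect_branches(disasm):
    """Return [(addr, mnemonic, is_notrack)] for every indirect jmp/call."""
    found = []
    for line in disasm.splitlines():
        m = INDIRECT_RE.match(line)
        if m:
            found.append((m.group("addr"), m.group("mnem"), bool(m.group("notrack"))))
    return found

def notrack_sites(disasm):
    """Only the branches that bypass IBT's endbr64 check."""
    return [b for b in find_indirect_branches(disasm) if b[2]]

def cet_properties(readelf_notes):
    """Parse the 'x86 feature:' list of the GNU property note into a set."""
    m = re.search(r"x86 feature:\s*([A-Z, ]+)", readelf_notes)
    return {p.strip() for p in m.group(1).split(",")} if m else set()

def audit(disasm, readelf_notes):
    """Summary a build check could fail on: IBT missing, or notrack sites left."""
    props = cet_properties(readelf_notes)
    return {"ibt": "IBT" in props, "shstk": "SHSTK" in props,
            "notrack_count": len(notrack_sites(disasm))}
```

With `-fno-jump-tables` the `notrack jmp *%rax` site in the sample would be replaced by a compare/branch chain, so `notrack_count` would drop to 0 for that function.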

