Bug#1021292: dpkg-buildflags: Please add support for pointer authentication on arm64
Package: dpkg-dev
Followup-For: Bug #1021292
X-Debbugs-Cc: wookey@wookware.org, debian-devel@lists.debian.org
> We decided that the best thing to do was create a new hardening flags
> feature called 'branch' to add to the existing set. This enables
> -mbranch-protection=standard on arm64, and
> -fcf-protection on amd64
After reading various threads (such as this[1] Xen thread, and from there a
related[2] Linux kernel thread) about fcf-protection:
Could we consider ensuring NOTRACK_EN=0 and -fno-jump-tables if-and-when making
this change?
(I'm not sure yet, but the CET 'notrack' instruction seems unusual to me, and
although I hope to find out and become convinced that it's safe and worthwhile,
it seems like a potential loophole in the safety that CET could offer. My
understanding is that it's intended to allow certain limited callsites to
invoke functions that do not begin with branch-target (endbr64) instructions.)
[1] - https://lists.xenproject.org/archives/html/xen-devel/2022-03/msg00522.html
[2] - https://lkml.org/lkml/2022/3/7/1068
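A practical check that goes with the proposed 'branch' hardening flag: the toolchain records whether an object was built with -fcf-protection (amd64: IBT, SHSTK) or -mbranch-protection=standard (arm64: BTI, PAC) in the .note.gnu.property section, so the bits can be read back from a built binary without recompiling. The script below is an added example, not part of this bug report or of dpkg-dev; it parses the NT_GNU_PROPERTY_TYPE_0 note directly with only the standard library. The property type numbers (0xc0000002 for x86, 0xc0000000 for AArch64) and feature bits (IBT=1/SHSTK=2, BTI=1/PAC=2) are those from the respective psABI documents; build_sample_elf() constructs a throwaway ELF64 image purely as sample input for the example and is not a loadable binary.

```python
"""Report the branch-protection bits recorded in an ELF64 GNU property note.
Added example for the dpkg-buildflags 'branch' feature discussion; not project code."""
import struct
import sys

SHT_NOTE = 7
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002      # x86 psABI: IBT = 1, SHSTK = 2
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000  # AArch64 psABI: BTI = 1, PAC = 2
FEATURE_BITS = {
    GNU_PROPERTY_X86_FEATURE_1_AND: {1: "IBT", 2: "SHSTK"},
    GNU_PROPERTY_AARCH64_FEATURE_1_AND: {1: "BTI", 2: "PAC"},
}


def align_up(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_properties(desc, endian="<", elf64=True):
    """Descriptor of an NT_GNU_PROPERTY_TYPE_0 note -> {pr_type: pr_data}.
    Each entry is pr_type(u32), pr_datasz(u32), pr_data padded to 8 on ELF64."""
    pad = 8 if elf64 else 4
    props, off = {}, 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from(endian + "II", desc, off)
        off += 8
        props[pr_type] = desc[off:off + pr_datasz]
        off += align_up(pr_datasz, pad)
    return props


def features_from_desc(desc, endian="<", elf64=True):
    """Names of the branch-protection features asserted by the *_FEATURE_1_AND
    properties (an AND property is only present if every input object had it)."""
    found = set()
    for pr_type, data in parse_properties(desc, endian, elf64).items():
        table = FEATURE_BITS.get(pr_type)
        if table and len(data) >= 4:
            bits = struct.unpack_from(endian + "I", data)[0]
            found |= {name for bit, name in table.items() if bits & bit}
    return found


def iter_notes(section, endian="<"):
    """Yield (name, type, desc) for each note entry in a SHT_NOTE section."""
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from(endian + "III", section, off)
        off += 12
        name = section[off:off + namesz].rstrip(b"\0")
        off += align_up(namesz, 4)
        desc = section[off:off + descsz]
        off += align_up(descsz, 4)
        yield name, ntype, desc


def elf_branch_features(data):
    """Scan an ELF64 image (bytes) for the GNU property note and return the
    IBT/SHSTK (x86-64) or BTI/PAC (arm64) names found; empty set if absent."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only ELF64 images are handled by this example")
    endian = "<" if data[5] == 1 else ">"
    e_shoff, = struct.unpack_from(endian + "Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, 0x3A)
    found = set()
    for i in range(e_shnum):
        sh = e_shoff + i * e_shentsize
        sh_type, = struct.unpack_from(endian + "I", data, sh + 4)
        if sh_type != SHT_NOTE:
            continue
        sh_offset, sh_size = struct.unpack_from(endian + "QQ", data, sh + 24)
        for name, ntype, desc in iter_notes(data[sh_offset:sh_offset + sh_size], endian):
            if name == b"GNU" and ntype == NT_GNU_PROPERTY_TYPE_0:
                found |= features_from_desc(desc, endian, True)
    return found


def elf_file_branch_features(path):
    with open(path, "rb") as f:
        return elf_branch_features(f.read())


def build_sample_elf(pr_type, bits, endian="<"):
    """Constructed sample input: a minimal ELF64 with one GNU property note
    (header, the note, two section headers). Not a loadable binary."""
    desc = struct.pack(endian + "III", pr_type, 4, bits) + b"\0" * 4  # pr_data padded to 8
    note = struct.pack(endian + "III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc
    note_off, shdr_size = 64, 64
    shoff = align_up(note_off + len(note), 8)
    machine = 0x3E if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND else 0xB7  # EM_X86_64 / EM_AARCH64
    ident = b"\x7fELF" + bytes([2, 1 if endian == "<" else 2, 1]) + b"\0" * 9
    ehdr = ident + struct.pack(endian + "HHIQQQIHHHHHH",
                               1, machine, 1, 0, 0, shoff, 0, 64, 0, 0, shdr_size, 2, 0)
    note_sh = struct.pack(endian + "IIQQQQIIQQ", 0, SHT_NOTE, 2, 0, note_off, len(note), 0, 0, 8, 0)
    body = ehdr + note
    body += b"\0" * (shoff - len(body))
    return body + b"\0" * shdr_size + note_sh


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, sorted(elf_file_branch_features(path)) or "no branch-protection property")
```

Run it over the files in a built package (for example `python3 propcheck.py /usr/bin/*`) to see which objects actually carry the bits; the same information is visible with `readelf -n` as `x86 feature: IBT, SHSTK` or `AArch64 feature: BTI, PAC`. Because the linker emits the AND property only when every input object had it, a single object assembled without -fcf-protection or -mbranch-protection drops the bit for the whole executable, which is exactly what a buildflags-level check should catch. Note that the property says nothing about 'notrack' jumps inside the binary; whether the compiler emitted any is a separate question (`objdump -d` shows them as a `notrack` prefix on indirect jumps).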