Re: Enabling PAC/BTI support on arm64
Hey Aurelien,
On 2023-12-05 08:32, Aurelien Jarno wrote:
> What about the patch below, it basically just changes the compiler to
> always enable -mbranch-protection=standard, and it's also used for the
> configure script.
> --- glibc-2.37/debian/sysdeps/arm64.mk
> +++ glibc-2.37/debian/sysdeps/arm64.mk
> @@ -1,2 +1,5 @@
> # configuration options for all flavours
> extra_config_options = --enable-multi-arch --enable-memory-tagging
> +
> +CC = $(DEB_HOST_GNU_TYPE)-$(BASE_CC)$(DEB_GCC_VERSION) -mbranch-protection=standard
> +CXX = $(DEB_HOST_GNU_TYPE)-$(BASE_CXX)$(DEB_GCC_VERSION) -mbranch-protection=standard
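Review bot: The two added CC/CXX lines restate the whole compiler command and repeat the -mbranch-protection=standard literal, with no comment saying why the flag is carried in CC and CXX rather than in a flags variable. A one-line comment above them (the flag has to reach the configure checks as well as the build) and a single variable holding the flag would keep the two lines in sync; if CC and CXX are already defined by the time arm64.mk is read, appending with += would also avoid duplicating the $(DEB_HOST_GNU_TYPE)-$(BASE_CC)$(DEB_GCC_VERSION) expansion here.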
Your patch works. Highlights:
cd build-tree/arm64-libc && \
CC="aarch64-linux-gnu-gcc-12 -mbranch-protection=standard" \
CXX="aarch64-linux-gnu-g++-12 -mbranch-protection=standard" \
[...]
checking for BTI support... yes
checking if pac-ret is enabled... yes
[...]
aarch64-linux-gnu-gcc-12 -mbranch-protection=standard -nostdlib -nostartfiles -r -o /<<PKGBUILDDIR>>/build-tree/arm64-libc/csu/Scrt1.o /<<PKGBUILDDIR>>/build-tree/arm64-libc/csu/start.os /<<PKGBUILDDIR>>/build-tree/arm64-libc/csu/abi-note.o /<<PKGBUILDDIR>>/build-tree/arm64-libc/csu/init.o
Full logs at https://people.debian.org/~ema/glibc_2.37-13.1_arm64.build
At some later point when both gcc and glibc with BTI enabled are in the
archive we could think of adding an autopkgtest checking for something
like:
readelf -n /usr/lib/aarch64-linux-gnu/Scrt1.o | grep 'BTI, PAC'
But for now: do you want me to file a bug against glibc to keep track of
this in the BTS?
Thank you very much!
Emanuele
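The readelf check proposed in the message above, sketched as an added example that is not part of the original mail or of the glibc packaging. It tests BTI and PAC separately instead of matching the literal string 'BTI, PAC'; the function names are hypothetical, the sample readelf output is constructed, and it assumes readelf reports the property on a line containing "AArch64 feature:".

```shell
#!/bin/sh
# Added example (not from the thread): check readelf -n output for BTI and PAC.

# Print one AArch64 feature per line from `readelf -n` text on stdin.
aarch64_features() {
    sed -n 's/^.*AArch64 feature:[[:space:]]*//p' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true
}

# Succeed only if both BTI and PAC are listed; order and extra features are ignored.
has_branch_protection() {
    feats=$(aarch64_features)
    for want in BTI PAC; do
        printf '%s\n' "$feats" | grep -qx "$want" || return 1
    done
}

# Hypothetical wrapper for an autopkgtest: needs readelf from binutils.
check_file() {
    readelf -n "$1" 2>/dev/null | has_branch_protection
}

# Constructed samples of `readelf -n` output (not taken from the build log).
SAMPLE_PROTECTED='Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: AArch64 feature: BTI, PAC'
SAMPLE_BTI_ONLY='Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: AArch64 feature: BTI'
SAMPLE_NO_NOTE='Displaying notes found in: .note.ABI-tag
  Owner                Data size        Description
  GNU                  0x00000010       NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 3.7.0'

# With file arguments, check each object; with none, do nothing.
status=0
for f in "$@"; do
    if check_file "$f"; then echo "ok: $f"; else echo "no BTI+PAC: $f"; status=1; fi
done
[ "$status" -eq 0 ] || exit 1
```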