
Bug#1063515: glibc: Please build with -mbranch-protection=standard on arm64 to enable PAC/BTI support



Source: glibc
Version: 2.37-15
Severity: wishlist
Tags: patch
User: debian-arm@lists.debian.org
Usertags: arm64
Control: block -1 by 1057469

Hi,

As discussed on the debian-glibc mailing list [1], please consider
building glibc on arm64 with -mbranch-protection=standard to enable
support for the PAC/BTI security features in Debian.

The discussion on the mailing list ended up with an agreement on the
attached patch proposed by Aurelien Jarno which works fine in my tests.

In order to properly support PAC/BTI in Debian we first need GCC to
enable support for the feature, and that has not happened yet. For this
reason I'm marking this bug as blocked-by the relevant issue filed
against gcc-12: #1057469.

[1] https://lists.debian.org/debian-glibc/2023/12/msg00022.html
--- glibc-2.37/debian/sysdeps/arm64.mk
+++ glibc-2.37/debian/sysdeps/arm64.mk
@@ -1,2 +1,5 @@
 # configuration options for all flavours
 extra_config_options = --enable-multi-arch --enable-memory-tagging
+
+CC = $(DEB_HOST_GNU_TYPE)-$(BASE_CC)$(DEB_GCC_VERSION) -mbranch-protection=standard
+CXX = $(DEB_HOST_GNU_TYPE)-$(BASE_CXX)$(DEB_GCC_VERSION) -mbranch-protection=standard
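Review bot: The added CC and CXX lines have no comment saying why the flag is there or when it can go away; the only comment in the file, "# configuration options for all flavours", describes extra_config_options. Suggest a short comment above them stating that -mbranch-protection=standard enables PAC/BTI and is carried here until the compiler enables it itself (the report blocks on #1057469). Also note that both lines restate the whole compiler command, $(DEB_HOST_GNU_TYPE)-$(BASE_CC)$(DEB_GCC_VERSION), just to append one flag, so any later change to how CC and CXX are composed elsewhere has to be mirrored here by hand; if the packaging has a flags variable that reaches every compile and assemble step, appending to that would avoid the duplication.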
