[gnutls-devel] GnuTLS | aarch64/armv8 assembler files not supporting PAC/BTI (#1517)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Fri Dec 8 16:56:13 CET 2023



ggardet1 created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1517



## Description of problem:
On aarch64/arm64, when we build with gcc13 and `-mbranch-protection=standard` to enable Pointer Authentication (PAC) and Branch Target Identification (BTI), the final link disables them, because some assembler code does not support PAC and BTI.

The following warning message shows the issue:
```
[  161s] /usr/lib64/gcc/aarch64-suse-linux/13/../../../../aarch64-suse-linux/bin/ld: accelerated/.libs/libaccelerated.a(aes-aarch64.o): warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
[  161s] /usr/lib64/gcc/aarch64-suse-linux/13/../../../../aarch64-suse-linux/bin/ld: accelerated/.libs/libaccelerated.a(ghash-aarch64.o): warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
[  161s] /usr/lib64/gcc/aarch64-suse-linux/13/../../../../aarch64-suse-linux/bin/ld: accelerated/.libs/libaccelerated.a(sha1-armv8.o): warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
[  161s] /usr/lib64/gcc/aarch64-suse-linux/13/../../../../aarch64-suse-linux/bin/ld: accelerated/.libs/libaccelerated.a(sha256-armv8.o): warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
[  161s] /usr/lib64/gcc/aarch64-suse-linux/13/../../../../aarch64-suse-linux/bin/ld: accelerated/.libs/libaccelerated.a(sha512-armv8.o): warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
```
Note: To show this message you need to also pass the `-z force-bti` ldflag.

This points to the assembler files:
```
[  135s] libtool: compile:  gcc -Wa,-march=all -mbranch-protection=standard -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -c elf/aes-aarch64.s  -fPIC -DPIC -o elf/.libs/aes-aarch64.o
[  135s] libtool: compile:  gcc -Wa,-march=all -mbranch-protection=standard -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -c elf/ghash-aarch64.s  -fPIC -DPIC -o elf/.libs/ghash-aarch64.o
[  135s] libtool: compile:  gcc -Wa,-march=all -mbranch-protection=standard -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -c elf/sha1-armv8.s  -fPIC -DPIC -o elf/.libs/sha1-armv8.o
[  135s] libtool: compile:  gcc -Wa,-march=all -mbranch-protection=standard -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -c elf/sha256-armv8.s  -fPIC -DPIC -o elf/.libs/sha256-armv8.o
[  135s] libtool: compile:  gcc -Wa,-march=all -mbranch-protection=standard -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -c elf/sha512-armv8.s  -fPIC -DPIC -o elf/.libs/sha512-armv8.o
```

This is a matter of adding `paciasp`/`autiasp` at the start/end of functions for PAC and `BTI C` (or `hint #34`) as a landing pad on branches for BTI.

More information on:
* PAC: https://developer.arm.com/documentation/102433/0100/Return-oriented-programming
* BTI: https://developer.arm.com/documentation/102433/0100/Jump-oriented-programming

## Version of gnutls used:
3.8.2

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
openSUSE Tumbleweed

## How reproducible:

Build on aarch64 with `-mbranch-protection=standard` and `-z force-bti`.


## Actual results:
BTI disabled at link time.

## Expected results:
BTI should be supported.
