Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CA+Ov9+mc7dJuZY-6xPuzH8OcmkBpngoy+8McbJKG-WU0gV-_7w@mail.gmail.com>
Date: Mon, 19 Feb 2024 22:21:58 -0800
From: Anton Korobeynikov <anton@...obeynikov.info>
To: Fangrui Song <i@...kray.me>
Cc: musl@...ts.openwall.com, William Roberts <bill.c.roberts@...il.com>
Subject: Re: PAC/BTI Support on aarch64

Thanks Fangrui!

For PAC / BTI no support from the C standard library is required. All
changes are ordinary source code changes and only assembler sources
should contain proper annotations / notes / BTI checks.

The links above are about pointer authentication ABI (aka "arm64e").
PAC / BTI could be considered as part of it, but only a small one.
Over the last few months we have been working on bringing pauth to
ELF-based platforms. Our aim is to have pauth ABI support to be
released as a part of LLVM 19.

That github Access Softek repo is a downstream fork that contains
rebased Apple changes to frontend, intrinsics, etc. and ELF codegen
bits. We are working on upstreaming code from it to LLVM mainline.

For pauth more deep interaction with standard library is required, as
dynamic loader should process pauth relocations, and sign pointers as
needed. Plus, some additional handling of the gnu.note segment would
be necessary as one would need to e.g. prohibit loading of DSOs with
incompatible ABI. We are having a proof-of-concept patch for MUSL to
process pauth relocations
(https://github.com/access-softek/musl/pull/1). We have not submitted
it to MUSL upstream as there are lots of moving pieces and we do not
want to submit something that could be changed (e.g. reloc numbers
already changed once).

Certainly, for pauth support additional code changes to assembler
sources would be required. As well as ABI marking.

PS: Please CC me on responses as I am not subscribed.

On Mon, Feb 19, 2024 at 4:01 PM Fangrui Song <i@...kray.me> wrote:
>
> On Mon, Feb 12, 2024 at 10:42 AM Rich Felker <dalias@...c.org> wrote:
> >
> > On Mon, Feb 12, 2024 at 10:38:50AM -0600, William Roberts wrote:
> > > Hello,
> > >
> > > I was just wondering if there was any work being done to support PAC
> > > and BTI in aarch64? I could add support but didn't want to duplicate
> > > the work.
> >
> > I'm not aware of any active work on this, but before writing a full
> > implementation, it would be really helpful to start with a basic
> > proposal for the scope of changes needed to make it work to assess
> > whether these are managable and acceptable cost.
> >
> > Rich
>
> Cc +Anton (other messages of this thread can be found at
> https://www.openwall.com/lists/musl/2024/02/12/ ).
>
> Per https://discourse.llvm.org/t/llvm-pointer-authentication-sync-ups/62661/23
> and an lld/ELF patch
>
> * https://github.com/access-softek/llvm-project/commits/elf-pauth
> * https://github.com/access-softek/musl/tree/dkovalev/pauth-code-drop
>
> contains a prototype.
>
> > We verified that LLVM testsuite compiled with pauth successfully passes on pauth-enabled AArch64 board.
>
> https://www.openwall.com/lists/musl/2024/02/12/
>
> It looks like there will be an LLVM Pointer Authentication discussion
> in a few hours:
> https://calendar.google.com/calendar/u/0/embed?src=calendar@llvm.org



-- 
With best regards, Anton Korobeynikov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.