aarch64/armv8 assembler files not supporting PAC/BTI
Description of problem:
On aarch64/arm64, when we build with gcc13 and -mbranch-protection=standard
to enable Pointer Authentication (PAC) and Branch Target Identification (BTI), the final link disable them, because some assembler code do not support PAC and BTI.
The following warning message shows the issue:
[ 161s] /usr/lib64/gcc/aarch64-suse-linux/13/../../../../aarch64-suse-linux/bin/ld: accelerated/.libs/libaccelerated.a(aes-aarch64.o): warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
[ 161s] /usr/lib64/gcc/aarch64-suse-linux/13/../../../../aarch64-suse-linux/bin/ld: accelerated/.libs/libaccelerated.a(ghash-aarch64.o): warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
[ 161s] /usr/lib64/gcc/aarch64-suse-linux/13/../../../../aarch64-suse-linux/bin/ld: accelerated/.libs/libaccelerated.a(sha1-armv8.o): warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
[ 161s] /usr/lib64/gcc/aarch64-suse-linux/13/../../../../aarch64-suse-linux/bin/ld: accelerated/.libs/libaccelerated.a(sha256-armv8.o): warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
[ 161s] /usr/lib64/gcc/aarch64-suse-linux/13/../../../../aarch64-suse-linux/bin/ld: accelerated/.libs/libaccelerated.a(sha512-armv8.o): warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
Note: To show this message you need to also pass the -z force-bti
ldflag.
This point to assembler files:
[ 135s] libtool: compile: gcc -Wa,-march=all -mbranch-protection=standard -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -c elf/aes-aarch64.s -fPIC -DPIC -o elf/.libs/aes-aarch64.o
[ 135s] libtool: compile: gcc -Wa,-march=all -mbranch-protection=standard -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -c elf/ghash-aarch64.s -fPIC -DPIC -o elf/.libs/ghash-aarch64.o
[ 135s] libtool: compile: gcc -Wa,-march=all -mbranch-protection=standard -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -c elf/sha1-armv8.s -fPIC -DPIC -o elf/.libs/sha1-armv8.o
[ 135s] libtool: compile: gcc -Wa,-march=all -mbranch-protection=standard -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -c elf/sha256-armv8.s -fPIC -DPIC -o elf/.libs/sha256-armv8.o
[ 135s] libtool: compile: gcc -Wa,-march=all -mbranch-protection=standard -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -c elf/sha512-armv8.s -fPIC -DPIC -o elf/.libs/sha512-armv8.o
This is a matter to add paciasp
/autiasp
in start/end of functions for PAC and BTI C
(or hint #34
) as landing pad on branches for BTI.
More information on :
- PAC: https://developer.arm.com/documentation/102433/0100/Return-oriented-programming
- BTI: https://developer.arm.com/documentation/102433/0100/Jump-oriented-programming
Version of gnutls used:
3.8.2
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
openSUSE Tumbleweed
How reproducible:
Build on aarch64 with -mbranch-protection=standard
and -z force-bti
.
Actual results:
BTI disabled at link time.
Expected results:
BIT should be supported.