[Bug 2040321] Re: Please add -mbranch-protection=standard to default arm64 build flags

Mark Esler 2040321 at bugs.launchpad.net
Wed Sep 4 17:57:59 UTC 2024


** Changed in: gcc-13 (Ubuntu)
    Milestone: ubuntu-24.04 => None

** Package changed: gcc-13 (Ubuntu) => gcc-14 (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-14 in Ubuntu.
https://bugs.launchpad.net/bugs/2040321

Title:
  Please add -mbranch-protection=standard to default arm64 build flags

Status in gcc-14 package in Ubuntu:
  New

Bug description:
  arm64 code reuse mitigation was introduced to the Ubuntu Archive with
  dpkg 1.22.0ubuntu1 [0][1][2].

  > Pointer Authentication and Branch Target Identification are
  > significant new security features in ARMv8.3 and ARMv8.5 respectively
  > arm64 hardware. They are present in new (debian-relevant) hardware,
  > starting with the Graviton 3. It is both straightforward and
  > reasonably safe to enable these features by default now so that they
  > can be reasonably well-tested in time for Bookworm. There is a kernel
  > option to turn them off at runtime should hardware be found where this
  > is a problem, and of course a compiler option to disable them at build
  > time. They are important security enhancements, with a very small
  > overhead, which can only work if enabled at build-time, so adding
  > -mbranch-protection=standard to the default build options seems like
  > the right thing to do. [3]

  In 2019, using glibc, Arm measured the use of the `pac` option alone to
  reduce available ROP and JOP gadgets by ~60%. `bti` reduced these
  gadgets by ~95%. `bti+pac` resulted in a ~98% decrease [4].

  `-mbranch-protection=standard` enables both BTI and PAC. It is the
  current arm64 default for the Ubuntu Archive [0], Debian [2], and
  Fedora [5].

  gcc should have security hardening flag parity with dpkg. Ubuntu
  Security wants secure defaults for users. This is a philosophical
  difference from Debian [6]. Ubuntu Security wants compiler hardening
  applied to random things users download, build, and run, and to snaps,
  flatpaks, appimages, pip wheels, etc. We want software built on Ubuntu
  to use safe defaults.

  As an example, Xonotic is a video game with arm64 builds on the snap
  store. C based snaps are built with gcc, and dpkg-buildflags are not
  applied. As a multiplayer game, its users process untrusted input. If a
  remote exploit is discovered, instead of a segfault, attackers might
  be able to achieve RCE on arm64 victims, since they are freely allowed
  to build ROP chains. Kubernetes, etcd, and many critical pieces of
  server software are also distributed through snaps. Applying security
  hardening flags to gcc will protect Ubuntu users and the wider
  community.

  Please add `-mbranch-protection` to the default compiler flags of
  gcc-13 in Ubuntu 24.04 [7].

  [0] https://launchpad.net/ubuntu/+source/dpkg/1.22.0ubuntu1
  [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021292
  [2] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=8f5aca71c1435c9913d5562b8cae68b751dff663
  [3] https://lists.debian.org/debian-dpkg/2022/05/msg00022.html
  [4] https://community.arm.com/arm-community-blogs/b/tools-software-ides-blog/posts/code-reuse-attacks-the-compiler-story
  [5] https://fedoraproject.org/wiki/Changes/Aarch64_PointerAuthentication
  [6] https://lists.debian.org/debian-dpkg/2022/06/msg00000.html
  [7] https://wiki.ubuntu.com/ToolChain/CompilerFlags

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2040321/+subscriptions
