== Summary ==
Arm Pointer Authentication (PAC) is a method of hardening code from
Return Oriented Programming (ROP) attacks. It uses a tag in a pointer
to sign and verify pointers. Branch Target Identification (BTI) is
another code hardening method, where the branch/jump target is
identified with a special landing pad instruction. Outside of some
system support in glibc+kernel, packages gain the additional hardening
by compiling with the -mbranch-protection= flag available in recent
versions of GCC. In particular -mbranch-protection=standard enables
both BTI and PAC, with backwards compatible to armv8.0 code sequences
that activate on v8.3 (PAC) & v8.5 (BTI) enabled Arm machines.
== Owner ==
* Name: [[User:jlinton| Jeremy Linton]] & ARM SIG
* Email: jeremy.linton(a)arm.com
== Benefit to Fedora ==
PAC & BTI are code hardening features, they should serve to make
fedora more resistant to a couple further classes of runtime attacks.
By enabling this early, fedora is once again proven to be at the
leading edge of security and linux development. If everything works as
planned, this change will be invisible to the end user, except in
cases where the applications will trap behaviour that appears to be
caused by exploit attempts.
== Scope ==
* Proposal owners:
Work with individual package maintainers in the case of build failures
or runtime exceptions. In the latter case there are two possibilities.
First on v8.0 hardware, which is currently the most common, the
additional instruction sequences are treated as NOP's and should be
completely ignored by the hardware. It may be possible on v8.3/8.5
hardware that PAC or BTI may need additional tweaks for hand written
assembly which interacts with PAC/BTI enabled code.
* Other developers:
Assure their packages continue to compile and pass
unit/integration/etc tests on v8.0 hardware. Continue to monitor
runtime problems on v8.3+ for bugs, vs exploit attempts.
* Release engineering: (pending)
* Policies and guidelines:
At the moment, nothing needs to be changed as this should propagate as
the default set of RPM build flags.
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
If everything works as planned, this should be transparent to the end user.
== How To Test ==
Testing falls into two categories. Assuring that the packages continue
to work on existing arm v8.0 hardware without PAC, and testing on
PAC+BTI enabled hardware. For the most part the expectation from the
fedora community is that package maintainers assure their packages
continue to work on existing systems. PAC+ hardware will be in limited
supply during the F33 development cycle, so the expectation is that
owners of that hardware will perform more complete systemwide testing
and report any defects found against the packages in question along
with fixes or hardware access.
== User Experience ==
== Dependencies ==
There are various gcc and kernel related changes which have already
landed, but there continue to be a few cleanup patches trickling into
the toolchain/compiler as problems are discovered.
== Contingency Plan ==
* Contingency mechanism: (What to do? Who will do it?)
Build affected packages with explicit compiler flags disabling the
feature. Worse case the top level rpm macros reversion, and a rebuild
of effected packages.
Contingency deadline: Beta target.
* Blocks release? No, except for major functionality loss due to core
* Blocks product? No
== Documentation ==
Arm pointer authentication is a technology designed to make software
more robust by providing hardware assistance for code hardening. It
protects pointers by cryptographically signing them and verifying
their signatures when used, thereby mitigating certain attack vectors.
Core support is provided to applications and libraries transparently
via kernel and toolchain changes to generate hardended code. Branch
Target identification, similarly provides landing pads, to harden code
paths by restricting the processor from jumping into unexpected parts
of a function.
He / Him / His
Senior Program Manager, Fedora & CentOS Stream