Enable pointer authentication on ARM64 #42888
Comments
jgowdy
added
the
feature request
|
Will this affect performance? |
|
The performance impact is very small, we've had difficulty measuring it versus variance in runs of our benchmark suite. It's an additional assembly language instruction at the beginning and end of each method that does a small amount of math in hardware. If the CPU doesn't support PAC, the instructions are treated as NOPs. If the stack pointer is modified by an attacker, when the function is about to return it executes the AUTIASP instruction which will detect the modified stack pointer and the process will signal and abort. |
|
Hmm, I don't immediately see any problem with enabling this. Would you like to send a PR? We could have more reviews there. |
|
This modification results in an error in the case of cross-compilation. (#43200) 'host_arch': 'x64' |
…nd mac builds. (#5859) * Update for building NodeJS v18.12.1. Add scripts for w64 and mac. * Try building with trap-handler on aarch64-linux. * chmod +x * Disable pointer authentication on arm 64. (nodejs/node#42888) * Include a header to use `memalign`.
|
Is there a workaround for this |
Commit 938212f added -msign-return-address=all to _all_ cflags but that is wrong when cross-compiling, it should only be added to the target's cflags. Fixes: nodejs#42888
|
Untested, but #45756 hopefully fixes it. Please test. |
|
There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment. For more information on how the project manages feature requests, please consult the feature request management document. |
|
There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment. For more information on how the project manages feature requests, please consult the feature request management document. |
Commit 938212f added -msign-return-address=all to _all_ cflags but that is wrong when cross-compiling, it should only be added to the target's cflags. The flag being deprecated, it is also changed to `-mbranch-protection=standard`. Fixes: nodejs#42888 Co-Authored-By: Michaël Zasso <targos@protonmail.com>
Commit 938212f added -msign-return-address=all to _all_ cflags but that is wrong when cross-compiling, it should only be added to the target's cflags. The flag being deprecated, it is also changed to `-mbranch-protection=standard`. Fixes: #42888 Co-Authored-By: Michaël Zasso <targos@protonmail.com> PR-URL: #51256 Fixes: nodejs/build#3319 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Commit 938212f added -msign-return-address=all to _all_ cflags but that is wrong when cross-compiling, it should only be added to the target's cflags. The flag being deprecated, it is also changed to `-mbranch-protection=standard`. Fixes: #42888 Co-Authored-By: Michaël Zasso <targos@protonmail.com> PR-URL: #51256 Fixes: nodejs/build#3319 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Commit 938212f added -msign-return-address=all to _all_ cflags but that is wrong when cross-compiling, it should only be added to the target's cflags. The flag being deprecated, it is also changed to `-mbranch-protection=standard`. Fixes: #42888 Co-Authored-By: Michaël Zasso <targos@protonmail.com> PR-URL: #51256 Fixes: nodejs/build#3319 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Commit 938212f added -msign-return-address=all to _all_ cflags but that is wrong when cross-compiling, it should only be added to the target's cflags. The flag being deprecated, it is also changed to `-mbranch-protection=standard`. Fixes: #42888 Co-Authored-By: Michaël Zasso <targos@protonmail.com> PR-URL: #51256 Fixes: nodejs/build#3319 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Commit 938212f added -msign-return-address=all to _all_ cflags but that is wrong when cross-compiling, it should only be added to the target's cflags. The flag being deprecated, it is also changed to `-mbranch-protection=standard`. Fixes: nodejs#42888 Co-Authored-By: Michaël Zasso <targos@protonmail.com> PR-URL: nodejs#51256 Fixes: nodejs/build#3319 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
What is the problem this feature will solve?
ARM64v8.3 supports Pointer Authentication with the PACIASP and AUTIASP instructions which are interpreted as NOP instructions on pre 8.3 architectures. These instructions sign the stack pointer and validate the stack pointer prior to return to mitigate return oriented programming.
GCC supports these options on arm64 / aarch64. The legacy option was
-msign-return-address=[all | non-leaf | none]and the modern option is-mbranch-protection=none|standard|pac-ret[+leaf+b-key]|btiI would like to suggest that the arm64 build be modified to include
-mbranch-protection=pac-retwith the-marchbeing set to ARMv8.2 or earlier or not configured, so that GCC will generate PACIASP and AUTIASP instructions. It is critical that-march=armv8.3or higher not be passed or the non-backwards compatible RETAA instruction will be generated.What is the feature you are proposing to solve the problem?
The benefit of enabling pointer authentication for the stack pointer on ARM64 would be to mitigate return oriented programming attacks against the Node.js runtime.
What alternatives have you considered?
Presently we are pursuing custom compiles of the Node.js runtime for the new Graviton3 CPUs that support pointer authentication in AWS.
The text was updated successfully, but these errors were encountered: