[3.12] gh-139808: Add branch protections for aarch64 in asm_trampoline.S (#130864)

[stratakis]

Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S.

The BTI flag must be applied in assembler sources for this class of attacks to be mitigated on newer aarch64 processors.

See also:
https://sourceware.org/annobin/annobin.html/Test-branch-protection.html and
https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/enabling-pac-and-bti-on-aarch64

• Issue: asm_trampoline.S misses BTI/PAC protection flags for aarch64 #139808

[read-the-docs-community]

Documentation build overview

📚 cpython-previews | 🛠️ Build #32798948 | 📁 Comparing f8f9726 against main (32104a1)

  🔍 Preview build  

534 files changed · + 3 added · ± 477 modified · - 54 deleted

+ Added

• c-api/objbuffer.html
• library/2to3.html
• library/tkinter.tix.html

± Modified

• about.html
• bugs.html
• copyright.html
• glossary.html
• index.html
• license.html
• py-modindex.html
• c-api/abstract.html
• c-api/allocation.html
• c-api/apiabiversion.html
• and 467 more...

- Deleted

• 404.html
• improve-page-nojs.html
• improve-page.html
• _static/tachyon-example-flamegraph.html
• _static/tachyon-example-heatmap.html
• c-api/curses.html
• c-api/extension-modules.html
• c-api/interp-lifecycle.html
• c-api/lifecycle.html
• c-api/monitoring.html
• and 44 more...

[stratakis]

3.12 is currently on security only fixes.

This issue resolves a security issue when compiling on aarch64 with -mbranch-protection. Without the PR, when using -mbranch-protection=standard to enable the aarch64 hardware protections, the linker will see that there is a missing note from the object files generated by the assembly sources and will drop the notes from the final binary/library, deactivating the protections.

Verified that perf integration works well, with and without the flag, including frame pointers. And the final binary correctly shows BTI, PAC, GCS with readelf -n.

cc @vstinner @Yhg1s