qiurui
/
glibc
mirror of git://sourceware.org/git/glibc.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

aarch64: Support enforcing BTI on dependencies 

Add glibc.cpu.aarch64_bti tunable with 2 values:

 - permissive (default)
 - enforced

and use this tunable to enforce BTI marking on dependencies
when the enforced option is selected.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Tested-by: Jeremy Linton <jeremy.linton@arm.com>
This commit is contained in:
Yury Khrustalev 2025-10-29 16:12:14 +00:00
parent 59bac0d5d2
commit dba95d2887
7 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
manual/tunables.texi
View File

@ -598,6 +598,23 @@ This tunable is specific to x86-64 and effective only when the lazy
binding is disabled. binding is disabled.
@end deftp @end deftp
@deftp Tunable glibc.cpu.aarch64_bti
This tunable controls Branch Target Identification (BTI) handling for the
process. This handling is implemented via protecting the memory mapping
with @code{PROT_BTI} for modules that are marked with the appropriate ELF
property @code{GNU_PROPERTY_AARCH64_FEATURE_1_BTI} (see Program Loading in
@url{https://github.com/ARM-software/abi-aa/blob/main/sysvabi64/sysvabi64.rst}).
Accepted values are:
0 = permissive: BTI protection is enabled only for modules that have BTI
marking (default).
1 = enforced: if a module that does not have BTI marking is loaded, it is
an error (either a process abort or a @code{dlopen} error if this binary
is loaded via @code{dlopen}).
@end deftp
@deftp Tunable glibc.cpu.aarch64_gcs @deftp Tunable glibc.cpu.aarch64_gcs
This tunable controls Guarded Control Stack (GCS) for the process. This tunable controls Guarded Control Stack (GCS) for the process.

5
sysdeps/aarch64/cpu-features.h
View File

@ -54,6 +54,11 @@
|| (MIDR_PARTNUM(midr) == 0x002 \ || (MIDR_PARTNUM(midr) == 0x002 \
&& MIDR_VARIANT(midr) == 0))) && MIDR_VARIANT(midr) == 0)))
enum {
BTI_CHECK_PERMISSIVE = 0,
BTI_CHECK_ENFORCED = 1,
};
struct cpu_features struct cpu_features
{ {
uint64_t midr_el1; uint64_t midr_el1;

15
sysdeps/aarch64/dl-bti.c
View File

@ -31,6 +31,9 @@
void void
_dl_bti_protect (struct link_map *map, int fd) _dl_bti_protect (struct link_map *map, int fd)
{ {
/* If we try to enable BTI protection, MAP must be BTI marked. */
map->l_mach.bti = true;
const size_t pagesz = GLRO(dl_pagesize); const size_t pagesz = GLRO(dl_pagesize);
const ElfW(Phdr) *phdr; const ElfW(Phdr) *phdr;
@ -84,10 +87,22 @@ _dl_bti_check (struct link_map *l, const char *program)
if (l->l_mach.bti_fail) if (l->l_mach.bti_fail)
bti_failed (l, program); bti_failed (l, program);
/* We enforce BTI if tunable is set and if this object has BTI marking. */
bool enforce_bti = GLRO (dl_aarch64_bti) == BTI_CHECK_ENFORCED;
for (unsigned int i = 0; i < l->l_searchlist.r_nlist; i++) for (unsigned int i = 0; i < l->l_searchlist.r_nlist; i++)
{ {
struct link_map *dep = l->l_searchlist.r_list[i]; struct link_map *dep = l->l_searchlist.r_list[i];
if (dep->l_mach.bti_fail) if (dep->l_mach.bti_fail)
bti_failed (dep, program); bti_failed (dep, program);
#ifdef SHARED
/* Ignore BTI marking on ld.so: its properties are not processed, and
the kernel is responsible for setting up BTI protection for the
loader. */
if (is_rtld_link_map (dep->l_real))
continue;
#endif
if (enforce_bti && !dep->l_mach.bti)
bti_failed (dep, program);
} }
} }

6
sysdeps/aarch64/dl-tunables.list
View File

@ -21,6 +21,12 @@ glibc {
name { name {
type: STRING type: STRING
} }
aarch64_bti {
type: UINT_64
minval: 0
maxval: 1
default: 0
}
aarch64_gcs { aarch64_gcs {
type: UINT_64 type: UINT_64
minval: 0 minval: 0

1
sysdeps/aarch64/linkmap.h
View File

@ -24,4 +24,5 @@ struct link_map_machine
void *tlsdesc_table; /* Address of TLS descriptor hash table. */ void *tlsdesc_table; /* Address of TLS descriptor hash table. */
bool bti_fail; /* Failed to enable Branch Target Identification. */ bool bti_fail; /* Failed to enable Branch Target Identification. */
bool gcs; /* Guarded Control Stack marking. */ bool gcs; /* Guarded Control Stack marking. */
bool bti; /* Branch Target Identification marking. */
}; };

2
sysdeps/unix/sysv/linux/aarch64/cpu-features.c
View File

@ -137,6 +137,8 @@ init_cpu_features (struct cpu_features *cpu_features)
/* Check if BTI is supported. */ /* Check if BTI is supported. */
cpu_features->bti = GLRO (dl_hwcap2) & HWCAP2_BTI; cpu_features->bti = GLRO (dl_hwcap2) & HWCAP2_BTI;
if (cpu_features->bti)
GLRO (dl_aarch64_bti) = TUNABLE_GET (glibc, cpu, aarch64_bti, uint64_t, 0);
/* Setup memory tagging support if the HW and kernel support it, and if /* Setup memory tagging support if the HW and kernel support it, and if
the user has requested it. */ the user has requested it. */

16
sysdeps/unix/sysv/linux/aarch64/dl-procinfo.c
View File

@ -56,5 +56,21 @@ PROCINFO_CLASS struct cpu_features _dl_aarch64_cpu_features
# endif # endif
#endif #endif
#if !IS_IN (ldconfig)
# if !defined PROCINFO_DECL && defined SHARED
._dl_aarch64_bti
# else
PROCINFO_CLASS unsigned long _dl_aarch64_bti
# endif
# ifndef PROCINFO_DECL
= BTI_CHECK_PERMISSIVE
# endif
# if !defined SHARED || defined PROCINFO_DECL
;
# else
,
# endif
#endif
#undef PROCINFO_DECL #undef PROCINFO_DECL
#undef PROCINFO_CLASS #undef PROCINFO_CLASS