I have been in discussion with Guillem about enabling the various branch protection mechanisms available on newer x86 and arm CPUs.

These are hardware features (new instructions) that 'tag' pointers and branch targets to make it much harder for malicious code to implement ROP (return oriented programming) and JOP (jump oriented programming) attacks. They have been implemented on both architectures in such a way that they can be generally enabled and are simply ignored on hardware that doesn't support them (the new instructions are in the NOP space). These features have been enabled in other distros for some time and we've done an archive rebuild of arm64 to check that there was not significant breakage.

There is a lot of discussion of the details of this and the pros/cons of enabling this by default in the thread, so I will try to keep this mail as a summary and suggest you go read https://lists.debian.org/debian-dpkg/2022/05/msg00022.html and https://lists.debian.org/debian-dpkg/2022/06/msg00000.html if you want to know how it works, and all the details.

We decided that the best thing to do was create a new hardening flags feature called 'branch' to add to the existing set. This enables -mbranch-protection=standard on arm64, and -fcf-protection on amd64 (yes, it would have been nice if the gcc people had used common flags across the arches, but there you go). If/when other arches get similar functionality those would be enabled under this heading too. (Are there any already that I don't know about?)

There is a dpkg branch containing this feature here: https://git.hadrons.org/git/debian/dpkg/dpkg.git/log/?h=next/dpkg-buildflags-feature-branch

And a bug to track progress here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021292

So the immediate issue now is whether or not to enable this by default in bookworm. It's a significant protection on newish hardware, which those who've worked on it (and I now, having investigated) believe should be on by default. We have a general policy of enabling reasonably low-cost security features by default, and this is one of those.

It's a fairly low-risk thing to do, especially as others have gone before us (RHEL made -fcf-protection the gcc default in 2018, and SUSE in Oct 2021. SUSE turned on branch-protection=standard (i.e. BTI+PAC) on arm64 in Nov 2020), but it is changing the defaults. Like all dpkg-buildflags it can easily be disabled for a particular package, and there is a kernel option to turn it off on a particular machine if issues are encountered (and no doubt we will find a couple).

I hope that all makes sense.

Wookey
--
Principal hats: Debian, Wookware, ARM
http://wookware.org/
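As an added illustration (not code from this thread, dpkg or gcc), here is a small Python parser for the ELF64 `.note.gnu.property` section that gcc emits under -fcf-protection (amd64) and -mbranch-protection=standard (arm64); it reports which of IBT/SHSTK or BTI/PAC a binary carries, which is how a maintainer can verify the 'branch' hardening flag actually took effect in a built package. The sample notes it builds for itself are constructed, not dumped from a real binary.

```python
import struct

# Note type and property constants from the GNU ELF ABI extensions (real values).
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002      # emitted for -fcf-protection
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000  # emitted for -mbranch-protection
FEATURE_BITS = {
    GNU_PROPERTY_X86_FEATURE_1_AND: {0x1: "IBT", 0x2: "SHSTK"},
    GNU_PROPERTY_AARCH64_FEATURE_1_AND: {0x1: "BTI", 0x2: "PAC"},
}

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def branch_protection_features(note_section):
    """Return the set of branch-protection features recorded in the raw bytes
    of an ELF64 .note.gnu.property section, e.g. {'IBT', 'SHSTK'}.
    An empty set means no such property was recorded, i.e. the object was
    not built with the flag (the linker ANDs the bits across all objects)."""
    found = set()
    off = 0
    while off + 12 <= len(note_section):
        namesz, descsz, ntype = struct.unpack_from("<III", note_section, off)
        off += 12
        name = note_section[off:off + namesz]
        off += _align(namesz, 4)
        desc = note_section[off:off + descsz]
        off += _align(descsz, 8)            # ELF64 property notes pad desc to 8
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue                        # some other vendor note; skip it
        p = 0
        while p + 8 <= len(desc):           # walk the (pr_type, pr_datasz, data) list
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            data = desc[p + 8:p + 8 + pr_datasz]
            p += 8 + _align(pr_datasz, 8)   # each property is 8-byte aligned on ELF64
            if pr_type in FEATURE_BITS and pr_datasz == 4:
                bits = struct.unpack("<I", data)[0]
                found |= {n for b, n in FEATURE_BITS[pr_type].items() if bits & b}
    return found

def make_property_note(pr_type, bits):
    """Build a minimal ELF64 .note.gnu.property section. This is constructed
    test input shaped like what gcc/ld emit, not copied from a real binary."""
    desc = struct.pack("<III", pr_type, 4, bits) + b"\0" * 4   # pad data to 8
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc
```

To check a real binary, dump the section with `objcopy --dump-section .note.gnu.property=props.bin ./prog` and pass the file's bytes to `branch_protection_features`; `readelf -n ./prog` shows the same information as a "Properties:" line.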