On 2024-10-28 10:55, Sebastian Ramacher wrote:
> since dpkg 1.22.0 the additional hardening flags to enable Pointer
> Authentication (PAC) and Branch Target Identification (BTI)
> on arm64 are enabled by default.

Some more background and an update on this.

Both PAC and BTI are enabled by adding -mbranch-protection=standard to the compiler flags. The defaults in Debian sid include such a flag since August 2023 (dpkg 1.22.0) as Sebastian said.

However PAC and BTI differ in the way they are enabled. For PAC, simply building a program with -mbranch-protection=standard results in PAC being enabled. When it comes to BTI, all execution units (i.e. all object files) linked together need to have BTI in order for the resulting ELF file to have BTI turned on. Since pretty much every program in the world uses crtbeginS.o and crtendS.o from GCC as well as crti.o, Scrt1.o and crtn.o from glibc, this means that only packages built with a BTI-enabled GCC and glibc get the feature.

In sid, we enabled BTI support in gcc-14 14.1.0-4 (2024-07-10) and glibc 2.39-5 (2024-07-22). See https://wiki.debian.org/ToolChain/PACBTI for more details.

I performed a local archive rebuild to get the list of all packages that don't currently have BTI on, but would get it with a simple rebuild (binNMU). I added the date of "last build" to the output just to verify that no package was built after the end of July 2024, those should have had BTI already. To my surprise some of the packages in the list were last built in 2014, which is... well a long time ago!

https://people.debian.org/~ema/pac-bti/arm64-binNMUs.log

When the binNMUs started (thank you Sebastian) we had 10204 binary packages with BTI turned on, and we are now at 18348. Once the rebuilds are over I'll check the situation again. There's likely going to be a long tail of packages that don't get BTI with a simple rebuild for many reasons, including for example not using the default compiler flags.

As a final thought, given that new toolchain versions bring multiple improvements over the years it's perhaps worth thinking about rebuilding the archive on some sort of regular basis to make sure we get the benefits?

ema
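The mechanism behind "all object files linked together need to have BTI" is the GNU_PROPERTY_AARCH64_FEATURE_1_AND property in each object's .note.gnu.property section: the linker ANDs the BTI and PAC bits across every input, so one crt object without the note silently drops BTI from the output. The following Python script is an added example for checking that marking, not code from the mail or from Debian's tooling. The note layout and constants (NT_GNU_PROPERTY_TYPE_0 = 5, property type 0xC0000000, BTI = bit 0, PAC = bit 1, EM_AARCH64 = 183) come from the AArch64 ELF ABI; the function names, the constructed sample note, and the small link-time model are this example's own.

```python
"""Check AArch64 PAC/BTI markings in ELF64 objects (added example)."""
import struct
from typing import Dict, Optional, Sequence

# Values from the ELF for the Arm 64-bit Architecture (AArch64) ABI supplement
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_1_BTI = 1 << 0
FEATURE_1_PAC = 1 << 1
EM_AARCH64 = 183
SHT_NOTE = 7


def _align(n: int, a: int) -> int:
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(data: bytes) -> Optional[int]:
    """Return the GNU_PROPERTY_AARCH64_FEATURE_1_AND flags found in the raw
    contents of a .note.gnu.property section (ELF64, little-endian), or None
    if no such property is present. This is the value the linker ANDs."""
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz]
        off += _align(namesz, 4)
        desc = data[off:off + descsz]
        off += _align(descsz, 8)  # ELF64 property notes are 8-byte aligned
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        poff = 0
        while poff + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, poff)
            poff += 8
            pr_data = desc[poff:poff + pr_datasz]
            poff += _align(pr_datasz, 8)  # pr_data is padded to 8 bytes on ELF64
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz >= 4:
                return struct.unpack_from("<I", pr_data)[0]
    return None


def describe(flags: Optional[int]) -> Dict[str, bool]:
    """Translate raw feature bits into a readable BTI/PAC status."""
    f = flags or 0
    return {"bti": bool(f & FEATURE_1_BTI), "pac": bool(f & FEATURE_1_PAC)}


def link_feature_flags(inputs: Sequence[Optional[int]]) -> int:
    """Model (hypothetical helper) of how the linker treats an *_AND property:
    a bit survives only if every input object carries it, and an object with
    no note at all (None) contributes no features, so BTI is lost."""
    result = FEATURE_1_BTI | FEATURE_1_PAC
    for flags in inputs:
        result &= (flags or 0)
    return result


def elf_aarch64_features(path: str) -> Optional[int]:
    """Walk the section headers of an AArch64 ELF64 little-endian file and
    return its feature flags, or None if the file has no such note."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        return None
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", blob, 0)
    e_machine, e_shoff, e_shentsize, e_shnum = hdr[2], hdr[6], hdr[11], hdr[12]
    if e_machine != EM_AARCH64:
        return None
    for i in range(e_shnum):
        sh = struct.unpack_from("<IIQQQQIIQQ", blob, e_shoff + i * e_shentsize)
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        if sh_type != SHT_NOTE:
            continue
        flags = parse_gnu_property_note(blob[sh_offset:sh_offset + sh_size])
        if flags is not None:
            return flags
    return None


def build_property_note(flags: int) -> bytes:
    """Constructed sample: the .note.gnu.property bytes a BTI/PAC-aware
    toolchain emits for the given feature flags (used as offline test input)."""
    desc = struct.pack("<III", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, flags) + b"\0" * 4
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, describe(elf_aarch64_features(p)))
```

Run it as `python3 check_bti.py /path/to/arm64/binary` to see whether a build picked up BTI and PAC; the result should agree with `readelf -n` on the same file. The `link_feature_flags` model shows the point of the mail directly: linking objects marked 3 (BTI+PAC) with one marked 2 (PAC only), or with one that has no note, yields an output without BTI, which is why the crt objects from gcc-14 and glibc had to be rebuilt first.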