Please add -mbranch-protection=standard to default arm64 build flags
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gcc-13 (Ubuntu) | New | High | Unassigned |
Bug Description
arm64 code reuse mitigation was introduced to the Ubuntu Archive with dpkg 1.22.0ubuntu1 [0][1][2].
> Pointer Authentication and Branch Target Identification are
> significant new security features in ARMv8.3 and ARMv8.5 respectively
> arm64 hardware. They are present in new (debian-relevant) hardware,
> starting with the Graviton 3. It is both straightforward and
> reasonably safe to enable these features by default now so that they
> can be reasonably well-tested in time for Bookworm. There is a kernel
> option to turn them off at runtime should hardware be found where this
> is a problem, and of course a compiler option to disable them at build
> time. They are important security enhancements, with a very small
> overhead, which can only work if enabled at build-time, so adding
> -mbranch-
> the right thing to do. [3]
In 2019, measuring glibc, Arm found that the `pac` option alone reduced the available ROP and JOP gadgets by ~60%. `bti` reduced these gadgets by ~95%. `bti+pac` resulted in a ~98% decrease [4].
`-mbranch-
gcc should have security hardening flag parity with dpkg. Ubuntu Security wants secure defaults for users. This is a philosophical difference from Debian [6]. Ubuntu Security wants compiler hardening applied to random things users download, build, and run, and to snaps, flatpaks, appimages, pip wheels, etc. We want software built on Ubuntu to use safe defaults.
As an example, Xonotic is a video game with arm64 builds on the snap store. C-based snaps are built with gcc, and dpkg-buildflags are not applied. As a multiplayer game, it processes untrusted input on users' machines. If a remote exploit is discovered, then instead of a segfault, attackers might achieve RCE on arm64 victims, since they are free to build ROP chains. Kubernetes, etcd, and many other critical pieces of server software are also distributed through snaps. Applying security hardening flags to gcc will protect Ubuntu users and the wider community.
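One way a maintainer can check whether an arm64 binary (a snap's payload, for instance) actually carries the BTI/PAC markers that `-mbranch-protection=standard` emits is to read the `.note.gnu.property` section, the same note `readelf -n` prints as "AArch64 feature: BTI, PAC". The following is an added example, not code from the bug report or from gcc; the constants are the standard ELF/GNU ABI values, and the file-parsing helper assumes a little-endian ELF64 input.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5                   # note type used by .note.gnu.property
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_1_BTI = 1 << 0                       # set when built with -mbranch-protection=bti (or standard)
FEATURE_1_PAC = 1 << 1                       # set when built with -mbranch-protection=pac-ret (or standard)

def build_property_note(feature_bits):
    # Constructed test input: one ELF64 GNU note holding an AArch64 FEATURE_1_AND property.
    prop = struct.pack("<III", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, feature_bits) + b"\0" * 4
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop

def aarch64_features(section):
    # Walk every note in a raw .note.gnu.property section and collect BTI/PAC markers.
    found, off = set(), 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        off += 12
        name = section[off:off + namesz]
        off += (namesz + 3) & ~3                 # name is 4-byte padded
        desc = section[off:off + descsz]
        off += (descsz + 7) & ~7                 # ELF64 property notes are 8-byte aligned
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue                             # some other vendor note; ignore it
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz == 4:
                bits = struct.unpack_from("<I", desc, p)[0]
                found |= {n for n, b in (("bti", FEATURE_1_BTI), ("pac", FEATURE_1_PAC)) if bits & b}
            p += (pr_datasz + 7) & ~7            # property data is 8-byte padded on ELF64
    return found

def elf_file_features(path):
    # Find .note.gnu.property through the section header table of a little-endian ELF64 file.
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    shdr = lambda i: struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
    strtab = shdr(e_shstrndx)[4]                 # sh_offset of .shstrtab
    for i in range(e_shnum):
        sh_name, _, _, _, sh_offset, sh_size, *_ = shdr(i)
        if data[strtab + sh_name:data.index(b"\0", strtab + sh_name)] == b".note.gnu.property":
            return aarch64_features(data[sh_offset:sh_offset + sh_size])
    return set()                                 # no property note: no BTI/PAC guarantee at all
```

A binary that reports neither marker was not built with the flag (or was linked with an object that lacked it, since the linker ANDs the property across inputs), which is exactly the gap this bug asks gcc's defaults to close.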
Please add `-mbranch-
[0] https:/
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
[6] https:/
[7] https:/
Updates for this flag will not include package documentation until LP#2046279 is addressed.
I'll help and follow up however I can.