Skip to content

[AArch64] Add initial support for PAC relocs#2

Closed
kovdan01 wants to merge 16 commits intomaster-oldfrom
dkovalev/pauth-release-19.x
Closed

[AArch64] Add initial support for PAC relocs#2
kovdan01 wants to merge 16 commits intomaster-oldfrom
dkovalev/pauth-release-19.x

Conversation

@kovdan01
Copy link

@kovdan01 kovdan01 commented Aug 23, 2024
edited
Loading

This replaces #1 with some enhancements:

  • support for signed GOT and PLT GOT;
  • support for addr discr of init/fini pointers;
  • support for R_AARCH64_AUTH_TLSDESC reloc.

eleviant and others added 10 commits September 5, 2023 13:29
@eleviant
[AArch64] Add initial support for PAC relocs
dfb58ee
@eleviant
Check PAuth ABI compatibility when loading DSO
e245ace 
TODO: do we need this to be done for vDSO as well?
@eleviant
Some fixes required to run llvm-testsuite with PAC enabled
30c2c61 
- Do not check pointer signature before we are relocated
  as this might be a pointer to global.
- Sign function pointers returned from __vdsosym.
- Do not apply PAC relocs in __dls2, because we may need
  to do this second time in __dls3. We can't do this as
  we overwrite authentication scheme when applying relocs.
@kovdan01
Do not sign zero pointers when resolving relocations
de66a6f
@kovdan01
Support signed function pointers in init/fini arrays
31a2055
@eleviant
Change ptrauth dynamic reloc values
51e9446 
See ARM-software/abi-aa@27491c9
@kovdan01
[PAC] Use __has_feature macro instead of custom ones
99df7d2
@kovdan01
[PAC] Update R_AARCH64_AUTH_ABS64 reloc ID
2cb2d9f
@kovdan01
[PAC] Support signed GOT and PLT GOT
77e7b7f
@kovdan01
[PAC] Support addr discr for init/fini pointers
a32e4de
@kovdan01 kovdan01 mentioned this pull request Aug 23, 2024
Closed
@kovdan01 kovdan01 force-pushed the dkovalev/pauth-release-19.x branch from 1268c66 to 9525be8 Compare September 12, 2024 16:29
@kovdan01 kovdan01 mentioned this pull request Oct 27, 2024
Closed
kovdan01 and others added 2 commits March 25, 2025 20:13
@kovdan01
Sign result of R_AARCH64_JUMP_SLOT only when DT_AARCH64_PAC_PLT p…
ac023bf 
…resent

Previously, it was signed unconditionally w/o taking the dynamic tag into
account (only `__has_feature(ptrauth_calls)` was checked by preprocessor).

See also specification:
https://github.com/ARM-software/abi-aa/blob/main/pauthabielf64/pauthabielf64.rst#recording-a-signed-plt-got-in-the-elf-file
@atrosinenko
Add pac-ret hardening to _init and _fini (#4)
5d84f20 
Ideally, this should be conditional on whether ptrauth_returns is
requested and which key is used, but this patch still should be safe as
PACIASP and AUTIASP are encoded as HINT and both prologue and epilogue
use the same IA key.

Note that even if .init_array and .fini_array are actually used,
_init and _fini functions are statically linked into every executable,
thus this patch is a natural way to silence multiple warnings reported
by PAuth gadget scanner for every executable.
@kovdan01 kovdan01 changed the base branch from master to master-old July 28, 2025 16:56
@kovdan01
Copy link
Author

kovdan01 commented Jul 28, 2025

Closing this as it's superseeded by #5 which is based on top of latest v1.2.5 musl release.

@kovdan01 kovdan01 closed this Jul 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kovdan01 @eleviant @atrosinenko