Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S

stratakis · stratakis · commit 6d86e0f48d5e · 2025-01-09T15:25:15.000+01:00
The BTI flag must be applied in assembler sources for this class of attacks to be mitigated on newer aarch64 processors. See also: https://sourceware.org/annobin/annobin.html/Test-branch-protection.html and https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/enabling-pac-and-bti-on-aarch64
diff --git a/Python/asm_trampoline.S b/Python/asm_trampoline.S
@@ -18,10 +18,18 @@ _Py_trampoline_func_start:
 #if defined(__aarch64__) && defined(__AARCH64EL__) && !defined(__ILP32__)
     // ARM64 little endian, 64bit ABI
     // generate with aarch64-linux-gnu-gcc 12.1
+#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 || \
+    defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
+    hint 25
+#endif
     stp     x29, x30, [sp, -16]!
     mov     x29, sp
     blr     x3
     ldp     x29, x30, [sp], 16
+#if defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 || \
+    defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
+    hint 29
+#endif
     ret
 #endif
 #ifdef __riscv
@@ -53,3 +61,22 @@ _Py_trampoline_func_end:
     .align 8
 4:
 #endif // __x86_64__
+#if defined(__aarch64__) && defined(__AARCH64EL__) && !defined(__ILP32__)
+#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1 ||
+  defined(__ARM_FEATURE_PAC_DEFAULT) && (__ARM_FEATURE_PAC_DEFAULT & 1) == 1
+    .pushsection    .note.gnu.property, "a"
+    .align  3
+    .word   2f - 1f
+    .word   4f - 3f
+    .word   5            /* NT_GNU_PROPERTY_TYPE_0 */
+1:  .asciz  "GNU"
+
+2:  .align  3
+3:  .word   0xc0000000   /* type: GNU_PROPERTY_AARCH64_FEATURE_1_AND */
+    .word   6f - 5f      /* size */
+5:  .word   3            /* value: GNU_PROPERTY_AARCH64_FEATURE_1_BTI */
+
+6:  .align  3
+4:  .popsection
+#endif
+#endif
