Linux 5.8 Tightens ARM 64-Bit Security With BTI, Shadow Call Stack Support
The 64-bit ARM (ARM64 / AArch64) architecture changes have already landed in the in-development Linux 5.8 codebase.
For Linux 5.8, the modern Arm architectural changes primarily revolve around two newly supported security features: Branch Target Identification and Shadow Call Stack.
Branch Target Identification (BTI) is part of the ARMv8.5 specification. It marks the valid targets of indirect branches, and the CPU traps when code in a protected page tries to perform an indirect branch to an instruction other than a marked BTI.
Unlike BTI, which needs ARMv8.5 SoC support, Shadow Call Stack (SCS) is a compiler-level feature available when building with LLVM/Clang. It is designed to protect against return address overwrites. Currently, the LLVM/Clang compiler code supports this only on AArch64, and so does the kernel code in Linux 5.8. The kernel code could be ported to other architectures if LLVM ends up supporting Shadow Call Stack elsewhere. SCS support was previously dropped on x86_64 over big performance hits.
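Because BTI depends on both the kernel build and the CPU while Shadow Call Stack depends only on how the kernel was built, a quick audit has to look at both places. The script below is an added example, not code from the article or the kernel tree; it assumes the kernel options `CONFIG_SHADOW_CALL_STACK` and `CONFIG_ARM64_BTI` and the `bti` flag on the `Features` line of `/proc/cpuinfo`, and it runs against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the article). Assumed names: the kernel options
# CONFIG_SHADOW_CALL_STACK and CONFIG_ARM64_BTI, and the "bti" flag on the
# Features line of /proc/cpuinfo.

# Succeed if option $2 is set to y in kernel config file $1.
config_enabled() {
    grep -q "^$2=y\$" "$1"
}

# Succeed if a Features line in cpuinfo-format file $1 lists "bti".
cpu_has_bti() {
    grep -i '^Features' "$1" | grep -qw 'bti'
}

# Print one status line per feature; exit status = number of gaps found.
# $1 = kernel config file, $2 = cpuinfo-format file
audit_arm64_hardening() {
    gaps=0
    if config_enabled "$1" CONFIG_SHADOW_CALL_STACK; then
        echo "SCS: kernel built with Shadow Call Stack"
    else
        echo "SCS: not enabled (needs an arm64 kernel built with Clang)"
        gaps=$((gaps + 1))
    fi
    if ! config_enabled "$1" CONFIG_ARM64_BTI; then
        echo "BTI: support not built into this kernel"
        gaps=$((gaps + 1))
    elif ! cpu_has_bti "$2"; then
        echo "BTI: built in, but the CPU does not report ARMv8.5 BTI"
        gaps=$((gaps + 1))
    else
        echo "BTI: built in and reported by the CPU"
    fi
    return "$gaps"
}

# Constructed sample inputs so the script runs offline on any machine.
demo_dir=$(mktemp -d)
printf 'CONFIG_ARM64_BTI=y\n# CONFIG_SHADOW_CALL_STACK is not set\n' > "$demo_dir/config"
printf 'Features\t: fp asimd evtstrm aes sha2 crc32 atomics\n' > "$demo_dir/cpuinfo"
audit_arm64_hardening "$demo_dir/config" "$demo_dir/cpuinfo" || echo "gaps found: $?"
```

On a real arm64 system, pass the running kernel's config file (commonly `/boot/config-$(uname -r)`, a distribution convention) and `/proc/cpuinfo` to `audit_arm64_hardening` instead of the sample files.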
The rest of the ARM64 changes are mostly minor and outlined via this merge. Still coming up in the days ahead for the Linux 5.8 merge window are all of the SoC/platform/DeviceTree changes.