cc-wrapper: add support for pacret hardening flag on aarch64

2024-11-25 00:12:56 +00:00 · 2024-06-08 15:58:54 +01:00 · 2024-06-08 15:58:54 +01:00 · 48bde3a189
commit 48bde3a189
parent cc7b011fe1
7 changed files with 16 additions and 1 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -265,6 +265,8 @@

 - The `stackclashprotection` hardening flag has been added, though disabled by default.

+- The `pacret` hardening flag has been added, though disabled by default.
+
 - `cargoSha256` in `rustPlatform.buildRustPackage` has been deprecated in favor
  of `cargoHash` which supports SRI hashes. See
  [buildRustPackage: Compiling Rust applications with Cargo](https://nixos.org/manual/nixpkgs/unstable/#compiling-rust-applications-with-cargo)
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi

 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection pie pic strictoverflow format trivialautovarinit zerocallusedregs)
+  declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection pacret pie pic strictoverflow format trivialautovarinit zerocallusedregs)
  declare -A hardeningDisableMap=()

  # Determine which flags were effectively disabled so we can report below.
@ -79,6 +79,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling shadowstack >&2; fi
      hardeningCFlagsBefore+=('-fcf-protection=return')
      ;;
+    pacret)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pacret >&2; fi
+      hardeningCFlagsBefore+=('-mbranch-protection=pac-ret')
+      ;;
    stackprotector)
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
      hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
--- a/pkgs/development/compilers/gcc/default.nix
+++ b/pkgs/development/compilers/gcc/default.nix
@ -437,6 +437,7 @@ pipe ((callFile ./common/builder.nix {}) ({
        && targetPlatform.isx86_64
        && targetPlatform.libc == "glibc"
      )) "shadowstack"
+      ++ optional (!(atLeast9 && targetPlatform.isLinux && targetPlatform.isAarch64)) "pacret"
      ++ optionals (langFortran) [ "fortify" "format" ];
  };

--- a/pkgs/development/compilers/llvm/common/clang/default.nix
+++ b/pkgs/development/compilers/llvm/common/clang/default.nix
@ -143,6 +143,11 @@ let
          || !targetPlatform.isLinux
          || !targetPlatform.isx86_64
        ) "shadowstack"
+        ++ lib.optional (
+          (lib.versionOlder release_version "8")
+          || !targetPlatform.isAarch64
+          || !targetPlatform.isLinux
+        ) "pacret"
        ++ lib.optional (
          (lib.versionOlder release_version "11")
          || (targetPlatform.isAarch64 && (lib.versionOlder release_version "18.1"))
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@ -116,6 +116,7 @@ let
    "fortify"
    "fortify3"
    "shadowstack"
+    "pacret"
    "pic"
    "pie"
    "relro"
--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@ -18,6 +18,7 @@ derivation ({
  hardeningUnsupportedFlags = [
    "fortify3"
    "shadowstack"
+    "pacret"
    "stackclashprotection"
    "trivialautovarinit"
    "zerocallusedregs"
--- a/pkgs/top-level/stage.nix
+++ b/pkgs/top-level/stage.nix
@ -323,6 +323,7 @@ let
          stdenv = super'.withDefaultHardeningFlags (
            super'.stdenv.cc.defaultHardeningFlags ++ [
              "shadowstack"
+              "pacret"
              "stackclashprotection"
              "trivialautovarinit"
            ]