Summary

Add a command line option to enable/disable AArch64 PAC-RET. This should flag should be expandable for future branch protection work. GCC/Clang already has a -mbranch-protection flag which supports PAC-RET and BTI. Where possible we should following existing precedents.

Problem

AArch64 PAC-RET support needs the ability to enable or disable it.

Solution

Add XX:UseBranchProtection string flag for AArch64.

Specification

-XX:UseBranchProtection will have the following options:

• none - Disable PAC-RET support. This is the default option.
• standard - Enable PAC-RET support if the system supports it and the java binary was compiled with PAC-RET. Otherwise disable PAC-RET.
• pac-ret - Enable PAC-RET support. If the system does not support it or the java binary was not compiled with PAC then print a warning but leave enabled.

If/When BTI or other branch protection functionality is added, then additional options can be added. The option to concatenate multiple options together should be added (for example bti+pac-ret). Standard should always enable all options that are available for the current system.

pac-ret will initially only supported on AArch64 Linux.

For reference, the GCC supports: -mbranch-protection=none|standard|pac-ret[+leaf+b-key]|bti And allows multiple options concatenated together via +