Type: Sub-task
Resolution: Delivered
Priority: P4
Fix Version: 19
CPU: aarch64
OS: linux
Support for PAC-RET protection on the Linux/AArch64 platform has been introduced.
When enabled, OpenJDK uses the hardware features of the ARMv8.3 Pointer Authentication Code (PAC) extension to protect return addresses against Return Oriented Programming (ROP) attacks: the return address is signed on function entry and authenticated before the return, so a corrupted return address faults instead of redirecting control flow. For more information on the PAC extension see ["Providing protection for complex software"](https://documentation-service.arm.com/static/602a81dbbc293d2cd05e6b09) or the "Pointer authentication in AArch64 state" section in the [Arm ARM](https://developer.arm.com/documentation/ddi0487/latest/).
To take advantage of this feature, OpenJDK must first be built with the configure flag `--enable-branch-protection` using GCC 9.1.0+ or LLVM 10+. At runtime, the `-XX:UseBranchProtection` flag selects the behaviour (its default is `none`). `-XX:UseBranchProtection=standard` enables PAC-RET protection if both the hardware supports PAC and the `java` binary was compiled with branch protection enabled; if either condition is not met the flag is silently ignored and the JVM runs without PAC-RET. `-XX:UseBranchProtection=pac-ret` also enables PAC-RET protection under the same two conditions, but if either is not met the JVM prints a warning, which makes `pac-ret` the right choice where PAC-RET is a hardening requirement rather than an opportunistic extra.
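Because `standard` is silent when PAC-RET cannot be enabled, a deployment that relies on it should check the two preconditions itself. The script below is an added example, not code from the OpenJDK release note or the project: it inspects the kernel's CPU feature list (the `paca` and `pacg` HWCAP flags) and the GNU property note that a branch-protected build stamps into the JVM binary, and reports why PAC-RET would or would not take effect. The inputs are constructed stand-ins with the same layout as `grep '^Features' /proc/cpuinfo` and `readelf -n "$JAVA_HOME/lib/server/libjvm.so"`; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the OpenJDK release note): decide up front whether
# -XX:UseBranchProtection=pac-ret can take effect on this host.
# Two inputs are needed: the CPU feature list and the GNU property note of
# the JVM binary. On a live system they come from
#   grep -m1 '^Features' /proc/cpuinfo
#   readelf -n "$JAVA_HOME/lib/server/libjvm.so"
# The samples below are constructed stand-ins with the same layout.

SAMPLE_CPUINFO='processor       : 0
Features        : fp asimd aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 asimddp paca pacg dcpodp'

SAMPLE_NOTES='Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: AArch64 feature: BTI, PAC'

# has_word TEXT WORD: succeed if WORD appears as a whole token in TEXT.
has_word() {
    printf '%s\n' "$1" | grep -Eq "(^|[[:space:],])$2([[:space:],]|\$)"
}

# cpu_has_pac CPUINFO: the kernel exposes the PAC extension as two HWCAP
# flags, paca (address authentication) and pacg (generic authentication).
cpu_has_pac() {
    features=$(printf '%s\n' "$1" | grep '^Features')
    has_word "$features" paca && has_word "$features" pacg
}

# binary_has_pac NOTES: a binary built with -mbranch-protection=standard or
# pac-ret carries a GNU property note that readelf renders as
# "AArch64 feature: ... PAC".
binary_has_pac() {
    props=$(printf '%s\n' "$1" | grep 'AArch64 feature:')
    has_word "$props" PAC
}

# pac_ret_status CPUINFO NOTES: prints one of
#   supported          - PAC-RET will be enabled
#   no-cpu-support     - hardware lacks PAC; pac-ret warns, standard is silent
#   no-binary-support  - JDK built without --enable-branch-protection
pac_ret_status() {
    if ! cpu_has_pac "$1"; then
        echo no-cpu-support
    elif ! binary_has_pac "$2"; then
        echo no-binary-support
    else
        echo supported
    fi
}

# Usage on the constructed samples; swap in live output to check a real host.
status=$(pac_ret_status "$SAMPLE_CPUINFO" "$SAMPLE_NOTES")
echo "pac-ret status: $status"
if [ "$status" = supported ]; then
    echo "launch with: java -XX:UseBranchProtection=pac-ret ..."
fi
```

The check is deliberately split in two because the remedies differ: `no-cpu-support` means the host (or the VM instance type) has to change, while `no-binary-support` means the JDK has to be rebuilt with `--enable-branch-protection`. Running with `pac-ret` rather than `standard` turns the same two conditions into a visible warning at JVM start, so the script is most useful in a pre-deployment gate where a warning in logs would go unnoticed.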