  1. JDK
  2. JDK-8277204 Implement PAC-RET branch protection on Linux/AArch64
  3. JDK-8281209

Release Note: Support for PAC-RET Protection on Linux/AArch64

    Details

    • CPU:
      aarch64
    • OS:
      linux

      Description

      Support for PAC-RET protection on the Linux/AArch64 platform has been introduced.

      When enabled, OpenJDK will use hardware features from the ARMv8.3 Pointer Authentication Code (PAC) extension to protect against Return-Oriented Programming (ROP) attacks. For more information on the PAC extension, see ["Providing protection for complex software"](https://documentation-service.arm.com/static/602a81dbbc293d2cd05e6b09) or the "Pointer authentication in AArch64 state" section in the [Arm ARM](https://developer.arm.com/documentation/ddi0487/latest/).

      To take advantage of this feature, OpenJDK must first be built with the configuration flag `--enable-branch-protection` using GCC 9.1.0+ or LLVM 10+. The runtime flag `-XX:UseBranchProtection=standard` then enables PAC-RET protection if the system supports it and the `java` binary was compiled with branch protection enabled; otherwise the flag is silently ignored. Alternatively, `-XX:UseBranchProtection=pac-ret` also enables PAC-RET protection, but if the system does not support it or the `java` binary was not compiled with branch protection enabled, a warning is printed.
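
A deployment preflight for the runtime flags described above, as an added example that is not part of the release note or of OpenJDK. It assumes that "the system supports it" can be approximated by the Linux kernel listing `paca` on the `Features` line of `/proc/cpuinfo`; the function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not OpenJDK code). Assumption: system support for PAC-RET is
# approximated by the kernel listing "paca" (pointer address authentication)
# on the Features line of /proc/cpuinfo.

# has_paca FILE: succeed if a Features line in FILE lists "paca" as a whole
# word. Whole-word matching keeps "pacg" (generic authentication) from
# being mistaken for address authentication.
has_paca() {
    awk -F: '
        /^Features/ {
            n = split($2, feat, " ")
            for (i = 1; i <= n; i++) if (feat[i] == "paca") found = 1
        }
        END { exit !found }
    ' "$1"
}

# branch_protection_flag FILE: print the runtime flag to pass to java.
# pac-ret is chosen where PAC is expected, so that a java binary built without
# --enable-branch-protection produces a warning instead of running silently
# unprotected. standard is the fallback for AArch64 hosts without PAC.
branch_protection_flag() {
    if has_paca "$1"; then
        echo "-XX:UseBranchProtection=pac-ret"
    else
        echo "-XX:UseBranchProtection=standard"
    fi
}

# write_samples DIR: constructed Features lines (not captured from real hosts).
write_samples() {
    printf 'Features\t: fp asimd aes crc32 atomics paca pacg\n' > "$1/pac.txt"
    printf 'Features\t: fp asimd aes crc32 atomics\n' > "$1/nopac.txt"
    printf 'Features\t: fp asimd aes crc32 atomics pacg\n' > "$1/pacg_only.txt"
}

# Report for the local host when run on Linux/AArch64.
if [ "$(uname -m)" = "aarch64" ] && [ -r /proc/cpuinfo ]; then
    echo "local host: $(branch_protection_flag /proc/cpuinfo)"
fi
```

Because `standard` is silently ignored on an unsupported system or an unprotected build, selecting `pac-ret` on hosts that report `paca` is what turns a missing build flag into a visible warning.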

            People

            Assignee:
            ahayward Alan Hayward
            Reporter:
            ahayward Alan Hayward