linux-arm64.txt
# Linux + arm64 (aarch64) only — appended after base.txt and linux.txt.
# Target ISA baseline: ARMv8.2-A with crypto + CRC. Matches the "server
# arm64" floor (Neoverse N1, Graviton 2+, Ampere Altra) without requiring
# Neoverse-V1-only features like SVE. Pulls in dotprod (helpful for
# BoringSSL's vectorized GHASH/Poly1305), the FP16 ops, and the AES /
# SHA-1 / SHA-2 / PMULL instruction families used heavily in BoringSSL.
-march=armv8.2-a+crypto+crc+dotprod
# Pointer Authentication + Branch Target Identification. `standard` is the
# clang-recommended bundle:
#   - pac-ret : sign LR on function entry, authenticate on return
#               (defeats most ROP-style return-address overwrite).
#   - bti     : emit BTI landing pads at indirect-branch targets so the
#               PE marks code pages with PROT_BTI; on hardware that
#               supports it (ARMv8.5+, Apple M1+, Neoverse-N2/V1+)
#               indirect branches into non-landing-pad bytes trap.
# Backwards-compatible: PAC instructions are HINT-space NOPs on pre-v8.3
# hardware, BTI lands in HINT space too. Net: hardening on modern silicon,
# zero cost on older.
-mbranch-protection=standard
# NOTE on `-Wl,-z,force-bti` and `-Wl,-z,pac-plt`:
# These are the linker-side enforcers that would mark the output binary as
# requiring PROT_BTI / PAC at load time. They are intentionally NOT enabled
# here because lld treats them as *strict*: it errors out (not warns) if
# any input object lacks the corresponding GNU property note, and the
# stock Ubuntu/glibc CRT objects (Scrt1.o, crti.o, crtn.o on noble-arm64
# 24.04) ship without those notes — the link aborts with
#
#     ld.lld: error: /lib/aarch64-linux-gnu/Scrt1.o: -z force-bti: file
#     does not have GNU_PROPERTY_AARCH64_FEATURE_1_BTI property
#
# We keep the codegen flag (`-mbranch-protection=standard` above) so our
# own .o files emit the PAC/BTI sequences and per-object notes; lld then
# combines those into the output's PT_GNU_PROPERTY only when *every*
# input agrees. Re-enable the two `-z ...` flags once we link against a
# CRT/libc that ships BTI/PAC notes (musl built with --enable-bti, or a
# custom-built glibc 2.39+ with the property pass on).
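
Added example (not part of this file or its project): a Python check for the per-object GNU property notes that the NOTE above depends on. It reads the `GNU_PROPERTY_AARCH64_FEATURE_1_AND` word from each little-endian ELF64 input and reports which bits every input agrees on and which inputs lack BTI, the condition under which `-z force-bti` aborts the link. The function names and the `make_obj` sample builder are assumptions, and the sample objects are constructed.

```python
import struct

FEATURE_1_AND, BTI, PAC = 0xC0000000, 0x1, 0x2  # GNU_PROPERTY_AARCH64_FEATURE_1_{AND,BTI,PAC}
SHT_NOTE, NT_GNU_PROPERTY_TYPE_0 = 7, 5
def _pad(n, a): return (n + a - 1) & ~(a - 1)

def _note_bits(sec, align):
    """OR together the FEATURE_1_AND words found in one SHT_NOTE section."""
    bits, pos = 0, 0
    while pos + 12 <= len(sec):
        namesz, descsz, ntype = struct.unpack_from("<III", sec, pos)
        desc = _pad(pos + 12 + namesz, align)
        if sec[pos + 12:pos + 12 + namesz] == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0:
            p = desc
            while p + 12 <= min(desc + descsz, len(sec)):
                # Each property: pr_type, pr_datasz, data padded to 8 bytes.
                pr_type, pr_datasz, word = struct.unpack_from("<III", sec, p)
                if pr_type == FEATURE_1_AND and pr_datasz == 4:
                    bits |= word
                p += 8 + _pad(pr_datasz, 8)
        pos = _pad(desc + descsz, align)
    return bits

def features(elf):
    """FEATURE_1_AND bits of a little-endian ELF64 file; 0 when it has no such note."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 file")
    # e_shoff at 0x28, then e_shentsize / e_shnum at 0x3A / 0x3C.
    shoff, shentsize, shnum = struct.unpack_from("<Q10xHH", elf, 0x28)
    bits = 0
    for i in range(shnum):
        _, sh_type, _, _, off, size, _, _, addralign, _ = struct.unpack_from(
            "<IIQQQQIIQQ", elf, shoff + i * shentsize)
        if sh_type == SHT_NOTE:
            bits |= _note_bits(elf[off:off + size], 8 if addralign == 8 else 4)
    return bits

def audit(inputs):
    """Return (bits present in every input, names of inputs lacking the BTI bit)."""
    per = {name: features(data) for name, data in inputs.items()}
    common = sum(f for f in (BTI, PAC) if all(b & f for b in per.values()))
    return common, [name for name, b in per.items() if not b & BTI]

def make_obj(bits=None):
    """Constructed sample input: minimal ELF64 object, optionally with a property note."""
    note = b"" if bits is None else struct.pack(
        "<III4sIII4x", 4, 16, NT_GNU_PROPERTY_TYPE_0, b"GNU\0", FEATURE_1_AND, 4, bits)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, 183, 1, 0, 0, 64 + len(note), 0, 64, 0, 0, 64, 1 if note else 0, 0)
    shdr = struct.pack("<IIQQQQIIQQ", 0, SHT_NOTE, 2, 0, 64, len(note), 0, 0, 8, 0)
    return ehdr + note + (shdr if note else b"")
```

To run it on real inputs, pass `audit` a dict mapping each path (the CRT objects plus your own `.o` files) to the bytes read from that file.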