make: Disable branch-protection for PIE code on ARM64

Branch protection uses PAC. It cryptographically "signs" a function's return address before it is stored on the stack. Upon return, the address is authenticated using a secret key. If the signature is invalid, the program will fault. The PIE code is used for the parasite and the restorer. In both cases, it runs in a foreign process. The case of the restorer is even trickier because it needs to restore the original PAC keys, which invalidates all previously "signed" pointers within the restorer itself. Fixes #2709 Signed-off-by: Andrei Vagin <avagin@gmail.com>
2025-08-22 01:51:51 +00:00 · 2025-08-15 01:44:01 +00:00 · 2025-08-15 01:44:01 +00:00 · d8c349270c
commit d8c349270c
parent 17a5c6e144
1 changed files with 2 additions and 0 deletions
--- a/2
+++ b/2
@ -64,6 +64,8 @@ endif

 ifeq ($(ARCH),aarch64)
        DEFINES		:= -DCONFIG_AARCH64
+        CC_MBRANCH_PROT := $(shell $(CC) -c -x c /dev/null -mbranch-protection=none -o /dev/null >/dev/null 2>&1 && echo "-mbranch-protection=none")
+        CFLAGS_PIE	:= $(CC_MBRANCH_PROT)
 endif

 ifeq ($(ARCH),ppc64)