asm_trampoline.S misses BTI/PAC protection flags for aarch64

[stratakis]

Bug report

Bug description:

asm_trampoline.S added here 6d791a9 misses the BTI/PAC protections offered for the latest aarch64 processors when using the -mbranch-protection=<protection> flag.

For C code the compiler takes care of that, however for the assembler files the relevant instructions need to be added manually.

This was discovered by running the annobin-annocheck tool on a Fedora machine:

$ annocheck --hardened libpython3.14.so.1.0

annocheck 'hardened' test fails for /usr/lib64/libpython3.14.so.1.0 on aarch64 dynamic-tags test because the BTI_PLT flag is missing from the dynamic tags

property-note test because properly formatted .note.gnu.property not found (it is needed for branch protection support)

When the protections are there, the binary/library should read:

$ readelf -n libpython3.14.so.1.0 | grep Properties
Properties: AArch64 feature: BTI, PAC

While adding the instructions is simple enough, more complexity arises due to Perf requiring to work without frame pointers from 3.13+.

Relevant documentation: https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/enabling-pac-and-bti-on-aarch64

CPython versions tested on:

CPython main branch, 3.15, 3.14, 3.13, 3.12

Operating systems tested on:

Linux

Linked PRs

• gh-139808: Add branch protections for aarch64 in asm_trampoline.S #130864
• [3.15] gh-139808: Add branch protections for aarch64 in asm_trampoline.S (GH-130864) #149730
• [3.14] gh-139808: Add branch protections for aarch64 in asm_trampoline.S (#130864) #150189
• [3.13] gh-139808: Add branch protections for aarch64 in asm_trampoline.S (GH-130864) (GH-150189) #150194
• [3.12] gh-139808: Add branch protections for aarch64 in asm_trampoline.S (#130864) #150198