Message ID: 20240930200822.1669666-1-adhemerval.zanella@linaro.org
Series: elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
On Mon, Sep 30, 2024 at 1:08 PM Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:
>
> The new attribute indicates that an ET_EXEC or ET_DYN ELF object should
> be memory-sealed if the loader supports it. Memory sealing is useful as
> a hardening mechanism to avoid either remapping the memory segments or
> changing the memory protection segments layout by the dynamic loader
> (for instance, the RELRO hardening). Linux 6.10
> (8be7258aad44b5e25977a98db136f677fa6f4370) added the mseal syscall,
> which accomplishes this.
>
> A GNU property is used instead of a new dynamic section tag (like the
> one proposed for DT_GNU_FLAGS_1) because the memory sealing should be
> selectable for ET_EXEC and not only for ET_DYN. It also fits new opt-in
> security features like x86 CET or AArch64 BTI.
>
> The first patch adds the -Wl,memory-seal/-Wl,nomemory-seal options to
> ld.bfd. The GNU_PROPERTY_MEMORY_SEAL property is added only for ET_EXEC
> or ET_DYN objects.
>
> The second patch adds similar support for ld.gold.
>
> The third patch adds the ld --enable-memory-seal configure option to
> enable the memory sealing mark as default (similar to other security
> hardening as RELRO or non-executable stacks).
> --enable-memory-seal helps distributions that want to enable sealing by default.

I like this approach because it gives distributions a choice for their own strategies. As an example using chromeOS, I imagine that we can start with opt-in, testing it on a few apps, e.g. Chrome, then switch to opt-out and enable sealing for the entire system.

> Changes v1->v2:
> * Make the security hardening opt-in instead of opt-out.
> * Add gold support.
>
> Adhemerval Zanella (3):
>   elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>   gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>   ld: Add --enable-memory-seal configure option
>
>  bfd/elf-properties.c                       | 72 +++++++++++++++++-----
>  bfd/elfxx-x86.c                            |  3 +-
>  binutils/readelf.c                         |  6 ++
>  binutils/testsuite/lib/binutils-common.exp | 22 +++++++
>  elfcpp/elfcpp.h                            |  1 +
>  gold/NEWS                                  |  3 +
>  gold/layout.cc                             |  4 ++
>  gold/options.h                             |  3 +
>  gold/testsuite/Makefile.am                 | 19 ++++++
>  gold/testsuite/Makefile.in                 | 26 +++++++-
>  gold/testsuite/memory_seal_main.c          |  5 ++
>  gold/testsuite/memory_seal_shared.c        |  7 +++
>  gold/testsuite/memory_seal_test.sh         | 45 ++++++++++++++
>  include/bfdlink.h                          |  3 +
>  include/elf/common.h                       |  1 +
>  ld/NEWS                                    |  4 ++
>  ld/config.in                               |  3 +
>  ld/configure                               | 28 ++++++++-
>  ld/configure.ac                            | 17 +++++
>  ld/emultempl/elf.em                        |  5 ++
>  ld/ld.texi                                 |  8 +++
>  ld/lexsup.c                                | 11 ++++
>  ld/testsuite/config/default.exp            |  8 +++
>  ld/testsuite/ld-elf/property-seal-1.d      | 15 +++++
>  ld/testsuite/ld-elf/property-seal-2.d      | 14 +++++
>  ld/testsuite/ld-srec/srec.exp              |  4 ++
>  ld/testsuite/lib/ld-lib.exp                |  6 ++
>  27 files changed, 320 insertions(+), 23 deletions(-)
>  create mode 100644 gold/testsuite/memory_seal_main.c
>  create mode 100644 gold/testsuite/memory_seal_shared.c
>  create mode 100755 gold/testsuite/memory_seal_test.sh
>  create mode 100644 ld/testsuite/ld-elf/property-seal-1.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-2.d
>
> --
> 2.34.1
>