[v3,0/3] elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property

Message ID	20241016170435.1404114-1-adhemerval.zanella@linaro.org
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of binutils-bounces~patch=linaro.org@sourceware.org designates 8.43.85.97 as permitted sender) client-ip=8.43.85.97; DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org CF7363858D33 From: Adhemerval Zanella <adhemerval.zanella@linaro.org> To: binutils@sourceware.org Cc: Stephen Roettger <sroettger@google.com>, Jeff Xu <jeffxu@google.com>, "H . J . Lu" <hjl.tools@gmail.com> Subject: [PATCH v3 0/3] elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property Date: Wed, 16 Oct 2024 14:01:10 -0300 Message-ID: <20241016170435.1404114-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: binutils-bounces~patch=linaro.org@sourceware.org
Series	elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property \| expand [v3,0/3] elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property [v3,1/3] elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property [v3,2/3] gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property [v3,3/3] ld: Add --enable-memory-seal configure option

Message ID

20241016170435.1404114-1-adhemerval.zanella@linaro.org

Headers

Received-SPF: pass (google.com: domain of
 binutils-bounces~patch=linaro.org@sourceware.org designates 8.43.85.97 as
 permitted sender) client-ip=8.43.85.97;
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org CF7363858D33
From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
To: binutils@sourceware.org
Cc: Stephen Roettger <sroettger@google.com>, Jeff Xu <jeffxu@google.com>,
 "H . J . Lu" <hjl.tools@gmail.com>
Subject: [PATCH v3 0/3] elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
Date: Wed, 16 Oct 2024 14:01:10 -0300
Message-ID: <20241016170435.1404114-1-adhemerval.zanella@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: binutils-bounces~patch=linaro.org@sourceware.org

Series

elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property | expand

Message

Adhemerval Zanella Netto Oct. 16, 2024, 5:01 p.m. UTC

The new attribute indicates that an ET_EXEC or ET_DYN ELF object should
be memory-sealed if the loader supports it. Memory sealing is useful as
a hardening mechanism to avoid either remapping the memory segments or
changing the memory protection segments layout by the dynamic loader
(for instance, the RELRO hardening). The Linux 6.10
(8be7258aad44b5e25977a98db136f677fa6f4370) added the mseal syscall
accomplishes it.

A GNU property is used instead of a new dynamic sectiopn tag (like the
one proposed fro DT_GNU_FLAGS_1) to allow memory sealing to work with
ET_EXEC without PT_DYNAMIC support (at least for glibc some ports
still do no support static-pie).

The first patch adds the -Wl,memory-seal/-Wl,nomemory-seal options to
ld.bfd. The GNU_PROPERTY_MEMORY_SEAL property is added only for ET_EXEC
or ET_DYN objects.

The second patch adds similar support for ld.gold.

The third patch adds the ld --enable-memory-seal configure options to
enable the memory sealing mark as default (similar to other security
hardening as RELRO or non-executable stacks).

Changes v2->v3:
* Do not add or merge the GNU_PROPERTY_MEMORY_SEAL property if present
  on ET_REL.
* Extend testing.

Changes v1->v2:
* Make the security hardening opt-in instead of opt-out.
* Add gold support.

Adhemerval Zanella (3):
  elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
  gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property
  ld: Add --enable-memory-seal configure option

 bfd/elf-properties.c                       | 100 ++++++++++++++++-----
 bfd/elfxx-x86.c                            |   3 +-
 binutils/readelf.c                         |   6 ++
 binutils/testsuite/lib/binutils-common.exp |  22 +++++
 elfcpp/elfcpp.h                            |   1 +
 gold/NEWS                                  |   3 +
 gold/layout.cc                             |   4 +
 gold/options.h                             |   3 +
 gold/testsuite/Makefile.am                 |  19 ++++
 gold/testsuite/Makefile.in                 |  26 +++++-
 gold/testsuite/memory_seal_main.c          |   5 ++
 gold/testsuite/memory_seal_shared.c        |   7 ++
 gold/testsuite/memory_seal_test.sh         |  45 ++++++++++
 include/bfdlink.h                          |   3 +
 include/elf/common.h                       |   1 +
 ld/NEWS                                    |   4 +
 ld/config.in                               |   3 +
 ld/configure                               |  38 ++++++--
 ld/configure.ac                            |  17 ++++
 ld/emultempl/elf.em                        |   5 ++
 ld/ld.texi                                 |   8 ++
 ld/lexsup.c                                |  11 +++
 ld/testsuite/config/default.exp            |   8 ++
 ld/testsuite/ld-elf/property-seal-1.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-1.s      |  11 +++
 ld/testsuite/ld-elf/property-seal-2.d      |  17 ++++
 ld/testsuite/ld-elf/property-seal-3.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-4.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-5.d      |  15 ++++
 ld/testsuite/ld-elf/property-seal-6.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-7.d      |  14 +++
 ld/testsuite/ld-elf/property-seal-8.d      |  15 ++++
 ld/testsuite/ld-srec/srec.exp              |   4 +
 ld/testsuite/lib/ld-lib.exp                |   6 ++
 34 files changed, 456 insertions(+), 32 deletions(-)
 create mode 100644 gold/testsuite/memory_seal_main.c
 create mode 100644 gold/testsuite/memory_seal_shared.c
 create mode 100755 gold/testsuite/memory_seal_test.sh
 create mode 100644 ld/testsuite/ld-elf/property-seal-1.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-1.s
 create mode 100644 ld/testsuite/ld-elf/property-seal-2.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-3.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-4.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-5.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-6.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-7.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-8.d