[v2,0/3] elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property

Message ID 20240930200822.1669666-1-adhemerval.zanella@linaro.org
Series elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property

Message

Adhemerval Zanella Netto Sept. 30, 2024, 8:08 p.m. UTC
The new attribute indicates that an ET_EXEC or ET_DYN ELF object should
be memory-sealed if the loader supports it. Memory sealing is useful as
a hardening mechanism to avoid either remapping the memory segments or
changing the memory protection segments layout by the dynamic loader
(for instance, the RELRO hardening). Linux 6.10
(8be7258aad44b5e25977a98db136f677fa6f4370) added the mseal syscall,
which accomplishes it.

A GNU property is used instead of a new dynamic section tag (like the
one proposed for DT_GNU_FLAGS_1) because the memory sealing should be
selectable for ET_EXEC and not only for ET_DYN. It also fits new opt-in
security features like x86 CET or AArch64 BTI. 

The first patch adds the -Wl,memory-seal/-Wl,nomemory-seal options to
ld.bfd. The GNU_PROPERTY_MEMORY_SEAL property is added only for ET_EXEC
or ET_DYN objects.

The second patch adds similar support for ld.gold.

The third patch adds the ld --enable-memory-seal configure option to
enable the memory sealing mark as default (similar to other security
hardening such as RELRO or non-executable stacks).

Changes v1->v2:
* Make the security hardening opt-in instead of opt-out.
* Add gold support.

Adhemerval Zanella (3):
  elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
  gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property
  ld: Add --enable-memory-seal configure option

 bfd/elf-properties.c                       | 72 +++++++++++++++++-----
 bfd/elfxx-x86.c                            |  3 +-
 binutils/readelf.c                         |  6 ++
 binutils/testsuite/lib/binutils-common.exp | 22 +++++++
 elfcpp/elfcpp.h                            |  1 +
 gold/NEWS                                  |  3 +
 gold/layout.cc                             |  4 ++
 gold/options.h                             |  3 +
 gold/testsuite/Makefile.am                 | 19 ++++++
 gold/testsuite/Makefile.in                 | 26 +++++++-
 gold/testsuite/memory_seal_main.c          |  5 ++
 gold/testsuite/memory_seal_shared.c        |  7 +++
 gold/testsuite/memory_seal_test.sh         | 45 ++++++++++++++
 include/bfdlink.h                          |  3 +
 include/elf/common.h                       |  1 +
 ld/NEWS                                    |  4 ++
 ld/config.in                               |  3 +
 ld/configure                               | 28 ++++++++-
 ld/configure.ac                            | 17 +++++
 ld/emultempl/elf.em                        |  5 ++
 ld/ld.texi                                 |  8 +++
 ld/lexsup.c                                | 11 ++++
 ld/testsuite/config/default.exp            |  8 +++
 ld/testsuite/ld-elf/property-seal-1.d      | 15 +++++
 ld/testsuite/ld-elf/property-seal-2.d      | 14 +++++
 ld/testsuite/ld-srec/srec.exp              |  4 ++
 ld/testsuite/lib/ld-lib.exp                |  6 ++
 27 files changed, 320 insertions(+), 23 deletions(-)
 create mode 100644 gold/testsuite/memory_seal_main.c
 create mode 100644 gold/testsuite/memory_seal_shared.c
 create mode 100755 gold/testsuite/memory_seal_test.sh
 create mode 100644 ld/testsuite/ld-elf/property-seal-1.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-2.d
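
Added example (not part of the patch series or of binutils): a C routine that walks the properties inside one NT_GNU_PROPERTY_TYPE_0 note, the container that holds GNU properties such as the memory-seal marker, and reports whether a given property type is present. It assumes ELF64 little-endian note bytes already extracted from the file; PLACEHOLDER_MEMORY_SEAL, SAMPLE_NOTE and note_has_property are hypothetical names, and the placeholder number stands in for the value the series defines, which this page does not show.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0 5u
/* Placeholder in the application-specific range; NOT the number the series assigns. */
#define PLACEHOLDER_MEMORY_SEAL 0xe0000001u

/* Constructed sample: note header, then an x86 feature property and the placeholder. */
static const uint8_t SAMPLE_NOTE[40] = {
    4, 0, 0, 0,   24, 0, 0, 0,   5, 0, 0, 0,   'G', 'N', 'U', 0,
    0x02, 0, 0, 0xc0,   4, 0, 0, 0,   3, 0, 0, 0,   0, 0, 0, 0,
    0x01, 0, 0, 0xe0,   0, 0, 0, 0,
};

static uint32_t rd32(const uint8_t *p) /* little-endian load */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 1: property `want` present, 0: absent, -1: not a well-formed GNU property note. */
int note_has_property(const uint8_t *note, size_t len, uint32_t want)
{
    if (len < 16)
        return -1;
    uint32_t namesz = rd32(note), descsz = rd32(note + 4), type = rd32(note + 8);
    if (namesz != 4 || type != NT_GNU_PROPERTY_TYPE_0 || memcmp(note + 12, "GNU", 4) != 0)
        return -1;
    if (descsz > len - 16)
        return -1;
    const uint8_t *desc = note + 16;
    size_t off = 0;
    while (off < descsz) {
        if (descsz - off < 8)
            return -1;                      /* truncated pr_type/pr_datasz pair */
        uint32_t pr_type = rd32(desc + off), pr_datasz = rd32(desc + off + 4);
        if (pr_datasz > descsz - off - 8)
            return -1;                      /* data runs past the descriptor */
        if (pr_type == want)
            return 1;
        off += 8 + (((size_t)pr_datasz + 7) & ~(size_t)7); /* ELF64: 8-byte padding */
    }
    return 0;
}

int main(void)
{
    printf("seal marker present: %d\n",
           note_has_property(SAMPLE_NOTE, sizeof SAMPLE_NOTE, PLACEHOLDER_MEMORY_SEAL));
    return 0;
}
```
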
  

Comments

Jeff Xu Oct. 2, 2024, 12:18 a.m. UTC | #1
On Mon, Sep 30, 2024 at 1:08 PM Adhemerval Zanella
<adhemerval.zanella@linaro.org> wrote:
>
> The new attribute indicates that an ET_EXEC or ET_DYN ELF object should
> be memory-sealed if the loader supports it. Memory sealing is useful as
> a hardening mechanism to avoid either remapping the memory segments or
> changing the memory protection segments layout by the dynamic loader
> (for instance, the RELRO hardening). Linux 6.10
> (8be7258aad44b5e25977a98db136f677fa6f4370) added the mseal syscall,
> which accomplishes it.
>
> A GNU property is used instead of a new dynamic section tag (like the
> one proposed for DT_GNU_FLAGS_1) because the memory sealing should be
> selectable for ET_EXEC and not only for ET_DYN. It also fits new opt-in
> security features like x86 CET or AArch64 BTI.
>
> The first patch adds the -Wl,memory-seal/-Wl,nomemory-seal options to
> ld.bfd. The GNU_PROPERTY_MEMORY_SEAL property is added only for ET_EXEC
> or ET_DYN objects.
>
> The second patch adds similar support for ld.gold.
>
> The third patch adds the ld --enable-memory-seal configure option to
> enable the memory sealing mark as default (similar to other security
> hardening such as RELRO or non-executable stacks).
>
--enable-memory-seal helps distributions that want to enable sealing
by default. I like this approach because it gives distributions a
choice for their own strategies.

As an example using ChromeOS, I imagine that we can start with opt-in,
testing it on a few apps, e.g. Chrome, then switch to opt-out and
enable sealing for the entire system.

> Changes v1->v2:
> * Make the security hardening opt-in instead of opt-out.
> * Add gold support.
>
> Adhemerval Zanella (3):
>   elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>   gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>   ld: Add --enable-memory-seal configure option
>
>  bfd/elf-properties.c                       | 72 +++++++++++++++++-----
>  bfd/elfxx-x86.c                            |  3 +-
>  binutils/readelf.c                         |  6 ++
>  binutils/testsuite/lib/binutils-common.exp | 22 +++++++
>  elfcpp/elfcpp.h                            |  1 +
>  gold/NEWS                                  |  3 +
>  gold/layout.cc                             |  4 ++
>  gold/options.h                             |  3 +
>  gold/testsuite/Makefile.am                 | 19 ++++++
>  gold/testsuite/Makefile.in                 | 26 +++++++-
>  gold/testsuite/memory_seal_main.c          |  5 ++
>  gold/testsuite/memory_seal_shared.c        |  7 +++
>  gold/testsuite/memory_seal_test.sh         | 45 ++++++++++++++
>  include/bfdlink.h                          |  3 +
>  include/elf/common.h                       |  1 +
>  ld/NEWS                                    |  4 ++
>  ld/config.in                               |  3 +
>  ld/configure                               | 28 ++++++++-
>  ld/configure.ac                            | 17 +++++
>  ld/emultempl/elf.em                        |  5 ++
>  ld/ld.texi                                 |  8 +++
>  ld/lexsup.c                                | 11 ++++
>  ld/testsuite/config/default.exp            |  8 +++
>  ld/testsuite/ld-elf/property-seal-1.d      | 15 +++++
>  ld/testsuite/ld-elf/property-seal-2.d      | 14 +++++
>  ld/testsuite/ld-srec/srec.exp              |  4 ++
>  ld/testsuite/lib/ld-lib.exp                |  6 ++
>  27 files changed, 320 insertions(+), 23 deletions(-)
>  create mode 100644 gold/testsuite/memory_seal_main.c
>  create mode 100644 gold/testsuite/memory_seal_shared.c
>  create mode 100755 gold/testsuite/memory_seal_test.sh
>  create mode 100644 ld/testsuite/ld-elf/property-seal-1.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-2.d
>
> --
> 2.34.1
>