Message ID | 20241016170435.1404114-1-adhemerval.zanella@linaro.org |
---|---|
Headers | From: Adhemerval Zanella <adhemerval.zanella@linaro.org>; To: binutils@sourceware.org; Cc: Stephen Roettger <sroettger@google.com>, Jeff Xu <jeffxu@google.com>, "H . J . Lu" <hjl.tools@gmail.com>; Subject: [PATCH v3 0/3] elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property; Date: Wed, 16 Oct 2024 14:01:10 -0300; Message-ID: <20241016170435.1404114-1-adhemerval.zanella@linaro.org> |
Series | elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property |
Message
Adhemerval Zanella Netto
Oct. 16, 2024, 5:01 p.m. UTC
The new attribute indicates that an ET_EXEC or ET_DYN ELF object should be memory-sealed if the loader supports it. Memory sealing is useful as a hardening mechanism to avoid either remapping the memory segments or changing the memory protection segments layout by the dynamic loader (for instance, the RELRO hardening). Linux 6.10 (8be7258aad44b5e25977a98db136f677fa6f4370) added the mseal syscall, which accomplishes it.

A GNU property is used instead of a new dynamic section tag (like the one proposed for DT_GNU_FLAGS_1) to allow memory sealing to work with ET_EXEC without PT_DYNAMIC support (at least for glibc some ports still do not support static-pie).

The first patch adds the -Wl,memory-seal/-Wl,nomemory-seal options to ld.bfd. The GNU_PROPERTY_MEMORY_SEAL property is added only for ET_EXEC or ET_DYN objects.

The second patch adds similar support for ld.gold.

The third patch adds the ld --enable-memory-seal configure option to enable the memory sealing mark as default (similar to other security hardening such as RELRO or non-executable stacks).

Changes v2->v3:

* Do not add or merge the GNU_PROPERTY_MEMORY_SEAL property if present on ET_REL.
* Extend testing.

Changes v1->v2:

* Make the security hardening opt-in instead of opt-out.
* Add gold support.
Adhemerval Zanella (3):
  elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
  gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property
  ld: Add --enable-memory-seal configure option

 bfd/elf-properties.c                       | 100 ++++++++++++++++-----
 bfd/elfxx-x86.c                            |   3 +-
 binutils/readelf.c                         |   6 ++
 binutils/testsuite/lib/binutils-common.exp |  22 +++++
 elfcpp/elfcpp.h                            |   1 +
 gold/NEWS                                  |   3 +
 gold/layout.cc                             |   4 +
 gold/options.h                             |   3 +
 gold/testsuite/Makefile.am                 |  19 ++++
 gold/testsuite/Makefile.in                 |  26 +++++-
 gold/testsuite/memory_seal_main.c          |   5 ++
 gold/testsuite/memory_seal_shared.c        |   7 ++
 gold/testsuite/memory_seal_test.sh         |  45 ++++++++++
 include/bfdlink.h                          |   3 +
 include/elf/common.h                       |   1 +
 ld/NEWS                                    |   4 +
 ld/config.in                               |   3 +
 ld/configure                               |  38 ++++++--
 ld/configure.ac                            |  17 ++++
 ld/emultempl/elf.em                        |   5 ++
 ld/ld.texi                                 |   8 ++
 ld/lexsup.c                                |  11 +++
 ld/testsuite/config/default.exp            |   8 ++
 ld/testsuite/ld-elf/property-seal-1.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-1.s      |  11 +++
 ld/testsuite/ld-elf/property-seal-2.d      |  17 ++++
 ld/testsuite/ld-elf/property-seal-3.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-4.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-5.d      |  15 ++++
 ld/testsuite/ld-elf/property-seal-6.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-7.d      |  14 +++
 ld/testsuite/ld-elf/property-seal-8.d      |  15 ++++
 ld/testsuite/ld-srec/srec.exp              |   4 +
 ld/testsuite/lib/ld-lib.exp                |   6 ++
 34 files changed, 456 insertions(+), 32 deletions(-)
 create mode 100644 gold/testsuite/memory_seal_main.c
 create mode 100644 gold/testsuite/memory_seal_shared.c
 create mode 100755 gold/testsuite/memory_seal_test.sh
 create mode 100644 ld/testsuite/ld-elf/property-seal-1.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-1.s
 create mode 100644 ld/testsuite/ld-elf/property-seal-2.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-3.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-4.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-5.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-6.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-7.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-8.d
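As an added example (not code from the series or from binutils), a defender-side audit script in Python that parses the .note.gnu.property note format the cover letter relies on and walks a binary's PT_GNU_PROPERTY segment to report whether the seal mark is present. The numeric GNU_PROPERTY_* values and the two sample notes are assumptions labelled in the code; the cover letter states neither.

```python
import struct

# Assumed values (not stated in the cover letter): NT_GNU_PROPERTY_TYPE_0 and
# PT_GNU_PROPERTY are the standard ELF constants; the two GNU_PROPERTY_* values
# are taken from binutils' include/elf/common.h.
NT_GNU_PROPERTY_TYPE_0 = 5
PT_GNU_PROPERTY = 0x6474E553
GNU_PROPERTY_STACK_SIZE = 1
GNU_PROPERTY_MEMORY_SEAL = 3

def parse_gnu_property_note(note, elfclass=64):
    """Parse a little-endian .note.gnu.property blob into {pr_type: pr_data}."""
    align = 8 if elfclass == 64 else 4      # pr_data padding differs by ELF class
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    name_end = 12 + namesz
    desc_off = 12 + ((namesz + 3) & ~3)     # owner name is padded to 4 bytes
    if note[12:name_end] != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
        return {}
    desc, props, pos = note[desc_off:desc_off + descsz], {}, 0
    while pos + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
        props[pr_type] = desc[pos + 8:pos + 8 + pr_datasz]
        pos += 8 + ((pr_datasz + align - 1) & ~(align - 1))
    return props

def has_memory_seal(props):
    # GNU_PROPERTY_MEMORY_SEAL carries no data; its presence is the signal.
    return GNU_PROPERTY_MEMORY_SEAL in props

def elf_has_memory_seal(path):
    """Walk the program headers of a little-endian ELF64 file; inspect PT_GNU_PROPERTY."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_PROPERTY:
            return has_memory_seal(parse_gnu_property_note(data[p_offset:p_offset + p_filesz]))
    return False   # no property segment at all: the loader will not seal

# Constructed sample notes (not taken from any real binary).
SEALED_NOTE = struct.pack("<III4sII", 4, 8, NT_GNU_PROPERTY_TYPE_0, b"GNU\0",
                          GNU_PROPERTY_MEMORY_SEAL, 0)
UNSEALED_NOTE = struct.pack("<III4sIIQ", 4, 16, NT_GNU_PROPERTY_TYPE_0, b"GNU\0",
                            GNU_PROPERTY_STACK_SIZE, 8, 0x10000)
```

The series also touches readelf so that `readelf -n` displays the property; the script above is for sweeping many binaries without depending on that readelf build.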