| Message ID | 20241128154511.564500-1-adhemerval.zanella@linaro.org |
|---|---|
| Headers | From: Adhemerval Zanella <adhemerval.zanella@linaro.org>; To: binutils@sourceware.org; Cc: Jeff Xu <jeffxu@google.com>, "H . J . Lu" <hjl.tools@gmail.com>; Subject: [PATCH v4 0/3] elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property; Date: Thu, 28 Nov 2024 12:43:18 -0300; List-Archive: https://sourceware.org/pipermail/binutils/ |
| Series | elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property |
Message
Adhemerval Zanella Netto
Nov. 28, 2024, 3:43 p.m. UTC
elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property

The new GNU property is a way to mark binaries to be memory-sealed by the loader, to avoid further changes of PT_LOAD segments (such as unmapping or changing permission flags). This is done along with Linux (the mseal syscall [1]), and C runtime support to instruct the kernel on the correct time to seal the mapping during program startup (for instance, after RELRO setup). This support is added along with the glibc support to handle the new gnu property [2].

The first patch adds the -Wl,memory-seal and -Wl,nomemory-seal options to ld.bfd. The GNU_PROPERTY_MEMORY_SEAL property is added only for ET_EXEC or ET_DYN objects.

The second patch adds similar support for ld.gold.

The third patch adds the ld --enable-memory-seal configure option to enable the memory sealing as default.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8be7258aad44b5e25977a98db136f677fa6f4370
[2] https://sourceware.org/pipermail/libc-alpha/2024-September/160291.html

Changes v3->v4:
* Rebase against master
* Address comments from last version

Changes v2->v3:
* Do not add or merge the GNU_PROPERTY_MEMORY_SEAL property if present on ET_REL.
* Extend testing.

Changes v1->v2:
* Make the security hardening opt-in instead of opt-out.
* Add gold support.

Adhemerval Zanella (3):
  elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
  gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property
  ld: Add --enable-memory-seal configure option

 bfd/elf-properties.c                      | 85 +++++++++++++++++-----
 bfd/elfxx-x86.c                           |  3 +-
 binutils/readelf.c                        |  6 ++
 binutils/testsuite/lib/binutils-common.exp | 22 ++++++
 elfcpp/elfcpp.h                           |  1 +
 gold/NEWS                                 |  3 +
 gold/layout.cc                            |  4 +
 gold/options.h                            |  3 +
 gold/testsuite/Makefile.am                | 19 +++++
 gold/testsuite/Makefile.in                | 26 ++++++-
 gold/testsuite/memory_seal_main.c         |  5 ++
 gold/testsuite/memory_seal_shared.c       |  7 ++
 gold/testsuite/memory_seal_test.sh        | 45 ++++++++++++
 include/bfdlink.h                         |  3 +
 include/elf/common.h                      |  1 +
 ld/NEWS                                   |  4 +
 ld/config.in                              |  3 +
 ld/configure                              | 38 ++++++++--
 ld/configure.ac                           | 17 +++++
 ld/emultempl/elf.em                       |  5 ++
 ld/ld.texi                                |  8 ++
 ld/lexsup.c                               | 11 +++
 ld/testsuite/config/default.exp           |  8 ++
 ld/testsuite/ld-elf/property-seal-1.d     | 16 ++++
 ld/testsuite/ld-elf/property-seal-1.s     | 11 +++
 ld/testsuite/ld-elf/property-seal-2.d     | 17 +++++
 ld/testsuite/ld-elf/property-seal-3.d     | 16 ++++
 ld/testsuite/ld-elf/property-seal-4.d     | 16 ++++
 ld/testsuite/ld-elf/property-seal-5.d     | 15 ++++
 ld/testsuite/ld-elf/property-seal-6.d     | 16 ++++
 ld/testsuite/ld-elf/property-seal-7.d     | 14 ++++
 ld/testsuite/ld-elf/property-seal-8.d     | 15 ++++
 ld/testsuite/ld-srec/srec.exp             |  4 +
 ld/testsuite/lib/ld-lib.exp               |  6 ++
 34 files changed, 445 insertions(+), 28 deletions(-)
 create mode 100644 gold/testsuite/memory_seal_main.c
 create mode 100644 gold/testsuite/memory_seal_shared.c
 create mode 100755 gold/testsuite/memory_seal_test.sh
 create mode 100644 ld/testsuite/ld-elf/property-seal-1.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-1.s
 create mode 100644 ld/testsuite/ld-elf/property-seal-2.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-3.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-4.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-5.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-6.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-7.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-8.d
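The cover letter describes the marker only as a GNU property that the loader checks before sealing PT_LOAD segments, and the series' testsuite verifies its presence through readelf output. What a practitioner auditing a binary (or writing a scanner) actually needs is the on-disk layout: an NT_GNU_PROPERTY_TYPE_0 note owned by "GNU", whose descriptor is a sorted list of (pr_type, pr_datasz, data) entries padded to 8 bytes on ELFCLASS64. The C program below is an added example, not code from the patch series or from binutils: it builds a constructed sample note in memory (the kind a linker would emit, using GNU_PROPERTY_X86_FEATURE_1_AND only as a second filler entry) and then parses it to report whether GNU_PROPERTY_MEMORY_SEAL is present, rejecting truncated or mis-ordered notes rather than silently trusting them. The numeric value 3 for GNU_PROPERTY_MEMORY_SEAL is an assumption taken from the merged headers and is not stated on this page; NT_GNU_PROPERTY_TYPE_0 = 5 is the standard value. On a real binary the equivalent check is `readelf -n` on the PT_GNU_PROPERTY segment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Note type that carries GNU program properties (.note.gnu.property). */
#define NT_GNU_PROPERTY_TYPE_0 5
/* Property type added by this series.  The value 3 is assumed here
   (not stated on the page); adjust if your headers differ. */
#define GNU_PROPERTY_MEMORY_SEAL 3
/* An existing processor-specific property, used only so the constructed
   sample note carries more than one entry. */
#define GNU_PROPERTY_X86_FEATURE_1_AND 0xc0000002u

/* Little-endian 32-bit accessors; the note image may be unaligned. */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

static size_t align_up(size_t v, size_t a) { return (v + a - 1) & ~(a - 1); }

/* Scan one NT_GNU_PROPERTY_TYPE_0 note image.  align is 8 for ELFCLASS64
   and 4 for ELFCLASS32 (each property's data is padded to it).  Returns 1
   if GNU_PROPERTY_MEMORY_SEAL is present, 0 if absent, -1 if malformed. */
int note_has_memory_seal(const unsigned char *buf, size_t len, size_t align)
{
    if (len < 12)
        return -1;
    uint32_t namesz = rd32(buf), descsz = rd32(buf + 4), type = rd32(buf + 8);

    /* Owner must be "GNU\0" and the type must be the property note. */
    if (type != NT_GNU_PROPERTY_TYPE_0 || namesz != 4 || len < 16 ||
        memcmp(buf + 12, "GNU", 4) != 0)
        return -1;

    size_t off = align_up(12 + namesz, 4);   /* descriptor follows padded name */
    if (descsz > len - off)
        return -1;                           /* descriptor runs past the buffer */
    size_t end = off + descsz;

    int found = 0, first = 1;
    uint32_t prev = 0;
    while (off < end) {
        if (end - off < 8)
            return -1;                       /* truncated property header */
        uint32_t pr_type = rd32(buf + off), pr_datasz = rd32(buf + off + 4);
        off += 8;
        if (pr_datasz > end - off)
            return -1;                       /* data runs past descriptor */
        if (!first && pr_type <= prev)
            return -1;                       /* entries must be sorted and unique */
        if (pr_type == GNU_PROPERTY_MEMORY_SEAL)
            found = 1;
        off = align_up(off + pr_datasz, align);
        prev = pr_type;
        first = 0;
    }
    return off == end ? found : -1;          /* unpadded descsz is malformed */
}

/* Constructed ELFCLASS64 sample (align 8): optional memory-seal entry,
   then one x86 feature entry.  Returns the note length, 0 if cap too small. */
size_t build_sample_note(unsigned char *out, size_t cap, int with_seal)
{
    unsigned char desc[32] = {0};            /* zeroed so padding bytes are 0 */
    size_t d = 0;
    if (with_seal) {                         /* pr_type 3, pr_datasz 0 */
        wr32(desc + d, GNU_PROPERTY_MEMORY_SEAL);
        wr32(desc + d + 4, 0);
        d += 8;
    }
    wr32(desc + d, GNU_PROPERTY_X86_FEATURE_1_AND);  /* 4-byte bitmask, */
    wr32(desc + d + 4, 4);                           /* padded to 8     */
    wr32(desc + d + 8, 1);
    d = align_up(d + 12, 8);

    size_t total = 16 + d;
    if (total > cap)
        return 0;
    wr32(out, 4);                            /* namesz: "GNU\0"  */
    wr32(out + 4, (uint32_t)d);              /* descsz           */
    wr32(out + 8, NT_GNU_PROPERTY_TYPE_0);   /* type             */
    memcpy(out + 12, "GNU", 4);
    memcpy(out + 16, desc, d);
    return total;
}

/* Build a sample note and scan it; truncate drops bytes from its end. */
int sample_check(int with_seal, size_t truncate)
{
    unsigned char note[64];
    size_t len = build_sample_note(note, sizeof note, with_seal);
    if (len == 0 || truncate > len)
        return -2;
    return note_has_memory_seal(note, len - truncate, 8);
}

int main(void)
{
    printf("sealed   : %d\n", sample_check(1, 0));   /* 1  */
    printf("unsealed : %d\n", sample_check(0, 0));   /* 0  */
    printf("truncated: %d\n", sample_check(1, 4));   /* -1 */
    return 0;
}
```

The strictness matters for the use case: a loader (or a scanner) that tolerated an unsorted or truncated descriptor could be steered into reading past the note, so the parser returns -1 on any layout violation instead of guessing. The same walk applies to any other property (for instance the x86 feature bitmask used here as filler), only the pr_type being compared changes.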
Comments
Ping on this patchset.

On 28/11/24 12:43, Adhemerval Zanella wrote:
> elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>
> The new GNU property is a way to mark binaries to be memory-sealed by the loader, to avoid further changes of PT_LOAD segments (such as unmapping or changing permission flags). This is done along with Linux (the mseal syscall [1]), and C runtime support to instruct the kernel on the correct time to seal the mapping during program startup (for instance, after RELRO setup). This support is added along with the glibc support to handle the new gnu property [2].
>
> The first patch adds the -Wl,memory-seal and -Wl,nomemory-seal options to ld.bfd. The GNU_PROPERTY_MEMORY_SEAL property is added only for ET_EXEC or ET_DYN objects.
>
> The second patch adds similar support for ld.gold.
>
> The third patch adds the ld --enable-memory-seal configure option to enable the memory sealing as default.
>
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8be7258aad44b5e25977a98db136f677fa6f4370
> [2] https://sourceware.org/pipermail/libc-alpha/2024-September/160291.html
>
> Changes v3->v4:
> * Rebase against master
> * Address comments from last version
>
> Changes v2->v3:
> * Do not add or merge the GNU_PROPERTY_MEMORY_SEAL property if present on ET_REL.
> * Extend testing.
>
> Changes v1->v2:
> * Make the security hardening opt-in instead of opt-out.
> * Add gold support.
>
> Adhemerval Zanella (3):
>   elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>   gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>   ld: Add --enable-memory-seal configure option
>
>  bfd/elf-properties.c                      | 85 +++++++++++++++++-----
>  bfd/elfxx-x86.c                           |  3 +-
>  binutils/readelf.c                        |  6 ++
>  binutils/testsuite/lib/binutils-common.exp | 22 ++++++
>  elfcpp/elfcpp.h                           |  1 +
>  gold/NEWS                                 |  3 +
>  gold/layout.cc                            |  4 +
>  gold/options.h                            |  3 +
>  gold/testsuite/Makefile.am                | 19 +++++
>  gold/testsuite/Makefile.in                | 26 ++++++-
>  gold/testsuite/memory_seal_main.c         |  5 ++
>  gold/testsuite/memory_seal_shared.c       |  7 ++
>  gold/testsuite/memory_seal_test.sh        | 45 ++++++++++++
>  include/bfdlink.h                         |  3 +
>  include/elf/common.h                      |  1 +
>  ld/NEWS                                   |  4 +
>  ld/config.in                              |  3 +
>  ld/configure                              | 38 ++++++++--
>  ld/configure.ac                           | 17 +++++
>  ld/emultempl/elf.em                       |  5 ++
>  ld/ld.texi                                |  8 ++
>  ld/lexsup.c                               | 11 +++
>  ld/testsuite/config/default.exp           |  8 ++
>  ld/testsuite/ld-elf/property-seal-1.d     | 16 ++++
>  ld/testsuite/ld-elf/property-seal-1.s     | 11 +++
>  ld/testsuite/ld-elf/property-seal-2.d     | 17 +++++
>  ld/testsuite/ld-elf/property-seal-3.d     | 16 ++++
>  ld/testsuite/ld-elf/property-seal-4.d     | 16 ++++
>  ld/testsuite/ld-elf/property-seal-5.d     | 15 ++++
>  ld/testsuite/ld-elf/property-seal-6.d     | 16 ++++
>  ld/testsuite/ld-elf/property-seal-7.d     | 14 ++++
>  ld/testsuite/ld-elf/property-seal-8.d     | 15 ++++
>  ld/testsuite/ld-srec/srec.exp             |  4 +
>  ld/testsuite/lib/ld-lib.exp               |  6 ++
>  34 files changed, 445 insertions(+), 28 deletions(-)
>  create mode 100644 gold/testsuite/memory_seal_main.c
>  create mode 100644 gold/testsuite/memory_seal_shared.c
>  create mode 100755 gold/testsuite/memory_seal_test.sh
>  create mode 100644 ld/testsuite/ld-elf/property-seal-1.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-1.s
>  create mode 100644 ld/testsuite/ld-elf/property-seal-2.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-3.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-4.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-5.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-6.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-7.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-8.d
>
Ping (x2)

On 06/12/24 11:08, Adhemerval Zanella Netto wrote:
> Ping on this patchset.
>
> On 28/11/24 12:43, Adhemerval Zanella wrote:
>> elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>>
>> The new GNU property is a way to mark binaries to be memory-sealed by the loader, to avoid further changes of PT_LOAD segments (such as unmapping or changing permission flags). This is done along with Linux (the mseal syscall [1]), and C runtime support to instruct the kernel on the correct time to seal the mapping during program startup (for instance, after RELRO setup). This support is added along with the glibc support to handle the new gnu property [2].
>>
>> The first patch adds the -Wl,memory-seal and -Wl,nomemory-seal options to ld.bfd. The GNU_PROPERTY_MEMORY_SEAL property is added only for ET_EXEC or ET_DYN objects.
>>
>> The second patch adds similar support for ld.gold.
>>
>> The third patch adds the ld --enable-memory-seal configure option to enable the memory sealing as default.
>>
>> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8be7258aad44b5e25977a98db136f677fa6f4370
>> [2] https://sourceware.org/pipermail/libc-alpha/2024-September/160291.html
>>
>> Changes v3->v4:
>> * Rebase against master
>> * Address comments from last version
>>
>> Changes v2->v3:
>> * Do not add or merge the GNU_PROPERTY_MEMORY_SEAL property if present on ET_REL.
>> * Extend testing.
>>
>> Changes v1->v2:
>> * Make the security hardening opt-in instead of opt-out.
>> * Add gold support.
>>
>> Adhemerval Zanella (3):
>>   elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>>   gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>>   ld: Add --enable-memory-seal configure option
>>
>>  bfd/elf-properties.c                      | 85 +++++++++++++++++-----
>>  bfd/elfxx-x86.c                           |  3 +-
>>  binutils/readelf.c                        |  6 ++
>>  binutils/testsuite/lib/binutils-common.exp | 22 ++++++
>>  elfcpp/elfcpp.h                           |  1 +
>>  gold/NEWS                                 |  3 +
>>  gold/layout.cc                            |  4 +
>>  gold/options.h                            |  3 +
>>  gold/testsuite/Makefile.am                | 19 +++++
>>  gold/testsuite/Makefile.in                | 26 ++++++-
>>  gold/testsuite/memory_seal_main.c         |  5 ++
>>  gold/testsuite/memory_seal_shared.c       |  7 ++
>>  gold/testsuite/memory_seal_test.sh        | 45 ++++++++++++
>>  include/bfdlink.h                         |  3 +
>>  include/elf/common.h                      |  1 +
>>  ld/NEWS                                   |  4 +
>>  ld/config.in                              |  3 +
>>  ld/configure                              | 38 ++++++++--
>>  ld/configure.ac                           | 17 +++++
>>  ld/emultempl/elf.em                       |  5 ++
>>  ld/ld.texi                                |  8 ++
>>  ld/lexsup.c                               | 11 +++
>>  ld/testsuite/config/default.exp           |  8 ++
>>  ld/testsuite/ld-elf/property-seal-1.d     | 16 ++++
>>  ld/testsuite/ld-elf/property-seal-1.s     | 11 +++
>>  ld/testsuite/ld-elf/property-seal-2.d     | 17 +++++
>>  ld/testsuite/ld-elf/property-seal-3.d     | 16 ++++
>>  ld/testsuite/ld-elf/property-seal-4.d     | 16 ++++
>>  ld/testsuite/ld-elf/property-seal-5.d     | 15 ++++
>>  ld/testsuite/ld-elf/property-seal-6.d     | 16 ++++
>>  ld/testsuite/ld-elf/property-seal-7.d     | 14 ++++
>>  ld/testsuite/ld-elf/property-seal-8.d     | 15 ++++
>>  ld/testsuite/ld-srec/srec.exp             |  4 +
>>  ld/testsuite/lib/ld-lib.exp               |  6 ++
>>  34 files changed, 445 insertions(+), 28 deletions(-)
>>  create mode 100644 gold/testsuite/memory_seal_main.c
>>  create mode 100644 gold/testsuite/memory_seal_shared.c
>>  create mode 100755 gold/testsuite/memory_seal_test.sh
>>  create mode 100644 ld/testsuite/ld-elf/property-seal-1.d
>>  create mode 100644 ld/testsuite/ld-elf/property-seal-1.s
>>  create mode 100644 ld/testsuite/ld-elf/property-seal-2.d
>>  create mode 100644 ld/testsuite/ld-elf/property-seal-3.d
>>  create mode 100644 ld/testsuite/ld-elf/property-seal-4.d
>>  create mode 100644 ld/testsuite/ld-elf/property-seal-5.d
>>  create mode 100644 ld/testsuite/ld-elf/property-seal-6.d
>>  create mode 100644 ld/testsuite/ld-elf/property-seal-7.d
>>  create mode 100644 ld/testsuite/ld-elf/property-seal-8.d
>>
>