[PATCH v2 0/3] elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property

Jeff Xu jeffxu@google.com
Wed Oct 2 00:18:50 GMT 2024
On Mon, Sep 30, 2024 at 1:08 PM Adhemerval Zanella
<adhemerval.zanella@linaro.org> wrote:
>
> The new attribute indicates that an ET_EXEC or ET_DYN ELF object should
> be memory-sealed if the loader supports it. Memory sealing is useful as
> a hardening mechanism to avoid either remapping the memory segments or
> changing the memory protection segments layout by the dynamic loader
> (for instance, the RELRO hardening). Linux 6.10
> (8be7258aad44b5e25977a98db136f677fa6f4370) added the mseal syscall,
> which accomplishes it.
>
> A GNU property is used instead of a new dynamic section tag (like the
> one proposed for DT_GNU_FLAGS_1) because the memory sealing should be
> selectable for ET_EXEC and not only for ET_DYN. It also fits new opt-in
> security features like x86 CET or AArch64 BTI.
>
> The first patch adds the -Wl,memory-seal/-Wl,nomemory-seal options to
> ld.bfd. The GNU_PROPERTY_MEMORY_SEAL property is added only for ET_EXEC
> or ET_DYN objects.
>
> The second patch adds similar support for ld.gold.
>
> The third patch adds the ld --enable-memory-seal configure options to
> enable the memory sealing mark as default (similar to other security
> hardening as RELRO or non-executable stacks).
>
--enable-memory-seal helps distributions that want to enable sealing
by default. I like this approach because it gives distributions a
choice for their own strategies.

As an example using chromeOS, I imagine that we can start with opt-in,
testing it on a few apps, e.g. Chrome, then switch to opt-out and
enable sealing for the entire system.

> Changes v1->v2:
> * Make the security hardening opt-in instead of opt-out.
> * Add gold support.
>
> Adhemerval Zanella (3):
>   elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>   gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>   ld: Add --enable-memory-seal configure option
>
>  bfd/elf-properties.c                       | 72 +++++++++++++++++-----
>  bfd/elfxx-x86.c                            |  3 +-
>  binutils/readelf.c                         |  6 ++
>  binutils/testsuite/lib/binutils-common.exp | 22 +++++++
>  elfcpp/elfcpp.h                            |  1 +
>  gold/NEWS                                  |  3 +
>  gold/layout.cc                             |  4 ++
>  gold/options.h                             |  3 +
>  gold/testsuite/Makefile.am                 | 19 ++++++
>  gold/testsuite/Makefile.in                 | 26 +++++++-
>  gold/testsuite/memory_seal_main.c          |  5 ++
>  gold/testsuite/memory_seal_shared.c        |  7 +++
>  gold/testsuite/memory_seal_test.sh         | 45 ++++++++++++++
>  include/bfdlink.h                          |  3 +
>  include/elf/common.h                       |  1 +
>  ld/NEWS                                    |  4 ++
>  ld/config.in                               |  3 +
>  ld/configure                               | 28 ++++++++-
>  ld/configure.ac                            | 17 +++++
>  ld/emultempl/elf.em                        |  5 ++
>  ld/ld.texi                                 |  8 +++
>  ld/lexsup.c                                | 11 ++++
>  ld/testsuite/config/default.exp            |  8 +++
>  ld/testsuite/ld-elf/property-seal-1.d      | 15 +++++
>  ld/testsuite/ld-elf/property-seal-2.d      | 14 +++++
>  ld/testsuite/ld-srec/srec.exp              |  4 ++
>  ld/testsuite/lib/ld-lib.exp                |  6 ++
>  27 files changed, 320 insertions(+), 23 deletions(-)
>  create mode 100644 gold/testsuite/memory_seal_main.c
>  create mode 100644 gold/testsuite/memory_seal_shared.c
>  create mode 100755 gold/testsuite/memory_seal_test.sh
>  create mode 100644 ld/testsuite/ld-elf/property-seal-1.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-2.d
>
> --
> 2.34.1
>


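As an added example (not code from this patch series or from binutils), the following Python script builds and parses an ELF `.note.gnu.property` blob so a distribution or auditor can check whether an object carries a given GNU property such as the memory-seal mark. The NT_GNU_PROPERTY_TYPE_0 note layout (namesz/descsz/type header, "GNU\0" owner, then pr_type/pr_datasz entries padded to the ELF word size) is the standard one; the numeric value of GNU_PROPERTY_MEMORY_SEAL is not given on this page, so it is represented by a clearly labelled placeholder constant, and the property is assumed to carry no data (pr_datasz 0), as the cover letter describes a pure marker. The sample notes are constructed inline.

```python
"""Build and parse ELF .note.gnu.property blobs to check for GNU properties.

Added example, not part of the binutils patch series. The note layout is
the standard NT_GNU_PROPERTY_TYPE_0 format; GNU_PROPERTY_MEMORY_SEAL's
real numeric value is defined in include/elf/common.h and is represented
here by a placeholder.
"""
import struct

NT_GNU_PROPERTY_TYPE_0 = 5               # ELF note type for GNU program properties
GNU_PROPERTY_STACK_SIZE = 1              # well-known property: requested stack size
# Placeholder: substitute the value from include/elf/common.h in real use.
GNU_PROPERTY_MEMORY_SEAL_PLACEHOLDER = 0x7FFFFFFF


def _align(n, a):
    """Round n up to a multiple of a (a is a power of two)."""
    return (n + a - 1) & ~(a - 1)


def build_gnu_property_note(props, elfclass64=True):
    """Build a single NT_GNU_PROPERTY_TYPE_0 note from [(pr_type, data), ...].

    Each property entry is padded to 8 bytes on ELFCLASS64, 4 on ELFCLASS32.
    """
    align = 8 if elfclass64 else 4
    desc = bytearray()
    for pr_type, data in props:
        desc += struct.pack("<II", pr_type, len(data)) + data
        desc += b"\0" * (_align(len(desc), align) - len(desc))
    name = b"GNU\0"
    header = struct.pack("<III", len(name), len(desc), NT_GNU_PROPERTY_TYPE_0)
    return header + name + bytes(desc)


def parse_gnu_property_note(blob, elfclass64=True):
    """Return {pr_type: data_bytes} for one NT_GNU_PROPERTY_TYPE_0 note.

    Raises ValueError on a malformed or truncated note rather than guessing.
    """
    align = 8 if elfclass64 else 4
    if len(blob) < 12:
        raise ValueError("note header truncated")
    namesz, descsz, ntype = struct.unpack_from("<III", blob, 0)
    if ntype != NT_GNU_PROPERTY_TYPE_0:
        raise ValueError("not an NT_GNU_PROPERTY_TYPE_0 note")
    off = 12
    if blob[off:off + namesz] != b"GNU\0":
        raise ValueError("note owner is not GNU")
    off = _align(off + namesz, 4)        # gABI pads the name to 4 bytes
    desc = blob[off:off + descsz]
    if len(desc) != descsz:
        raise ValueError("note descriptor truncated")
    props = {}
    pos = 0
    while pos < len(desc):
        if len(desc) - pos < 8:
            raise ValueError("property entry header truncated")
        pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
        pos += 8
        data = desc[pos:pos + pr_datasz]
        if len(data) != pr_datasz:
            raise ValueError("property data truncated")
        props[pr_type] = data
        pos = _align(pos + pr_datasz, align)
    return props


def well_formed(blob, elfclass64=True):
    """True if the blob parses as a GNU property note, False otherwise."""
    try:
        parse_gnu_property_note(blob, elfclass64)
        return True
    except ValueError:
        return False


def is_memory_sealed(blob, elfclass64=True,
                     seal_type=GNU_PROPERTY_MEMORY_SEAL_PLACEHOLDER):
    """True if the note carries the memory-seal property (a data-less marker)."""
    return seal_type in parse_gnu_property_note(blob, elfclass64)


def stack_size_of(blob, elfclass64=True):
    """Requested stack size from GNU_PROPERTY_STACK_SIZE, or None if absent."""
    data = parse_gnu_property_note(blob, elfclass64).get(GNU_PROPERTY_STACK_SIZE)
    return None if data is None else int.from_bytes(data, "little")


# Constructed sample notes: one sealed object with a stack-size request,
# and one object with an empty property list.
SAMPLE_NOTE = build_gnu_property_note([
    (GNU_PROPERTY_STACK_SIZE, struct.pack("<Q", 0x10000)),
    (GNU_PROPERTY_MEMORY_SEAL_PLACEHOLDER, b""),
])
UNSEALED_NOTE = build_gnu_property_note([])

if __name__ == "__main__":
    for label, note in (("sample", SAMPLE_NOTE), ("unsealed", UNSEALED_NOTE)):
        props = parse_gnu_property_note(note)
        print(label, {hex(k): v.hex() for k, v in props.items()},
              "sealed" if is_memory_sealed(note) else "not sealed")
```

To audit a real binary, extract the section bytes (for example with `objcopy -O binary --only-section=.note.gnu.property`) and pass them to `parse_gnu_property_note`; the parser refuses truncated input instead of silently reporting a property as absent, which matters when the answer feeds a policy decision such as "seal everything by default".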