[PATCH v3 0/3] elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
Adhemerval Zanella
adhemerval.zanella@linaro.org
Wed Oct 16 17:01:10 GMT 2024
The new attribute indicates that an ET_EXEC or ET_DYN ELF object should be memory-sealed if the loader supports it. Memory sealing is useful as a hardening mechanism to avoid either remapping the memory segments or changing the memory protection segments layout by the dynamic loader (for instance, the RELRO hardening). Linux 6.10 (8be7258aad44b5e25977a98db136f677fa6f4370) added the mseal syscall, which accomplishes it.

A GNU property is used instead of a new dynamic section tag (like the one proposed for DT_GNU_FLAGS_1) to allow memory sealing to work with ET_EXEC without PT_DYNAMIC support (at least for glibc some ports still do not support static-pie).

The first patch adds the -Wl,memory-seal/-Wl,nomemory-seal options to ld.bfd. The GNU_PROPERTY_MEMORY_SEAL property is added only for ET_EXEC or ET_DYN objects.

The second patch adds similar support for ld.gold.

The third patch adds the ld --enable-memory-seal configure option to enable the memory sealing mark as default (similar to other security hardening such as RELRO or non-executable stacks).

Changes v2->v3:
* Do not add or merge the GNU_PROPERTY_MEMORY_SEAL property if present on ET_REL.
* Extend testing.

Changes v1->v2:
* Make the security hardening opt-in instead of opt-out.
* Add gold support.
Adhemerval Zanella (3):
  elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
  gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property
  ld: Add --enable-memory-seal configure option

 bfd/elf-properties.c                       | 100 ++++++++++++++++-----
 bfd/elfxx-x86.c                            |   3 +-
 binutils/readelf.c                         |   6 ++
 binutils/testsuite/lib/binutils-common.exp |  22 +++++
 elfcpp/elfcpp.h                            |   1 +
 gold/NEWS                                  |   3 +
 gold/layout.cc                             |   4 +
 gold/options.h                             |   3 +
 gold/testsuite/Makefile.am                 |  19 ++++
 gold/testsuite/Makefile.in                 |  26 +++++-
 gold/testsuite/memory_seal_main.c          |   5 ++
 gold/testsuite/memory_seal_shared.c        |   7 ++
 gold/testsuite/memory_seal_test.sh         |  45 ++++++++++
 include/bfdlink.h                          |   3 +
 include/elf/common.h                       |   1 +
 ld/NEWS                                    |   4 +
 ld/config.in                               |   3 +
 ld/configure                               |  38 ++++++--
 ld/configure.ac                            |  17 ++++
 ld/emultempl/elf.em                        |   5 ++
 ld/ld.texi                                 |   8 ++
 ld/lexsup.c                                |  11 +++
 ld/testsuite/config/default.exp            |   8 ++
 ld/testsuite/ld-elf/property-seal-1.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-1.s      |  11 +++
 ld/testsuite/ld-elf/property-seal-2.d      |  17 ++++
 ld/testsuite/ld-elf/property-seal-3.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-4.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-5.d      |  15 ++++
 ld/testsuite/ld-elf/property-seal-6.d      |  16 ++++
 ld/testsuite/ld-elf/property-seal-7.d      |  14 +++
 ld/testsuite/ld-elf/property-seal-8.d      |  15 ++++
 ld/testsuite/ld-srec/srec.exp              |   4 +
 ld/testsuite/lib/ld-lib.exp                |   6 ++
 34 files changed, 456 insertions(+), 32 deletions(-)
 create mode 100644 gold/testsuite/memory_seal_main.c
 create mode 100644 gold/testsuite/memory_seal_shared.c
 create mode 100755 gold/testsuite/memory_seal_test.sh
 create mode 100644 ld/testsuite/ld-elf/property-seal-1.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-1.s
 create mode 100644 ld/testsuite/ld-elf/property-seal-2.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-3.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-4.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-5.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-6.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-7.d
 create mode 100644 ld/testsuite/ld-elf/property-seal-8.d

--
2.43.0
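
An added example, not part of the patch series or of binutils: a checker that walks the raw bytes of a `.note.gnu.property` section and reports whether a given property type is present, which is how a build pipeline could verify that a linked ET_EXEC or ET_DYN object carries the marker. The numeric value of GNU_PROPERTY_MEMORY_SEAL is not given in the cover letter, so `SEAL_TYPE_PLACEHOLDER` and its zero-length payload are assumptions, and the sample notes are constructed.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5   # note type carried by .note.gnu.property
# Placeholder only: the cover letter does not state the numeric value of
# GNU_PROPERTY_MEMORY_SEAL; take the real one from include/elf/common.h.
SEAL_TYPE_PLACEHOLDER = 0x7FFF0001

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def gnu_properties(section, elf64=True, endian="<"):
    """Map pr_type -> pr_data for every property in raw note-section bytes."""
    props, off, align = {}, 0, 8 if elf64 else 4
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from(endian + "III", section, off)
        desc_off = off + 12 + _align(namesz, 4)
        end = desc_off + descsz
        if end > len(section):
            raise ValueError("note descriptor runs past end of section")
        name = section[off + 12:off + 12 + namesz]
        # Only "GNU" notes of type 5 hold properties; skip any other note.
        p = desc_off if (name, ntype) == (b"GNU\0", NT_GNU_PROPERTY_TYPE_0) else end
        while p + 8 <= end:
            pr_type, pr_datasz = struct.unpack_from(endian + "II", section, p)
            if p + 8 + pr_datasz > end:
                raise ValueError("property data runs past end of note")
            props[pr_type] = section[p + 8:p + 8 + pr_datasz]
            p += _align(8 + pr_datasz, align)   # entries padded to 8 (ELF64) or 4
        off = _align(end, align)
    return props

def is_seal_marked(section, seal_type=SEAL_TYPE_PLACEHOLDER):
    return seal_type in gnu_properties(section)

# --- constructed sample notes (ELF64, little-endian), not real linker output ---
def _prop(pr_type, data=b""):
    body = struct.pack("<II", pr_type, len(data)) + data
    return body.ljust(_align(len(body), 8), b"\0")

def _note(*props):
    desc = b"".join(props)
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc

X86_FEATURE_1_AND = _prop(0xC0000002, struct.pack("<I", 3))  # IBT|SHSTK
SAMPLE_PLAIN = _note(X86_FEATURE_1_AND)
SAMPLE_SEALED = _note(X86_FEATURE_1_AND, _prop(SEAL_TYPE_PLACEHOLDER))

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("sealed", SAMPLE_SEALED)):
        print(label, is_seal_marked(blob), [hex(t) for t in gnu_properties(blob)])
```

The section bytes of a real object can be dumped for this check with `objcopy -O binary --only-section=.note.gnu.property`.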