Message ID | 20241128154511.564500-1-adhemerval.zanella@linaro.org
---|---
Series | elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
Ping on this patchset.

On 28/11/24 12:43, Adhemerval Zanella wrote:
> elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>
> The new GNU property is a way to mark binaries to be memory-sealed by
> the loader, to avoid further changes of PT_LOAD segments (such as
> unmapping or changing permission flags). This is done along with Linux
> (the mseal syscall [1]), and C runtime support to instruct the kernel
> on the correct time to seal the mapping during program startup (for
> instance, after RELRO setup). This support is added along the glibc
> support to handle the new gnu property [2].
>
> The first patch adds the -Wl,memory-seal and -Wl,nomemory-seal options
> to ld.bfd. The GNU_PROPERTY_MEMORY_SEAL property is added only for
> ET_EXEC or ET_DYN objects.
>
> The second patch adds similar support for ld.gold.
>
> The third patch adds the ld --enable-memory-seal configure option to
> enable the memory sealing by default.
>
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8be7258aad44b5e25977a98db136f677fa6f4370
> [2] https://sourceware.org/pipermail/libc-alpha/2024-September/160291.html
>
> Changes v3->v4:
> * Rebase against master
> * Address comments from last version
>
> Changes v2->v3:
> * Do not add or merge the GNU_PROPERTY_MEMORY_SEAL property if present
>   on ET_REL.
> * Extend testing.
>
> Changes v1->v2:
> * Make the security hardening opt-in instead of opt-out.
> * Add gold support.
>
> Adhemerval Zanella (3):
>   elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>   gold: Add GNU_PROPERTY_MEMORY_SEAL gnu property
>   ld: Add --enable-memory-seal configure option
>
>  bfd/elf-properties.c                       | 85 +++++++++++++++++-----
>  bfd/elfxx-x86.c                            |  3 +-
>  binutils/readelf.c                         |  6 ++
>  binutils/testsuite/lib/binutils-common.exp | 22 ++++++
>  elfcpp/elfcpp.h                            |  1 +
>  gold/NEWS                                  |  3 +
>  gold/layout.cc                             |  4 +
>  gold/options.h                             |  3 +
>  gold/testsuite/Makefile.am                 | 19 +++++
>  gold/testsuite/Makefile.in                 | 26 ++++++-
>  gold/testsuite/memory_seal_main.c          |  5 ++
>  gold/testsuite/memory_seal_shared.c        |  7 ++
>  gold/testsuite/memory_seal_test.sh         | 45 ++++++++++++
>  include/bfdlink.h                          |  3 +
>  include/elf/common.h                       |  1 +
>  ld/NEWS                                    |  4 +
>  ld/config.in                               |  3 +
>  ld/configure                               | 38 ++++++++--
>  ld/configure.ac                            | 17 +++++
>  ld/emultempl/elf.em                        |  5 ++
>  ld/ld.texi                                 |  8 ++
>  ld/lexsup.c                                | 11 +++
>  ld/testsuite/config/default.exp            |  8 ++
>  ld/testsuite/ld-elf/property-seal-1.d      | 16 ++++
>  ld/testsuite/ld-elf/property-seal-1.s      | 11 +++
>  ld/testsuite/ld-elf/property-seal-2.d      | 17 +++++
>  ld/testsuite/ld-elf/property-seal-3.d      | 16 ++++
>  ld/testsuite/ld-elf/property-seal-4.d      | 16 ++++
>  ld/testsuite/ld-elf/property-seal-5.d      | 15 ++++
>  ld/testsuite/ld-elf/property-seal-6.d      | 16 ++++
>  ld/testsuite/ld-elf/property-seal-7.d      | 14 ++++
>  ld/testsuite/ld-elf/property-seal-8.d      | 15 ++++
>  ld/testsuite/ld-srec/srec.exp              |  4 +
>  ld/testsuite/lib/ld-lib.exp                |  6 ++
>  34 files changed, 445 insertions(+), 28 deletions(-)
>  create mode 100644 gold/testsuite/memory_seal_main.c
>  create mode 100644 gold/testsuite/memory_seal_shared.c
>  create mode 100755 gold/testsuite/memory_seal_test.sh
>  create mode 100644 ld/testsuite/ld-elf/property-seal-1.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-1.s
>  create mode 100644 ld/testsuite/ld-elf/property-seal-2.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-3.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-4.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-5.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-6.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-7.d
>  create mode 100644 ld/testsuite/ld-elf/property-seal-8.d
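An added example that is not part of the patchset or this thread: a Python check, usable on an already linked binary or on a raw note payload, for whether it carries GNU_PROPERTY_MEMORY_SEAL, following PT_GNU_PROPERTY the way the loader does. It assumes the property number is 3 with an empty payload (the value from the binutils header, not stated in this thread) and a little-endian ELF; the note builder exists only to construct sample bytes for testing.

```python
import struct

NT_GNU_PROPERTY_TYPE_0, PT_GNU_PROPERTY = 5, 0x6474E553   # GNU property note type; segment pointing at it
GNU_PROPERTY_MEMORY_SEAL = 3   # assumed value of the new property (binutils include/elf/common.h); carries no data
_pad = lambda n, a: (n + a - 1) & ~(a - 1)

def parse_gnu_property_note(data, align=8):
    """Return {pr_type: pr_data} from a raw .note.gnu.property payload (align 8 for ELF64, 4 for ELF32)."""
    props, off = {}, 0
    while off + 12 <= len(data):                       # Elf_Nhdr: namesz, descsz, type
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name, off = data[off:off + namesz], off + _pad(namesz, 4)
        desc, off = data[off:off + descsz], off + _pad(descsz, align)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue                                   # some other note, skip it
        doff = 0
        while doff + 8 <= len(desc):                   # each property: pr_type, pr_datasz, padded data
            pr_type, pr_datasz = struct.unpack_from("<II", desc, doff)
            props[pr_type] = desc[doff + 8:doff + 8 + pr_datasz]
            doff += 8 + _pad(pr_datasz, align)
    return props

def has_memory_seal(note_data, align=8):
    return GNU_PROPERTY_MEMORY_SEAL in parse_gnu_property_note(note_data, align)

def build_property_note(props, align=8):   # constructed payload for tests, same layout ld emits
    desc = b"".join(struct.pack("<II", t, len(d)) + d.ljust(_pad(len(d), align), b"\0") for t, d in props)
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc

def elf_has_memory_seal(path):
    """Follow PT_GNU_PROPERTY in a little-endian ELF file, as the loader does; None if no such segment."""
    with open(path, "rb") as f:
        elf = f.read()
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF file")
    is64 = elf[4] == 2
    phoff, = struct.unpack_from("<Q" if is64 else "<I", elf, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from("<HH", elf, 54 if is64 else 42)
    for i in range(phnum):
        ph = phoff + i * phentsize
        if struct.unpack_from("<I", elf, ph)[0] != PT_GNU_PROPERTY:
            continue
        if is64:   # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz ...
            p_offset, p_filesz = struct.unpack_from("<Q", elf, ph + 8)[0], struct.unpack_from("<Q", elf, ph + 32)[0]
        else:      # Elf32_Phdr: p_type p_offset p_vaddr p_paddr p_filesz ...
            p_offset, p_filesz = struct.unpack_from("<I", elf, ph + 4)[0], struct.unpack_from("<I", elf, ph + 16)[0]
        return has_memory_seal(elf[p_offset:p_offset + p_filesz], 8 if is64 else 4)
    return None
```

`readelf -n` prints the same note; running `elf_has_memory_seal` over a build tree is a quick way to find executables and shared objects that were linked without `-Wl,memory-seal`.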
Ping (x2)

On 06/12/24 11:08, Adhemerval Zanella Netto wrote:
> Ping on this patchset.
>
> On 28/11/24 12:43, Adhemerval Zanella wrote:
>> elf: Add GNU_PROPERTY_MEMORY_SEAL gnu property