From nobody Wed Jun 22 16:20:12 2022 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id B5C0A859166; Wed, 22 Jun 2022 16:20:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LSpWc22KSz4h2g; Wed, 22 Jun 2022 16:20:12 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1655914812; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Bg2wiqqMMvOCMJ/6U5OYjge71vOk/4k3nUMZ48ZHqL4=; b=vQoqGnBY4ZLbSdtaNjR7YHUxlY5G0EtDtwhPovASts/wsa7CN8Sclj8Q676T7dpLv8fwqf 3DZ5pJ9peEJ0KXM3u17L/3aK4RjZJ67Uwf/fDBssrfFp127mZ4nB7+tDhUEMo5CAEwebNz 1S0G3NdOmAsScMiG2NeWwvOj3ABPIybQsZq4ZARuNTxACd5zRj8D/uZiiIX2HUnAg7rc9/ /9nOPlE6OPSgz1K4Da9cpXQWYGWtm6gG06KrZsuQjmtZZqtC3J75roVMDeNZpi0XeanMLr Hcdt0/eE3AttXyCtFx89KLUT8ITbBzyawT7N8b8rxyqc/p01jltBEFXpTI0OXQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 208C1EF0; Wed, 22 Jun 2022 16:20:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 25MGKCLA098068; Wed, 22 Jun 2022 16:20:12 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 25MGKCHU098065; Wed, 22 Jun 2022 16:20:12 GMT (envelope-from git) Date: Wed, 22 Jun 2022 16:20:12 GMT Message-Id: <202206221620.25MGKCHU098065@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Ed Maste Subject: git: 2f3a961487c9 - main - Add RELRO build knob, default to enabled List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 2f3a961487c97dc879f07bb97bc62d7bd70b3f8d Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1655914812; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Bg2wiqqMMvOCMJ/6U5OYjge71vOk/4k3nUMZ48ZHqL4=; b=eqoRH70F2+kabQmr3utAPExHPQf3cRpEMsnf+faqHd7tvIm4qEtbTOfUFl8azmgpPv3g2O CEv88dulTUefVuatkS8xnPhez1Uh65cETaydDOYy5xdEC4lMq6shKvr5D4L0f8YChjciwS KCYLdvc1flLX19o9C+vN0YJpwKf77/tGNOFUN4nbb/L6gjH9B610wI5OhbbKJkJyED83da 5zacu1B/jueSDJw6T4NA8Y/hCKM9Z5SGXbnE42QBRPp3v/2IVczJdWnJE/tH8GOWHrs5xq vIDAbfe1AmDVBm9XaZXWrTPOILrTIMlJkJrKijkc++8y6wTuVwf2G6gzx2XAWQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1655914812; a=rsa-sha256; cv=none; b=twVDgHUvDB5XkATAzHphlRgVMorybY9BsqwTod9x/0p2NRfyWG5C6odLLUmCBBsg5mt+Z4 wEaMSgXrUPwBAW4Gio3AIu4CHvJ/0GBUaZ4e3WkFzlfpkRXWLUDsqlNK2+6tuoxtxagwWb HkPW/z94Fh8BS4neT3LhaIqsHJhQO/g2+HzyCsMlQrfsG3L74diMNzmtfus73ygJ9lkZsQ B9Rk7TpDThUDcP2w0A7IZ2nzINX+wR3p2oEUwO+N2dx1Y5XHM/AMoHmYz2SBo8B1dub2t9 JqeNjkdXaxbDidoJBCWaz7IfwKtIzWem2+FASj1K36Hx7/niChJ78hSR0qx+ug== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=2f3a961487c97dc879f07bb97bc62d7bd70b3f8d commit 2f3a961487c97dc879f07bb97bc62d7bd70b3f8d Author: Ed Maste AuthorDate: 2022-06-22 12:58:04 +0000 Commit: Ed Maste CommitDate: 2022-06-22 16:18:41 +0000 Add RELRO build knob, default to enabled Note that lld enables relro by default, so that we already had either partial or full RELRO, depending on the state of the BIND_NOW knob. Add a RELRO knob so that the option can be disabled if desired, and so that builds using the GNU toolchain are equivalent to those using the standard Clang/LLVM toolchain. Reviewed by: markj MFC after: 3 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35545 --- share/mk/bsd.lib.mk | 5 +++++ share/mk/bsd.opts.mk | 1 + share/mk/bsd.prog.mk | 5 +++++ tools/build/options/WITHOUT_RELRO | 4 ++++ tools/build/options/WITH_BIND_NOW | 7 +++++++ tools/build/options/WITH_RELRO | 5 +++++ 6 files changed, 27 insertions(+) diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk index 5c7b73c5a8a9..9ba08a7ca619 100644 --- a/share/mk/bsd.lib.mk +++ b/share/mk/bsd.lib.mk @@ -79,6 +79,11 @@ TAG_ARGS= -T ${TAGS:[*]:S/ /,/g} .if ${MK_BIND_NOW} != "no" LDFLAGS+= -Wl,-znow .endif +.if ${MK_RELRO} == "no" +LDFLAGS+= -Wl,-znorelro +.else +LDFLAGS+= -Wl,-zrelro +.endif .if ${MK_RETPOLINE} != "no" .if ${COMPILER_FEATURES:Mretpoline} && ${LINKER_FEATURES:Mretpoline} CFLAGS+= -mretpoline diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk index 7e5c985957f0..d448656bd96d 100644 --- a/share/mk/bsd.opts.mk +++ b/share/mk/bsd.opts.mk @@ -64,6 +64,7 @@ __DEFAULT_YES_OPTIONS = \ NIS \ NLS \ OPENSSH \ + RELRO \ SSP \ TESTS \ TOOLCHAIN \ diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk index 6b8da09edaf0..eed7d652fad1 100644 --- a/share/mk/bsd.prog.mk +++ b/share/mk/bsd.prog.mk @@ -41,6 +41,11 @@ MK_DEBUG_FILES= no .if ${MK_BIND_NOW} != "no" LDFLAGS+= -Wl,-znow .endif +.if ${MK_RELRO} == "no" +LDFLAGS+= -Wl,-znorelro +.else +LDFLAGS+= -Wl,-zrelro +.endif .if ${MK_PIE} != "no" # Static PIE is not yet supported/tested. .if !defined(NO_SHARED) || ${NO_SHARED:tl} == "no" diff --git a/tools/build/options/WITHOUT_RELRO b/tools/build/options/WITHOUT_RELRO new file mode 100644 index 000000000000..f5b661f5916d --- /dev/null +++ b/tools/build/options/WITHOUT_RELRO @@ -0,0 +1,4 @@ +Do not apply the Relocation Read-Only (RELRO) vulnerability mitigation. +See also the +.Va BIND_NOW +option. diff --git a/tools/build/options/WITH_BIND_NOW b/tools/build/options/WITH_BIND_NOW index 02e4c37352b4..a2d3ac7e7779 100644 --- a/tools/build/options/WITH_BIND_NOW +++ b/tools/build/options/WITH_BIND_NOW @@ -3,3 +3,10 @@ Build all binaries with the .Dv DF_BIND_NOW flag set to indicate that the run-time loader should perform all relocation processing at process startup rather than on demand. +The combination of the +.Va BIND_NOW +and +.Va RELRO +options provide "full" Relocation Read-Only (RELRO) support. +With full RELRO the entire GOT is made read-only after performing relocation at +startup, avoiding GOT overwrite attacks. diff --git a/tools/build/options/WITH_RELRO b/tools/build/options/WITH_RELRO new file mode 100644 index 000000000000..cfc344dd9cfe --- /dev/null +++ b/tools/build/options/WITH_RELRO @@ -0,0 +1,5 @@ +Build all binaries with the Relocation Read-Only (RELRO) vulnerability +mitigation applied. +See also the +.Va BIND_NOW +option.