Add RELRO build knob, default to enabled
Closed, Public

Authored by emaste on Jun 22 2022, 1:39 PM.
Details

Summary

Note that lld enables relro by default, so that we already had either partial or full RELRO, depending on the state of the BIND_NOW knob.

Add a RELRO knob so that the option can be disabled if desired, and so that builds using the GNU toolchain are equivalent to those using the standard Clang/LLVM toolchain.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

share/mk/bsd.prog.mk
48

What about bsd.lib.mk?

tools/build/options/WITH_RELRO
2

Do you plan to add documentation anywhere explaining what the mitigation does? In particular, you need to also set WITH_BIND_NOW to get "full" RELRO.

share/mk/bsd.prog.mk
48

Should be applicable only to linking binaries, i.e. .plt and .got.plt

tools/build/options/WITH_RELRO
2

Not quite sure where it should go - this WITH_RELRO won't actually be used with the option on by default. Maybe describe partial/full RELRO in the BIND_NOW option?

tools/build/options/WITH_RELRO
2

Or add here

Binaries will not have a GNU_RELRO segment and the .plt and .got.plt sections will not be switched to read-only after applying relocations.
See also BIND_NOW.

Or maybe src.conf isn't the right place to try to explain this, and we should have text in security(7) or a man page on elf hardening?

tools/build/options/WITH_RELRO
2

Perhaps in BIND_NOW

The combination of the
.Va BIND_NOW
and
.Va RELRO
options provides "full" Relocation Read-Only (RELRO) support.
With full RELRO the entire GOT is made read-only after performing relocation at
startup, avoiding GOT overwrite attacks.

share/mk/bsd.prog.mk
48

I don't really follow. RELRO applies to shared libs too.

tools/build/options/WITH_RELRO
2

I think it'd make the most sense to describe the mitigation in security.7 (or anywhere that's not src.conf.5), but mention briefly the relationship between RELRO and BIND_NOW here. Your last suggestion seems fine to me. I'd also add "see the WITH_BIND_NOW option" to the description of WITH_RELRO.

share/mk/bsd.prog.mk
48

Yes of course, just a braino.

tools/build/options/WITH_RELRO
2

security.7 needs a more major overhaul; I should document it more fully there in the future. For now I think the last suggestion along with an xref is fine. The xref would have to be in both WITH_RELRO and WITHOUT_RELRO.

  • add to bsd.lib.mk also
  • describe full RELRO in WITH_BIND_NOW
  • add cross reference to BIND_NOW
markj added inline comments.
tools/build/options/WITH_RELRO
2

Yeah, I think it's fine to deal with full documentation of the mitigation later.

This revision is now accepted and ready to land. Jun 22 2022, 3:17 PM
This revision was automatically updated to reflect the committed changes.