Page MenuHomeFreeBSD

Add RELRO build knob, default to enabled
ClosedPublic

Authored by emaste on Jun 22 2022, 1:39 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Dec 10, 4:30 PM
Unknown Object (File)
Fri, Dec 6, 3:28 AM
Unknown Object (File)
Tue, Nov 26, 5:03 AM
Unknown Object (File)
Tue, Nov 26, 5:02 AM
Unknown Object (File)
Tue, Nov 26, 5:01 AM
Unknown Object (File)
Tue, Nov 26, 5:01 AM
Unknown Object (File)
Nov 21 2024, 6:43 AM
Unknown Object (File)
Nov 18 2024, 10:41 PM
Subscribers

Details

Summary

Note that lld enables relro by default, so that we already had either partial or full RELRO, depending on the state of the BIND_NOW knob.

Add a RELRO knob so that the option can be disabled if desired, and so that builds using the GNU toolchain are equivalent to those using the standard Clang/LLVM toolchain.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

share/mk/bsd.prog.mk
48

What about bsd.lib.mk?

tools/build/options/WITH_RELRO
3

Do you plan to add documentation anywhere explaining what the mitigation does? In particular, you need to also set WITH_BIND_NOW to get "full" RELRO.

share/mk/bsd.prog.mk
48

should be applicable only to linking binaries, i.e. .plt and .got.plt

tools/build/options/WITH_RELRO
3

Not quite sure where it should go - this WITH_RELRO won't actually be used with the option on by default. Maybe describe partial/full RELRO in the BIND_NOW option?

tools/build/options/WITH_RELRO
3

Or add here

Binaries will not have a GNU_RELRO segment and the .plt and .got.plt sections will not be switched to read-only after applying relocations.
See also BIND_NOW.

Or maybe src.conf isn't the right place to try to explain this, and we should have text in security(7) or a man page on elf hardening?

tools/build/options/WITH_RELRO
3

Perhaps in BIND_NOW

The combination of the
.Va BIND_NOW
and
.Va RELRO
options provide "full" Relocation Read-Only (RELRO) support.
With full RELRO the entire GOT is made read-only after performing relocation at
startup, avoiding GOT overwrite attacks.

share/mk/bsd.prog.mk
48

I don't really follow. RELRO applies to shared libs too.

tools/build/options/WITH_RELRO
3

I think it'd make the most sense to describe the mitigation in security.7 (or anywhere that's not src.conf.5), but mention briefly the relationship between RELRO and BIND_NOW here. Your last suggestion seems fine to me. I'd also add "see the WITH_BIND_NOW option" to the description of WITH_RELRO.

share/mk/bsd.prog.mk
48

Yes of course, just a braino.

tools/build/options/WITH_RELRO
3

security.7 needs a more major overhaul, I should document it more fully there in the future. For now I think the last suggestion along with a xref is fine. The xref would have to be in both WITH_RELRO and WITHOUT_RELRO.

  • add to bsd.lib.mk also
  • describe full RELRO in WITH_BIND_NOW
  • add cross reference to BIND_NOW
markj added inline comments.
tools/build/options/WITH_RELRO
3

Yeah, I think it's fine to deal with full documentation of the mitigation later.

This revision is now accepted and ready to land.Jun 22 2022, 3:17 PM
This revision was automatically updated to reflect the committed changes.