cc-wrapper: add support for shadowstack hardening flag (#326819)
Merged
9 commits:
c68739f (risicle) bootstrap-tools-musl: match bootstrap-tools hardeningUnsupportedFlags
b207b6e (risicle) cc-wrapper: add support for shadowstack hardening flag
3ebc7bb (risicle) glibc: add option enableCETRuntimeDefault to runtime-enable CET by de…
41cae89 (risicle) glibc: enableCETRuntimeDefault for pkgsExtraHardening
5ce990e (risicle) doc/stdenv: add section on shadowstack hardening flag
a30f794 (risicle) pcre: expose enableJit argument, disable shadowstack when enabled
7a4736e (risicle) llvm: disable shadowstack hardening flag
b84da12 (risicle) lix: disable shadowstack hardening flag
0dacfda (risicle) nix: disable shadowstack hardening flag
pkgs/development/libraries/glibc/2.39-revert-cet-default-disable.patch (49 additions & 0 deletions)
@@ -0,0 +1,49 @@ | ||
Revert 55d63e731253de82e96ed4ddca2e294076cd0bc5 | ||
|
||
--- b/sysdeps/x86/cpu-features.c | ||
+++ a/sysdeps/x86/cpu-features.c | ||
@@ -110,7 +110,7 @@ | ||
if (!CPU_FEATURES_CPU_P (cpu_features, RTM_ALWAYS_ABORT)) | ||
CPU_FEATURE_SET_ACTIVE (cpu_features, RTM); | ||
|
||
+#if CET_ENABLED | ||
-#if CET_ENABLED && 0 | ||
CPU_FEATURE_SET_ACTIVE (cpu_features, IBT); | ||
CPU_FEATURE_SET_ACTIVE (cpu_features, SHSTK); | ||
#endif | ||
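Review bot: the file headers of this embedded patch are reversed (`--- b/sysdeps/x86/cpu-features.c` before `+++ a/sysdeps/x86/cpu-features.c`) and the `+#if CET_ENABLED` line precedes the `-#if CET_ENABLED && 0` line it replaces, which is the shape of a reversed diff; `patch -p1` strips both prefixes so it applies, but the header `Revert 55d63e731253de82e96ed4ddca2e294076cd0bc5` gives no summary of the reverted upstream change. Suggest one sentence above the first `---` line saying what that commit did (the `&& 0` disables the default activation of IBT and SHSTK), so whoever bumps glibc past 2.39 can tell whether this patch is still needed or whether upstream has changed the default again.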
reverted: | ||
--- b/sysdeps/x86/cpu-tunables.c | ||
+++ a/sysdeps/x86/cpu-tunables.c | ||
@@ -35,17 +35,6 @@ | ||
break; \ | ||
} | ||
|
||
-#define CHECK_GLIBC_IFUNC_CPU_BOTH(f, cpu_features, name, len) \ | ||
- _Static_assert (sizeof (#name) - 1 == len, #name " != " #len); \ | ||
- if (tunable_str_comma_strcmp_cte (&f, #name)) \ | ||
- { \ | ||
- if (f.disable) \ | ||
- CPU_FEATURE_UNSET (cpu_features, name) \ | ||
- else \ | ||
- CPU_FEATURE_SET_ACTIVE (cpu_features, name) \ | ||
- break; \ | ||
- } | ||
- | ||
/* Disable a preferred feature NAME. We don't enable a preferred feature | ||
which isn't available. */ | ||
#define CHECK_GLIBC_IFUNC_PREFERRED_OFF(f, cpu_features, name, len) \ | ||
@@ -142,13 +131,11 @@ | ||
} | ||
break; | ||
case 5: | ||
- { | ||
- CHECK_GLIBC_IFUNC_CPU_BOTH (n, cpu_features, SHSTK, 5); | ||
- } | ||
if (n.disable) | ||
{ | ||
CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, LZCNT, 5); | ||
CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, MOVBE, 5); | ||
+ CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, SHSTK, 5); | ||
CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, SSSE3, 5); | ||
CHECK_GLIBC_IFUNC_CPU_OFF (n, cpu_features, XSAVE, 5); | ||
} |
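Review bot: after this hunk the `case 5:` branch only recognises `SHSTK` inside the `if (n.disable)` block, and the previous hunk drops the `CHECK_GLIBC_IFUNC_CPU_BOTH` macro that allowed both directions, so the runtime tunable can switch the shadow stack off but can no longer switch it on. Combined with the cpu-features.c change that makes `CPU_FEATURE_SET_ACTIVE (cpu_features, SHSTK)` unconditional under `CET_ENABLED`, a glibc built with `enableCETRuntimeDefault` enables SHSTK on every capable CPU unless the tunable disables it. Suggest stating that in the option description, since the disable-only tunable is the operator's only kill switch when a binary that the PR had to exempt (pcre with JIT, llvm, lix, nix) misbehaves under such a glibc.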
@@ -115,6 +115,7 @@ let | |
"format" | ||
"fortify" | ||
"fortify3" | ||
"shadowstack" | ||
"pic" | ||
"pie" | ||
"relro" | ||
|
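Review bot: `"shadowstack"` is inserted between `"fortify3"` and `"pic"`, while the visible neighbours (`format`, `fortify`, `fortify3`, `pic`, `pie`, `relro`) are in alphabetical order; if this list is kept sorted the entry belongs after `"relro"`. Independently of order, listing the flag here only makes it a recognised name; per the commit list the runtime side lives in the separate glibc `enableCETRuntimeDefault` option, so the doc/stdenv section should say that enabling `shadowstack` alone marks the binary but does not activate the shadow stack at run time.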
These are the first packages that pkgsExtraHardening is making an explicit domain‐specific hardening vs. functionality/performance trade‐off for, rather than just blanket‐defaulting a hardening switch on and letting individual packages decide what to do, right? I’m not opposed necessarily, just want to check that this is something new that’s happening. I do worry a little about bit rot as package options drift without anyone checking pkgsExtraHardening. And it might be hard to make judgement calls in future when you’re faced with whether to turn all JITs ever off for security reasons.

Not sure if this answers the question, but here I think is the starting point that led to this: #326819 (comment). TLDR: legacy PCRE JIT is broken with shadow stack, so either JIT or shadow stack have to be disabled, and the latter has cascade effects.

Right, okay. The fact that it would require disabling it for all the downstream packages makes this make sense to me.

Yes, this is the first time we're overriding an actual package.
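The PR's shadowstack flag and the per-package opt-outs discussed above are only observable in the ELF GNU property note that the compiler emits for CET-marked objects and that the loader consults before enabling the shadow stack. The program below is an added example, not code from nixpkgs or this PR: it parses that note and reports whether the IBT and SHSTK bits are set, so a packager can check which build outputs actually carry the marker after a rebuild with or without the flag. It assumes the ELF64 note layout for a little-endian (x86-64) target and that the flag is implemented through the compiler's CET marking (the mechanism behind GCC/Clang's -fcf-protection); the function and constant names are the example's own.

```c
/* Added example (not part of nixpkgs or PR #326819): inspect the
 * .note.gnu.property / PT_GNU_PROPERTY marker for x86 CET bits. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PT_GNU_PROPERTY
#define PT_GNU_PROPERTY 0x6474e553
#endif
#ifndef NT_GNU_PROPERTY_TYPE_0
#define NT_GNU_PROPERTY_TYPE_0 5
#endif
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   (1u << 0)
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK (1u << 1)

/* Little-endian 32-bit read; the note is in the target's byte order (x86). */
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk a PT_GNU_PROPERTY segment (ELF64: name and descriptor padded to 8
 * bytes) and return the X86_FEATURE_1_AND bitmask, or 0 when no such
 * property exists or the note is truncated. Every offset is bounds-checked
 * before it is read, so a malformed file cannot push the parser out of buf. */
uint32_t x86_feature_1_from_note(const uint8_t *buf, size_t len) {
    size_t off = 0;
    while (off + 12 <= len) {
        uint32_t namesz = get32(buf + off), descsz = get32(buf + off + 4), type = get32(buf + off + 8);
        size_t name_off = off + 12;
        if (namesz > len - name_off) return 0;
        size_t desc_off = (name_off + namesz + 7) & ~(size_t)7;
        if (desc_off > len || descsz > len - desc_off) return 0;
        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 && memcmp(buf + name_off, "GNU", 4) == 0) {
            size_t p = desc_off, end = desc_off + descsz;
            while (p + 8 <= end) {  /* each property: pr_type, pr_datasz, data, pad to 8 */
                uint32_t pr_type = get32(buf + p), pr_datasz = get32(buf + p + 4);
                if (pr_datasz > end - (p + 8)) return 0;
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4)
                    return get32(buf + p + 8);
                p += 8 + ((pr_datasz + 7) & ~(size_t)7);
            }
        }
        off = (desc_off + descsz + 7) & ~(size_t)7;
    }
    return 0;
}

/* Locate the PT_GNU_PROPERTY segment of an ELF64 file and return its feature
 * bitmask (0 if the file has no marker). Returns -1 on I/O or header errors
 * so callers can tell "not marked" from "unreadable". */
long x86_feature_1_from_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    Elf64_Ehdr eh;
    long result = -1;
    uint8_t *seg = NULL;
    if (fread(&eh, sizeof eh, 1, f) != 1 || memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0
        || eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_phentsize != sizeof(Elf64_Phdr)) goto out;
    result = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        if (fseek(f, (long)(eh.e_phoff + (uint64_t)i * sizeof ph), SEEK_SET) != 0
            || fread(&ph, sizeof ph, 1, f) != 1) { result = -1; break; }
        if (ph.p_type != PT_GNU_PROPERTY) continue;
        if (ph.p_filesz > (1u << 16)) { result = -1; break; }  /* sanity cap on segment size */
        seg = malloc(ph.p_filesz);
        if (!seg || fseek(f, (long)ph.p_offset, SEEK_SET) != 0
            || fread(seg, 1, ph.p_filesz, f) != ph.p_filesz) { result = -1; break; }
        result = x86_feature_1_from_note(seg, ph.p_filesz);
        break;
    }
out:
    free(seg);
    fclose(f);
    return result;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    long bits = x86_feature_1_from_file(path);
    if (bits < 0) { fprintf(stderr, "%s: not a readable ELF64 file\n", path); return 2; }
    printf("%s: IBT=%s SHSTK=%s\n", path,
           (bits & GNU_PROPERTY_X86_FEATURE_1_IBT) ? "yes" : "no",
           (bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK) ? "yes" : "no");
    return 0;
}
```

Run it against a package output (for example a library built with and without the flag) to confirm the marker is present exactly where the hardening flag was left on; a binary that reports SHSTK=no is one the loader will run without a shadow stack even on a glibc that enables CET by default, which is the behaviour the exempted JIT-using packages rely on.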