cmd/link: support full relro #45681

Foxboron · 2021-04-21T21:59:20Z

Most Linux distributions today enable PIE and full RELRO on all binaries
to make exploitation harder. When buildmode=pie is used we enable full
relro as that is probably what most people want regardless.

This introduces a negligible startup time for binaries.

https://fedoraproject.org/wiki/Changes/Harden_All_Packages
https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro

Related #44480

google-cla · 2021-04-21T21:59:25Z

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers

It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

Foxboron · 2021-04-21T22:00:11Z

@googlebot I signed it!

gopherbot · 2021-04-21T22:03:25Z

This PR (HEAD: 20ab0e5) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/312509 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off)
See the Wiki page for more info

gopherbot · 2021-04-21T22:05:28Z

Message from Go Bot:

Patch Set 1:

Congratulations on opening your first change. Thank you for your contribution!

Next steps:
A maintainer will review your change and provide feedback. See
https://golang.org/doc/contribute.html#review for more info and tips to get your
patch through code review.

Most changes in the Go project go through a few rounds of revision. This can be
surprising to people new to the project. The careful, iterative review process
is our way of helping mentor contributors and ensuring that their contributions
have a lasting impact.

During May-July and Nov-Jan the Go project is in a code freeze, during which
little code gets reviewed or merged. If a reviewer responds with a comment like
R=go1.11 or adds a tag like "wait-release", it means that this CL will be
reviewed as part of the next development cycle. See https://golang.org/s/release
for more details.

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-04-21T22:13:48Z

Message from Cherry Zhang:

Patch Set 1: Run-TryBot+1

(2 comments)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-04-21T22:13:49Z

Message from Go Bot:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-04-21T22:13:49Z

Message from Cherry Zhang:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-04-21T22:30:00Z

Message from Morten Linderud:

Patch Set 1:

(2 comments)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-04-21T22:33:56Z

Message from Go Bot:

Patch Set 1: TryBot-Result+1

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-04-21T22:33:57Z

Message from Cherry Zhang:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-04-21T22:42:46Z

Message from Morten Linderud:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-04-21T22:49:21Z

Message from Cherry Zhang:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-04-21T22:56:31Z

Message from Morten Linderud:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-04-21T23:00:07Z

Message from Ian Lance Taylor:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-04-24T11:12:12Z

This PR (HEAD: b80f284) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/312509 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off)
See the Wiki page for more info

gopherbot · 2021-04-27T10:10:53Z

Message from Morten Linderud:

Patch Set 2:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-05-08T07:48:23Z

Message from Cherry Mui:

Patch Set 1: Run-TryBot+1

(2 comments)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-05-08T07:48:24Z

Message from Cherry Mui:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-05-08T07:48:24Z

Message from Cherry Mui:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-05-08T07:48:25Z

Message from Cherry Mui:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-11-08T11:09:38Z

Message from Morten Linderud:

Patch Set 1:

(2 comments)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-11-08T11:09:39Z

Message from Go Bot:

Patch Set 1: TryBot-Result+1

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-11-08T11:09:40Z

Message from Cherry Mui:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-11-08T11:09:41Z

Message from Morten Linderud:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-11-08T11:09:41Z

Message from Cherry Mui:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2021-11-08T11:09:42Z

Message from Morten Linderud:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2022-05-07T10:33:20Z

This PR (HEAD: b85c7f7) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/312509 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off)
See the Wiki page for more info

gopherbot · 2022-05-07T17:33:16Z

Message from Ian Lance Taylor:

Patch Set 4: Run-TryBot+1 Code-Review+1

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2022-05-07T17:36:50Z

Message from Gopher Robot:

Patch Set 4:

(2 comments)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2022-05-07T17:47:32Z

Message from Gopher Robot:

Patch Set 4: TryBot-Result+1

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2022-05-09T20:19:30Z

Message from Cherry Mui:

Patch Set 4:

(4 comments)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2022-05-09T21:22:17Z

Message from Ian Lance Taylor:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2022-05-09T21:37:53Z

Message from Cherry Mui:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2022-05-09T21:41:53Z

Message from Cherry Mui:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2022-05-09T22:08:45Z

Message from Ian Lance Taylor:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

y27988 · 2022-10-13T07:28:14Z

Why is this feature not merged into the main branch?

Foxboron · 2022-10-13T07:40:36Z

I have failed to followup on this a properly sadly. The review cycle takes a while (understandably) so it doesn't end up super high on my todo list :)

gopherbot · 2022-11-08T21:05:56Z

Message from Ian Lance Taylor:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2022-11-08T21:11:06Z

Message from Morten Linderud:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2022-11-08T22:29:07Z

Message from Ian Lance Taylor:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2023-02-19T16:26:19Z

Message from Nick Revin:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2023-02-21T05:31:32Z

Message from Ian Lance Taylor:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2023-02-25T19:33:25Z

Message from Nick Revin:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2023-03-02T15:28:07Z

Message from Morten Linderud:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2023-03-04T23:32:00Z

Message from Nick Revin:

Patch Set 4:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2023-03-05T01:55:03Z

Message from Ian Lance Taylor:

Patch Set 4: -Code-Review

Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

-bindnow linker option enables full RELRO on ELF targets. This options defaults to false and preserves current behavior - partial relro for buildmode=pie. Also, the following changes were made to align internal linker's behavior with external ELF linkers: - GNU_RELRO segment is marked Read-only - .dynamic is a relro section for partial and full RELRO - .got is a relro section for partial and full RELRO - .got.plt is a relro section for full RELRO only Supersedes #45681 (golang.org/cl/312509) Change-Id: I51c4ef07b14beceb7cd6fd989f323e45f89a63ca GitHub-Last-Rev: bc68264 GitHub-Pull-Request: #58869 Reviewed-on: https://go-review.googlesource.com/c/go/+/473495 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Cherry Mui <[email protected]> Run-TryBot: Cherry Mui <[email protected]> Reviewed-by: Than McIntosh <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>

This reverts https://go.dev/cl/c/go/+/473495. Reason for revert: breaks some Google-internal tests. This revert will be temporary until we can gather more info on the nature of the failures and hopefully develop an upstream test case, etc. Updates #45681. Change-Id: Ib628ddc53bc5489e4f76c0f4ad809b75e899102c Reviewed-on: https://go-review.googlesource.com/c/go/+/571415 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Cherry Mui <[email protected]>

This is a partial roll-forward of CL 473495, which was subsequently reverted. The second half of CL 473495 will appear in a future CL. In this patch we introduce a new Go linker "-bindnow" command line flag, and update the Go command to permit the use of the -Wl,-z,now option, to allow users to produce binaries that have immediate binding. Updates #45681. Change-Id: Idd61b0d6597bcd37b16c343714c55a4ef6dfb534 Reviewed-on: https://go-review.googlesource.com/c/go/+/571416 Reviewed-by: Cherry Mui <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>

This is the second of two CLs to roll forward the changes in CL 473495, which was subsequently reverted. In this patch we move the .dynamic and .got sections from the writable data segment to the relro segment if the platform supports relro and we're producing a PIE binary, and also moves .got.plt into relro if eager binding is in effect (e.g. -bindnow or -Wl,-z,now). Updates #45681. Change-Id: I9f4fba6e825b96d1b5e27fb75844450dd0a650b3 Reviewed-on: https://go-review.googlesource.com/c/go/+/571417 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Cherry Mui <[email protected]>

This patch re-enables the portion of the TestElfBindNow test that verifies that selected sections are in a read-only segment. Turns out we can't always check for read-only ".got" on all architectures (on ppc64le for example ".got" will only turn up if there is CGO use), so always look for readonly ".dynamic", but only look for readonly ".got" if the section is present. Updates #45681. Change-Id: I4687ae3cf9a81818268925e17700170ba34204a7 Reviewed-on: https://go-review.googlesource.com/c/go/+/581115 Reviewed-by: Cherry Mui <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>

This patch re-enables the portion of the TestElfBindNow test that verifies that selected sections are in a read-only segment. Turns out we can't always check for read-only ".got" on all architectures (on ppc64le for example ".got" will only turn up if there is CGO use), so always look for readonly ".dynamic", but only look for readonly ".got" if the section is present. Updates golang#45681. Change-Id: I4687ae3cf9a81818268925e17700170ba34204a7 Reviewed-on: https://go-review.googlesource.com/c/go/+/581115 Reviewed-by: Cherry Mui <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Fixes RSA mod overflow timing channel Addressing review comments Addresses review comment about newline

This patch fixes a problem with how the .dynamic and .got sections are handled during PIE linking on ELF targets. These sections were being given addresses that overlapped with the .data.rel.ro section, which resulted in binaries that worked correctly but confused the binutils "strip" tool (which, confusingly, produced non-working stripped output when used on Go PIE binaries without returning a non-zero exit status). The new RELRO PIE code path preserves .dynamic and .got as their own independent sections, while ensuring that they make it into the RELRO segment. A new test verifies that we can successfully strip and run Go PIE binaries, and also that we don't wind up with any sections whose address ranges overlap. Fixes #67261. Updates #45681. Change-Id: If874be05285252a9b074d4a1fc6a4023b9a28b5e Reviewed-on: https://go-review.googlesource.com/c/go/+/584595 Reviewed-by: Cherry Mui <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>

google-cla bot added the cla: no Used by googlebot to label PRs as having an invalid CLA. The text of this label should not change. label Apr 21, 2021

google-cla bot added cla: yes Used by googlebot to label PRs as having a valid CLA. The text of this label should not change. and removed cla: no Used by googlebot to label PRs as having an invalid CLA. The text of this label should not change. labels Apr 21, 2021

Foxboron mentioned this pull request May 13, 2021

Provide a more sophisticated way to select up to n initrd image files for generating bundles Foxboron/sbctl#65

Closed

Foxboron force-pushed the morten/full-relro branch from 54b4266 to b85c7f7 Compare May 7, 2022 10:31

nrvnrvn mentioned this pull request Mar 4, 2023

cmd/link: add option to enable full RELRO for ELF #58869

Closed

Foxboron closed this Nov 1, 2023

cmd/link: support full relro #45681

cmd/link: support full relro #45681

Conversation

Foxboron commented Apr 21, 2021

google-cla bot commented Apr 21, 2021

What to do if you already signed the CLA

Individual signers

Corporate signers

Foxboron commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 21, 2021

gopherbot commented Apr 24, 2021

gopherbot commented Apr 27, 2021

gopherbot commented May 8, 2021

gopherbot commented May 8, 2021

gopherbot commented May 8, 2021

gopherbot commented May 8, 2021

gopherbot commented Nov 8, 2021

gopherbot commented Nov 8, 2021

gopherbot commented Nov 8, 2021

gopherbot commented Nov 8, 2021

gopherbot commented Nov 8, 2021

gopherbot commented Nov 8, 2021

gopherbot commented May 7, 2022

gopherbot commented May 7, 2022

gopherbot commented May 7, 2022

gopherbot commented May 7, 2022

gopherbot commented May 9, 2022

gopherbot commented May 9, 2022

gopherbot commented May 9, 2022

gopherbot commented May 9, 2022

gopherbot commented May 9, 2022

y27988 commented Oct 13, 2022

Foxboron commented Oct 13, 2022

gopherbot commented Nov 8, 2022

gopherbot commented Nov 8, 2022

gopherbot commented Nov 8, 2022

gopherbot commented Feb 19, 2023

gopherbot commented Feb 21, 2023

gopherbot commented Feb 25, 2023

gopherbot commented Mar 2, 2023

gopherbot commented Mar 4, 2023

gopherbot commented Mar 5, 2023