From Fedora Project Wiki
(Add reference to #7249)
m (fix the link to the pdf for CFT)
Line 95: Line 95:
 
* [https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html|<code>-fstack-clash-protection</code>]
 
* [https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html|<code>-fstack-clash-protection</code>]
 
* [https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_macros.html|<code>_GLIBCXX_ASSERTIONS</code>]
 
* [https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_macros.html|<code>_GLIBCXX_ASSERTIONS</code>]
* [https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf|Control Flow Enforcement Technology]
+
* [https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf Control Flow Enforcement Technology]
  
 
== Release Notes ==
 
== Release Notes ==

Revision as of 09:40, 9 January 2018


Hardening Flags Updates for Fedora 28

Summary

This system-wide change covers changes to the hardening flags in Fedora 28.

Owner

Current status

  • Targeted release: Fedora 28
  • Last updated: 2018-01-09
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

  • Compile all binaries with stack clash protection (-fstack-clash-protection). As a result, all stack overflows (i.e., situations where the allocated stack is completely exhausted) will reliably result in crashes.
  • Enable C++ standard library hardening with -D_GLIBCXX_ASSERTIONS. This turns on cheap range checks for C++ arrays, vectors, and strings.
  • Enable control flow protection on x86-64 using -fcf-protection=full -mcet.
  • Enable .got.plt isolation in binutils, to support a read-only GOT with lazy binding on systems which provide support for memory protection keys.

Benefit to Fedora

Fedora will benefit from additional security hardening provided by the GNU toolchain.

Scope

  • Proposal owners: Propose changes to redhat-rpm-config to implement the new flags.
  • Other developers: The redhat-rpm-config changes need to be merged. For packages which bypass the RPM compiler flags injection mechanism, developers need to manually implement the new flags.
  • Policies and guidelines: N/A (not needed for this Change; covered by the existing Packaging Guidelines)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

The C++ standard library hardening may detect some invalid out-of-bounds access which have gone unnoticed before.

How To Test

Changes/Annobin will be used to track the implementation of the hardening flags.

User Experience

There will not be any user-visible differences.

Dependencies

Testing depends on Changes/Annobin.

Contingency Plan

  • Contingency mechanism: Revert change to redhat-rpm-config, or make them specific to supported architectures only.
    • An ABI-compliant -fstack-clash-protection implementation has not yet been demonstrated for 32-bit ARM (armhfp). It may be necessary to disable the hardening there.
  • Contingency deadline: final mass rebuild
  • Blocks release? no
  • Blocks product? N/A

Documentation

Release Notes

Fedora 28 has been built with updated hardening flags, as provided by the GNU toolchain. Compared to previous releases, the following changes have been made to the way programs are built:

  • Stack clash protection is enabled.
  • Lightweight assertions have been switched on in the C++ standard run-time library.
  • On x86-64, binaries have been built in a way that they will support Control Flow Enforcement Technology (CET) in the future.
  • On systems which support memory protection keys, lazy binding now uses a read-only GOT.