Control-flow application capabilities for x86_64-linux-gnu release binaries #30677

issue hebasto opened this issue on August 19, 2024
  1. hebasto commented at 4:34 pm on August 19, 2024: member

    When building static binaries for x86_64-linux-gnu, one can verify that both Control-flow Enforcement Technology (CET) capabilities–indirect branch tracking (IBT) and shadow stack–are enabled by running the following command:

    $ readelf -n src/bitcoind | grep feature
         Properties: x86 feature: IBT, SHSTK

    However, that is not the case for the Guix binaries:

    $ readelf -n bin/bitcoind | grep feature
         Properties: x86 feature used: x86, x87, XMM, YMM, XSAVE
  2. hebasto added the label Linux/Unix on Aug 19, 2024
  3. hebasto added the label Build system on Aug 19, 2024
  4. fanquake commented at 4:56 pm on August 19, 2024: member

    When building static binaries for x86_64-linux-gnu, one can verify that both … are enabled by running the following command.

    I’m guessing this is the case because your distro enables both of these by default in its compiler. You can’t generally assume this.

    that is not the case for the Guix binaries:

    Can you elaborate? I guess you mean the ELF .note isn’t present (iirc LIEF only recently added support for checking it directly), but we have a check for at least control flow instructions being present: https://github.com/bitcoin/bitcoin/blob/ee367170cb2acf82b6ff8e0ccdbc1cce09730662/contrib/devtools/security-check.py#L108.

  5. hebasto commented at 6:46 pm on August 19, 2024: member

    When building static binaries for x86_64-linux-gnu, one can verify that both … are enabled by running the following command.

    I’m guessing this is the case because your distro enables both of these by default in its compiler. You can’t generally assume this.

    I’m using Ubuntu 24.04 with the system’s default GCC 13.2.0.

    Specifying -fcf-protection=branch enables IBT, while -fcf-protection=return enables SHSTK. The ./configure script sets -fcf-protection=full, which is equivalent to:

    specifying both branch and return.

    So, I don’t think I make any general assumption here.

    that is not the case for the Guix binaries:

    Can you elaborate? I guess you mean the ELF .note isn’t present…

    Yes, that’s what I’m saying.

  6. hebasto commented at 7:16 pm on August 19, 2024: member
    Should we adjust glibc Hardware Capability Tunables?
  7. fanquake commented at 12:14 pm on August 20, 2024: member

    Should we adjust glibc Hardware Capability Tunables?

    Why?

  8. sipa commented at 7:55 pm on August 21, 2024: member
    Does the ELF flag control whether the feature will be enabled at runtime?
  9. hebasto commented at 11:14 am on August 22, 2024: member

    Does the ELF flag control whether the feature will be enabled at runtime?

    I don’t think so. From https://docs.kernel.org/next/arch/x86/shstk.html:

    The kernel does not process these applications markers directly.

    However, the linker will not place these markers if all object files are not properly instrumented. The cet-report=error linker flag can make these checks visible.


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-01-21 06:12 UTC