Hi,

I will take a shot at answering some of these, with the caveat that I am
not too familiar with this either. My answers could be completely wrong.

"Richard W.M. Jones" <rjones@xxxxxxxxxx> writes:

> On Fri, Oct 22, 2021 at 02:22:22PM +0100, Richard W.M. Jones wrote:
>>
>> I could use some help on this thread about Fedora hardening flags and
>> getting them right for OCaml code:
>>
>> https://github.com/ocaml/ocaml/issues/8648

Did you know that missing cf-protection support is okay in terms of
functionality but incomplete support is not? cf-protection is a feature
enabled when both the processor and the process claim they have
cf-protection support. If either of them is missing that support, the
application will still run fine (cf-protection is disabled). If both of
them claim cf-protection support, but the cf-protection implementation in
the application is incomplete (e.g., missing endbr assembler
instructions), the application will fail at runtime.

> I should have been more specific so people don't have to search the
> messages. Here are some questions:
>
> (1) Should we add annotations to assembler (*.S) files?

Yes. Assembler files need two sets of modifications, in general:

- Adding `endbr` and friends at valid targets of indirect branches. When
  a CPU/process combination with CET/cf-protection enabled encounters an
  indirect branch, a missing endbr at the target will make it abort.

- Adding a .gnu.property.note to mark that the assembly has all the
  changes needed to enable cf-protection.

> (2) If (1), then what annotations precisely should we add and how?

Here's what these two sets of changes looked like for a tiny assembly
file I was playing around with:

https://github.com/dotnet/runtime/issues/40100#issuecomment-713882012

The changes did not get merged/reviewed; there might be bugs in my
prototype.

> (4) (Big ask) What do we need to do to enable cf-protection in
> the compiler?

I think this would be the same set of changes that you do manually in
(1)? Emitting endbr64 at the right places and placing the property note
in any generated files?

Then again, I spoke with some Java folks a few years ago about this and
they pointed out that if the programming language itself provides strong
guarantees that prevent the security exploits that cf-protection guards
against, there's little need to fix the language compiler to emit the
endbr instructions. If OCaml code isn't vulnerable to return-oriented
programming and similar attacks, cf-protection would be of limited
benefit.

Cheers,
Omair

--
PGP Key: B157A9F0 (http://pgp.mit.edu/)
Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
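For readers who want to see the two sets of changes Omair describes (endbr64 at every indirect-branch target, plus the property note) in one place, here is an added illustration written for this page. It is not from the OCaml tree, the dotnet prototype linked above, or any Fedora package; the file name cet_example.S, the function names cet_add_u64 and cet_dispatch, and the selector values are made up for the example. The ELF section name is .note.gnu.property (the "property note" referred to in the message), the pr_type value 0xc0000002 is GNU_PROPERTY_X86_FEATURE_1_AND, and bits 0x1/0x2 are GNU_PROPERTY_X86_FEATURE_1_IBT/SHSTK as used by GCC and glibc:

```asm
/* cet_example.S -- hypothetical x86-64 GAS file written for this page,
 * not taken from OCaml or the dotnet prototype linked above.
 *
 * Assemble and inspect with:
 *   gcc -c cet_example.S -o cet_example.o
 *   readelf -n cet_example.o        # expect "x86 feature: IBT, SHSTK"
 *   ld -z cet-report=error ...      # recent binutils: error out if any
 *                                   # input object lacks the property note
 */

        .text

/* (1a) A function that may be reached through a pointer (a C callback
 * table, an OCaml closure, ...) is an indirect-branch target, so its
 * first instruction must be endbr64.  On a non-CET CPU, or in a process
 * where IBT is disabled, endbr64 decodes as a NOP, which is why a
 * missing note only disables the feature while a missing endbr64 in a
 * CET-enabled process faults. */
        .globl  cet_add_u64
        .type   cet_add_u64, @function
cet_add_u64:
        endbr64
        leaq    (%rdi,%rsi), %rax
        ret
        .size   cet_add_u64, .-cet_add_u64

/* (1b) Jump-table dispatch: every label reached via "jmp *%reg" needs
 * endbr64 too, not just the function entry.  Targets of direct jmp/call
 * (here .Ldefault) do not. */
        .globl  cet_dispatch
        .type   cet_dispatch, @function
cet_dispatch:
        endbr64
        cmpq    $1, %rdi                 # bounds-check selector in %rdi
        ja      .Ldefault                # direct branch, no endbr needed
        leaq    .Ltable(%rip), %rcx
        movslq  (%rcx,%rdi,4), %rax      # load relative offset from table
        addq    %rcx, %rax
        jmp     *%rax                    # indirect branch
.Lcase0:
        endbr64                          # indirect target
        movq    $100, %rax
        ret
.Lcase1:
        endbr64                          # indirect target
        movq    $200, %rax
        ret
.Ldefault:
        xorl    %eax, %eax
        ret
        .size   cet_dispatch, .-cet_dispatch

        .section .rodata
        .align  4
.Ltable:
        .long   .Lcase0 - .Ltable
        .long   .Lcase1 - .Ltable

/* (2) The property note.  ld ANDs this bit-mask across all input
 * objects: one object without the note (or without a bit) drops that
 * feature for the whole output.  Claim only what the code honours: IBT
 * because every indirect target above starts with endbr64, SHSTK
 * because call/ret are paired and no return address is rewritten. */
        .section .note.gnu.property,"a"
        .p2align 3
        .long   1f - 0f                  # n_namesz
        .long   4f - 1f                  # n_descsz
        .long   5                        # n_type = NT_GNU_PROPERTY_TYPE_0
0:      .asciz  "GNU"                    # vendor name
1:      .p2align 3
        .long   0xc0000002               # GNU_PROPERTY_X86_FEATURE_1_AND
        .long   3f - 2f                  # pr_datasz
2:      .long   0x3                      # IBT (0x1) | SHSTK (0x2)
3:      .p2align 3
4:

/* Non-executable stack marker; Fedora's hardening checks expect this
 * on hand-written assembly as well. */
        .section .note.GNU-stack,"",@progbits
```

Two caveats a packager would want: the 0x2 (SHSTK) bit should be left out of an object whose code restores a saved stack pointer and then executes ret (longjmp-style exception unwinding, for example), because the shadow stack will no longer match; and when a package has several .S files, checking the final binary with readelf -n (or linking with -z cet-report=error) is the only reliable way to see that every object carried the note, since a single unmarked object silently clears the bits.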