[LibOS] Move checkpoint special sections to RELRO segment

Currently, `.cp_name.*` and other checkpoint sections are included in the `.rodata` section in the output. However, these sections require relocation, and are thus marked writable. This causes the entire text segment of `libsysdb.so` to become RWX. This change adds `.data.rel.ro` section to the linker script and moves these sections there. Additionally, other `.data.rel.ro.*` sections in input files are also moved there, improving RELRO coverage. Signed-off-by: Marcelina Kościelnicka <mwk@invisiblethingslab.com>
gramineproject · Jun 26, 2023 · 0684091 · 0684091
1 parent f8bc7de
commit 0684091
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 9 deletions.
diff --git a/.ci/check-rwx.py b/.ci/check-rwx.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+
+import argparse
+import sys
+from elftools.elf.elffile import ELFFile
+from elftools.elf.constants import P_FLAGS
+
+argparser = argparse.ArgumentParser()
+argparser.add_argument('infile', type=argparse.FileType('rb'))
+
+args = argparser.parse_args()
+
+elf = ELFFile(args.infile)
+for i, segment in enumerate(elf.iter_segments()):
+    if segment.header.p_flags & P_FLAGS.PF_X and segment.header.p_flags & P_FLAGS.PF_W:
+        print(f"error: segment {i} is both writable and executable")
+        sys.exit(1)
diff --git a/.ci/lib/stage-test-direct.jenkinsfile b/.ci/lib/stage-test-direct.jenkinsfile
@@ -1,4 +1,9 @@
 stage('test-direct') {
+    sh '''
+        .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/libsysdb.so
+        .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/direct/libpal.so
+    '''
+
     try {
         timeout(time: 20, unit: 'MINUTES') {
             sh '''

diff --git a/.ci/lib/stage-test-sgx.jenkinsfile b/.ci/lib/stage-test-sgx.jenkinsfile
@@ -1,5 +1,8 @@
 stage('test-sgx') {
     sh '''
+        .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/libsysdb.so
+        .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/sgx/loader
+        .ci/check-rwx.py "$GRAMINE_PKGLIBDIR"/sgx/libpal.so
         .ci/check-no-syscall.sh "$GRAMINE_PKGLIBDIR"/runtime/glibc/libc.so.6
         if test -f "$GRAMINE_PKGLIBDIR"/runtime/musl/libc.so
         then

diff --git a/libos/include/libos_checkpoint.h b/libos/include/libos_checkpoint.h
@@ -112,7 +112,7 @@ struct libos_cp_store {
 typedef int (*cp_func)(CP_FUNC_ARGS);
 typedef int (*rs_func)(RS_FUNC_ARGS);
 
-extern const char* __cp_name;
+extern const char* const __cp_name;
 extern const cp_func __cp_func; // TODO: This should be declared as an array of unspecified size.
 extern const rs_func __rs_func[];
 
@@ -215,7 +215,7 @@ enum {
     })
 
 #define BEGIN_CP_FUNC(name)                                                                \
-    const char* cp_name_##name __attribute__((section(".cp_name." #name))) = #name;        \
+    const char* const cp_name_##name __attribute__((section(".cp_name." #name))) = #name;  \
     extern DEFINE_CP_FUNC(name);                                                           \
     extern DEFINE_RS_FUNC(name);                                                           \
     const cp_func cp_func_##name __attribute__((section(".cp_func." #name))) = &cp_##name; \

diff --git a/libos/src/arch/x86_64/libos.lds b/libos/src/arch/x86_64/libos.lds
@@ -50,13 +50,6 @@ SECTIONS
   {
     /* the rest of rodata */
     *(.rodata .rodata.*)
-    . = ALIGN(8);
-    __cp_name = .;
-    *(SORT(.cp_name.*));
-    __cp_func = .;
-    *(SORT(.cp_func.*));
-    __rs_func = .;
-    *(SORT(.rs_func.*));
   }
   .eh_frame_hdr  : { *(.eh_frame_hdr) }
   .eh_frame      : ONLY_IF_RO { *(.eh_frame) }
@@ -75,6 +68,18 @@ SECTIONS
     KEEP (*(SORT_BY_INIT_PRIORITY(.init_array.*) .init_array))
     __init_array_end = .;
   }
+  .data.rel.ro :
+  {
+    /* the rest of RELRO data segment */
+    *(.data.rel.ro .data.rel.ro.*)
+    . = ALIGN(8);
+    __cp_name = .;
+    *(SORT(.cp_name.*));
+    __cp_func = .;
+    *(SORT(.cp_func.*));
+    __rs_func = .;
+    *(SORT(.rs_func.*));
+  }
   . = DATA_SEGMENT_RELRO_END (0, .);
   .data :
   {