[PATCH] D66426: [lld] Enable a watermark of loadable sections to be generated and placed in a note section

Fangrui Song via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Tue Dec 3 11:38:29 PST 2019


MaskRay added a comment.

@chrisjackson You replied via email, so there is no record on Phabricator. I am attaching your response below.

In D66426#1766527 <https://reviews.llvm.org/D66426#1766527>, @JonChesterfield wrote:

> In D66426#1761836 <https://reviews.llvm.org/D66426#1761836>, @chrisjackson wrote:
>
> > A post-link modification could recalculate and update the hash, but this would only occur in a deliberate attempt to subvert the watermark mechanism
>
>
> I think it follows that this patch only detects accidental modifications to the binary that occur after linking. That seems to put it in the realm of network transmission errors, disk bit rot, optical media errors and so forth.
>
> In which case, why only guard a subset of the binary, instead of computing a sha256 of all the compiled artifacts and checking that at install/network copy time? Then there is again no linker patch required.
>
> Unless this is intended to catch people who deliberately change the binary, but lack the skills to then update the hash, which is surely vanishingly few people. Fewer when provided with convenient tools to recalculate the hash.


@chrisjackson wrote:
The watermark is intended to detect changes in the loadable image of the binary, not all of the ELF file, e.g. it ignores debug data. As you've stated, it is there to detect post-link modifications to the loadable segments.

https://lists.llvm.org/pipermail/llvm-dev/2019-November/137319.html

> The whole point of the watermark is to show that no post-link modifications have been made, and if the watermark itself is added post-link, it does not achieve this aim: someone could either deliberately or accidentally add a step prior to the watermarking happening.

I am still confused. What I infer from the sentence is that strip/llvm-strip is still allowed. To make .note.llvm.watermark survive strip/llvm-strip, you place it into a PT_NOTE segment. So post-link modification is still possible; then why can't you use another tool to compute the watermark and append a section? In my comment, there are some other questions that are not answered. I have suggested an approach that will not slow down the whole build time.


CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D66426/new/

https://reviews.llvm.org/D66426
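
The thread contrasts a SHA-256 of the whole file with a digest of only the loadable image, computed by a separate post-link tool. The Python below is an added example, not code from D66426 or from any participant; it computes both over a constructed ELF64 image. Hashing the PT_LOAD file bytes with SHA-256 and the names `load_digest`, `file_digest` and `build_sample` are assumptions for illustration, not the patch's algorithm.

```python
import hashlib
import struct

PT_LOAD = 1

def load_digest(elf: bytes) -> str:
    """SHA-256 over the file bytes of every PT_LOAD segment (little-endian ELF64)."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    h = hashlib.sha256()
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD:
            continue
        if p_offset + p_filesz > len(elf):
            raise ValueError("PT_LOAD segment extends past end of file")
        # Hash the mapping address and size too, so relocating a segment changes the digest.
        h.update(struct.pack("<QQ", p_vaddr, p_filesz))
        h.update(elf[p_offset:p_offset + p_filesz])
    return h.hexdigest()

def file_digest(elf: bytes) -> str:
    """SHA-256 of the entire file, as a check at install or copy time would compute."""
    return hashlib.sha256(elf).hexdigest()

def build_sample(code: bytes, debug: bytes) -> bytes:
    """Constructed ELF64 image: one PT_LOAD covering `code`, then unloaded `debug` bytes."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0x400078, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 120, 0x400078, 0x400078,
                       len(code), len(code), 0x1000)
    return ehdr + phdr + code + debug

if __name__ == "__main__":
    linked = build_sample(b"\x90" * 16, b"constructed-debug-data")
    stripped = build_sample(b"\x90" * 16, b"")
    patched = build_sample(b"\x90" * 15 + b"\xcc", b"constructed-debug-data")
    for name, img in (("linked", linked), ("stripped", stripped), ("patched", patched)):
        print(f"{name:9} load={load_digest(img)[:16]} file={file_digest(img)[:16]}")
```

Removing the unloaded bytes changes the whole-file digest but not the loadable-image digest, while a one-byte change inside the segment changes both. As the thread points out, either value can be recomputed by whoever modifies the file, so the comparison is only meaningful against a reference kept outside the binary.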




