[PATCH] D66426: [lld] Enable a watermark of loadable sections to be generated and placed in a note section
Rui Ueyama via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Tue Dec 10 22:34:37 PST 2019
ruiu added a comment.
>> As I understand it, the scenario is:
>>
>> 1. Do link; 2) Run the watermark tool to append .note.llvm.watermark; 3) Release SDK; 4) Downstream vendors modify .data and ship to end users; 5) End users verify that .note.llvm.watermark does not match computed watermark of loadable contents.
>>
>> The build process before 3) are all controlled. The process should ensure there is no modification to .data between 1) and 2). How do you guarantee a linker side feature can prevent modification? How can you prevent the following:
>> 2. Do link and generate .note.llvm.watermark in one step 1.5) Modify .data 2) Run the watermark tool to update .note.llvm.watermark
>
> This is a motivation to not have an external tool on the watermarking. That being said, as @chrisjackson has said on more than one occasion, this isn't intended to be a security feature so we are not attempting to detect a malicious attacker. It could be possible for downstream LLD producers to add a local salt to the watermark to make it more secure, should they so choose, I suppose.
This is actually going to be an interesting problem. Do your users make post-link modifications to executables by intention or by accident? If it's intentional, you are raising a bar of an arms race, and they'll catch up by adding --update-watermark option or something to their tool, so that they'll update a watermark when a binary is modified, which nullifies the point of this change.
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D66426/new/
https://reviews.llvm.org/D66426
More information about the llvm-commits
mailing list