Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 03 Nov 2020 11:34:22 +0100
From: Florian Weimer <>
To: Szabolcs Nagy <>
Cc:,  Jeremy Linton <>,
  Catalin Marinas <>,  Mark Rutland
 <>,  Will Deacon <>,  Mark Brown
 <>,  Kees Cook <>,  Salvatore
 Mesoraca <>,  Lennart Poettering
 <>,  Topi Miettinen <>,,,,
Subject: Re: [PATCH 3/4] aarch64: Use mmap to add PROT_BTI instead of
 mprotect [BZ #26831]

* Szabolcs Nagy:

> Re-mmap executable segments if possible instead of using mprotect
> to add PROT_BTI. This allows using BTI protection with security
> policies that prevent mprotect with PROT_EXEC.
> If the fd of the ELF module is not available because it was kernel
> mapped then mprotect is used and failures are ignored.  It is
> expected that linux kernel will add PROT_BTI when mapping a module
> (current linux as of version 5.9 does not do this).
> Computing the mapping parameters follows the logic of
> _dl_map_object_from_fd more closely now.

What's the performance of this on execve-heavy workloads, such as kernel
or glibc builds?  Hopefully it's cheap because these mappings have not
been faulted in yet.

Red Hat GmbH, , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.