version 1.52, 2023/04/08 10:56:51 |
version 1.53, 2023/04/08 11:05:00 |
|
|
--execute-only is enabled by default. In order of development: arm64, |
--execute-only is enabled by default. In order of development: arm64, |
riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon, and sparc64 |
riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon, and sparc64 |
(sun4u only; unfinished). |
(sun4u only; unfinished). |
<li>On all architectures which lack hardware-enforcement of xonly, |
|
system calls are now prevented from reading (via <a |
|
href="https://man.openbsd.org/copyin.9">copyin(9)</a>/copyinst) |
|
inside the program's main text, ld.so text, sigtramp text, or libc.so |
|
text. |
|
<li>These can still benefit from switching to --execute-only binaries if the |
<li>These can still benefit from switching to --execute-only binaries if the |
cpu generates different traps for instruction-fetch versus data-fetch. |
cpu generates different traps for instruction-fetch versus data-fetch. |
The VM system will not allow memory to be read before it was executed |
The VM system will not allow memory to be read before it was executed |
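Review bot: in the list item that appears in only one of the two revisions, the text after the copyin(9) link reads "copyinst", which looks like a truncated copyinstr, the string-copy routine documented on the same copyin(9) manual page; spell it out in full so the item names both functions correctly. The item that follows opens with "These can still benefit", which reads as referring back to the architectures "which lack hardware-enforcement of xonly"; if this is the revision in which that item is absent, "These" loses its referent and the sentence should name the architectures it means.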