
Diff for /www/innovations.html between version 1.104 and 1.105

version 1.104, 2023/02/01 19:12:06 version 1.105, 2023/02/03 06:37:51
Line 220 
Line 220 
         the perspective of userland reading its own memory, or the kernel          the perspective of userland reading its own memory, or the kernel
         trying to read memory in a system call.  Many sloppy practices in          trying to read memory in a system call.  Many sloppy practices in
         userland code had to be repaired to allow this.  The linker option          userland code had to be repaired to allow this.  The linker option
         --execute-only is enabled by default. In order of development: arm64,          <b>--execute-only<b> is enabled by default. In order of development: arm64,
         riscv64, hppa, octeon, sparc64 (sun4u only), amd64, powerpc64,          riscv64, hppa, octeon, sparc64 (sun4u only), amd64, powerpc64,
         powerpc (G5 only).          powerpc (G5 only).
         Mark Kettenis, Theo de Raadt, Visa Hankala, Miod Vallat,          Mark Kettenis, Theo de Raadt, Visa Hankala, Miod Vallat,
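Review bot: the bold markup added around --execute-only in version 1.105 is closed with a second opening tag, "<b>--execute-only<b>", so the element is never terminated and the bold run spills over the rest of the list item and whatever follows it. The closing tag should be "</b>", giving "<b>--execute-only</b> is enabled by default."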
Line 228 
Line 228 
         Theo Buehler, Robert Nagy, Christian Weisgerber in ports.          Theo Buehler, Robert Nagy, Christian Weisgerber in ports.
         Dec 2022 - Feb 2023, still ongoing.          Dec 2022 - Feb 2023, still ongoing.
     <li>On all architectures which lack hardware-enforcement of xonly,      <li>On all architectures which lack hardware-enforcement of xonly,
         prevent system-call reading (via copyin/copyinst) of the program's          system calls are now prevented from reading (via copyin/copyinst)
         main text, ld.so text, sigtramp text, or libc.so text.          inside the program's main text, ld.so text, sigtramp text, or
           libc.so text.
         Theo de Raadt, Jan 2023.          Theo de Raadt, Jan 2023.
       <li>Architectures which lack xonly mmu-enforcement can still benefit
           from switching to --execute-only binaries if the cpu generates
           different traps for instruction-fetch versus data-fetch.  The
           VM system will not allowed momeory to be read before it was
           executed which is valuable together with library relinking.
           Architectures switched over include sparc64 (sun4v), loongson.
           Theo de Raadt, Feb 2023.
 </ul>  </ul>
   
 <h3>Functions</h3>  <h3>Functions</h3>
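Review bot: the new list item for architectures without xonly mmu-enforcement has two typos in "The VM system will not allowed momeory to be read before it was executed"; it should read "will not allow memory to be read". The phrase "before it was executed" would also be clearer if it said what is being tracked, for example that a text page cannot be read until it has been executed. While the preceding item is being reworded anyway, "copyin/copyinst" is carried over unchanged from 1.104 and looks like it is meant to be copyin/copyinstr. The two added <li> lines are also indented deeper than the existing <li> entries in this list.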
