From 5fea61163408370fa6adadb8d039d717539bd730 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sun, 9 Feb 2025 10:58:59 +0000 Subject: [PATCH] docs: mention promotion of `stackclashprotection` hardening flag to default enabled --- doc/stdenv/stdenv.chapter.md | 8 ++++---- nixos/doc/manual/release-notes/rl-2505.section.md | 2 ++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md index cd20185b8ffc..80059a78733c 100644 --- a/doc/stdenv/stdenv.chapter.md +++ b/doc/stdenv/stdenv.chapter.md @@ -1560,6 +1560,10 @@ intel_drv.so: undefined symbol: vgaHWFreeHWRec Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call. +#### `stackclashprotection` {#stackclashprotection} + +This flag adds the `-fstack-clash-protection` compiler option, which causes growth of a program's stack to access each successive page in order. This should force the guard page to be accessed and cause an attempt to "jump over" this guard page to crash. + ### Hardening flags disabled by default {#sec-hardening-flags-disabled-by-default} The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services. 
@@ -1599,10 +1603,6 @@ This should be turned off or fixed for build errors such as: sorry, unimplemented: __builtin_clear_padding not supported for variable length aggregates ``` -#### `stackclashprotection` {#stackclashprotection} - -This flag adds the `-fstack-clash-protection` compiler option, which causes growth of a program's stack to access each successive page in order. This should force the guard page to be accessed and cause an attempt to "jump over" this guard page to crash. - #### `pacret` {#pacret} This flag adds the `-mbranch-protection=pac-ret` compiler option on aarch64-linux targets. This uses ARM v8.3's Pointer Authentication feature to sign function return pointers before adding them to the stack. The pointer's authenticity is then validated before returning to its destination. This dramatically increases the difficulty of ROP exploitation techniques. diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md index 8067b2aad670..d62c6914a6c9 100644 --- a/nixos/doc/manual/release-notes/rl-2505.section.md +++ b/nixos/doc/manual/release-notes/rl-2505.section.md 
@@ -460,6 +460,8 @@ - `networking.wireguard` now has an optional networkd backend. It is enabled by default when `networking.useNetworkd` is enabled, and it can be enabled alongside scripted networking with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option. +- The `stackclashprotection` hardening flag has been enabled by default on compilers that support it. + - `services.avahi.ipv6` now defaults to true. - The Home Assistant module has new options {option}`services.home-assistant.blueprints.automation`, `services.home-assistant.blueprints.script`, and {option}`services.home-assistant.blueprints.template` that allow for the declarative installation of [blueprints](https://www.home-assistant.io/docs/blueprint/) into the appropriate configuration directories.
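Review bot: in the first hunk (doc/stdenv/stdenv.chapter.md, the three `+` lines inserted before `### Hardening flags disabled by default`), the moved `stackclashprotection` paragraph now documents a default-enabled flag but carries neither the caveat that it is only applied "on compilers that support it" (which the release-note hunk does state) nor any guidance on what to do when it breaks a build, whereas the neighbouring default-enabled entries use the pattern visible as context in the second hunk ("This should be turned off or fixed for build errors such as:"). Suggest adding one sentence in that style after the paragraph, e.g. "This flag is only added for compilers that support it; if it causes build failures it can be disabled per package with `hardeningDisable`.", so the stdenv chapter and the release note agree on scope.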
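Review bot: in the third hunk (nixos/doc/manual/release-notes/rl-2505.section.md), the new bullet "- The `stackclashprotection` hardening flag has been enabled by default on compilers that support it." gives readers no pointer to the flag's description or to how a package can opt out, and it sits between NixOS module option entries (`networking.wireguard`, `services.avahi.ipv6`) rather than with package-set changes. Suggest linking the stdenv manual section whose anchor this patch preserves (`{#stackclashprotection}`), e.g. "... on compilers that support it; see the stdenv hardening flags documentation.", and double-check that this subsection of the release notes is the intended place for a stdenv-level change.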