Further detail compile-time options.

2023-06-13 12:54:27 +01:00 · 2023-06-13 12:54:27 +01:00 · 76d576dd29
commit 76d576dd29
parent db2d9a87b7
1 changed files with 11 additions and 1 deletions
--- a/security/hardened_malloc.adoc
+++ b/security/hardened_malloc.adoc
@ -1,6 +1,6 @@
 = GrapheneOS hardened_malloc

-Version: 0.1.0.11
+Version: 0.1.0.12


 This documentation contains instructions to use
@ -37,9 +37,19 @@ no impact on the security properties of hardened_malloc.
 * Minimum number of arenas: 1
 * Maximum number of arenas: 256

+For extra security, `CONFIG_SEAL_METADATA=true` can be used in order to control whether Memory
+Protection Keys are used to disable access to all writable allocator state outside of the memory
+allocator code. It's currently disabled by default due to a significant performance cost for this
+use case on current generation hardware. Whether or not this feature is enabled, the metadata is all
+contained within an isolated memory region with high entropy random guard regions around it.
+
 For low-memory systems, `VARIANT=light` can be used to compile the light variant of hardened_malloc,
 which sacrifices some security for much less memory usage.

+For all compile-time options, see the
+https://github.com/GrapheneOS/hardened_malloc#configuration[configuration section] of
+hardened_malloc's extensive official documentation.
+
 == Copy Compiled hardened_malloc Library

 `# cp out/libhardened_malloc.so <target_path>`