From 975692c23a20756a07b0d14931da89d41d6b7b9b Mon Sep 17 00:00:00 2001 From: inference Date: Mon, 29 Jan 2024 20:43:00 +0000 Subject: [PATCH] Add Linux Memory Protection Keys reference link --- documentation/hardened_malloc.xhtml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/documentation/hardened_malloc.xhtml b/documentation/hardened_malloc.xhtml index 05e8c65..405133a 100644 --- a/documentation/hardened_malloc.xhtml +++ b/documentation/hardened_malloc.xhtml @@ -1,7 +1,7 @@ - + @@ -92,12 +92,13 @@

For extra security, CONFIG_SEAL_METADATA=true can be used in - order to control whether Memory Protection Keys are used to disable access to - all writable allocator state outside of the memory allocator code. It's - currently disabled by default due to a significant performance cost for this use - case on current-generation hardware. Whether or not this feature is enabled, the - metadata is all contained within an isolated memory region with high-entropy - random guard regions around it.

+ order to control whether + Memory Protection Keys + are used to disable access to all writable allocator state outside of the memory + allocator code. It's currently disabled by default due to a significant + performance cost for this use case on current-generation hardware. Whether or + not this feature is enabled, the metadata is all contained within an isolated + memory region with high-entropy random guard regions around it.

For low-memory systems, VARIANT=light can be used to compile the light variant of hardened_malloc, which sacrifices some security for much less memory usage. This option still produces a more hardened memory allocator than