Article ID: 000059266 Content Type: Install & Setup Last Reviewed: 07/23/2021

Why does Intel Provide a Separate Distribution of GNU Binary Utilities (Binutils) for Intel® Software Guard Extensions on Linux*?

Environment

Linux

Summary

Intel provides a subset of the standard Binutils version 2.35 that includes Load Value Injection mitigations.

Description
  • The Intel® Software Guard Extensions (Intel® SGX) Installation Guide for Linux* recommends downloading the mitigation tools, named as.ld.objdump.gold.r2.tar.gz, from the binary Intel SGX Linux repository.
  • Unable to validate how the Intel-provided Binutils are different from the standard up-to-date Binutils.
Resolution

Intel provides a subset of the standard GNU Binutils 2.35, without modifications, because many of the Linux distributions' repositories have not updated to either 2.35 or 2.36. Intel will continue to provide the Binutils 2.35 subset until the repositories of most Linux distributions have Binutils 2.35 or later.

Additional information

Intel recommends linking Intel SGX applications with ld.gold rather than ld because ld.gold enforces read-only executable segments when linking code. Read-only non-executable memory segments help harden enclaves because they aid in preventing buffer overflow and other memory attacks. Attackers cannot write to or execute code in these memory segments. ld.gold has also been reported to be a faster linker than ld.

Link with:

ld.gold --rosegment

or,

-Wl,-fuse-ld=gold -Wl,--rosegment
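
To confirm that a linked image has the segment layout described above, the following added example (not from Intel's article or the Intel SGX SDK) reads the ELF64 program headers and reports whether any loadable segment is both writable and executable, and whether a read-only non-executable segment exists. The helper names and the sample images built by make_elf are constructed for illustration; only 64-bit little-endian ELF is handled.

```python
import struct

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4  # ELF segment permission bits


def load_segments(elf: bytes):
    """Return p_flags of every PT_LOAD program header in a 64-bit LE ELF image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    flags = []
    for i in range(e_phnum):
        # Elf64_Phdr starts with p_type (4 bytes) then p_flags (4 bytes).
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            flags.append(p_flags)
    return flags


def audit(elf: bytes):
    """Summarise the permission layout of the loadable segments."""
    flags = load_segments(elf)
    return {
        # Any entry here is a segment an attacker could both write and execute.
        "writable_and_executable": [f for f in flags if f & PF_W and f & PF_X],
        # True when read-only data has its own R-only segment (the --rosegment layout).
        "has_ro_noexec_segment": any((f & 7) == PF_R for f in flags),
    }


def make_elf(segment_flags):
    """Constructed sample: ELF64 header plus one PT_LOAD header per flag value."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(segment_flags), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, f, 0, 0, 0, 0, 0, 0x1000)
                     for f in segment_flags)
    return header + phdrs


if __name__ == "__main__":
    merged = make_elf([PF_R | PF_X, PF_R | PF_W])        # read-only data shares the code segment
    split = make_elf([PF_R, PF_R | PF_X, PF_R | PF_W])   # read-only data in its own segment
    for name, image in (("merged", merged), ("split", split)):
        print(name, audit(image))
```

On a real build, pass the bytes of the linked enclave shared object to audit(); `readelf -lW` shows the same flags in its Flg column.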

The Intel SGX Installation Guide for Linux is in the Documentation folder of the latest release of the Intel® Software Guard Extensions SDK for Linux*.
