[Pal, LibOS] Enable read-only relocation (-z relro)

Previously, read-only relocation (-z relro) did not work because
the linker script shim.lds missed DATA_SEGMENT_RELRO_END, thus
program segment GNU_RELRO was missing. This commit adds this keyword
and adds -z to force the PAL dynamic linker to resolve all symbols
during start-up (no lazy binding).

LibOS/shim/src/Makefile

@@ -24,7 +24,7 @@ endif
 ASFLAGS	= -Wa,--noexecstack -x assembler-with-cpp -I../include
 
 LDFLAGS	= -shared -nostdlib --version-script shim.map -T shim.lds \
-	  -z combreloc -z relro -z defs \
+	  -z combreloc -z relro -z now -z defs \
 	  -dynamic-link=libpal.so \
 	  -rpath-link=$(abspath $(RUNTIME_DIR))
 LDFLAGS-debug = $(patsubst shim.map,shim-debug.map,$(LDFLAGS))

LibOS/shim/src/shim.lds

@@ -72,6 +72,7 @@ SECTIONS
   .dynamic       : { *(.dynamic) }
   .got           : { *(.got) *(.igot) }
   .got.plt       : { *(.got.plt) *(.igot.plt) }
+  . = DATA_SEGMENT_RELRO_END (0, .);
   .data :
   {
     /* the rest of data segment */

Pal/src/host/Linux-SGX/Makefile

@@ -85,7 +85,7 @@ $(addsuffix .o,$(urts-asm-objs)): %.o: %.S $(headers)
 
 pal-sgx: $(addsuffix .o,$(urts-objs) $(urts-asm-objs)) $(graphene_lib)
 	@echo [ host/Linux-SGX/$@ ]
-	@$(CC) $(CFLAGS) -pie $^ -lc -pthread -o $@
+	@$(CC) $(CFLAGS) -Wl,-z,relro,-z,now -pie $^ -lc -pthread -o $@
 
 debugger/sgx_gdb.so: debugger/sgx_gdb.c debugger/sgx_gdb.h sgx_arch.h
 	@echo [ host/Linux-SGX/$@ ]

Pal/src/host/Linux-SGX/Makefile.am

@@ -13,7 +13,7 @@ ASFLAGS = -DPIC -DSHARED -fPIC -DASSEMBLER -Wa,--noexecstack \
 	  -x assembler-with-cpp -DIN_ENCLAVE
 LDFLAGS	= -shared -nostdlib -z combreloc -z defs \
 	  --version-script $(HOST_DIR)/pal.map -T $(HOST_DIR)/enclave.lds \
-	  --hash-style=gnu
+	  --hash-style=gnu -z relro -z now
 ARFLAGS	=
 
 CRYPTO_PROVIDER = mbedtls

Pal/src/host/Linux-SGX/enclave.lds

@@ -10,6 +10,7 @@ PHDRS
   dynamic PT_DYNAMIC;
   tls PT_TLS;
   gnu_stack PT_GNU_STACK;
+  gnu_relro 0x6474e552;
 }
 
 SECTIONS
@@ -68,6 +69,7 @@ SECTIONS
   .jcr           : { KEEP(*(.jcr)) } :data
   .got           : { *(.got) *(.igot) } :data
   .got.plt       : { *(.got.plt) *(.igot.plt) } :data
+  . = DATA_SEGMENT_RELRO_END (0, .);
   .data          :
   {
     section_data = .;

Pal/src/host/Linux/Makefile.am

@@ -12,7 +12,8 @@ CFLAGS += $(EXTRAFLAGS)
 ASFLAGS = -DPIC -DSHARED -fPIC -DASSEMBLER -Wa,--noexecstack \
 	  -x assembler-with-cpp
 LDFLAGS	= -shared -nostdlib -z combreloc -z defs \
-	  --version-script $(HOST_DIR)/pal.map -T $(HOST_DIR)/pal.lds
+	  --version-script $(HOST_DIR)/pal.map -T $(HOST_DIR)/pal.lds \
+	  -z relro -z now
 ARFLAGS	=
 
 ifeq ($(WERROR),1)

Pal/src/host/Linux/pal.lds

@@ -66,6 +66,7 @@ SECTIONS
   .dynamic       : { *(.dynamic) }
   .got           : { *(.got) *(.igot) }
   .got.plt       : { *(.got.plt) *(.igot.plt) }
+  . = DATA_SEGMENT_RELRO_END (0, .);
   .data :
   {
     /* the rest of data segment */