Why does Intel Provide a Separate Distribution of GNU Binary Utilities (Binutils) for Intel® Software Guard Extensions on Linux*?

• The Intel® Software Guard Extensions (Intel® SGX) Installation Guide for Linux* recommends to download mitigation tools, named as.ld.objdump.gold.r2.tar.gz, from the binary Intel SGX Linux repository.
• Unable to validate how the Intel-provided Binutils are different from the standard up-to-date Binutils.

Intel provides a subset of the standard GNU Binutils 2.35, without modifications, because many of the Linux distributions' repositories have not updated to either 2.35 or 2.36. Intel will continue to provide the Bunutils 2.35 subset until the repositories of most Linux distributions have Binutils 2.35 or later.

Intel recommends to link Intel SGX applications with ld.gold rather than ld because ld.gold enforces read-only executable segments when linking code. Read-only non-executable memory segments help harden enclaves because they aid in preventing buffer overflow and other memory attacks. Attackers cannot write to or execute code in these memory segments. ld.gold has also been reported to be a faster linker than ld.

Link with:

ld.gold --rosegment

or,

-Wl,-fuse-ld=gold –Wl,--rosegment

The Intel SGX Installation Guide for Linux is in the Documentation folder of the latest release of the Intel® Software Guard Extensions SDK for Linux*.