From: Ulf Magnusson <ulfalizer@gmail.com>
To: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Kees Cook <keescook@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Nicolas Pitre <nicolas.pitre@linaro.org>,
"Luis R . Rodriguez" <mcgrof@suse.com>,
Randy Dunlap <rdunlap@infradead.org>,
Sam Ravnborg <sam@ravnborg.org>,
Michal Marek <michal.lkml@markovi.net>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Pavel Machek <pavel@ucw.cz>,
linux-s390 <linux-s390@vger.kernel.org>,
Jiri Kosina <jkosina@suse.cz>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Tejun Heo <tj@kernel.org>, Ingo Molnar <mingo@kernel.org>,
"Van De Ven, Arjan" <arjan.van.de.ven@intel.com>
Subject: Re: [RFC PATCH 4/7] kconfig: support new special property shell=
Date: Tue, 13 Feb 2018 09:55:37 +0100 [thread overview]
Message-ID: <20180213085537.dj7w2hqdxucjpzl2@huvuddator> (raw)
In-Reply-To: <CAK7LNASLW+XXqFphu+nYsqcBux-jBqyDW9T=-N5udbOcJ3=zmA@mail.gmail.com>
On Tue, Feb 13, 2018 at 01:10:34AM +0900, Masahiro Yamada wrote:
> 2018-02-13 0:46 GMT+09:00 Kees Cook <keescook@chromium.org>:
> > On Mon, Feb 12, 2018 at 2:44 AM, Masahiro Yamada
> > <yamada.masahiro@socionext.com> wrote:
> >> Linus said:
> >>
> >>> But yes, I also reacted to your earlier " It can't silently rewrite it
> >>> to _REGULAR because the compiler support for _STRONG regressed."
> >>> Because it damn well can. If the compiler doesn't support
> >>> -fstack-protector-strong, we can just fall back on -fstack-protector.
> >>> Silently. No extra crazy complex logic for that either.
> >>
> >>
> >> If I understood his comment correctly,
> >> we do not need either WANT_* or _AUTO.
> >>
> >>
> >> Kees' comment:
> >>
> >>> In the stack-protector case, this becomes quite important, since the
> >>> goal is to record the user's selection regardless of compiler
> >>> capability. For example, if someone selects _REGULAR, it shouldn't
> >>> "upgrade" to _STRONG. (Similarly for _NONE.)
> >>
> >> No. Kconfig will not do this silently.
> >>
> >> "make oldconfig" (or "make silentoldconfig" as well)
> >> always ask users about new symbols.
> >
> > The case I want to make sure can never happen is to have a config
> > setting that ends up not actually being true. For example, if
> > CONFIG_CC_STACKPROTECTOR appears in /proc/config.gz but the kernel
> > wasn't actually built with a stack protector, that's bad. We end up in
> > a place where the user can't trust the config to represent the actual
> > results of the build.
> >
> > So, as long as the Kconfig options are strongly tied to the compiler
> > capabilities, we're good on that front.
> >
> >> So, I can suggest to remove _REGULAR and _NONE.
> >>
> >> We have just two bool options, like follows.
> >>
> >> ------------------->8-----------------
> >> config CC_STACKPROTECTOR
> >> bool "Use stack protector"
> >> depends on CC_HAS_STACKPROTECTOR
> >>
> >> config CC_STACKPROTECTOR_STRONG
> >> bool "Use strong strong stack protector"
> >> depends on CC_STACKPROTECTOR
> >> depends on CC_HAS_STACKPROTECTOR_STRONG
> >> -------------------->8------------------
> >>
> >> This will work well for all{yes,mod,no}config.
> >
> > This two-option arrangement is fine (though it assumes there won't be
> > another stack protector option in the future).
> >
> > The issue I have is this removes _AUTO, which I think can be solved in
> > the two-option arrangement too. The purpose of _AUTO is to effectively
> > enable stack-protector by default. As this option has been available
> > for over 10 years, and all distros enable it, it's an obvious
> > candidate to be enabled-by-default, especially since it kills a class
> > of exploits (as mentioned in my commit log: BlueBorne was trivially
> > defeated with stack-protector). So it should be possible to make these
> > two options "default y", yes?
>
>
> Yes.
>
> Both should be "default y" to keep the equivalent behavior
> since the current default is _AUTO.
>
Since the discussions in this thread are going in a million different
directions and making my head hurt, ping me if I'm needed re. the WANT_*
stuff or anything else. Masahiro's two-symbol version is much simpler
and neater if the caveats re. "fallback" are minor enough to not matter.
:)
Cheers,
Ulf
next prev parent reply other threads:[~2018-02-13 8:55 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-08 16:19 [RFC PATCH 0/7] Kconfig: add new special property shell= to test compiler options in Kconfig Masahiro Yamada
2018-02-08 16:19 ` [RFC PATCH 1/7] kbuild: remove kbuild cache Masahiro Yamada
2018-02-08 16:19 ` [RFC PATCH 2/7] kconfig: add xrealloc() helper Masahiro Yamada
2018-02-08 16:19 ` [RFC PATCH 3/7] kconfig: remove const qualifier from sym_expand_string_value() Masahiro Yamada
2018-02-08 16:19 ` [RFC PATCH 4/7] kconfig: support new special property shell= Masahiro Yamada
2018-02-09 5:30 ` Ulf Magnusson
2018-02-09 9:19 ` Masahiro Yamada
2018-02-09 12:46 ` Ulf Magnusson
2018-02-09 20:46 ` Kees Cook
2018-02-10 5:48 ` Ulf Magnusson
2018-02-10 7:12 ` Masahiro Yamada
2018-02-10 7:49 ` Ulf Magnusson
2018-02-10 8:05 ` Ulf Magnusson
2018-02-10 8:55 ` Ulf Magnusson
2018-02-10 9:21 ` Ulf Magnusson
2018-02-10 18:05 ` Randy Dunlap
2018-02-11 2:00 ` Kevin Easton
2018-02-10 19:23 ` Kees Cook
2018-02-10 20:08 ` Linus Torvalds
2018-02-11 4:13 ` Kees Cook
2018-02-11 4:46 ` Linus Torvalds
2018-02-11 7:28 ` Linus Torvalds
2018-02-11 10:34 ` Ulf Magnusson
2018-02-11 17:56 ` Kees Cook
2018-02-11 18:13 ` Linus Torvalds
2018-02-11 19:39 ` Kees Cook
2018-02-11 19:53 ` Linus Torvalds
2018-02-11 20:06 ` Linus Torvalds
2018-02-11 21:10 ` Arnd Bergmann
2018-02-11 21:19 ` Kees Cook
2018-02-11 21:50 ` Linus Torvalds
2018-02-12 10:44 ` Arnd Bergmann
2018-02-12 10:44 ` Arnd Bergmann
2018-02-11 22:29 ` Geert Uytterhoeven
2018-02-15 23:38 ` [RFC PATCH 4/7] kconfig: support new special property shell Palmer Dabbelt
2018-02-11 21:11 ` [RFC PATCH 4/7] kconfig: support new special property shell= Kees Cook
2018-02-11 19:42 ` Linus Torvalds
2018-02-12 8:26 ` Peter Zijlstra
2018-02-12 10:27 ` Thomas Gleixner
2018-02-12 11:52 ` Peter Zijlstra
2018-02-12 16:19 ` David Woodhouse
2018-02-12 16:19 ` David Woodhouse
2018-02-12 16:56 ` Kees Cook
2018-02-12 17:05 ` Peter Zijlstra
2018-02-12 17:33 ` Kees Cook
2018-02-12 17:36 ` David Woodhouse
2018-02-12 17:36 ` David Woodhouse
2018-02-12 17:37 ` Kees Cook
2018-02-12 17:00 ` Peter Zijlstra
2018-02-11 18:34 ` Ulf Magnusson
2018-02-11 21:05 ` Kees Cook
2018-02-11 21:35 ` Ulf Magnusson
2018-02-11 20:29 ` Ulf Magnusson
2018-02-11 20:42 ` Ulf Magnusson
2018-02-12 12:54 ` Ulf Magnusson
2018-02-12 14:21 ` Masahiro Yamada
2018-02-12 14:23 ` Masahiro Yamada
2018-02-12 14:32 ` Ulf Magnusson
2018-02-12 14:29 ` Ulf Magnusson
2018-02-12 14:53 ` Ulf Magnusson
2018-02-12 15:22 ` Masahiro Yamada
2018-02-12 15:35 ` Ulf Magnusson
2018-02-11 21:22 ` Ulf Magnusson
2018-02-12 14:39 ` Masahiro Yamada
2018-02-12 15:24 ` Kees Cook
2018-02-12 23:48 ` Randy Dunlap
2018-02-13 1:41 ` Masahiro Yamada
2018-02-13 1:53 ` Randy Dunlap
2018-02-13 8:35 ` Arnd Bergmann
2018-02-13 8:59 ` Masahiro Yamada
2018-02-12 10:44 ` Masahiro Yamada
2018-02-12 11:44 ` Ulf Magnusson
2018-02-12 11:49 ` Ulf Magnusson
2018-02-12 13:53 ` Masahiro Yamada
2018-02-12 14:13 ` Ulf Magnusson
2018-02-12 15:46 ` Kees Cook
2018-02-12 16:10 ` Masahiro Yamada
2018-02-13 8:55 ` Ulf Magnusson [this message]
2018-02-11 16:54 ` Kees Cook
2018-02-08 16:19 ` [RFC PATCH 5/7] kconfig: invoke silentoldconfig when compiler is updated Masahiro Yamada
2018-02-08 17:19 ` Masahiro Yamada
2018-02-08 17:45 ` Linus Torvalds
2018-02-08 16:19 ` [RFC PATCH 6/7] kconfig: add basic environments to evaluate C flags in Kconfig Masahiro Yamada
2018-02-08 16:19 ` [RFC PATCH 7/7] Test stackprotector options in Kconfig to kill CC_STACKPROTECTOR_AUTO Masahiro Yamada
2018-02-08 18:30 ` Kees Cook
2018-02-09 4:13 ` Masahiro Yamada
2018-02-08 16:43 ` [RFC PATCH 0/7] Kconfig: add new special property shell= to test compiler options in Kconfig Greg Kroah-Hartman
2018-02-08 17:19 ` Linus Torvalds
2018-02-08 17:39 ` Masahiro Yamada
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180213085537.dj7w2hqdxucjpzl2@huvuddator \
--to=ulfalizer@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arjan.van.de.ven@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=michal.lkml@markovi.net \
--cc=mingo@kernel.org \
--cc=nicolas.pitre@linaro.org \
--cc=pavel@ucw.cz \
--cc=rdunlap@infradead.org \
--cc=sam@ravnborg.org \
--cc=schwidefsky@de.ibm.com \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=yamada.masahiro@socionext.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.