linux-hardening.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Alexander Lobakin <alexandr.lobakin@intel.com>
To: linux-hardening@vger.kernel.org, x86@kernel.org
Cc: Alexander Lobakin <alexandr.lobakin@intel.com>,
	Borislav Petkov <bp@alien8.de>,
	Jesse Brandeburg <jesse.brandeburg@intel.com>,
	Kristen Carlson Accardi <kristen@linux.intel.com>,
	Kees Cook <keescook@chromium.org>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Ard Biesheuvel <ardb@kernel.org>, Tony Luck <tony.luck@intel.com>,
	Bruce Schlobohm <bruce.schlobohm@intel.com>,
	Jessica Yu <jeyu@kernel.org>, kernel test robot <lkp@intel.com>,
	Miroslav Benes <mbenes@suse.cz>,
	Evgenii Shatokhin <eshatokhin@virtuozzo.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Masahiro Yamada <masahiroy@kernel.org>,
	Michal Marek <michal.lkml@markovi.net>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Thomas Gleixner <tglx@linutronix.de>,
	Will Deacon <will@kernel.org>, Ingo Molnar <mingo@redhat.com>,
	Christoph Hellwig <hch@lst.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Andy Lutomirski <luto@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Arnd Bergmann <arnd@arndb.de>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Nathan Chancellor <nathan@kernel.org>,
	Masami Hiramatsu <mhiramat@kernel.org>,
	Marios Pomonis <pomonis@google.com>,
	Sami Tolvanen <samitolvanen@google.com>,
	"H.J. Lu" <hjl.tools@gmail.com>, Nicolas Pitre <nico@fluxnic.net>,
	linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org,
	linux-arch@vger.kernel.org, live-patching@vger.kernel.org,
	llvm@lists.linux.dev
Subject: [PATCH v10 07/15] Makefile: add config options and build scripts for FG-KASLR
Date: Wed,  9 Feb 2022 19:57:44 +0100	[thread overview]
Message-ID: <20220209185752.1226407-8-alexandr.lobakin@intel.com> (raw)
In-Reply-To: <20220209185752.1226407-1-alexandr.lobakin@intel.com>

From: Kristen Carlson Accardi <kristen@linux.intel.com>

Add Kconfig symbols CONFIG_ARCH_SUPPORTS_FG_KASLR and
CONFIG_FG_KASLR. The first is hidden and used to indicate that
a particular architecture supports it, the second allows a user
to enable FG-KASLR when the former is set to 'y'.
Make Kbuild not consolidate function sections back into `.text`
on linking if CONFIG_FG_KASLR is enabled (even with
CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=y) as the feature itself
relies on functions still being separated in the final vmlinux.

Alexander Lobakin:

Improve KBUILD_CFLAGS{,_MODULE} management in the top Makefile:
don't turn on -f{data,function}-sections with ClangLTO as this is a
no-op provoking a full rebuild.
Add ".symtab_shndx" to the list of known sections since it is going
to be supported by the architecture-specific code. Otherwise LD
emits a warning when there are more than 64k sections and
CONFIG_LD_ORPHAN_WARN=y.
Turn ".text" LD script wildcard into ".text.__unused__" to make sure
all kernel code will land into our special sections.
Make FG-KASLR depend on `-z unique-symbol`. With every function being
in a separate section (randomly ordered each boot), position-based
search is impossible. This flag is likely to be widely available
(on non-LLD builds).

Signed-off-by: Kristen Carlson Accardi <kristen@linux.intel.com>
Suggested-by: Kees Cook <keescook@chromium.org> # coexistence with DCE
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Co-developed-by: Alexander Lobakin <alexandr.lobakin@intel.com>
Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
---
 Makefile                          | 17 ++++++++++++++---
 arch/Kconfig                      |  6 +++++-
 include/asm-generic/vmlinux.lds.h | 20 ++++++++++++++++++--
 include/linux/linkage.h           |  9 +++++----
 init/Kconfig                      | 19 +++++++++++++++++--
 5 files changed, 59 insertions(+), 12 deletions(-)

diff --git a/Makefile b/Makefile
index fbe2d13028f4..4328d53d8b25 100644
--- a/Makefile
+++ b/Makefile
@@ -872,7 +872,7 @@ KBUILD_CFLAGS += -fno-inline-functions-called-once
 endif
 
 # Prefer linking with the `-z unique-symbol` if available, this eliminates
-# position-based search
+# position-based search. Also is a requirement for FG-KASLR
 ifeq ($(CONFIG_LD_HAS_Z_UNIQUE_SYMBOL)$(CONFIG_LIVEPATCH),yy)
 KBUILD_LDFLAGS += -z unique-symbol
 endif
@@ -881,7 +881,7 @@ endif
 # `include/linux/linkage.h` for explanation. This flag is to enable GAS to
 # insert the name of the previous section instead of `%S` inside .pushsection
 ifdef CONFIG_HAVE_ASM_FUNCTION_SECTIONS
-ifneq ($(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION)$(CONFIG_LTO_CLANG),)
+ifneq ($(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION)$(CONFIG_LTO_CLANG)$(CONFIG_FG_KASLR),)
 SECSUBST_AFLAGS := -Wa,--sectname-subst
 KBUILD_AFLAGS_KERNEL += $(SECSUBST_AFLAGS)
 KBUILD_CFLAGS_KERNEL += $(SECSUBST_AFLAGS)
@@ -895,8 +895,19 @@ KBUILD_CFLAGS_MODULE += -Wa,--sectname-subst
 endif
 endif # CONFIG_HAVE_ASM_FUNCTION_SECTIONS
 
+# ClangLTO implies `-ffunction-sections -fdata-sections`, no need
+# to specify them manually and trigger a pointless full rebuild
+ifndef CONFIG_LTO_CLANG
+ifneq ($(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION)$(CONFIG_FG_KASLR),)
+KBUILD_CFLAGS_KERNEL += -ffunction-sections
+endif
+
+ifdef CONFIG_LD_DEAD_CODE_DATA_ELIMINATION
+KBUILD_CFLAGS_KERNEL += -fdata-sections
+endif
+endif # CONFIG_LTO_CLANG
+
 ifdef CONFIG_LD_DEAD_CODE_DATA_ELIMINATION
-KBUILD_CFLAGS_KERNEL += -ffunction-sections -fdata-sections
 LDFLAGS_vmlinux += --gc-sections
 endif
 
diff --git a/arch/Kconfig b/arch/Kconfig
index 550f0599e211..e06aeeea39f4 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -1326,7 +1326,11 @@ config ARCH_SUPPORTS_ASM_FUNCTION_SECTIONS
 	bool
 	help
 	  An arch should select this if it can be built and run with its
-	  asm functions placed into separate sections to improve DCE and LTO.
+	  asm functions placed into separate sections to improve DCE, LTO
+	  and FG-KASLR.
+
+config ARCH_SUPPORTS_FG_KASLR
+	bool
 
 source "kernel/gcov/Kconfig"
 
diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index e7b8a84e0e64..586465b2abb2 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -100,14 +100,12 @@
  * sections to be brought in with rodata.
  */
 #if defined(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION) || defined(CONFIG_LTO_CLANG)
-#define TEXT_MAIN SECT_WILDCARD(.text)
 #define DATA_MAIN SECT_WILDCARD(.data) .data..L* .data..compoundliteral* .data.$__unnamed_* .data.$L*
 #define SDATA_MAIN SECT_WILDCARD(.sdata)
 #define RODATA_MAIN SECT_WILDCARD(.rodata) .rodata..L*
 #define BSS_MAIN SECT_WILDCARD(.bss) .bss..compoundliteral*
 #define SBSS_MAIN SECT_WILDCARD(.sbss)
 #else
-#define TEXT_MAIN .text
 #define DATA_MAIN .data
 #define SDATA_MAIN .sdata
 #define RODATA_MAIN .rodata
@@ -115,6 +113,23 @@
 #define SBSS_MAIN .sbss
 #endif
 
+/*
+ * LTO_CLANG, LD_DEAD_CODE_DATA_ELIMINATION and FG_KASLR options enable
+ * -ffunction-sections, which produces separately named .text sections. In
+ * the case of CONFIG_FG_KASLR, they need to stay distict so they can be
+ * separately randomized. Without CONFIG_FG_KASLR, the separate .text
+ * sections can be collected back into a common section, which makes the
+ * resulting image slightly smaller
+ */
+#if (defined(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION) || \
+     defined(CONFIG_LTO_CLANG)) && !defined(CONFIG_FG_KASLR)
+#define TEXT_MAIN		SECT_WILDCARD(.text)
+#elif defined(CONFIG_FG_KASLR)
+#define TEXT_MAIN		.text.__unused__
+#else
+#define TEXT_MAIN		.text
+#endif
+
 /*
  * GCC 4.5 and later have a 32 bytes section alignment for structures.
  * Except GCC 4.9, that feels the need to align on 64 bytes.
@@ -843,6 +858,7 @@
 #define ELF_DETAILS							\
 		.comment 0 : { *(.comment) }				\
 		.symtab 0 : { *(.symtab) }				\
+		.symtab_shndx 0 : { *(.symtab_shndx) }			\
 		.strtab 0 : { *(.strtab) }				\
 		.shstrtab 0 : { *(.shstrtab) }
 
diff --git a/include/linux/linkage.h b/include/linux/linkage.h
index f3b966a6427e..95ca162a868c 100644
--- a/include/linux/linkage.h
+++ b/include/linux/linkage.h
@@ -75,11 +75,12 @@
 
 /*
  * Allow ASM symbols to have their own unique sections if they are being
- * generated by the compiler for C functions (DCE, LTO). Correlates with
- * the presence of the `-ffunction-section` in KBUILD_CFLAGS.
+ * generated by the compiler for C functions (DCE, FG-KASLR, LTO). Correlates
+ * with the presence of the `-ffunction-section` in KBUILD_CFLAGS.
  */
 #if defined(CONFIG_HAVE_ASM_FUNCTION_SECTIONS) && \
     ((defined(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION) && !defined(MODULE)) || \
+     (defined(CONFIG_FG_KASLR) && !defined(MODULE)) || \
      (defined(CONFIG_LTO_CLANG)))
 
 #define SYM_PUSH_SECTION(name)				\
@@ -91,13 +92,13 @@
 #define __ASM_PUSH_SECTION(name)			\
 	".pushsection %S." name ", \"ax\""
 
-#else /* !(CONFIG_HAVE_ASM_FUNCTION_SECTIONS && (DCE || LTO)) */
+#else /* !(CONFIG_HAVE_ASM_FUNCTION_SECTIONS && (DCE || FG_KASLR || LTO)) */
 
 #define SYM_PUSH_SECTION(name)
 #define SYM_POP_SECTION()
 #define __ASM_PUSH_SECTION(name)
 
-#endif /* !(CONFIG_HAVE_ASM_FUNCTION_SECTIONS && (DCE || LTO)) */
+#endif /* !(CONFIG_HAVE_ASM_FUNCTION_SECTIONS && (DCE || FG_KASLR || LTO)) */
 
 #define ASM_PUSH_SECTION(name)				\
 	__ASM_PUSH_SECTION(__stringify(name))
diff --git a/init/Kconfig b/init/Kconfig
index 4acfc80f22df..26f9a6e52dbd 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1393,8 +1393,9 @@ config HAVE_ASM_FUNCTION_SECTIONS
 	help
 	  This enables asm function sections if both architecture and
 	  toolchain support it. It allows creating a separate section
-	  for each function written in assembly in order to improve DCE
-	  and LTO (works the same way as -ffunction-sections for C code).
+	  for each function written in assembly in order to improve DCE,
+	  LTO and FG-KASLR (works the same way as -ffunction-sections
+	  for C code).
 
 config HAVE_LD_DEAD_CODE_DATA_ELIMINATION
 	bool
@@ -2061,6 +2062,20 @@ config PROFILING
 config TRACEPOINTS
 	bool
 
+config FG_KASLR
+	bool "Function Granular Kernel Address Space Layout Randomization"
+	depends on ARCH_SUPPORTS_FG_KASLR
+	depends on $(cc-option,-ffunction-sections)
+	depends on LD_HAS_Z_UNIQUE_SYMBOL || !LIVEPATCH
+	help
+	  This option improves the randomness of the kernel text
+	  over basic Kernel Address Space Layout Randomization (KASLR)
+	  by reordering the kernel text at boot time. This feature
+	  uses information generated at compile time to re-layout the
+	  kernel text section at boot time at function level granularity.
+
+	  If unsure, say N.
+
 endmenu		# General setup
 
 source "arch/Kconfig"
-- 
2.34.1


  parent reply	other threads:[~2022-02-09 19:02 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-09 18:57 [PATCH v10 00/15] Function Granular KASLR Alexander Lobakin
2022-02-09 18:57 ` [PATCH v10 01/15] modpost: fix removing numeric suffixes Alexander Lobakin
2022-05-03  0:57   ` Masahiro Yamada
2022-05-03  7:31   ` Petr Mladek
2022-05-23 18:04   ` Masahiro Yamada
2022-05-24 11:33     ` Alexander Lobakin
2022-05-24 13:40       ` Masahiro Yamada
2022-02-09 18:57 ` [PATCH v10 02/15] livepatch: avoid position-based search if `-z unique-symbol` is available Alexander Lobakin
2022-02-11 17:41   ` Josh Poimboeuf
2022-02-11 18:05     ` Fāng-ruì Sòng
2022-02-11 18:35       ` Josh Poimboeuf
2022-02-14 12:24         ` Alexander Lobakin
2022-02-14 18:10           ` Josh Poimboeuf
2022-02-16 20:32             ` Joe Lawrence
2022-02-16 22:13               ` Josh Poimboeuf
2022-02-16 15:15         ` Miroslav Benes
2022-02-16 20:01           ` Josh Poimboeuf
2022-02-18 16:31           ` Alexander Lobakin
2022-02-18 20:08             ` Josh Poimboeuf
2022-02-14 12:14     ` Alexander Lobakin
2022-02-14 18:57       ` Josh Poimboeuf
2022-02-16 15:06     ` Miroslav Benes
2022-02-16 19:57       ` Josh Poimboeuf
2022-02-17  7:45         ` Miroslav Benes
2022-02-09 18:57 ` [PATCH v10 03/15] kallsyms: randomize /proc/kallsyms output order Alexander Lobakin
2022-02-09 18:57 ` [PATCH v10 04/15] arch: introduce asm function sections Alexander Lobakin
2022-02-09 18:57 ` [PATCH v10 05/15] x86: support " Alexander Lobakin
2022-02-11 15:45   ` Peter Zijlstra
2022-02-14 11:49     ` Alexander Lobakin
2022-02-09 18:57 ` [PATCH v10 06/15] x86: decouple ORC table sorting into a separate file Alexander Lobakin
2022-02-09 18:57 ` Alexander Lobakin [this message]
2022-02-09 18:57 ` [PATCH v10 08/15] x86/tools: Add relative relocs for randomized functions Alexander Lobakin
2022-02-09 18:57 ` [PATCH v10 09/15] x86: Add support for function granular KASLR Alexander Lobakin
2022-02-09 18:57 ` [PATCH v10 10/15] FG-KASLR: use a scripted approach to handle .text.* sections Alexander Lobakin
2022-02-11 15:37   ` Peter Zijlstra
2022-02-14 11:34     ` Alexander Lobakin
2022-02-14 11:59       ` Peter Zijlstra
2022-02-14 12:30         ` Alexander Lobakin
2022-02-09 18:57 ` [PATCH v10 11/15] x86/boot: allow FG-KASLR to be selected Alexander Lobakin
2022-02-09 18:57 ` [PATCH v10 12/15] module: add arch-indep FG-KASLR for randomizing function layout Alexander Lobakin
2022-02-09 18:57 ` [PATCH v10 13/15] module: use a scripted approach for FG-KASLR Alexander Lobakin
2022-02-09 18:57 ` [PATCH v10 14/15] Documentation: add documentation " Alexander Lobakin
2022-02-09 18:57 ` [PATCH v10 15/15] maintainers: add MAINTAINERS entry " Alexander Lobakin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220209185752.1226407-8-alexandr.lobakin@intel.com \
    --to=alexandr.lobakin@intel.com \
    --cc=ardb@kernel.org \
    --cc=arnd@arndb.de \
    --cc=bp@alien8.de \
    --cc=bruce.schlobohm@intel.com \
    --cc=corbet@lwn.net \
    --cc=dave.hansen@linux.intel.com \
    --cc=davem@davemloft.net \
    --cc=eshatokhin@virtuozzo.com \
    --cc=hch@lst.de \
    --cc=herbert@gondor.apana.org.au \
    --cc=hjl.tools@gmail.com \
    --cc=hpa@zytor.com \
    --cc=jesse.brandeburg@intel.com \
    --cc=jeyu@kernel.org \
    --cc=jpoimboe@redhat.com \
    --cc=keescook@chromium.org \
    --cc=kristen@linux.intel.com \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kbuild@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=live-patching@vger.kernel.org \
    --cc=lkp@intel.com \
    --cc=llvm@lists.linux.dev \
    --cc=luto@kernel.org \
    --cc=masahiroy@kernel.org \
    --cc=mbenes@suse.cz \
    --cc=mhiramat@kernel.org \
    --cc=michal.lkml@markovi.net \
    --cc=miklos@szeredi.hu \
    --cc=mingo@redhat.com \
    --cc=nathan@kernel.org \
    --cc=ndesaulniers@google.com \
    --cc=nico@fluxnic.net \
    --cc=peterz@infradead.org \
    --cc=pomonis@google.com \
    --cc=samitolvanen@google.com \
    --cc=tglx@linutronix.de \
    --cc=tony.luck@intel.com \
    --cc=will@kernel.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).