From: Will Deacon <will@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: Fangrui Song <maskray@google.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Ard Biesheuvel <ardb@kernel.org>,
Peter Collingbourne <pcc@google.com>,
James Morse <james.morse@arm.com>, Borislav Petkov <bp@suse.de>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
Russell King <linux@armlinux.org.uk>,
Masahiro Yamada <masahiroy@kernel.org>,
Arvind Sankar <nivedita@alum.mit.edu>,
Nick Desaulniers <ndesaulniers@google.com>,
Nathan Chancellor <natechancellor@gmail.com>,
Arnd Bergmann <arnd@arndb.de>,
x86@kernel.org, clang-built-linux@googlegroups.com,
linux-arch@vger.kernel.org, linux-efi@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 3/9] efi/libstub: Remove .note.gnu.property
Date: Wed, 24 Jun 2020 11:43:56 +0100 [thread overview]
Message-ID: <20200624104356.GA6134@willie-the-truck> (raw)
In-Reply-To: <202006232143.66828CD3@keescook>
On Tue, Jun 23, 2020 at 09:44:11PM -0700, Kees Cook wrote:
> On Tue, Jun 23, 2020 at 08:31:42PM -0700, 'Fangrui Song' via Clang Built Linux wrote:
> > On 2020-06-23, Kees Cook wrote:
> > > In preparation for adding --orphan-handling=warn to more architectures,
> > > make sure unwanted sections don't end up appearing under the .init
> > > section prefix that libstub adds to itself during objcopy.
> > >
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > ---
> > > drivers/firmware/efi/libstub/Makefile | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
> > > index 75daaf20374e..9d2d2e784bca 100644
> > > --- a/drivers/firmware/efi/libstub/Makefile
> > > +++ b/drivers/firmware/efi/libstub/Makefile
> > > @@ -66,6 +66,9 @@ lib-$(CONFIG_X86) += x86-stub.o
> > > CFLAGS_arm32-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET)
> > > CFLAGS_arm64-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET)
> > >
> > > +# Remove unwanted sections first.
> > > +STUBCOPY_FLAGS-y += --remove-section=.note.gnu.property
> > > +
> > > #
> > > # For x86, bootloaders like systemd-boot or grub-efi do not zero-initialize the
> > > # .bss section, so the .bss section of the EFI stub needs to be included in the
> >
> > arch/arm64/Kconfig enables ARM64_PTR_AUTH by default. When the config is on
> >
> > ifeq ($(CONFIG_ARM64_BTI_KERNEL),y)
> > branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI) := -mbranch-protection=pac-ret+leaf+bti
> > else
> > branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
> > endif
> >
> > This option creates .note.gnu.property:
> >
> > % readelf -n drivers/firmware/efi/libstub/efi-stub.o
> >
> > Displaying notes found in: .note.gnu.property
> > Owner Data size Description
> > GNU 0x00000010 NT_GNU_PROPERTY_TYPE_0
> > Properties: AArch64 feature: PAC
> >
> > If .note.gnu.property is not desired in drivers/firmware/efi/libstub, specifying
> > -mbranch-protection=none can override -mbranch-protection=pac-ret+leaf
>
> We want to keep the branch protection enabled. But since it's not a
> "regular" ELF, we don't need to keep the property that identifies the
> feature.
For the kernel Image, how do we remove these sections? The objcopy flags
in arch/arm64/boot/Makefile look both insufficient and out of date. My
vmlinux ends up with both a ".notes" and a ".init.note.gnu.property"
segment.
Will
WARNING: multiple messages have this Message-ID (diff)
From: Will Deacon <will@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
linux-arch@vger.kernel.org, linux-efi@vger.kernel.org,
Arnd Bergmann <arnd@arndb.de>, Fangrui Song <maskray@google.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Masahiro Yamada <masahiroy@kernel.org>,
x86@kernel.org, Nick Desaulniers <ndesaulniers@google.com>,
Russell King <linux@armlinux.org.uk>,
linux-kernel@vger.kernel.org,
Nathan Chancellor <natechancellor@gmail.com>,
clang-built-linux@googlegroups.com,
Arvind Sankar <nivedita@alum.mit.edu>,
Ingo Molnar <mingo@redhat.com>, James Morse <james.morse@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@suse.de>,
Peter Collingbourne <pcc@google.com>,
Ard Biesheuvel <ardb@kernel.org>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v3 3/9] efi/libstub: Remove .note.gnu.property
Date: Wed, 24 Jun 2020 11:43:56 +0100 [thread overview]
Message-ID: <20200624104356.GA6134@willie-the-truck> (raw)
In-Reply-To: <202006232143.66828CD3@keescook>
On Tue, Jun 23, 2020 at 09:44:11PM -0700, Kees Cook wrote:
> On Tue, Jun 23, 2020 at 08:31:42PM -0700, 'Fangrui Song' via Clang Built Linux wrote:
> > On 2020-06-23, Kees Cook wrote:
> > > In preparation for adding --orphan-handling=warn to more architectures,
> > > make sure unwanted sections don't end up appearing under the .init
> > > section prefix that libstub adds to itself during objcopy.
> > >
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > ---
> > > drivers/firmware/efi/libstub/Makefile | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
> > > index 75daaf20374e..9d2d2e784bca 100644
> > > --- a/drivers/firmware/efi/libstub/Makefile
> > > +++ b/drivers/firmware/efi/libstub/Makefile
> > > @@ -66,6 +66,9 @@ lib-$(CONFIG_X86) += x86-stub.o
> > > CFLAGS_arm32-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET)
> > > CFLAGS_arm64-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET)
> > >
> > > +# Remove unwanted sections first.
> > > +STUBCOPY_FLAGS-y += --remove-section=.note.gnu.property
> > > +
> > > #
> > > # For x86, bootloaders like systemd-boot or grub-efi do not zero-initialize the
> > > # .bss section, so the .bss section of the EFI stub needs to be included in the
> >
> > arch/arm64/Kconfig enables ARM64_PTR_AUTH by default. When the config is on
> >
> > ifeq ($(CONFIG_ARM64_BTI_KERNEL),y)
> > branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI) := -mbranch-protection=pac-ret+leaf+bti
> > else
> > branch-prot-flags-$(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET) := -mbranch-protection=pac-ret+leaf
> > endif
> >
> > This option creates .note.gnu.property:
> >
> > % readelf -n drivers/firmware/efi/libstub/efi-stub.o
> >
> > Displaying notes found in: .note.gnu.property
> > Owner Data size Description
> > GNU 0x00000010 NT_GNU_PROPERTY_TYPE_0
> > Properties: AArch64 feature: PAC
> >
> > If .note.gnu.property is not desired in drivers/firmware/efi/libstub, specifying
> > -mbranch-protection=none can override -mbranch-protection=pac-ret+leaf
>
> We want to keep the branch protection enabled. But since it's not a
> "regular" ELF, we don't need to keep the property that identifies the
> feature.
For the kernel Image, how do we remove these sections? The objcopy flags
in arch/arm64/boot/Makefile look both insufficient and out of date. My
vmlinux ends up with both a ".notes" and a ".init.note.gnu.property"
segment.
Will
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-06-24 10:44 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-24 1:49 [PATCH v3 0/9] Warn on orphan section placement Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 1:49 ` [PATCH v3 1/9] vmlinux.lds.h: Add .gnu.version* to DISCARDS Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 1:49 ` [PATCH v3 2/9] vmlinux.lds.h: Add .symtab, .strtab, and .shstrtab to STABS_DEBUG Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 15:39 ` Arvind Sankar
2020-06-24 15:39 ` Arvind Sankar
2020-06-24 15:39 ` Arvind Sankar
2020-06-24 16:16 ` Fangrui Song
2020-06-24 16:16 ` Fangrui Song
2020-06-24 17:11 ` Arvind Sankar
2020-06-24 17:11 ` Arvind Sankar
2020-06-24 17:11 ` Arvind Sankar
2020-06-24 17:26 ` Fangrui Song
2020-06-24 17:26 ` Fangrui Song
2020-06-24 17:35 ` Arvind Sankar
2020-06-24 17:35 ` Arvind Sankar
2020-06-24 17:35 ` Arvind Sankar
2020-06-24 1:49 ` [PATCH v3 3/9] efi/libstub: Remove .note.gnu.property Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 3:31 ` Fangrui Song
2020-06-24 3:31 ` Fangrui Song
2020-06-24 4:44 ` Kees Cook
2020-06-24 4:44 ` Kees Cook
2020-06-24 10:43 ` Will Deacon [this message]
2020-06-24 10:43 ` Will Deacon
2020-06-24 10:46 ` Ard Biesheuvel
2020-06-24 10:46 ` Ard Biesheuvel
2020-06-24 10:46 ` Ard Biesheuvel
2020-06-24 11:26 ` Will Deacon
2020-06-24 11:26 ` Will Deacon
2020-06-24 11:26 ` Will Deacon
2020-06-24 13:48 ` Dave Martin
2020-06-24 13:48 ` Dave Martin
2020-06-24 13:48 ` Dave Martin
2020-06-24 15:26 ` Will Deacon
2020-06-24 15:26 ` Will Deacon
2020-06-24 15:26 ` Will Deacon
2020-06-24 16:26 ` Dave Martin
2020-06-24 16:26 ` Dave Martin
2020-06-24 16:26 ` Dave Martin
2020-06-24 15:21 ` Kees Cook
2020-06-24 15:21 ` Kees Cook
2020-06-24 15:21 ` Kees Cook
2020-06-24 15:31 ` Ard Biesheuvel
2020-06-24 15:31 ` Ard Biesheuvel
2020-06-24 15:31 ` Ard Biesheuvel
2020-06-24 15:45 ` Kees Cook
2020-06-24 15:45 ` Kees Cook
2020-06-24 15:45 ` Kees Cook
2020-06-24 15:48 ` Ard Biesheuvel
2020-06-24 15:48 ` Ard Biesheuvel
2020-06-24 15:48 ` Ard Biesheuvel
2020-06-24 16:29 ` Dave Martin
2020-06-24 16:29 ` Dave Martin
2020-06-24 16:29 ` Dave Martin
2020-06-24 16:40 ` Ard Biesheuvel
2020-06-24 16:40 ` Ard Biesheuvel
2020-06-24 16:40 ` Ard Biesheuvel
2020-06-24 17:16 ` Dave Martin
2020-06-24 17:16 ` Dave Martin
2020-06-24 17:16 ` Dave Martin
2020-06-24 18:23 ` Ard Biesheuvel
2020-06-24 18:23 ` Ard Biesheuvel
2020-06-24 18:23 ` Ard Biesheuvel
2020-06-24 18:57 ` Ard Biesheuvel
2020-06-24 18:57 ` Ard Biesheuvel
2020-06-24 18:57 ` Ard Biesheuvel
2020-06-24 1:49 ` [PATCH v3 4/9] x86/build: Warn on orphan section placement Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 18:36 ` kernel test robot
2020-06-27 15:44 ` Kees Cook
2020-06-27 15:44 ` Kees Cook
2020-06-29 14:54 ` Marco Elver
2020-06-29 14:54 ` Marco Elver
2020-06-29 15:26 ` Kees Cook
2020-06-29 15:26 ` Kees Cook
2020-06-24 1:49 ` [PATCH v3 5/9] x86/boot: " Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 1:49 ` [PATCH v3 6/9] arm/build: " Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 1:49 ` [PATCH v3 7/9] arm/boot: " Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 1:49 ` [PATCH v3 8/9] arm64/build: Use common DISCARDS in linker script Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 1:49 ` [PATCH v3 9/9] arm64/build: Warn on orphan section placement Kees Cook
2020-06-24 1:49 ` Kees Cook
2020-06-24 7:57 ` Will Deacon
2020-06-24 7:57 ` Will Deacon
2020-06-24 15:36 ` Kees Cook
2020-06-24 15:36 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200624104356.GA6134@willie-the-truck \
--to=will@kernel.org \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=bp@suse.de \
--cc=catalin.marinas@arm.com \
--cc=clang-built-linux@googlegroups.com \
--cc=james.morse@arm.com \
--cc=keescook@chromium.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=mark.rutland@arm.com \
--cc=masahiroy@kernel.org \
--cc=maskray@google.com \
--cc=mingo@redhat.com \
--cc=natechancellor@gmail.com \
--cc=ndesaulniers@google.com \
--cc=nivedita@alum.mit.edu \
--cc=pcc@google.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.