From: Alexander Lobakin <alexandr.lobakin@intel.com>
To: linux-hardening@vger.kernel.org, x86@kernel.org
Cc: Alexander Lobakin <alexandr.lobakin@intel.com>,
	Jesse Brandeburg <jesse.brandeburg@intel.com>,
	Kristen Carlson Accardi <kristen@linux.intel.com>,
	Kees Cook <keescook@chromium.org>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Ard Biesheuvel <ardb@kernel.org>, Tony Luck <tony.luck@intel.com>,
	Bruce Schlobohm <bruce.schlobohm@intel.com>,
	Jessica Yu <jeyu@kernel.org>, kernel test robot <lkp@intel.com>,
	Miroslav Benes <mbenes@suse.cz>,
	Evgenii Shatokhin <eshatokhin@virtuozzo.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Masahiro Yamada <masahiroy@kernel.org>,
	Michal Marek <michal.lkml@markovi.net>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Thomas Gleixner <tglx@linutronix.de>,
	Will Deacon <will@kernel.org>, Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Andy Lutomirski <luto@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Arnd Bergmann <arnd@arndb.de>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Nathan Chancellor <nathan@kernel.org>,
	Masami Hiramatsu <mhiramat@kernel.org>,
	Marios Pomonis <pomonis@google.com>,
	Sami Tolvanen <samitolvanen@google.com>,
	linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org,
	linux-arch@vger.kernel.org, live-patching@vger.kernel.org,
	llvm@lists.linux.dev
Subject: [PATCH v8 12/14] module: use a scripted approach for FG-KASLR
Date: Thu,  2 Dec 2021 23:32:12 +0100	[thread overview]
Message-ID: <20211202223214.72888-13-alexandr.lobakin@intel.com> (raw)
In-Reply-To: <20211202223214.72888-1-alexandr.lobakin@intel.com>

Use the same methods and scripts to generate an LD script for every
module containing all the output text sections.
The only difference is that we don't need to reserve any space,
as the memory for every section is allocated dynamically.

Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
---
 .gitignore                        |  1 +
 include/asm-generic/vmlinux.lds.h | 12 ++++++++++++
 init/Kconfig                      | 15 ++++++++++++++-
 scripts/Makefile.modfinal         | 19 ++++++++++++++++---
 scripts/generate_text_sections.pl |  9 ++++++++-
 scripts/module.lds.S              | 14 +++++++++++++-
 6 files changed, 64 insertions(+), 6 deletions(-)

diff --git a/.gitignore b/.gitignore
index 7afd412dadd2..a39d0eb87395 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,6 +26,7 @@
 *.gz
 *.i
 *.ko
+*.lds
 *.lex.c
 *.ll
 *.lst
diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index 8ddc08baf50c..13718807c027 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -127,6 +127,18 @@
 #define TEXT_MAIN		.text
 #endif
 
+/*
+ * Same for modules. However, LD_DEAD_CODE_DATA_ELIMINATION doesn't touch
+ * them, so no need to check for it here.
+ */
+#if defined(CONFIG_LTO_CLANG) && !defined(CONFIG_MODULE_FG_KASLR)
+#define TEXT_MAIN_MODULE	.text .text.[0-9a-zA-Z_]*
+#elif defined(CONFIG_MODULE_FG_KASLR)
+#define TEXT_MAIN_MODULE	.text.__unused__
+#else
+#define TEXT_MAIN_MODULE	.text
+#endif
+
 /*
  * Used by scripts/generate_text_sections.pl to inject text sections,
  * harmless if FG-KASLR is disabled.
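Review bot: The `#if`/`#elif` ladder for `TEXT_MAIN_MODULE` tests CONFIG_MODULE_FG_KASLR twice; testing it first reads more simply: `#if defined(CONFIG_MODULE_FG_KASLR)`, then `#elif defined(CONFIG_LTO_CLANG)`, then `#else`. The comment should also say why the FG-KASLR case expands to `.text.__unused__`. It looks like a placeholder that matches no input section, so that the real text sections are left to the generated per-module script, but nothing in the hunk states this. With that value `*(TEXT_MAIN_MODULE)` in module.lds.S no longer matches plain `.text`, so please confirm it is collected somewhere else.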
diff --git a/init/Kconfig b/init/Kconfig
index 1f7e57d323bb..1cbd0ffcb6c0 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2363,7 +2363,6 @@ config UNUSED_KSYMS_WHITELIST
 config MODULE_FG_KASLR
 	bool "Module Function Granular Layout Randomization"
 	default FG_KASLR
-	depends on BROKEN
 	help
 	  This option randomizes the module text section by reordering the text
 	  section by function at module load time. In order to use this
@@ -2372,6 +2371,20 @@ config MODULE_FG_KASLR
 
 	  If unsure, say N.
 
+config MODULE_FG_KASLR_SHIFT
+	int "Module FG-KASLR granularity (functions per section shift)"
+	depends on MODULE_FG_KASLR
+	range 0 16
+	default 0
+	help
+	  This sets the number of functions that will be put in each section
+	  as a power of two.
+	  Decreasing the value increases the randomization, but also increases
+	  the size of the final kernel module due to the amount of sections.
+	  0 means that a separate section will be created for each function.
+	  16 almost disables the randomization, leaving only the manual
+	  separation.
+
 endif # MODULES
 
 config MODULES_TREE_LOOKUP
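Review bot: The help for MODULE_FG_KASLR_SHIFT says 16 "almost disables the randomization", which probably understates the effect on modules. 2^16 functions per section is more than most modules contain, so a large shift would leave `MODULE_FG_KASLR=y` in the config while the module text is effectively not reordered. Consider a smaller upper bound than `range 0 16` for modules, or state the consequence in the help, e.g. `A module with fewer functions than one section holds is not randomized at all.`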
diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal
index 7f39599e9fae..9353ce78a74e 100644
--- a/scripts/Makefile.modfinal
+++ b/scripts/Makefile.modfinal
@@ -28,13 +28,24 @@ quiet_cmd_cc_o_c = CC [M]  $@
 %.mod.o: %.mod.c FORCE
 	$(call if_changed_dep,cc_o_c)
 
+ifdef CONFIG_MODULE_FG_KASLR
+quiet_cmd_gen_modules_lds = GEN [M] $@
+      cmd_gen_modules_lds =						\
+	$(PERL) $(srctree)/scripts/generate_text_sections.pl		\
+		-s $(CONFIG_MODULE_FG_KASLR_SHIFT) $(filter %.o, $^)	\
+		< $(filter %.lds, $^) > $@
+
+%.lds: %$(mod-prelink-ext).o scripts/module.lds FORCE
+	$(call if_changed,gen_modules_lds)
+endif
+
 ARCH_POSTLINK := $(wildcard $(srctree)/arch/$(SRCARCH)/Makefile.postlink)
 
 quiet_cmd_ld_ko_o = LD [M]  $@
       cmd_ld_ko_o +=							\
 	$(LD) -r $(KBUILD_LDFLAGS)					\
 		$(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE)		\
-		-T scripts/module.lds -o $@ $(filter %.o, $^);		\
+		-T $(filter %.lds, $^) -o $@ $(filter %.o, $^);		\
 	$(if $(ARCH_POSTLINK), $(MAKE) -f $(ARCH_POSTLINK) $@, true)
 
 quiet_cmd_btf_ko = BTF [M] $@
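Review bot: The new `%.lds:` rule is an open pattern rule, so it applies to any `.lds` file make looks for in this makefile, including the `scripts/module.lds` prerequisite itself. A static pattern rule limited to the modules being linked fails loudly instead of matching by accident: `$(modules:.ko=.lds): %.lds: %$(mod-prelink-ext).o scripts/module.lds FORCE` (assuming `modules` is already set at this point in the file). Separately, `-T $(filter %.lds, $^)` in `cmd_ld_ko_o` relies on exactly one `.lds` prerequisite; if the filter ever comes back empty, `ld` would take `-o` as the script name, so a short comment on that invariant would help.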
@@ -56,13 +67,15 @@ if_changed_except = $(if $(call newer_prereqs_except,$(2))$(cmd-check),      \
 
 
 # Re-generate module BTFs if either module's .ko or vmlinux changed
-$(modules): %.ko: %$(mod-prelink-ext).o %.mod.o scripts/module.lds $(if $(KBUILD_BUILTIN),vmlinux) FORCE
+$(modules): %.ko: %$(mod-prelink-ext).o %.mod.o
+$(modules): %.ko: $(if $(CONFIG_MODULE_FG_KASLR),%.lds,scripts/module.lds)
+$(modules): %.ko: $(if $(KBUILD_BUILTIN),vmlinux) FORCE
 	+$(call if_changed_except,ld_ko_o,vmlinux)
 ifdef CONFIG_DEBUG_INFO_BTF_MODULES
 	+$(if $(newer-prereqs),$(call cmd,btf_ko))
 endif
 
-targets += $(modules) $(modules:.ko=.mod.o)
+targets += $(modules) $(modules:.ko=.mod.o) $(if $(CONFIG_MODULE_FG_KASLR),$(modules:.ko=.lds))
 
 # Add FORCE to the prequisites of a target to force it to be always rebuilt.
 # ---------------------------------------------------------------------------
diff --git a/scripts/generate_text_sections.pl b/scripts/generate_text_sections.pl
index 6871045fb7a6..d4c5614d9481 100755
--- a/scripts/generate_text_sections.pl
+++ b/scripts/generate_text_sections.pl
@@ -45,6 +45,7 @@ my $readelf = $ENV{'READELF'} || die "$0: ERROR: READELF not set?";
 ## text sections array
 my @sections = ();
 my $has_ccf = 0;
+my $vmlinux = 0;
 
 ## max alignment found to reserve some space
 my $max_align = 64;
@@ -73,6 +74,12 @@ sub read_sections {
 			$has_ccf = 1;
 		}
 
+		## If we're processing a module, don't reserve any space
+		## at the end as its sections are being allocated separately.
+		if ($name eq ".sched.text") {
+			$vmlinux = 1;
+		}
+
 		if (!($name =~ /^\.text\.[0-9a-zA-Z_]*((\.constprop|\.isra|\.part)\.[0-9])*(|\.[0-9cfi]*)$/)) {
 			next;
 		}
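Review bot: The added `.sched.text` check in read_sections() decides whether the input is vmlinux from the presence of a section name, and the later `print_reserve` hunk skips the reservation based on it. That is a heuristic: an object with no `.sched.text` section is silently treated as a module, and a module that carried such a section would be treated as vmlinux. Since `cmd_gen_modules_lds` already knows it is building a module script, passing that explicitly on the command line (the script already parses `-s`) would be more robust than inferring it. The comment above the check is also misleading, because it describes the module case while the code sets the vmlinux flag; something like `## .sched.text only exists in vmlinux; modules need no reserved space` would match the code. read_sections() continues outside this hunk.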
@@ -132,7 +139,7 @@ sub print_reserve {
 	## If we have text sections aligned with 64 bytes or more, make
 	## sure we reserve some space for them to not overlap _etext
 	## while shuffling sections.
-	if (!$count) {
+	if (!$vmlinux or !$count) {
 		return;
 	}
 
diff --git a/scripts/module.lds.S b/scripts/module.lds.S
index 1d0e1e4dc3d2..6e957aa614b1 100644
--- a/scripts/module.lds.S
+++ b/scripts/module.lds.S
@@ -3,6 +3,11 @@
  * Archs are free to supply their own linker scripts.  ld will
  * combine them automatically.
  */
+
+#include <asm-generic/vmlinux.lds.h>
+
+#undef SANITIZER_DISCARDS
+
 #ifdef CONFIG_CFI_CLANG
 # include <asm/page.h>
 # define ALIGN_CFI 		ALIGN(PAGE_SIZE)
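Review bot: The `#undef SANITIZER_DISCARDS` right after the new `#include <asm-generic/vmlinux.lds.h>` has no explanation, and the reason is not visible in this hunk. A one-line comment saying which definition from vmlinux.lds.h must not apply to modules, and why, would stop a later cleanup from removing it, e.g. `/* vmlinux-only discards; modules must keep these sections */` if that is indeed the intent.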
@@ -58,9 +63,16 @@ SECTIONS {
 	 */
 	.text : ALIGN_CFI {
 		*(.text.__cfi_check)
-		*(.text .text.[0-9a-zA-Z_]* .text..L.cfi*)
+		*(TEXT_MAIN_MODULE)
+		*(.text..L.cfi.jumptable .text..L.cfi.jumptable.*)
+	}
+#elif defined(CONFIG_MODULE_FG_KASLR)
+	.text : {
+		*(TEXT_MAIN_MODULE)
 	}
 #endif
+
+	TEXT_FG_KASLR
 }
 
 /* bring in arch-specific sections */
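Review bot: In the CFI branch the old glob `.text..L.cfi*` is replaced by `*(.text..L.cfi.jumptable .text..L.cfi.jumptable.*)`, which is narrower. Any other `.text..L.cfi*` input section the compiler emits would no longer be placed inside the page-aligned `.text` output section and would end up as an orphan section; whether such sections exist cannot be told from this hunk. Either keep the wider pattern, `*(.text..L.cfi*)`, or add a comment stating that only jump tables use that prefix. It is also worth a comment that with both CFI and MODULE_FG_KASLR enabled, `TEXT_MAIN_MODULE` no longer collects plain `.text` here and the placement depends on `TEXT_FG_KASLR`.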
-- 
2.33.1



Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-12-02 22:32 [PATCH v8 00/14] Function Granular KASLR Alexander Lobakin
2021-12-02 22:32 ` [PATCH v8 01/14] x86: Makefile: Add build and config option for CONFIG_FG_KASLR Alexander Lobakin
2021-12-02 22:32 ` [PATCH v8 02/14] x86/tools: Add relative relocs for randomized functions Alexander Lobakin
2021-12-02 22:32 ` [PATCH v8 03/14] x86: Add support for function granular KASLR Alexander Lobakin
2021-12-03  9:18   ` Peter Zijlstra
2021-12-03 13:57     ` Alexander Lobakin
2021-12-03 10:34   ` Peter Zijlstra
2021-12-02 22:32 ` [PATCH v8 04/14] linkage: add macros for putting ASM functions into own sections Alexander Lobakin
2021-12-03  9:31   ` Peter Zijlstra
2021-12-03 14:08     ` Alexander Lobakin
2021-12-02 22:32 ` [PATCH v8 05/14] x86: conditionally place regular ASM functions into separate sections Alexander Lobakin
2021-12-03  9:44   ` Peter Zijlstra
2021-12-03 14:10     ` Alexander Lobakin
2021-12-03 16:34       ` Peter Zijlstra
2021-12-03 16:51         ` H.J. Lu
2021-12-03 19:46         ` Nicolas Pitre
2021-12-04  8:31           ` Ard Biesheuvel
2021-12-04  8:55           ` Peter Zijlstra
2021-12-10 11:01     ` Alexander Lobakin
2021-12-10 13:20       ` Nicolas Pitre
2021-12-02 22:32 ` [PATCH v8 06/14] FG-KASLR: use a scripted approach to handle .text.* sections Alexander Lobakin
2021-12-03  9:54   ` Peter Zijlstra
2021-12-02 22:32 ` [PATCH v8 07/14] kallsyms: Hide layout Alexander Lobakin
2021-12-03 10:00   ` Peter Zijlstra
2021-12-03 10:03     ` Ard Biesheuvel
2021-12-07  5:31       ` Josh Poimboeuf
2021-12-02 22:32 ` [PATCH v8 08/14] livepatch: only match unique symbols when using FG-KASLR Alexander Lobakin
2021-12-03 10:05   ` Peter Zijlstra
2021-12-03 14:14     ` Alexander Lobakin
2021-12-06  6:03     ` Josh Poimboeuf
2021-12-02 22:32 ` [PATCH v8 09/14] x86/boot: allow FG-KASLR to be selected Alexander Lobakin
2021-12-02 22:32 ` [PATCH v8 10/14] arm64/crypto: conditionally place ASM functions into separate sections Alexander Lobakin
2021-12-02 22:32 ` [PATCH v8 11/14] module: Reorder functions Alexander Lobakin
2021-12-03 10:23   ` Peter Zijlstra
2021-12-02 22:32 ` Alexander Lobakin [this message]
2021-12-02 22:32 ` [PATCH v8 13/14] Documentation: add documentation for FG-KASLR Alexander Lobakin
2021-12-02 22:32 ` [PATCH v8 14/14] maintainers: add MAINTAINERS entry " Alexander Lobakin
2021-12-03 10:38 ` [PATCH v8 00/14] Function Granular KASLR Peter Zijlstra
2021-12-03 14:41   ` Alexander Lobakin
2021-12-03 16:32     ` Peter Zijlstra
