From: Laura Abbott <labbott@redhat.com>
To: Kees Cook <keescook@chromium.org>, kernel-hardening@lists.openwall.com
Cc: linux-kernel@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
	Emese Revfy <re.emese@gmail.com>,
	Josh Triplett <josh@joshtriplett.org>,
	pageexec@freemail.hu, spender@grsecurity.net, mmarek@suse.com,
	yamada.masahiro@socionext.com, linux-kbuild@vger.kernel.org,
	minipli@ld-linux.so, linux@armlinux.org.uk,
	catalin.marinas@arm.com, linux@rasmusvillemoes.dk,
	david.brown@linaro.org, benh@kernel.crashing.org,
	tglx@linutronix.de, akpm@linux-foundation.org,
	jlayton@poochiereds.net, sam@ravnborg.org
Subject: Re: [PATCH v4 0/4] Introduce the initify gcc plugin
Date: Mon, 19 Dec 2016 10:24:05 -0800
Message-ID: <2b452e83-d74a-8d41-1f00-1764b2c767f1@redhat.com>
In-Reply-To: <1481925984-98605-1-git-send-email-keescook@chromium.org>

On 12/16/2016 02:06 PM, Kees Cook wrote:
> Hi,
> 
> This is a continuation of Emese Revfy's initify plugin upstreaming. This
> is based on her v3, but updated with various fixes from her github tree.
> Additionally, I split off the printf attribute fixes and sent those
> separately.
> 
> This is the initify gcc plugin. The kernel already has a mechanism to
> free up code and data memory that is only used during kernel or module
> initialization.  This plugin will teach the compiler to find more such
> code and data that can be freed after initialization. It reduces memory
> usage.  The initify gcc plugin can be useful for embedded systems.
> 
> Originally it was a CII project supported by the Linux Foundation.
> 
> This plugin is part of grsecurity/PaX.
> 
> The plugin supports all gcc versions from 4.5 to 7.0.
> 
> Changes on top of the PaX version (since March 6.). These are the important
> ones:
>  * move all local strings to init.rodata.str and exit.rodata.str
>    (not just __func__)
>  * report all initified strings and functions
>    (GCC_PLUGIN_INITIFY_VERBOSE config option)
>  * automatically discover init/exit functions and apply the __init or
>    __exit attributes on them
> 
> You can find more about the changes here:
> https://github.com/ephox-gcc-plugins/initify
> 
> This patch set is based on v4.9-rc2.
> 
> Some build statistics about the plugin:
> 
> On allyes config (amd64, gcc-6):
> * 8412 initified strings
> *  167 initified functions
> 
> On allmod config (i386, gcc-6):
> * 8597 initified strings
> *  159 initified functions
> 
> On allyes config (amd64, gcc-6):
> 
> section         vanilla                 vanilla + initify        change
> -----------------------------------------------------------------------
> .rodata         21746728 (0x14bd428)    21488680 (0x147e428)    -258048
> .init.data       1338376  (0x146c08)     1683016  (0x19ae48)    +344640
> .text           78270904 (0x4aa51b8)    78228280 (0x4a9ab38)     -42624
> .init.text       1184725  (0x1213d5)     1223257  (0x12aa59)     +38532
> .exit.data           104  (0x000068)       17760  (0x004560)     +17656
> .exit.text        174473  (0x02a989)      175763  (0x02ae93)      +1290
> 
>         FileSiz (vanilla)       FileSiz (vanilla + initify)      change
> ------------------------------------------------------------------------
> 00      102936576 (0x622b000)   102678528 (0x61ec000)           -258048
> 03       28680192 (0x1b5a000)    29081600 (0x1bbc000)           +401408
> 
> 00     .text .notes __ex_table .rodata __bug_table .pci_fixup .builtin_fw
>        .tracedata __ksymtab __ksymtab_gpl __ksymtab_strings __init_rodata
>        __param __modver
> 03     .init.text .altinstr_aux .init.data .x86_cpu_dev.init
>        .parainstructions .altinstructions .altinstr_replacement
>        .iommu_table .apicdrivers .exit.text .exit.data .smp_locks .bss .brk
> 
> 
> On defconfig (amd64, gcc-6):
> * 1957 initified strings
> *   29 initified functions
> 
> On defconfig (amd64, gcc-6):
> 
> section         vanilla                 vanilla + initify        change
> -----------------------------------------------------------------------
> .rodata         2524240 (0x268450)      2462800 (0x259450)      -61440
> .init.data       560256 (0x088c80)       644000 (0x09d3a0)      +83744
> .text           9377367 (0x8f1657)      9373079 (0x8f0597)       -4288
> .init.text       438586 (0x06b13a)       441828 (0x06bde4)       +3242
> .exit.data            0                     832 (0x000340)        +832
> .exit.text         8857 (0x002299)          8857 (0x002299)          0
> 
>         FileSiz (vanilla)       FileSiz (vanilla + initify)      change
> ------------------------------------------------------------------------
> 00      13398016 (0xcc7000)     13336576 (0xcb8000)             -61440
> 03       2203648 (0x21a000)      2293760 (0x230000)             +90112
> 
> 00     .text .notes __ex_table .rodata __bug_table .pci_fixup .builtin_fw
>        .tracedata __ksymtab __ksymtab_gpl __ksymtab_strings __init_rodata
>        __param __modver
> 03     .init.text .altinstr_aux .init.data .x86_cpu_dev.init
>        .parainstructions .altinstructions .altinstr_replacement
>        .iommu_table .apicdrivers .exit.text .exit.data .smp_locks .bss .brk
> 
> One thing of note is that this plugin triggers false positive warnings
> from the modpost section mismatch detector. Further work is needed to
> deal with this.
> 
> 
> Changed from v3:
>  * Refresh from Emese's latest version.
> 
> Changed from v2:
>  * Check all uses when walking a use-def chain.
>  * Check all uses of initialized local variables and initify them if they
>    have only nocapture uses. Previously only uses in call arguments
>    determined whether the initializer value could be initified.
>  * Handle the format gcc attribute from the plugin too.
>  * Verify nocapture parameters of calls. Track uses of these parameters
>    and verify that all uses are not captured. Verify only the nocapture
>    attribute (The format attribute should be verified too.).
>  * Fixed wrong indexing of function arguments.
>  * Fixed decl comparison. When comparing two decls the tree codes must be
>    the same.
>  * Search capture uses of the return value. Use negative nocapture
>    attribute parameter on a function argument to verify that the return
>    value is not captured.
>  * Stop the search for capture uses if there is a cast to integer type.
>  * Removed unnecessary duplication hook.
>  * Handle cloned functions with a changed argument list.
>  * Check visited tree nodes to avoid an infinite loop.
>  * Add a new initify plugin option: enable_init_to_exit_moves. Move a
>    function to the exit section if it is called by __init and __exit
>    functions too.
>  * Added plugin option to disable the search of capture uses in nocapture
>    functions. We must be able to disable verification of nocapture
>    functions because there is a lot of asm code in the str* and mem*
>    functions on i386.
>  * Added some more nocapture attributes.
>  * Added some more printf attributes.
>  * Added some unverified_nocapture attributes.
>  * Make is_kernel_rodata() nocapture.
>  * Added comment for the nocapture attribute from Kees.
> 
> Changes from v1:
>  * Removed unnecessary nocapture attributes from boot code
>    (Reported-by: PaX Team <pageexec@freemail.hu>)
>  * Removed nocapture attributes from functions that return
>    the marked parameter
>    (Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>)
>  * Added nocapture attribute to strlen()
>  * Updated gcc-common.h from PaX
>  * Don't forcibly constify initified string types
>    this caused the size reduction of the .data section
>    (initify_plugin.c)
>  * Added the section mismatch problem in the commit message
> 

I gave this a spin on arm64 and it seems to boot up and run okay
with just the "select HAVE_GCC_PLUGIN_INITIFY_INIT_EXIT if GCC_PLUGINS"
added for arm64. The patches could probably use more review but
I think it would be good to just fold this in for arm64 for ease of
testing.

Thanks,
Laura
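
The capture rule behind the nocapture entries in the changelog quoted above, as an added userspace model (not code from the patch set or the plugin): a string can live in an init section only if no use keeps its address past init, because that memory is released afterwards. The section name demo_init_str and the functions log_len, register_name and skip_prefix are hypothetical; an ELF toolchain (GCC or Clang with GNU ld or lld) is assumed.

```c
/* Added illustration, not kernel or plugin code. Userspace model (ELF,
 * GCC or Clang with GNU ld or lld) of why a string may move to an init
 * section only if no use captures its address. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical section standing in for init.rodata.str. For a section
 * named like a C identifier the linker defines __start_/__stop_ symbols. */
#define INIT_STR __attribute__((section("demo_init_str"), used))
extern const char __start_demo_init_str[], __stop_demo_init_str[];

static const char banner[] INIT_STR = "demo: probing device";
static const char devname[] INIT_STR = "demo-dev0";
static const char status[] INIT_STR = "demo: link up";

static bool init_freed;        /* models init memory having been released */
static const char *saved_name; /* long-lived pointer that survives init */

bool in_init_section(const void *p)
{
	uintptr_t a = (uintptr_t)p;

	return a >= (uintptr_t)__start_demo_init_str &&
	       a < (uintptr_t)__stop_demo_init_str;
}

/* nocapture-style use: reads the string during the call, keeps nothing. */
size_t log_len(const char *s) { return strlen(s); }

/* Capturing use: the pointer is stored and outlives the call. */
void register_name(const char *s) { saved_name = s; }

/* Returning (part of) the argument lets the caller keep it: also a capture. */
const char *skip_prefix(const char *s)
{
	return strncmp(s, "demo: ", 6) == 0 ? s + 6 : s;
}

/* Dangling: still points into the init section after it was released. */
bool dangling(const void *p)
{
	return init_freed && p && in_init_section(p);
}

/* Runs the modelled init phase; returns how many kept pointers dangle. */
int run_demo(void)
{
	const char *tail;

	init_freed = false;
	saved_name = NULL;
	(void)log_len(banner);      /* banner: only nocapture uses, safe */
	register_name(devname);     /* devname: captured by the callee */
	tail = skip_prefix(status); /* status: escapes via the return value */
	init_freed = true;          /* end of init */
	return dangling(saved_name) + dangling(tail);
}

int main(void) { return run_demo() == 2 ? 0 : 1; }
```

Only banner would be a valid candidate for the init section here; devname and status each have a capturing use, which is the case the changelog's return-value and use-def checks exist to catch.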
