From: Masahiro Yamada <yamada.masahiro@socionext.com>
To: linux-kbuild@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Kees Cook <keescook@chromium.org>,
Nicholas Piggin <npiggin@gmail.com>,
"Luis R . Rodriguez" <mcgrof@suse.com>,
Randy Dunlap <rdunlap@infradead.org>,
Ulf Magnusson <ulfalizer@gmail.com>,
Sam Ravnborg <sam@ravnborg.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Masahiro Yamada <yamada.masahiro@socionext.com>
Subject: [PATCH v5 23/31] stack-protector: test compiler capability in Kconfig and drop AUTO mode
Date: Mon, 28 May 2018 18:22:00 +0900 [thread overview]
Message-ID: <1527499328-13213-24-git-send-email-yamada.masahiro@socionext.com> (raw)
In-Reply-To: <1527499328-13213-1-git-send-email-yamada.masahiro@socionext.com>
Move the test for -fstack-protector(-strong) option to Kconfig.
If the compiler does not support the option, the corresponding menu
is automatically hidden. If STRONG is not supported, it will fall
back to REGULAR. If REGULAR is not supported, it will be disabled.
This means, AUTO is implicitly handled by the dependency solver of
Kconfig, hence removed.
I also turned the 'choice' into only two boolean symbols. The use of
'choice' is not a good idea here, because all of all{yes,mod,no}config
would choose the first visible value, while we want allnoconfig to
disable as many features as possible.
X86 has additional shell scripts in case the compiler supports those
options, but generates broken code. I added CC_HAS_SANE_STACKPROTECTOR
to test this. I had to add -m32 to gcc-x86_32-has-stack-protector.sh
to make it work correctly.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Acked-by: Kees Cook <keescook@chromium.org>
---
Changes in v5: None
Changes in v4: None
Changes in v3: None
Changes in v2: None
Makefile | 93 ++-----------------------------
arch/Kconfig | 32 ++++-------
arch/x86/Kconfig | 11 +++-
scripts/gcc-x86_32-has-stack-protector.sh | 7 +--
scripts/gcc-x86_64-has-stack-protector.sh | 5 --
5 files changed, 28 insertions(+), 120 deletions(-)
diff --git a/Makefile b/Makefile
index defb383..80e0800 100644
--- a/Makefile
+++ b/Makefile
@@ -675,55 +675,11 @@ ifneq ($(CONFIG_FRAME_WARN),0)
KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
endif
-# This selects the stack protector compiler flag. Testing it is delayed
-# until after .config has been reprocessed, in the prepare-compiler-check
-# target.
-ifdef CONFIG_CC_STACKPROTECTOR_AUTO
- stackp-flag := $(call cc-option,-fstack-protector-strong,$(call cc-option,-fstack-protector))
- stackp-name := AUTO
-else
-ifdef CONFIG_CC_STACKPROTECTOR_REGULAR
- stackp-flag := -fstack-protector
- stackp-name := REGULAR
-else
-ifdef CONFIG_CC_STACKPROTECTOR_STRONG
- stackp-flag := -fstack-protector-strong
- stackp-name := STRONG
-else
- # If either there is no stack protector for this architecture or
- # CONFIG_CC_STACKPROTECTOR_NONE is selected, we're done, and $(stackp-name)
- # is empty, skipping all remaining stack protector tests.
- #
- # Force off for distro compilers that enable stack protector by default.
- KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
-endif
-endif
-endif
-# Find arch-specific stack protector compiler sanity-checking script.
-ifdef stackp-name
-ifneq ($(stackp-flag),)
- stackp-path := $(srctree)/scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh
- stackp-check := $(wildcard $(stackp-path))
- # If the wildcard test matches a test script, run it to check functionality.
- ifdef stackp-check
- ifneq ($(shell $(CONFIG_SHELL) $(stackp-check) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y)
- stackp-broken := y
- endif
- endif
- ifndef stackp-broken
- # If the stack protector is functional, enable code that depends on it.
- KBUILD_CPPFLAGS += -DCONFIG_CC_STACKPROTECTOR
- # Either we've already detected the flag (for AUTO) or we'll fail the
- # build in the prepare-compiler-check rule (for specific flag).
- KBUILD_CFLAGS += $(stackp-flag)
- else
- # We have to make sure stack protector is unconditionally disabled if
- # the compiler is broken (in case we're going to continue the build in
- # AUTO mode).
- KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
- endif
-endif
-endif
+stackp-flags-$(CONFIG_CC_HAS_STACKPROTECTOR_NONE) := -fno-stack-protector
+stackp-flags-$(CONFIG_CC_STACKPROTECTOR) := -fstack-protector
+stackp-flags-$(CONFIG_CC_STACKPROTECTOR_STRONG) := -fstack-protector-strong
+
+KBUILD_CFLAGS += $(stackp-flags-y)
ifeq ($(cc-name),clang)
KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,)
@@ -1102,7 +1058,7 @@ endif
# prepare2 creates a makefile if using a separate output directory.
# From this point forward, .config has been reprocessed, so any rules
# that need to depend on updated CONFIG_* values can be checked here.
-prepare2: prepare3 prepare-compiler-check outputmakefile asm-generic
+prepare2: prepare3 outputmakefile asm-generic
prepare1: prepare2 $(version_h) $(autoksyms_h) include/generated/utsrelease.h \
include/config/auto.conf
@@ -1128,43 +1084,6 @@ uapi-asm-generic:
PHONY += prepare-objtool
prepare-objtool: $(objtool_target)
-# Check for CONFIG flags that require compiler support. Abort the build
-# after .config has been processed, but before the kernel build starts.
-#
-# For security-sensitive CONFIG options, we don't want to fallback and/or
-# silently change which compiler flags will be used, since that leads to
-# producing kernels with different security feature characteristics
-# depending on the compiler used. (For example, "But I selected
-# CC_STACKPROTECTOR_STRONG! Why did it build with _REGULAR?!")
-PHONY += prepare-compiler-check
-prepare-compiler-check: FORCE
-# Make sure compiler supports requested stack protector flag.
-ifdef stackp-name
- # Warn about CONFIG_CC_STACKPROTECTOR_AUTO having found no option.
- ifeq ($(stackp-flag),)
- @echo CONFIG_CC_STACKPROTECTOR_$(stackp-name): \
- Compiler does not support any known stack-protector >&2
- else
- # Fail if specifically requested stack protector is missing.
- ifeq ($(call cc-option, $(stackp-flag)),)
- @echo Cannot use CONFIG_CC_STACKPROTECTOR_$(stackp-name): \
- $(stackp-flag) not supported by compiler >&2 && exit 1
- endif
- endif
-endif
-# Make sure compiler does not have buggy stack-protector support. If a
-# specific stack-protector was requested, fail the build, otherwise warn.
-ifdef stackp-broken
- ifeq ($(stackp-name),AUTO)
- @echo CONFIG_CC_STACKPROTECTOR_$(stackp-name): \
- $(stackp-flag) available but compiler is broken: disabling >&2
- else
- @echo Cannot use CONFIG_CC_STACKPROTECTOR_$(stackp-name): \
- $(stackp-flag) available but compiler is broken >&2 && exit 1
- endif
-endif
- @:
-
# Generate some files
# ---------------------------------------------------------------------------
diff --git a/arch/Kconfig b/arch/Kconfig
index 75dd23a..1556ef4 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -539,13 +539,16 @@ config HAVE_CC_STACKPROTECTOR
bool
help
An arch should select this symbol if:
- - its compiler supports the -fstack-protector option
- it has implemented a stack canary (e.g. __stack_chk_guard)
-choice
- prompt "Stack Protector buffer overflow detection"
+config CC_HAS_STACKPROTECTOR_NONE
+ def_bool $(cc-option,-fno-stack-protector)
+
+config CC_STACKPROTECTOR
+ bool "Stack Protector buffer overflow detection"
depends on HAVE_CC_STACKPROTECTOR
- default CC_STACKPROTECTOR_AUTO
+ depends on $(cc-option,-fstack-protector)
+ default y
help
This option turns on the "stack-protector" GCC feature. This
feature puts, at the beginning of functions, a canary value on
@@ -555,14 +558,6 @@ choice
overwrite the canary, which gets detected and the attack is then
neutralized via a kernel panic.
-config CC_STACKPROTECTOR_NONE
- bool "None"
- help
- Disable "stack-protector" GCC feature.
-
-config CC_STACKPROTECTOR_REGULAR
- bool "Regular"
- help
Functions will have the stack-protector canary logic added if they
have an 8-byte or larger character array on the stack.
@@ -574,7 +569,10 @@ config CC_STACKPROTECTOR_REGULAR
by about 0.3%.
config CC_STACKPROTECTOR_STRONG
- bool "Strong"
+ bool "Strong Stack Protector"
+ depends on CC_STACKPROTECTOR
+ depends on $(cc-option,-fstack-protector-strong)
+ default y
help
Functions will have the stack-protector canary logic added in any
of the following conditions:
@@ -592,14 +590,6 @@ config CC_STACKPROTECTOR_STRONG
about 20% of all kernel functions, which increases the kernel code
size by about 2%.
-config CC_STACKPROTECTOR_AUTO
- bool "Automatic"
- help
- If the compiler supports it, the best available stack-protector
- option will be chosen.
-
-endchoice
-
config LD_DEAD_CODE_DATA_ELIMINATION
bool
help
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 2236505..9ab335f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -126,7 +126,7 @@ config X86
select HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD if X86_64
select HAVE_ARCH_VMAP_STACK if X86_64
select HAVE_ARCH_WITHIN_STACK_FRAMES
- select HAVE_CC_STACKPROTECTOR
+ select HAVE_CC_STACKPROTECTOR if CC_HAS_SANE_STACKPROTECTOR
select HAVE_CMPXCHG_DOUBLE
select HAVE_CMPXCHG_LOCAL
select HAVE_CONTEXT_TRACKING if X86_64
@@ -345,6 +345,15 @@ config PGTABLE_LEVELS
default 2
source "init/Kconfig"
+
+config CC_HAS_SANE_STACKPROTECTOR
+ bool
+ default $(success,$(srctree)/scripts/gcc-x86_64-has-stack-protector.sh $(CC)) if 64BIT
+ default $(success,$(srctree)/scripts/gcc-x86_32-has-stack-protector.sh $(CC))
+ help
+ We have to make sure stack protector is unconditionally disabled if
+ the compiler produces broken code.
+
source "kernel/Kconfig.freezer"
menu "Processor type and features"
diff --git a/scripts/gcc-x86_32-has-stack-protector.sh b/scripts/gcc-x86_32-has-stack-protector.sh
index 6b2aeef..f5c1194 100755
--- a/scripts/gcc-x86_32-has-stack-protector.sh
+++ b/scripts/gcc-x86_32-has-stack-protector.sh
@@ -1,9 +1,4 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
-echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -O0 -fstack-protector - -o - 2> /dev/null | grep -q "%gs"
-if [ "$?" -eq "0" ] ; then
- echo y
-else
- echo n
-fi
+echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -m32 -O0 -fstack-protector - -o - 2> /dev/null | grep -q "%gs"
diff --git a/scripts/gcc-x86_64-has-stack-protector.sh b/scripts/gcc-x86_64-has-stack-protector.sh
index 4a48bdc..3755af0 100755
--- a/scripts/gcc-x86_64-has-stack-protector.sh
+++ b/scripts/gcc-x86_64-has-stack-protector.sh
@@ -2,8 +2,3 @@
# SPDX-License-Identifier: GPL-2.0
echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -O0 -mcmodel=kernel -fno-PIE -fstack-protector - -o - 2> /dev/null | grep -q "%gs"
-if [ "$?" -eq "0" ] ; then
- echo y
-else
- echo n
-fi
--
2.7.4
next prev parent reply other threads:[~2018-05-28 9:25 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-28 9:21 [PATCH v5 00/31] kconfig: move compiler capability tests to Kconfig Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 01/31] kbuild: remove kbuild cache Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 02/31] kbuild: remove CONFIG_CROSS_COMPILE support Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 03/31] kconfig: reference environment variables directly and remove 'option env=' Masahiro Yamada
2018-06-08 17:53 ` [v5, " Andrei Vagin
2018-05-28 9:21 ` [PATCH v5 04/31] kconfig: remove string expansion in file_lookup() Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 05/31] kconfig: remove string expansion for mainmenu after yyparse() Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 06/31] kconfig: remove sym_expand_string_value() Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 07/31] kconfig: make default prompt of mainmenu less specific Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 08/31] kconfig: add built-in function support Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 09/31] kconfig: add 'shell' built-in function Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 10/31] kconfig: replace $(UNAME_RELEASE) with function call Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 11/31] kconfig: begin PARAM state only when seeing a command keyword Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 12/31] kconfig: support user-defined function and recursively expanded variable Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 13/31] kconfig: support simply " Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 14/31] kconfig: support append assignment operator Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 15/31] kconfig: expand lefthand side of assignment statement Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 16/31] kconfig: add 'info', 'warning-if', and 'error-if' built-in functions Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 17/31] kconfig: add 'filename' and 'lineno' built-in variables Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 18/31] kconfig: error out if a recursive variable references itself Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 19/31] Documentation: kconfig: document a new Kconfig macro language Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 20/31] kconfig: test: add Kconfig macro language tests Masahiro Yamada
2018-05-28 9:21 ` [PATCH v5 21/31] kconfig: show compiler version text in the top comment Masahiro Yamada
2018-06-07 8:42 ` Geert Uytterhoeven
2018-06-07 8:58 ` Masahiro Yamada
2018-06-08 7:04 ` Masahiro Yamada
2018-06-08 8:22 ` Geert Uytterhoeven
2018-05-28 9:21 ` [PATCH v5 22/31] kconfig: add basic helper macros to scripts/Kconfig.include Masahiro Yamada
2018-05-28 9:22 ` Masahiro Yamada [this message]
2018-05-28 9:22 ` [PATCH v5 24/31] kconfig: add CC_IS_GCC and GCC_VERSION Masahiro Yamada
2018-06-04 21:49 ` Stefan Agner
2018-06-05 0:07 ` Masahiro Yamada
2018-06-05 5:50 ` Stefan Agner
2018-06-05 6:27 ` Masahiro Yamada
2018-06-05 8:37 ` Stefan Agner
2018-05-28 9:22 ` [PATCH v5 25/31] kconfig: add CC_IS_CLANG and CLANG_VERSION Masahiro Yamada
2018-05-28 9:22 ` [PATCH v5 26/31] gcov: remove CONFIG_GCOV_FORMAT_AUTODETECT Masahiro Yamada
2018-05-28 9:22 ` [PATCH v5 27/31] kcov: test compiler capability in Kconfig and correct dependency Masahiro Yamada
2018-06-10 14:19 ` Masahiro Yamada
2018-05-28 9:22 ` [PATCH v5 28/31] gcc-plugins: move GCC version check for PowerPC to Kconfig Masahiro Yamada
2018-05-28 9:22 ` [PATCH v5 29/31] gcc-plugins: test plugin support in Kconfig and clean up Makefile Masahiro Yamada
2018-05-28 9:22 ` [PATCH v5 30/31] gcc-plugins: allow to enable GCC_PLUGINS for COMPILE_TEST Masahiro Yamada
2018-05-28 9:22 ` [PATCH v5 31/31] Documentation: kconfig: add recommended way to describe compiler support Masahiro Yamada
2018-05-28 12:23 ` [PATCH v5 00/31] kconfig: move compiler capability tests to Kconfig Masahiro Yamada
2018-05-30 0:38 ` Masahiro Yamada
2018-06-01 8:31 ` Arnd Bergmann
2018-06-01 10:29 ` Masahiro Yamada
2018-06-01 11:09 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1527499328-13213-24-git-send-email-yamada.masahiro@socionext.com \
--to=yamada.masahiro@socionext.com \
--cc=keescook@chromium.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=npiggin@gmail.com \
--cc=rdunlap@infradead.org \
--cc=sam@ravnborg.org \
--cc=torvalds@linux-foundation.org \
--cc=ulfalizer@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.