From: Nick Desaulniers <ndesaulniers@google.com>
To: Masahiro Yamada <masahiroy@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>
Cc: Fangrui Song <maskray@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Nick Clifton <nickc@redhat.com>,
axboe@kernel.dk, brijesh.singh@amd.com, hpa@zytor.com,
kirill.shutemov@linux.intel.com, linux-kernel@vger.kernel.org,
llvm@lists.linux.dev, michael.roth@amd.com, n.schier@avm.de,
nathan@kernel.org, sathyanarayanan.kuppuswamy@linux.intel.com,
trix@redhat.com, x86@kernel.org,
Nick Desaulniers <ndesaulniers@google.com>,
Michal Marek <michal.lkml@markovi.net>,
linux-kbuild@vger.kernel.org
Subject: [PATCH v2 1/2] Makefile: link with -z noexecstack --no-warn-rwx-segments
Date: Wed, 10 Aug 2022 15:24:40 -0700
Message-ID: <20220810222442.2296651-1-ndesaulniers@google.com>
In-Reply-To: <20220809013653.xtmeekefwkbo46vk@google.com>
Users of GNU ld (BFD) from binutils 2.39+ will observe multiple
instances of a new warning when linking kernels in the form:

  ld: warning: vmlinux: missing .note.GNU-stack section implies executable stack
  ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
  ld: warning: vmlinux has a LOAD segment with RWX permissions

Generally, we would like to avoid the stack being executable. Because
there could be a need for the stack to be executable, assembler sources
have to opt-in to this security feature via explicit creation of the
.note.GNU-stack feature (which compilers create by default) or command
line flag --noexecstack. Or we can simply tell the linker the production
of such sections is irrelevant and to link the stack as --noexecstack.

LLVM's LLD linker defaults to -z noexecstack, so this flag isn't
strictly necessary when linking with LLD, only BFD, but it doesn't hurt
to be explicit here for all linkers IMO. --no-warn-rwx-segments is
currently BFD specific and only available in the current latest release,
so it's wrapped in an ld-option check.

While the kernel makes extensive usage of ELF sections, it doesn't use
permissions from ELF segments.

Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/
Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
Link: https://github.com/llvm/llvm-project/issues/57009
Reported-by: Jens Axboe <axboe@kernel.dk>
Suggested-by: Fangrui Song <maskray@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
---
Makefile | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Makefile b/Makefile
index dc6295f91263..230e6e7679f9 100644
--- a/Makefile
+++ b/Makefile
@@ -1033,6 +1033,11 @@ KBUILD_CFLAGS += $(KCFLAGS)
KBUILD_LDFLAGS_MODULE += --build-id=sha1
LDFLAGS_vmlinux += --build-id=sha1
+KBUILD_LDFLAGS += -z noexecstack
+ifeq ($(CONFIG_LD_IS_BFD),y)
+KBUILD_LDFLAGS += $(call ld-option,--no-warn-rwx-segments)
+endif
+
ifeq ($(CONFIG_STRIP_ASM_SYMS),y)
LDFLAGS_vmlinux += $(call ld-option, -X,)
endif
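Review bot: The added `KBUILD_LDFLAGS += $(call ld-option,--no-warn-rwx-segments)` silences the RWX LOAD segment warning for every link that uses KBUILD_LDFLAGS, yet the Makefile itself gives no reason why that is acceptable; the justification (the kernel does not use permissions from ELF segments) is only in the commit message. Please add a short comment above the `ifeq ($(CONFIG_LD_IS_BFD),y)` block stating that, and that `-z noexecstack` is passed explicitly because BFD otherwise infers an executable stack from inputs lacking .note.GNU-stack. Minor: `ld-option` already probes the linker for the flag, so the `CONFIG_LD_IS_BFD` guard only avoids that probe on other linkers; it is worth saying in the same comment that this is intentional.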
--
2.37.1.559.g78731f0fdb-goog
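
The two properties the warnings in the commit message refer to can be checked on a linked binary by reading its program headers: the flags of PT_GNU_STACK carry the stack permission that -z noexecstack controls, and a PT_LOAD with read, write and execute all set is what the RWX-segments warning reports. The following is an added example, not part of the patch or of the kernel tree; it handles ELF64 little-endian only, and the function names and the sample images are constructed for illustration.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
RWX = PF_R | PF_W | PF_X
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, little-endian


def audit_segments(image: bytes) -> dict:
    """Report stack executability and RWX LOAD segments of an ELF64 LE image."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    fields = EHDR.unpack_from(image)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    if phnum and (phentsize < PHDR.size or phoff + phnum * phentsize > len(image)):
        raise ValueError("program header table is truncated")
    stack, rwx = "missing", []          # "missing": no PT_GNU_STACK header at all
    for i in range(phnum):
        p_type, p_flags = PHDR.unpack_from(image, phoff + i * phentsize)[:2]
        if p_type == PT_GNU_STACK:
            stack = "exec" if p_flags & PF_X else "noexec"
        elif p_type == PT_LOAD and (p_flags & RWX) == RWX:
            rwx.append(i)               # index of the offending program header
    return {"stack": stack, "rwx_load": rwx}


def build_image(segments):
    """Constructed sample: an ELF64 header plus program headers, no contents."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)


# Constructed inputs, not taken from any real vmlinux.
FLAGGED = build_image([(PT_LOAD, RWX), (PT_GNU_STACK, RWX)])
CLEAN = build_image([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                     (PT_GNU_STACK, PF_R | PF_W)])

if __name__ == "__main__":
    for name, image in (("FLAGGED", FLAGGED), ("CLEAN", CLEAN)):
        print(name, audit_segments(image))
```

To audit a real file, pass its bytes: `audit_segments(open(path, "rb").read())`.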