From: Masahiro Yamada <yamada.masahiro@socionext.com>
To: Kees Cook <keescook@chromium.org>
Cc: Ulf Magnusson <ulfalizer@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Nicolas Pitre <nicolas.pitre@linaro.org>,
"Luis R . Rodriguez" <mcgrof@suse.com>,
Randy Dunlap <rdunlap@infradead.org>,
Sam Ravnborg <sam@ravnborg.org>,
Michal Marek <michal.lkml@markovi.net>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Pavel Machek <pavel@ucw.cz>,
linux-s390 <linux-s390@vger.kernel.org>,
Jiri Kosina <jkosina@suse.cz>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Tejun Heo <tj@kernel.org>, Ingo Molnar <mingo@kernel.org>,
"Van De Ven, Arjan" <arjan.van.de.ven@intel.com>
Subject: Re: [RFC PATCH 4/7] kconfig: support new special property shell=
Date: Tue, 13 Feb 2018 01:10:34 +0900 [thread overview]
Message-ID: <CAK7LNASLW+XXqFphu+nYsqcBux-jBqyDW9T=-N5udbOcJ3=zmA@mail.gmail.com> (raw)
In-Reply-To: <CAGXu5jJJEApa6qUS1-AZvt2RaSUDjUhV5Ysjs2mdy_KrwMkiUQ@mail.gmail.com>
2018-02-13 0:46 GMT+09:00 Kees Cook <keescook@chromium.org>:
> On Mon, Feb 12, 2018 at 2:44 AM, Masahiro Yamada
> <yamada.masahiro@socionext.com> wrote:
>> Linus said:
>>
>>> But yes, I also reacted to your earlier " It can't silently rewrite it
>>> to _REGULAR because the compiler support for _STRONG regressed."
>>> Because it damn well can. If the compiler doesn't support
>>> -fstack-protector-strong, we can just fall back on -fstack-protector.
>>> Silently. No extra crazy complex logic for that either.
>>
>>
>> If I understood his comment correctly,
>> we do not need either WANT_* or _AUTO.
>>
>>
>> Kees' comment:
>>
>>> In the stack-protector case, this becomes quite important, since the
>>> goal is to record the user's selection regardless of compiler
>>> capability. For example, if someone selects _REGULAR, it shouldn't
>>> "upgrade" to _STRONG. (Similarly for _NONE.)
>>
>> No. Kconfig will not do this silently.
>>
>> "make oldconfig" (or "make silentoldconfig" as well)
>> always ask users about new symbols.
>
> The case I want to make sure can never happen is to have a config
> setting that ends up not actually being true. For example, if
> CONFIG_CC_STACKPROTECTOR appears in /proc/config.gz but the kernel
> wasn't actually built with a stack protector, that's bad. We end up in
> a place where the user can't trust the config to represent the actual
> results of the build.
>
> So, as long as the Kconfig options are strongly tied to the compiler
> capabilities, we're good on that front.
>
>> So, I can suggest to remove _REGULAR and _NONE.
>>
>> We have just two bool options, like follows.
>>
>> ------------------->8-----------------
>> config CC_STACKPROTECTOR
>> bool "Use stack protector"
>> depends on CC_HAS_STACKPROTECTOR
>>
>> config CC_STACKPROTECTOR_STRONG
>> bool "Use strong strong stack protector"
>> depends on CC_STACKPROTECTOR
>> depends on CC_HAS_STACKPROTECTOR_STRONG
>> -------------------->8------------------
>>
>> This will work well for all{yes,mod,no}config.
>
> This two-option arrangement is fine (though it assumes there won't be
> another stack protector option in the future).
>
> The issue I have is this removes _AUTO, which I think can be solved in
> the two-option arrangement too. The purpose of _AUTO is to effectively
> enable stack-protector by default. As this option has been available
> for over 10 years, and all distros enable it, it's an obvious
> candidate to be enabled-by-default, especially since it kills a class
> of exploits (as mentioned in my commit log: BlueBorne was trivially
> defeated with stack-protector). So it should be possible to make these
> two options "default y", yes?
Yes.
Both should be "default y" to keep the equivalent behavior
since the current default is _AUTO.
>> We will not have a case where
>> -fstack-protector-strong is supported, but -fstack-protector is not.
>
> Correct.
>
> -Kees
>
> --
> Kees Cook
> Pixel Security
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Best Regards
Masahiro Yamada
next prev parent reply other threads:[~2018-02-12 16:10 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-08 16:19 [RFC PATCH 0/7] Kconfig: add new special property shell= to test compiler options in Kconfig Masahiro Yamada
2018-02-08 16:19 ` [RFC PATCH 1/7] kbuild: remove kbuild cache Masahiro Yamada
2018-02-08 16:19 ` [RFC PATCH 2/7] kconfig: add xrealloc() helper Masahiro Yamada
2018-02-08 16:19 ` [RFC PATCH 3/7] kconfig: remove const qualifier from sym_expand_string_value() Masahiro Yamada
2018-02-08 16:19 ` [RFC PATCH 4/7] kconfig: support new special property shell= Masahiro Yamada
2018-02-09 5:30 ` Ulf Magnusson
2018-02-09 9:19 ` Masahiro Yamada
2018-02-09 12:46 ` Ulf Magnusson
2018-02-09 20:46 ` Kees Cook
2018-02-10 5:48 ` Ulf Magnusson
2018-02-10 7:12 ` Masahiro Yamada
2018-02-10 7:49 ` Ulf Magnusson
2018-02-10 8:05 ` Ulf Magnusson
2018-02-10 8:55 ` Ulf Magnusson
2018-02-10 9:21 ` Ulf Magnusson
2018-02-10 18:05 ` Randy Dunlap
2018-02-11 2:00 ` Kevin Easton
2018-02-10 19:23 ` Kees Cook
2018-02-10 20:08 ` Linus Torvalds
2018-02-11 4:13 ` Kees Cook
2018-02-11 4:46 ` Linus Torvalds
2018-02-11 7:28 ` Linus Torvalds
2018-02-11 10:34 ` Ulf Magnusson
2018-02-11 17:56 ` Kees Cook
2018-02-11 18:13 ` Linus Torvalds
2018-02-11 19:39 ` Kees Cook
2018-02-11 19:53 ` Linus Torvalds
2018-02-11 20:06 ` Linus Torvalds
2018-02-11 21:10 ` Arnd Bergmann
2018-02-11 21:19 ` Kees Cook
2018-02-11 21:50 ` Linus Torvalds
2018-02-12 10:44 ` Arnd Bergmann
2018-02-12 10:44 ` Arnd Bergmann
2018-02-11 22:29 ` Geert Uytterhoeven
2018-02-15 23:38 ` [RFC PATCH 4/7] kconfig: support new special property shell Palmer Dabbelt
2018-02-11 21:11 ` [RFC PATCH 4/7] kconfig: support new special property shell= Kees Cook
2018-02-11 19:42 ` Linus Torvalds
2018-02-12 8:26 ` Peter Zijlstra
2018-02-12 10:27 ` Thomas Gleixner
2018-02-12 11:52 ` Peter Zijlstra
2018-02-12 16:19 ` David Woodhouse
2018-02-12 16:19 ` David Woodhouse
2018-02-12 16:56 ` Kees Cook
2018-02-12 17:05 ` Peter Zijlstra
2018-02-12 17:33 ` Kees Cook
2018-02-12 17:36 ` David Woodhouse
2018-02-12 17:36 ` David Woodhouse
2018-02-12 17:37 ` Kees Cook
2018-02-12 17:00 ` Peter Zijlstra
2018-02-11 18:34 ` Ulf Magnusson
2018-02-11 21:05 ` Kees Cook
2018-02-11 21:35 ` Ulf Magnusson
2018-02-11 20:29 ` Ulf Magnusson
2018-02-11 20:42 ` Ulf Magnusson
2018-02-12 12:54 ` Ulf Magnusson
2018-02-12 14:21 ` Masahiro Yamada
2018-02-12 14:23 ` Masahiro Yamada
2018-02-12 14:32 ` Ulf Magnusson
2018-02-12 14:29 ` Ulf Magnusson
2018-02-12 14:53 ` Ulf Magnusson
2018-02-12 15:22 ` Masahiro Yamada
2018-02-12 15:35 ` Ulf Magnusson
2018-02-11 21:22 ` Ulf Magnusson
2018-02-12 14:39 ` Masahiro Yamada
2018-02-12 15:24 ` Kees Cook
2018-02-12 23:48 ` Randy Dunlap
2018-02-13 1:41 ` Masahiro Yamada
2018-02-13 1:53 ` Randy Dunlap
2018-02-13 8:35 ` Arnd Bergmann
2018-02-13 8:59 ` Masahiro Yamada
2018-02-12 10:44 ` Masahiro Yamada
2018-02-12 11:44 ` Ulf Magnusson
2018-02-12 11:49 ` Ulf Magnusson
2018-02-12 13:53 ` Masahiro Yamada
2018-02-12 14:13 ` Ulf Magnusson
2018-02-12 15:46 ` Kees Cook
2018-02-12 16:10 ` Masahiro Yamada [this message]
2018-02-13 8:55 ` Ulf Magnusson
2018-02-11 16:54 ` Kees Cook
2018-02-08 16:19 ` [RFC PATCH 5/7] kconfig: invoke silentoldconfig when compiler is updated Masahiro Yamada
2018-02-08 17:19 ` Masahiro Yamada
2018-02-08 17:45 ` Linus Torvalds
2018-02-08 16:19 ` [RFC PATCH 6/7] kconfig: add basic environments to evaluate C flags in Kconfig Masahiro Yamada
2018-02-08 16:19 ` [RFC PATCH 7/7] Test stackprotector options in Kconfig to kill CC_STACKPROTECTOR_AUTO Masahiro Yamada
2018-02-08 18:30 ` Kees Cook
2018-02-09 4:13 ` Masahiro Yamada
2018-02-08 16:43 ` [RFC PATCH 0/7] Kconfig: add new special property shell= to test compiler options in Kconfig Greg Kroah-Hartman
2018-02-08 17:19 ` Linus Torvalds
2018-02-08 17:39 ` Masahiro Yamada
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAK7LNASLW+XXqFphu+nYsqcBux-jBqyDW9T=-N5udbOcJ3=zmA@mail.gmail.com' \
--to=yamada.masahiro@socionext.com \
--cc=akpm@linux-foundation.org \
--cc=arjan.van.de.ven@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=michal.lkml@markovi.net \
--cc=mingo@kernel.org \
--cc=nicolas.pitre@linaro.org \
--cc=pavel@ucw.cz \
--cc=rdunlap@infradead.org \
--cc=sam@ravnborg.org \
--cc=schwidefsky@de.ibm.com \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=ulfalizer@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.