All of lore.kernel.org
 help / color / mirror / Atom feed
From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
To: Daniel Axtens <dja@axtens.net>,
	Daniel Micay <danielmicay@gmail.com>,
	Kees Cook <keescook@chromium.org>,
	kernel-hardening@lists.openwall.com,
	linuxppc-dev@lists.ozlabs.org
Subject: Re: [kernel-hardening] [PATCH] add the option of fortified string.h functions
Date: Tue, 9 May 2017 16:24:05 +1000	[thread overview]
Message-ID: <fef51372-8c0c-0a9d-7e33-b4862f70885b@au1.ibm.com> (raw)
In-Reply-To: <20170508175723.448CCAC043@b01ledav006.gho.pok.ibm.com>

On 09/05/17 03:57, Daniel Axtens wrote:
> (ppc people: this does some compile and run time bounds checking on
> string functions. It's cool - currently it picks up a lot of random
> things so it will require some more work across the tree, but hopefully
> it will eventually hit mainline.)

Ooh, nice!

>
> I've tested this on ppc with pseries_le_defconfig.
>
> I needed a couple of the fixes from github
> (https://github.com/thestinger/linux-hardened/commits/4.11) in order to
> build, specifically
> https://github.com/thestinger/linux-hardened/commit/c65d6a6f309b06703584a23ac2b2bda4bb363143
> https://github.com/thestinger/linux-hardened/commit/adcec4756574a8c7f7cb5b6fa51ebeaeeae71aae
>
> Once those were added, I needed to disable fortification in prom_init.c,
> as we apparently can't have new symbols there. (I don't understand that
> file so I haven't dug into it.)
>
> We also have problems with the feature fixup tests leading to a panic on
> boot. It relates to getting what I think are asm labels(?) and how we
> address them. I have just disabled fortify here for now; I think the
> code could be rewritten to take the labels as unsigned char *, but I
> haven't dug into it.
>
> With the following fixups, I can boot a LE buildroot initrd (per
> https://github.com/linuxppc/linux/wiki/Booting-with-Qemu). Sadly I don't
> have access to real hardware any more, so I can't say anything more than
> that. (ajd - perhaps relevant to your interests?)

I'll test it baremetal when I get the chance, and I'll see if I can 
investigate the issues you've raised.

-- 
Andrew Donnellan              OzLabs, ADL Canberra
andrew.donnellan@au1.ibm.com  IBM Australia Limited

      parent reply	other threads:[~2017-05-09  6:25 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-04 14:24 [kernel-hardening] [PATCH] add the option of fortified string.h functions Daniel Micay
2017-05-04 14:51 ` [kernel-hardening] " Daniel Micay
2017-05-04 15:48 ` [kernel-hardening] " Mark Rutland
2017-05-04 17:49   ` Daniel Micay
2017-05-04 18:09     ` Mark Rutland
2017-05-04 19:03       ` Daniel Micay
2017-05-05 10:38       ` Mark Rutland
2017-05-05 10:52         ` Mark Rutland
2017-05-05 13:44           ` Kees Cook
2017-05-05 17:38         ` Daniel Micay
2017-05-08 11:41           ` Mark Rutland
2017-05-08 16:08             ` Daniel Micay
2017-05-09 20:39         ` Kees Cook
2017-05-09 23:02           ` Daniel Micay
2017-05-10 11:12           ` Mark Rutland
2017-05-05 16:42 ` Kees Cook
2017-05-05 16:42   ` [kernel-hardening] " Kees Cook
2017-05-06  2:12 ` Kees Cook
2017-05-08 17:57 ` [kernel-hardening] " Daniel Axtens
2017-05-08 17:57   ` Daniel Axtens
2017-05-08 20:50   ` Daniel Micay
2017-05-08 21:53     ` Kees Cook
2017-05-10 12:00   ` Michael Ellerman
2017-05-10 12:00     ` Michael Ellerman
     [not found] ` <20170508175723.448CCAC043@b01ledav006.gho.pok.ibm.com>
2017-05-09  6:24   ` Andrew Donnellan [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=fef51372-8c0c-0a9d-7e33-b4862f70885b@au1.ibm.com \
    --to=andrew.donnellan@au1.ibm.com \
    --cc=danielmicay@gmail.com \
    --cc=dja@axtens.net \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linuxppc-dev@lists.ozlabs.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.