Hi Linus,

Please pull these Control Flow Integrity updates for v6.1-rc1. As this
touches treewide things, arm64, and x86, I carried this tree instead of
it living in -tip, etc. This replaces the more fragile Clang CFI with
the new Clang KCFI that has been designed specifically for the Linux
kernel. GCC support is expected[1] in the future.

3 expected conflicts are minimal:

- arm64: https://lore.kernel.org/linux-next/[email protected]/

- bpf-next: https://lore.kernel.org/linux-next/[email protected]/
  Note that the above fix actually has a typo: the ")) ||" should be
  ") ||", which was later fixed in linux-next.

- arm64-fixes: https://lore.kernel.org/linux-next/[email protected]/
  The conflicting commit in arm64-fixes is needed for a bug in the older
  Clang CFI support. Merging arm64-fixes first may help resolve this
  one in a way that is easier for -stable to consume (i.e. arm64-fixes
  CFI fix lands, then the kcfi tree removes the block entirely), but
  the CFI fix could also just be sent directly to -stable if
  anything goes wrong.

Thanks!

-Kees

[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107048

The following changes since commit 7e18e42e4b280c85b76967a9106a13ca61c16179:

  Linux 6.0-rc4 (2022-09-04 13:10:01 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/kcfi-v6.1-rc1

for you to fetch changes up to 3c516f89e17e56b4738f05588e51267e295b5e63:

  x86: Add support for CONFIG_CFI_CLANG (2022-09-26 10:13:16 -0700)

----------------------------------------------------------------
kcfi updates for v6.1-rc1

This replaces the prior support for Clang's standard Control Flow
Integrity (CFI) instrumentation, which has required a lot of special
conditions (e.g. LTO) and work-arounds. The current implementation
("Kernel CFI") is specific to C, directly designed for the Linux kernel,
and takes advantage of architectural features like x86's IBT. This
series retains arm64 support and adds x86 support. Additional "generic"
architectural support is expected soon:
https://github.com/samitolvanen/llvm-project/commits/kcfi_generic

- treewide: Remove old CFI support details

- arm64: Replace Clang CFI support with Clang KCFI support

- x86: Introduce Clang KCFI support

----------------------------------------------------------------
Sami Tolvanen (22):
      treewide: Filter out CC_FLAGS_CFI
      scripts/kallsyms: Ignore __kcfi_typeid_
      cfi: Remove CONFIG_CFI_CLANG_SHADOW
      cfi: Drop __CFI_ADDRESSABLE
      cfi: Switch to -fsanitize=kcfi
      cfi: Add type helper macros
      lkdtm: Emit an indirect call for CFI tests
      psci: Fix the function type for psci_initcall_t
      arm64: Add types to indirect called assembly functions
      arm64: Add CFI error handling
      arm64: Drop unneeded __nocfi attributes
      init: Drop __nocfi from __init
      treewide: Drop function_nocfi
      treewide: Drop WARN_ON_FUNCTION_MISMATCH
      treewide: Drop __cficanonical
      objtool: Preserve special st_shndx indexes in elf_update_symbol
      objtool: Disable CFI warnings
      kallsyms: Drop CONFIG_CFI_CLANG workarounds
      x86/tools/relocs: Ignore __kcfi_typeid_ relocations
      x86: Add types to indirectly called assembly functions
      x86/purgatory: Disable CFI
      x86: Add support for CONFIG_CFI_CLANG

Makefile | 13 +-
arch/Kconfig | 18 +-
arch/arm64/crypto/ghash-ce-core.S | 5 +-
arch/arm64/crypto/sm3-ce-core.S | 3 +-
arch/arm64/include/asm/brk-imm.h | 6 +
arch/arm64/include/asm/ftrace.h | 2 +-
arch/arm64/include/asm/linkage.h | 4 +
arch/arm64/include/asm/mmu_context.h | 4 +-
arch/arm64/kernel/acpi_parking_protocol.c | 2 +-
arch/arm64/kernel/alternative.c | 2 +-
arch/arm64/kernel/cpu-reset.S | 5 +-
arch/arm64/kernel/cpufeature.c | 4 +-
arch/arm64/kernel/ftrace.c | 2 +-
arch/arm64/kernel/machine_kexec.c | 2 +-
arch/arm64/kernel/psci.c | 2 +-
arch/arm64/kernel/smp_spin_table.c | 2 +-
arch/arm64/kernel/traps.c | 47 +++-
arch/arm64/kernel/vdso/Makefile | 3 +-
arch/arm64/mm/proc.S | 5 +-
arch/x86/Kconfig | 2 +
arch/x86/crypto/blowfish-x86_64-asm_64.S | 5 +-
arch/x86/entry/vdso/Makefile | 3 +-
arch/x86/include/asm/cfi.h | 22 ++
arch/x86/include/asm/linkage.h | 12 +
arch/x86/kernel/Makefile | 2 +
arch/x86/kernel/cfi.c | 86 ++++++++
arch/x86/kernel/traps.c | 4 +-
arch/x86/lib/memcpy_64.S | 3 +-
arch/x86/purgatory/Makefile | 4 +
arch/x86/tools/relocs.c | 1 +
drivers/firmware/efi/libstub/Makefile | 2 +
drivers/firmware/psci/psci.c | 12 +-
drivers/misc/lkdtm/cfi.c | 15 +-
drivers/misc/lkdtm/usercopy.c | 2 +-
include/asm-generic/bug.h | 16 --
include/asm-generic/vmlinux.lds.h | 37 ++--
include/linux/cfi.h | 59 ++---
include/linux/cfi_types.h | 45 ++++
include/linux/compiler-clang.h | 14 +-
include/linux/compiler.h | 16 +-
include/linux/compiler_types.h | 4 -
include/linux/init.h | 6 +-
include/linux/module.h | 10 +-
include/linux/pci.h | 4 +-
kernel/cfi.c | 352 +++++-------------------------
kernel/kallsyms.c | 17 --
kernel/kthread.c | 3 +-
kernel/module/main.c | 50 +----
kernel/workqueue.c | 2 +-
scripts/kallsyms.c | 1 +
scripts/module.lds.S | 23 +-
tools/objtool/check.c | 7 +-
tools/objtool/elf.c | 7 +-
53 files changed, 425 insertions(+), 554 deletions(-)
create mode 100644 arch/x86/include/asm/cfi.h
create mode 100644 arch/x86/kernel/cfi.c
create mode 100644 include/linux/cfi_types.h
--
Kees Cook
On Sat, Oct 1, 2022 at 6:36 PM Kees Cook <[email protected]> wrote:
>
> Hi Linus,
>
> Please pull these Control Flow Integrity updates for v6.1-rc1. As this
> touches treewide things, arm64, and x86, I carried this tree instead of
> it living in -tip, etc. This replaces the more fragile Clang CFI with
> the new Clang KCFI that has been designed specifically for the Linux
> kernel. GCC support is expected[1] in the future.
>
> 3 expected conflicts are minimal:
>
> - arm64: https://lore.kernel.org/linux-next/[email protected]/
>
> - bpf-next: https://lore.kernel.org/linux-next/[email protected]/
> Note that the above fix actually has a typo: the ")) ||" should be
> ") ||", which was later fixed in linux-next.
>
> - arm64-fixes: https://lore.kernel.org/linux-next/[email protected]/
> The conflicting commit in arm64-fixes is needed for a bug in the older
> Clang CFI support. Merging arm64-fixes first may help resolve this
> one in a way that is easier for -stable to consume (i.e. arm64-fixes
> CFI fix lands, then the kcfi tree removes the block entirely), but
> the CFI fix could also just be sent directly to -stable if
> anything goes wrong.
>

I checked my long list of logs, journals and self-made Linux (Debian)
packages in my Clang-CFI / KCFI testing.

My first email to Sami was (in private):

[Clang-ThinLTO][Clang-CFI] "[PATCH] x86/asm: Replace __force_order with memory clobber"
Aug 25, 2020, 7:30 PM

My first tryouts were with Linux v5.9-rc1 and LLVM-11:

# grep cfi packages_*.txt | egrep 'llvm|clang' | sort | head -10
packages_0612.txt:ii linux-image-5.9.0-rc1-12-amd64-llvm11-cfi 5.9.0~rc1-12~bullseye+dileks1
...
packages_0625.txt:ii linux-image-5.9.0-rc2-4-amd64-llvm11-cfi 5.9.0~rc2-4~bullseye+dileks1
...

# LC_ALL=C ll packages_0612.txt packages_0625.txt
-rw-r--r-- 1 root root 95K Aug 23 2020 packages_0612.txt
-rw-r--r-- 1 root root 96K Aug 26 2020 packages_0625.txt

My first HOORAY was with a self-made
linux-image-5.9.0-rc2-4-amd64-llvm11-cfi on 26-Aug-2020 - on bare
metal, of course.

Two years ago.

Today, we have Linux v6.0 FINAL and LLVM-15.0.2 coming ([1] has a KCFI
Git for LLVM-15)...

Time goes by so quickly...

Thanks to Sami and the LLVM/Clang maintainers and community!

-Sedat-

[1] https://github.com/samitolvanen/llvm-project/commits/15.x/kcfi

The pull request you sent on Sat, 1 Oct 2022 09:36:06 -0700:

> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/kcfi-v6.1-rc1

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/865dad2022c52ac6c5c9a87c5cec78a69f633fb6

Thank you!

--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html