Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752619AbbFJMHL (ORCPT ); Wed, 10 Jun 2015 08:07:11 -0400 Received: from mx1.redhat.com ([209.132.183.28]:44653 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752109AbbFJMHE (ORCPT ); Wed, 10 Jun 2015 08:07:04 -0400 From: Josh Poimboeuf To: Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" Cc: Michal Marek , Peter Zijlstra , Andy Lutomirski , Borislav Petkov , Linus Torvalds , Andi Kleen , x86@kernel.org, live-patching@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v5 00/10] x86/asm: Compile-time asm code validation Date: Wed, 10 Jun 2015 07:06:08 -0500 Message-Id: Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 5753 Lines: 137 The previous version of this patch set was named "Compile-time stack frame pointer validation". I changed the subject from "frame pointer validation" to "asm code validation" because the focus of the patch set has changed to be less frame pointer-focused and more asm-focused. I also renamed the tool to asmvalidate (it was previously called stackvalidate) and basically rewrote most of the code. The goal of asm validation is to enforce sane rules on asm code: all callable asm functions must be self-contained and properly annotated. Some of the benefits are: - Frame pointers are more reliable. - DWARF CFI metadata can be autogenerated (coming soon). - The asm code becomes less like spaghetti, more like C, and easier to comprehend. The asmvalidate tool runs on every compiled .S file, and enforces the following rules: 1. Each callable function must be annotated with the ELF STT_FUNC type. This is typically done using the existing ENTRY/ENDPROC macros. If asmvalidate finds a return instruction outside of a function, it flags an error, since that usually indicates callable code which should be annotated accordingly. 2. Each callable function must never leave its own bounds (i.e. with a jump to outside the function) except when returning. 3. Each callable non-leaf function must have frame pointer logic (if required by CONFIG_FRAME_POINTER or the architecture's back chain rules). This should by done by the FP_SAVE/FP_RESTORE macros. It currently only supports x86_64, but the code is generic and designed for it to be easy to plug in support for other architectures. There are still a lot of outstanding warnings (which I'll paste as a reply to this email). Once those are all cleaned up, we can change the warnings to build errors and change the default to CONFIG_ASM_VALIDATION=y so the asm code stays clean. The first patch adds some frame pointer macros. The second patch adds asmvalidate support. The rest of the patches have fixes for (some of) the reported warnings. These patches are based on tip/master. [1] http://lkml.kernel.org/r/cover.1423499826.git.jpoimboe@redhat.com v5: - stackvalidate -> asmvalidate - frame pointers only required for non-leaf functions - check for the use of the FP_SAVE/RESTORE macros instead of manually analyzing code to detect frame pointer usage - additional checks to ensure each function doesn't leave its boundaries - make the macros simpler and more flexible - support for analyzing ALTERNATIVE macros - simplified the arch interfaces in scripts/asmvalidate/arch.h - fixed some asmvalidate warnings - rebased onto latest tip asm cleanups - many more small changes v4: - Changed the default to CONFIG_STACK_VALIDATION=n, until all the asm code can get cleaned up. - Fixed a stackvalidate error path exit code issue found by Michal Marek. v3: - Added a patch to make the push/pop CFI macros arch-independent, as suggested by H. Peter Anvin v2: - Fixed memory leaks reported by Petr Mladek Josh Poimboeuf (10): x86/asm: Add FP_SAVE/RESTORE frame pointer macros x86: Compile-time asm code validation x86/asm/entry: Fix asmvalidate warnings for entry_64_compat.S x86/asm/crypto: Fix asmvalidate warnings for aesni-intel_asm.S x86/asm/crypto: Fix asmvalidate warnings for ghash-clmulni-intel_asm.S x86/asm/efi: Fix asmvalidate warnings for efi_stub_64.S x86/asm/acpi: Fix asmvalidate warnings for wakeup_64.S x86/asm/head: Fix asmvalidate warnings for head_64.S x86/asm/lib: Fix asmvalidate warnings for lib functions x86/asm/lib: Fix asmvalidate warnings for rwsem.S MAINTAINERS | 6 + arch/Kconfig | 3 + arch/x86/Kconfig | 1 + arch/x86/Makefile | 6 +- arch/x86/crypto/aesni-intel_asm.S | 19 ++ arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/entry/entry_64_compat.S | 35 +-- arch/x86/include/asm/func.h | 62 ++++++ arch/x86/kernel/acpi/wakeup_64.S | 13 +- arch/x86/kernel/head_64.S | 7 +- arch/x86/lib/clear_page_64.S | 9 +- arch/x86/lib/copy_page_64.S | 5 +- arch/x86/lib/memcpy_64.S | 10 +- arch/x86/lib/memset_64.S | 10 +- arch/x86/lib/rwsem.S | 11 +- arch/x86/platform/efi/efi_stub_64.S | 3 + lib/Kconfig.debug | 21 ++ scripts/Makefile | 1 + scripts/Makefile.build | 23 +- scripts/asmvalidate/Makefile | 17 ++ scripts/asmvalidate/arch-x86.c | 283 ++++++++++++++++++++++++ scripts/asmvalidate/arch.h | 40 ++++ scripts/asmvalidate/asmvalidate.c | 324 +++++++++++++++++++++++++++ scripts/asmvalidate/elf.c | 354 ++++++++++++++++++++++++++++++ scripts/asmvalidate/elf.h | 74 +++++++ scripts/asmvalidate/list.h | 217 ++++++++++++++++++ 26 files changed, 1509 insertions(+), 50 deletions(-) create mode 100644 arch/x86/include/asm/func.h create mode 100644 scripts/asmvalidate/Makefile create mode 100644 scripts/asmvalidate/arch-x86.c create mode 100644 scripts/asmvalidate/arch.h create mode 100644 scripts/asmvalidate/asmvalidate.c create mode 100644 scripts/asmvalidate/elf.c create mode 100644 scripts/asmvalidate/elf.h create mode 100644 scripts/asmvalidate/list.h -- 2.1.0 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/