Received: by 10.223.176.5 with SMTP id f5csp219035wra; Thu, 8 Feb 2018 20:15:49 -0800 (PST) X-Google-Smtp-Source: AH8x227KWO+3InXUnEUSDD4xqIx8qz8E1DCv1YmIVc6UsIB96BjHSX7ClN5o1PN/s01SY8SFw/Hq X-Received: by 10.99.6.19 with SMTP id 19mr1289161pgg.222.1518149749178; Thu, 08 Feb 2018 20:15:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518149749; cv=none; d=google.com; s=arc-20160816; b=YpwnjJN/Xp8LZdemsapSQDgdVtZUOaA2Y7+2c6RBxLGhhf+Toq3Jn5hELyes8XcqJb /675nunWP48qpDMxLlq6wNl/aonbtY36zv5MnBv9vMMTSNt2f9cDIBIfoPafdY+5k5Ym ofYgPsTF0rwtWNW8IQMMVefBQWKkQGykoCsiDjZKgHn750/ctInT6tzLnXN0iqEQ5QRN +sTg0RcDrflc5/eAq4fLezLjxVmTy6FpE2GT8RezE6KEs5WBDGWBXIEcoJbuaDojGVrH zTRfJCImP0xABClQk9oFrNEU2m84aFdei5llF8zpawLwEJwYDKLHW1UrwcMAjiCrdLWE +psw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-filter :arc-authentication-results; bh=1PVgDWnR5I8BL6Ir2Lpo0DDxQ1sHTG0hBDLuU+LaoP8=; b=Dn4JwChkiSlL9cAF8oPIiyJKomDrg4osG4OghhHkaeu3B28mp3pY+WRY8vlSXkqyI2 PS5OnLsF/Tm3exK8jhUKoGkfLZ6ZbJTXyqONtgrheaOiPG3F9i1lwgEyie8wNXDu1Nrt j+W872pNHoF5DACCeIHg8h40M1G9BhmKfHr3SvHpQmep04thO8RQSW4lfAWhgarp+WjL 40ZZAa6DOCCGgR3IFcYzZ8dbXYFa972AVjr9b4LwIhRZ0Q9S8GucO1oczrLN12OIVkXj oHtTULvL56xG2hcwi8lROzwufW+U6PBjFVR0Q/T6OK/adQG3Wlbml9IIC6BP1zcWR/Ic hQpw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=b5t6XODZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f90-v6si970952plf.0.2018.02.08.20.15.34; Thu, 08 Feb 2018 20:15:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=b5t6XODZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752508AbeBIEOy (ORCPT + 99 others); Thu, 8 Feb 2018 23:14:54 -0500 Received: from conssluserg-02.nifty.com ([210.131.2.81]:20097 "EHLO conssluserg-02.nifty.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752192AbeBIEOv (ORCPT ); Thu, 8 Feb 2018 23:14:51 -0500 Received: from mail-ua0-f169.google.com (mail-ua0-f169.google.com [209.85.217.169]) (authenticated) by conssluserg-02.nifty.com with ESMTP id w194EOq9024583; Fri, 9 Feb 2018 13:14:25 +0900 DKIM-Filter: OpenDKIM Filter v2.10.3 conssluserg-02.nifty.com w194EOq9024583 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nifty.com; s=dec2015msa; t=1518149665; bh=1PVgDWnR5I8BL6Ir2Lpo0DDxQ1sHTG0hBDLuU+LaoP8=; h=In-Reply-To:References:From:Date:Subject:To:Cc:From; b=b5t6XODZ5hxiLXOisNn3ovbu0q+rUOTZJmIVhFdPYXQSi6SGcnTJMTwnuj7TxQQl2 spMMYtmDNoTdeTSwfrlMqpkZLVQpPN7xNCq5r+3y9JnmquQUKdaOhdOYB4zQJeaeTJ or/STNQsgDzwkru0/58OXuAkgdjxrbeGxHnjx001DiGCCk+4E+i1h1XrNK9+Cx/jGl Xlsm/KXa4kU3OuJpgaugvNxA05+s/Mw29kZeiONY0hi/ExNHhMjAtQcaPp2IPysoJo IB1U/Sx1ApPBfnVJpOPAK7QRoHUFJZv8Ya8pwGubF/qS5o0ivcyIJUINucupHYEQW4 xjeBZdrUtz69A== X-Nifty-SrcIP: [209.85.217.169] Received: by mail-ua0-f169.google.com with SMTP id q8so4381380uae.4; Thu, 08 Feb 2018 20:14:25 -0800 (PST) X-Gm-Message-State: APf1xPBezmzOmFBGITZhz0Th6NyACf5ftzfARC8DpTvI/rdCMNj2soD/ yL+hHWQgSvwNxfk7wit08JyPoUgLj8rlLMTjis4= X-Received: by 10.176.22.157 with SMTP id e29mr1517392uaf.76.1518149663823; Thu, 08 Feb 2018 20:14:23 -0800 (PST) MIME-Version: 1.0 Received: by 10.176.83.212 with HTTP; Thu, 8 Feb 2018 20:13:43 -0800 (PST) In-Reply-To: References: <1518106752-29228-1-git-send-email-yamada.masahiro@socionext.com> <1518106752-29228-8-git-send-email-yamada.masahiro@socionext.com> From: Masahiro Yamada Date: Fri, 9 Feb 2018 13:13:43 +0900 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH 7/7] Test stackprotector options in Kconfig to kill CC_STACKPROTECTOR_AUTO To: Kees Cook Cc: linux-kbuild , Linus Torvalds , Greg Kroah-Hartman , Andrew Morton , Nicolas Pitre , "Luis R . Rodriguez" , Randy Dunlap , Ulf Magnusson , Sam Ravnborg , Michal Marek , Martin Schwidefsky , Pavel Machek , linux-s390 , Jiri Kosina , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 2018-02-09 3:30 GMT+09:00 Kees Cook : > On Fri, Feb 9, 2018 at 3:19 AM, Masahiro Yamada > wrote: >> Add CC_HAS_STACKPROTECTOR(_STRONG) and proper dependency. >> >> I re-arranged the choice values, _STRONG, _REGULAR, _NONE in this order >> because the default of choice is the first visible symbol. >> [...] >> +# is this necessary? >> +#ifeq ($(CONFIG_CC_STACKPROTECTOR_NONE),y) >> +#KBUILD_CFLAGS += -fno-stack-protector >> +#endif > > Yes, and also in the case of a broken stack protector, because some > compilers enable stack protector by default, so if we've selected it > to be NONE or detected it as broken, we need to force it off in the > compiler. > >> +# TODO: run scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh from Kconfig > > FWIW, this is the part that I got stuck on. > gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh depends on the KBUILD > flags that got built up and detected up to this point in the Makefile, > so I couldn't find a way to run it out of Kconfig since it didn't know > what the KBUILD flags were yet. SRCARCH is fixed when loading Kconfig files. BITS is derived from CONFIG_64BIT. config 64BIT bool "64-bit kernel" if ARCH = "x86" default ARCH != "i386" ---help--- Say yes to build a 64-bit kernel - formerly known as x86_64 Say no to build a 32-bit kernel - formerly known as i386 This is a more difficult part because users can toggle this option from menuconfig, etc. If this option is changed, the compiler options must be re-computed, i.e. system() must be called again. This is missing in my first draft. I have not checked how slow it is. >> + >> ifeq ($(cc-name),clang) >> KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,) >> KBUILD_CFLAGS += $(call cc-disable-warning, unused-variable) >> diff --git a/arch/Kconfig b/arch/Kconfig >> index 76c0b54..50723d8 100644 >> --- a/arch/Kconfig >> +++ b/arch/Kconfig >> @@ -538,10 +538,20 @@ config HAVE_CC_STACKPROTECTOR >> - its compiler supports the -fstack-protector option >> - it has implemented a stack canary (e.g. __stack_chk_guard) >> >> +config CC_HAS_STACKPROTECTOR >> + bool >> + option shell="$CC -Werror -fstack-protector -c -x c /dev/null" >> + >> +config CC_HAS_STACKPROTECTOR_STRONG >> + bool >> + option shell="$CC -Werror -fstack-protector-strong -c -x c /dev/null" > > I'm nervous we'll get tripped up here, since $CC may not include the > right $(KBUILD_CPPFLAGS) and $(CC_OPTION_CFLAGS) as in cc-option, both > of which are calculated during the Makefile run. But maybe it won't be > a problem in actual use. Right, I had noticed this is a problem, but not implemented yet. At least, some basic compiler options must be imported into Kconfig. Especially this is a problem for clang. One clang executable is built with lots of architecture back-ends. So, CLANG_TARGET := --target=$(notdir $(CROSS_COMPILE:%-=%)) etc. is mandatory. If I remember correctly, there existed some options that depend on others. I am not sure about the stackprotector case. >> + >> +config CC_STACKPROTECTOR >> + bool >> + >> choice >> prompt "Stack Protector buffer overflow detection" >> depends on HAVE_CC_STACKPROTECTOR >> - default CC_STACKPROTECTOR_AUTO >> help >> This option turns on the "stack-protector" GCC feature. This >> feature puts, at the beginning of functions, a canary value on >> @@ -551,26 +561,10 @@ choice >> overwrite the canary, which gets detected and the attack is then >> neutralized via a kernel panic. >> >> -config CC_STACKPROTECTOR_NONE >> - bool "None" >> - help >> - Disable "stack-protector" GCC feature. >> - >> -config CC_STACKPROTECTOR_REGULAR >> - bool "Regular" >> - help >> - Functions will have the stack-protector canary logic added if they >> - have an 8-byte or larger character array on the stack. >> - >> - This feature requires gcc version 4.2 or above, or a distribution >> - gcc with the feature backported ("-fstack-protector"). >> - >> - On an x86 "defconfig" build, this feature adds canary checks to >> - about 3% of all kernel functions, which increases kernel code size >> - by about 0.3%. >> - >> config CC_STACKPROTECTOR_STRONG >> bool "Strong" >> + depends on CC_HAS_STACKPROTECTOR_STRONG >> + select CC_STACKPROTECTOR >> help >> Functions will have the stack-protector canary logic added in any >> of the following conditions: >> @@ -588,11 +582,25 @@ config CC_STACKPROTECTOR_STRONG >> about 20% of all kernel functions, which increases the kernel code >> size by about 2%. >> >> -config CC_STACKPROTECTOR_AUTO >> - bool "Automatic" >> +config CC_STACKPROTECTOR_REGULAR >> + bool "Regular" >> + depends on CC_HAS_STACKPROTECTOR >> + select CC_STACKPROTECTOR >> + help >> + Functions will have the stack-protector canary logic added if they >> + have an 8-byte or larger character array on the stack. >> + >> + This feature requires gcc version 4.2 or above, or a distribution >> + gcc with the feature backported ("-fstack-protector"). >> + >> + On an x86 "defconfig" build, this feature adds canary checks to >> + about 3% of all kernel functions, which increases kernel code size >> + by about 0.3%. >> + >> +config CC_STACKPROTECTOR_NONE >> + bool "None" >> help >> - If the compiler supports it, the best available stack-protector >> - option will be chosen. >> + Disable "stack-protector" GCC feature. >> >> endchoice > > I continue to love the idea, but we can't know a given ssp option is > _working_ until we run the test script, which may depend on compiler > flags. Regardless, I'll give this series a try and see if I can fix > anything I trip over. I've got a lot of notes on testing after getting > ..._AUTO working. Whatever happens, I hugely prefer having the > automatic selection possible in the Kconfig! Thanks for working on > this! :) Yes, your help is appreciated. We will find more TODO items during trial and error. :) -- Best Regards Masahiro Yamada