Received: by 10.223.176.5 with SMTP id f5csp1491639wra; Fri, 9 Feb 2018 21:50:33 -0800 (PST) X-Google-Smtp-Source: AH8x22573CRXvMMfSSPNn47K7XLB8UL1BMwe0IS0ecEo84ohjcOfbHcYAUQai7mXegZA9kjuJ/aV X-Received: by 2002:a17:902:3183:: with SMTP id x3-v6mr4713210plb.290.1518241833106; Fri, 09 Feb 2018 21:50:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518241833; cv=none; d=google.com; s=arc-20160816; b=rqBFKV3I9ETPB6SPGYBAr15zZ/mj4nqJm+PoWeSxo3vPJihXmhmTEzf28PqDU6E3m7 Etcwlzidv7H3ym6+V4fO+J5Nfm/oNx7Z639vXdx55p62jBBnR3jBM9CLTe0m7QGgOQRJ JFy+EATQc3uEcIwL0uB5w0nFI9mAN5rt6bt33wiFqjlK2/P5rMN//6VLvZYwsQ5p0VXV h0pWjrGyPxhYhZGjnwmZkq4oma1g318lNN+lsUGKfbCk+7eQTS/LHltWnXlpZIFGjvdn c3V/plB8UEAVbO+qgFUlkqCZBj2duUOqQXTfXP3sWyFdyMEBmiWmEFB1N4iLwCnW4qxk moeQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=RCMND6tlLyBJDTdXR83cUWZHkko2J8pyL5YEmM9OzsY=; b=GbIZ4wP30PBDL4cDsc7BryphyHgqVBdeOROqxzYj3tFcld6A2Wh59RS+qU8dx6Q0dV sjJp1qcDCQTkI6KJgr2AibkPlvPJv6y/uRZglAJIgE9GBjFPPYEktK80Bj0dEMRQ6wRb LmqVtpq0WHn0QVA8D3EBIW0c8wssEx2jPIXRg29KoBmAzKnlr2MAYLyWf2SFPw61Gdd5 cfMJ3IfZMh+z7lng0qhXJ8FaygLFhQu+3z6/zEUoli2muHalJTHVElfXauaWJTqGjM3H I6Okh6+YDPGPsLzCsB7N02lXKnrp/HdJ3iiD5rNu0PEJYZswuW5Uq9FCiMtE1fX/c+JG VBYQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=DcfcARy2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j61-v6si2629157plb.108.2018.02.09.21.50.06; Fri, 09 Feb 2018 21:50:33 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=DcfcARy2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750968AbeBJFtC (ORCPT + 99 others); Sat, 10 Feb 2018 00:49:02 -0500 Received: from mail-lf0-f67.google.com ([209.85.215.67]:40866 "EHLO mail-lf0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750761AbeBJFtA (ORCPT ); Sat, 10 Feb 2018 00:49:00 -0500 Received: by mail-lf0-f67.google.com with SMTP id i24so10868484lfc.7; Fri, 09 Feb 2018 21:48:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=RCMND6tlLyBJDTdXR83cUWZHkko2J8pyL5YEmM9OzsY=; b=DcfcARy2YadGhe/hpzGmTLQRvdxR4SkVciw3LPJ/AWHT8AeK6sUxIC9NPED5KuQpTo TW+syoceKF2HgXSbrrfUAcDAveRH1EaZSJU48vHJfgkjv8jPh5PFVe/97OAH1JXElVg9 /Fh6Gl7qOTHgFiV0HcBhrQTZ9OkRopFYfGO8ORZIu/OeCPeT43fGbqRybIS69+Ebkris I7niSMHkmcsdPDt9dv4c++dI8p7uHmpXAKYufCxD4qKcka0NRaVm6pzkwR+nBimIozlL Inx1Hmx3lhaOCgPOOtKL9PQPfVzv6BIiGcBA7GnfgL6RfjrDMpgBU90S3zSEls4gaF+m JJEQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=RCMND6tlLyBJDTdXR83cUWZHkko2J8pyL5YEmM9OzsY=; b=ECgOlXlQPz90GOBmGtp12qRKGeOif4xoVA5MUm4X9nxkHu4BFl4T5SZFKVmWqyVY/2 fFIKWD6qK024680eGKtD1O0wQTc7Legw3yFUS2hpjxxUM/Mbb0/FwZHiciyZpB5Z1IV0 9gvZBBBzfbuEJTBwnuSh13Ci9e+FJeBaqZuU7/dIBzmjcpv6iUGx8u84DUH2x3ZNt46O ciMoZK1bkUbaIUfB2EOWMIsZhekeDH+i3KpbnNGNhC4yaGrrfWBdeLUd5PbtBP2/09jL 5mbVXEVebUX0tSU8aegSAGIFIJ4Qu7uIRGbZEj5ipcqJ1Hh+eDLVkLD95CfvCD6XbXPb IdUQ== X-Gm-Message-State: APf1xPBBDX7c6Hv4/sM8OP3nCKBUweXs5kYm/vnakP6ZCahLV7y6N5ju BTzd2qSWM3y4p601XEWsp50= X-Received: by 10.25.93.83 with SMTP id p19mr2900716lfj.113.1518241738570; Fri, 09 Feb 2018 21:48:58 -0800 (PST) Received: from huvuddator (ua-213-113-106-221.cust.bredbandsbolaget.se. [213.113.106.221]) by smtp.gmail.com with ESMTPSA id h78sm734596lfk.31.2018.02.09.21.48.56 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 09 Feb 2018 21:48:57 -0800 (PST) Date: Sat, 10 Feb 2018 06:48:43 +0100 From: Ulf Magnusson To: Kees Cook Cc: Masahiro Yamada , Linux Kbuild mailing list , Linus Torvalds , Greg Kroah-Hartman , Andrew Morton , Nicolas Pitre , "Luis R . Rodriguez" , Randy Dunlap , Sam Ravnborg , Michal Marek , Martin Schwidefsky , Pavel Machek , linux-s390 , Jiri Kosina , Linux Kernel Mailing List Subject: Re: [RFC PATCH 4/7] kconfig: support new special property shell= Message-ID: <20180210054843.z3g7wvcmlccvww3h@huvuddator> References: <1518106752-29228-1-git-send-email-yamada.masahiro@socionext.com> <1518106752-29228-5-git-send-email-yamada.masahiro@socionext.com> <20180209053038.pscoijvowmyudyzf@huvuddator> <20180209124607.akjhncb5sempjqcn@huvuddator> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Feb 09, 2018 at 12:46:54PM -0800, Kees Cook wrote: > On Fri, Feb 9, 2018 at 4:46 AM, Ulf Magnusson wrote: > > One thing that makes Kconfig confusing (though it works well enough in > > practice) is that .config files both record user selections (the saved > > configuration) and serve as a configuration output format for make. > > > > It becomes easier to think about .config files once you realize that > > assignments to promptless symbols never have an effect on Kconfig > > itself: They're just configuration output, intermixed with the saved > > user selections. > > > > Assume 'option env' symbols got written out for example: > > > > - For a non-user-assignable symbol, the entry in the .config > > file is just configuration output and ignored by Kconfig, > > which will fetch the value from the environment instead. > > > > - For an assignable 'option env' symbol, the entry in the > > .config file is a saved user selection (as well as > > configuration output), and will be respected by Kconfig. > > In the stack-protector case, this becomes quite important, since the > goal is to record the user's selection regardless of compiler > capability. For example, if someone selects _REGULAR, it shouldn't > "upgrade" to _STRONG. (Similarly for _NONE.) Having _AUTO provides a > way to pick "best possible for this compiler", though. If a user had > previously selected _STRONG but they're doing builds with an older > compiler (or a misconfigured newer compiler) without support, the goal > is to _fail_ to build, not silently select _REGULAR. > > So, in this case, what's gained is the logic for _AUTO, and the logic > to not show, say, _STRONG when it's not available in the compiler. But > we must still fail to build if _STRONG was in the .config. It can't > silently rewrite it to _REGULAR because the compiler support for > _STRONG regressed. > > -Kees > > -- > Kees Cook > Pixel Security Provided that would be the desired behavior: What about changing the meaning of the choice symbols from e.g. "select -fstack-protector-strong" to "want -fstack-protector-strong"? Then the user preference would always be remembered, regardless of what's available. Here's a proof-of-concept. I realized that the fancy new 'imply' keyword fits pretty well here, since it works like a dependency-respecting select. config CC_HAS_STACKPROTECTOR_STRONG bool option shell="$CC -Werror -fstack-protector-strong -c -x c /dev/null" config CC_HAS_STACKPROTECTOR bool option shell="$CC -Werror -fstack-protector -c -x c /dev/null" choice prompt "Stack Protector buffer overflow detection" default WANT_CC_STACKPROTECTOR_STRONG config WANT_CC_STACKPROTECTOR_STRONG bool "Strong" imply CC_STACKPROTECTOR_STRONG config WANT_CC_STACKPROTECTOR_REGULAR bool "Regular" imply CC_STACKPROTECTOR_REGULAR config WANT_CC_STACKPROTECTOR_NONE bool "None" imply CC_STACKPROTECTOR_NONE endchoice config CC_STACKPROTECTOR_STRONG bool depends on CC_HAS_STACKPROTECTOR_STRONG config CC_STACKPROTECTOR_REGULAR bool depends on CC_HAS_STACKPROTECTOR_REGULAR config CC_STACKPROTECTOR_NONE bool This version has the drawback of always showing all the options, even if some they wouldn't be available. Kconfig comments could be added to warn if an option isn't available at least: comment "Warning: Your compiler does not support -fstack-protector-strong" depends on !CC_HAS_STACKPROTECTOR_STRONG config WANT_CC_STACKPROTECTOR_STRONG ... comment "Warning: Your compiler does not support -fstack-protector" depends on !CC_HAS_STACKPROTECTOR_REGULAR config WANT_CC_STACKPROTECTOR_REGULAR ... This final comment might be nice to have too: comment "Warning: Selected stack protector not available" depends on !(CC_STACKPROTECTOR_STRONG || CC_STACKPROTECTOR_REGULAR || CC_STACKPROTECTOR_NONE) Should probably introduce a clear warning that tells the user what they need to change in Kconfig if they build with a broken selection too. CC_STACKPROTECTOR_AUTO could be added to the choice in a slightly kludgy way too. Maybe there's something neater. config CC_STACKPROTECTOR_AUTO bool "Automatic" imply CC_STACKPROTECTOR_STRONG imply CC_STACKPROTECTOR_REGULAR if !CC_HAS_STACKPROTECTOR_STRONG imply CC_STACKPROTECTOR_NONE if !CC_HAS_STACKPROTECTOR_STRONG && \ !CC_HAS_STACKPROTECTOR_REGULAR Another drawback of this approach is that it breaks existing .config files (the CC_STACKPROTECTOR_* settings are ignored, since they just look like "configuration output" to Kconfig now). If that'd be a problem, the old names could be used instead of WANT_CC_STACKPROTECTOR_STRONG, etc., and new names introduced instead, though it'd look a bit cryptic. Ideas? Cheers, Ulf