Received: by 10.223.185.116 with SMTP id b49csp1349421wrg; Sun, 11 Feb 2018 09:57:54 -0800 (PST) X-Google-Smtp-Source: AH8x224woOYRPE1tUMg9Wx4vpGk6HmX+2/39KIQVyCVNEyF5Bf41dAz/fEXIVTdsQcmT/KWsLNn4 X-Received: by 10.99.126.19 with SMTP id z19mr1773002pgc.108.1518371873995; Sun, 11 Feb 2018 09:57:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518371873; cv=none; d=google.com; s=arc-20160816; b=qgP0sdnk9e7PJcj2TH8a61GJdaOhSgw6YVUTZXWsRfiI3qkrCSfi5bt6l+ZpF2rS31 Pcrm8YlTq2Hsfj53JOeCUm3oBEYPNUVK6LVq4TDdPXZdhVN9MjUX1BeQgLWXAaCxiBqE yvIuWETU2uUZVILa9OdMVb4UlO7C0UBp4baWWN8Y8+haY32c9juv65rHzu9CKBlVYcvD InuRlI7cXF0DaOKeFi0FgDdGn/vcaqGb5pzLvw3XEuZKus0ZLAVDd43lzmgH0UOpQQiJ DvNX6QOSnO7hCq7g/G3b19OfWFnWCN/eOmsMQ4kdpecITVxtW3ycRQvXjE3zu+C++aLo yHQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=y5pMDqZgMZjyMQA3J+fetJcItU1vX8UuMM5pbR6FMMg=; b=YGGt4E4/G7zJi7IJ14wgFwlS+OJCbON7dgOuQjNEV5vYhEhF+uFK2b9pkFanlZevzM UEjTESC7rZ5sEFKGYgshFMe6+gp9pfFn8PrdpdkSpCDWpQpvvR1hDPpS/nrA0HkYaJg9 mCqRYkCGNsx6fv1vZG2uEWiubve3aJGfCsSz2dWzZK8aL4fWWarwDae+xs94VK1I8RKc 10aLwQ4SStWdaYBJs4xvbBmvkCkf3N0ovoDzeDKBFrZep5PoJuIbrq3EQ55RQgNNyCls xjBImKj55/bjapvuZrbyNKCg76HzCOsW0PtbzT+wXFr1J/iznhgBnJH88/A0HMpZtaLq 09Pg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=Q9Rsv60q; dkim=fail header.i=@chromium.org header.s=google header.b=QrneLLJZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f63si5103237pfb.194.2018.02.11.09.57.40; Sun, 11 Feb 2018 09:57:53 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=Q9Rsv60q; dkim=fail header.i=@chromium.org header.s=google header.b=QrneLLJZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932080AbeBKR4w (ORCPT + 99 others); Sun, 11 Feb 2018 12:56:52 -0500 Received: from mail-ua0-f182.google.com ([209.85.217.182]:37925 "EHLO mail-ua0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753610AbeBKR4t (ORCPT ); Sun, 11 Feb 2018 12:56:49 -0500 Received: by mail-ua0-f182.google.com with SMTP id e25so8158027uan.5 for ; Sun, 11 Feb 2018 09:56:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=y5pMDqZgMZjyMQA3J+fetJcItU1vX8UuMM5pbR6FMMg=; b=Q9Rsv60qZbn53GQ/ti2WjQfzI2CPrH3IxnZOLqwxu2vDyJv7C/FaOPAvWIgpL3/jEC jAE3ngPt09ft+sYk9kjQ2/mN4ASbf48YHmmHA+NxnmbJBMJf31S3ryooCPGbOG0ikqG9 hnA2r1SglQBX/AZmBU0U76FL7EdwvgGQt1UnhFBKOBHXE+GwmEz/gpZw1dYZXcCUG6u8 rvknzAr198Z5OXtZFZ0zw01uXwrfgXEauS8n/jyUX6oAglyOrQMNm7KFOTFkRaI5ifg3 JHYR8a5AB4gyDQfLQIcQBB8CHLB0F40EPGCLe4Uvf/Ujk6iLzZHuJ2KWkJtXSOqsRN7r VYfQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=y5pMDqZgMZjyMQA3J+fetJcItU1vX8UuMM5pbR6FMMg=; b=QrneLLJZeIFswzwtbdr+095bnu6g22ukiOaej/6ZbmV8IGnCHydnpycyLhYovahy51 WlUsyGWe+cEKPr90KfzmLdv+iasEKPIf4bfAZEZRi+fSXpiCCb0X1Q2OxQZx/kITkREB lkwzZOz8qe26X414Dn7mbzBqVooz5TSdB8Jew= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=y5pMDqZgMZjyMQA3J+fetJcItU1vX8UuMM5pbR6FMMg=; b=cAj4i3JFb2TIEidRzG9vzOvEzF1lq/AhwyqzcPbxnTGf5rhykKxm2ksOwa/xB2QuoU vMBPjjRnwXtmjHRKHIjbM/tKuNiz433ZiwlKoqJW6SZvkwQIpSKys8x3gRHMJ7uv9uAO LTuuRkrRxWBaYVAO8wrAYTyPqV8gsh5JUm+IlI3NPtrjQagZU/gqoTcLqnfP9PJYXnxu aPJsxYpLDQJqsA+mC/X/xqfKsTuRPr1eCwcpo4J3gPdSzUtDxF5JIV+JOTM9aMvSmYjy BgTrZDYhqauFDaOW9X33Kuafb5SovcM36qWREjvvCrlEU4HY7k6vUs/R5V2YQ50PPFqE Gnag== X-Gm-Message-State: APf1xPDOHG4CItI3E3tZ2GZVOIrAzkw+B7huvCEoQ912FkFFhP9N7SVA 8RhC/uGVRwSB++pga+LwkLsVZHwV7q6rlh1qGqiwuw== X-Received: by 10.159.35.15 with SMTP id 15mr9511349uae.130.1518371808638; Sun, 11 Feb 2018 09:56:48 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.67.196 with HTTP; Sun, 11 Feb 2018 09:56:46 -0800 (PST) In-Reply-To: <20180211103432.pf2ot6nd7nbhdhsy@huvuddator> References: <20180210054843.z3g7wvcmlccvww3h@huvuddator> <20180210074924.3nhxsza5zdbaahxx@huvuddator> <20180210080556.mycqsjhxbaguwhay@huvuddator> <20180210085519.737ckf4bcl57h4g2@huvuddator> <20180211103432.pf2ot6nd7nbhdhsy@huvuddator> From: Kees Cook Date: Sun, 11 Feb 2018 09:56:46 -0800 X-Google-Sender-Auth: s1QGXcSXqg-AizxcikGG4kxsdds Message-ID: Subject: Re: [RFC PATCH 4/7] kconfig: support new special property shell= To: Ulf Magnusson Cc: Linus Torvalds , Masahiro Yamada , Linux Kbuild mailing list , Greg Kroah-Hartman , Andrew Morton , Nicolas Pitre , "Luis R . Rodriguez" , Randy Dunlap , Sam Ravnborg , Michal Marek , Martin Schwidefsky , Pavel Machek , linux-s390 , Jiri Kosina , Linux Kernel Mailing List , Tejun Heo , Ingo Molnar , "Van De Ven, Arjan" , Arnd Bergmann Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Feb 11, 2018 at 2:34 AM, Ulf Magnusson wrote: > Looks to me like there's a few unrelated issues here: > > > 1. The stack protector support test scripts > > Worthwhile IMO if they (*in practice*) prevent hard-to-debug build errors or a > subtly broken kernel from being built. > > A few questions: > > - How do things fail with a broken stack protector implementation? There have been several ways I've seen: - resulting kernel silently doesn't provide the stack protection at all - resulting build fails at the end trying to link against a missing global stack canary - resulting kernel doesn't boot at all due to insane function preamble on first use of canary > - How common are those broken compilers? I *thought* it was rare (i.e. gcc 4.2) but while working on ..._AUTO I found breakage in akpm's 4.4 gcc, and all of Arnd's gccs due to some very strange misconfiguration between the gcc build environment and other options. So, it turns out this is unfortunately common. The good news is that it does NOT appear to happen with most distro compilers, though I've seen Android's compiler regress the global vs %gs at least once about a year ago. > - Do you really need to pass $(KBUILD_CPPFLAGS) when testing for breakage, > or would a simpler static test work in practice? > > I don't know how messy it would be to get $(KBUILD_CPPFLAGS) into > Kconfig, but should make sure it's actually needed in any case. > > The scripts are already split up as > > scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh > > by the way, though only gcc-x86_32-has-stack-protector.sh and > gcc-x86_64-has-stack-protector.sh exist. I think it would work to skip KBUILD_CPPFLAGS right up until it didn't. Since we have the arch split, we can already add -m32 to the 32-bit case, etc. However, I worry about interaction with other selected build options. For example, while retpoline doesn't interact stack-protector, it's easy to imagine things that might. (And in thinking about this, does Kconfig know the true $CC in use? i.e. the configured cross compiler, etc?) > - How old do you need to go with GCC for -fno-stack-protector to give an > error (i.e., for not even the option to be recognized)? Is it still > warranted to test for it? Old? That's not the case. The check for -fno-stack-protector will likely be needed forever, as some distro compilers enable stack-protector by default. So when someone wants to explicitly build without stack-protector (or if the compiler's stack-protector is detected as broken), we must force it off for the kernel build. > Adding some CCs who worked on the stack protector test scripts. > > And yeah, I was assuming that needing support scripts would be rare, and that > you'd usually just check whether gcc accepts the flag. That would have been nice, yes. :( > When you Google "gcc broken stack protector", the top hits about are about the > scripts/gcc-x86_64-has-stack-protector.sh script in the kernel throwing a false > positive by the way (fixed in 82031ea29e45 ("scripts/has-stack-protector: add > -fno-PIE")). That's just the most recent case (from the case where some distro compilers enabled PIE by default). And was why I was hoping to drop the scripts entirely. > 2. Whether to hide the Kconfig stack protector alternatives or always show them > > Or equivalently, whether to automatically fall back on other stack protector > alternatives (including no stack protector) if the one specified in the .config > isn't available. > > I'll let you battle this one out. In any case, as a user, I'd want a > super-clear message telling me what to change if the build breaks because of > missing stack protector support. Yes, exactly. The reason I built the _AUTO support was to make this easier for people to not have to think about. I wanted to get rid of explicit support (i.e. _REGULAR or _STRONG) but some people didn't want _STRONG (since it has greater code-size impact than _REGULAR), so we've had to keep that too. > 3. Whether to implement CC_STACKPROTECTOR_AUTO in Kconfig or the Makefiles > > I'd just go with whatever is simplest here. I don't find the Kconfig version > too bad, but I'm already very familiar with Kconfig, so it's harder for me to > tell how it looks to other people. > > I'd add some comments to explain the idea in the final version. > > @Kees: > I was assuming that the Makefiles would error out with a message if none of the > CC_STACKPROTECTOR_* variables are set, in addition to the Kconfig warning. That doesn't happy either before nor after _AUTO. The default value before was _NONE, and the default value after is _AUTO, which will use whatever is available. > You could offload part of that check to Kconfig with something like > > config CHOSEN_CC_STACKPROTECTOR_AVAILABLE > def_bool CC_STACKPROTECTOR_STRONG || \ > CC_STACKPROTECTOR_REGULAR || \ > CC_STACKPROTECTOR_NONE > > CHOSEN_STACKPROTECTOR_AVAILABLE could then be checked in the Makefile. > It has the advantage of making the constraint clear in the Kconfig file > at least. > > You could add some kind of assert feature to Kconfig too, but IMO it's not > warranted purely for one-offs like this at least. Agreed; I want to do whatever we can to simplify things. :) > That's details though. I'd want to explain it with a comment in any case if we > go with something like this, since it's slightly kludgy and subtle > (CC_STACKPROTECTOR_{STRONG,REGULAR,NONE} form a kind of choice, only you can't > express it like that directly, since it's derived from other symbols). > > > Here's an overview of the current Kconfig layout by the way, assuming > the old no-fallback behavior and CC_STACKPROTECTOR_AUTO being > implemented in Kconfig: > > # Feature tests > CC_HAS_STACKPROTECTOR_STRONG > CC_HAS_STACKPROTECTOR_REGULAR > CC_HAS_STACKPROTECTOR_NONE As long as the feature tests include actual compiler output tests, yeah, this seems fine. > # User request > WANT_CC_STACKPROTECTOR_AUTO > WANT_CC_STACKPROTECTOR_STRONG > WANT_CC_STACKPROTECTOR_REGULAR > WANT_CC_STACKPROTECTOR_NONE > > # The actual "output" to the Makefiles > CC_STACKPROTECTOR_STRONG > CC_STACKPROTECTOR_REGULAR > CC_STACKPROTECTOR_NONE This should be fine too (though by this point, I think Kconfig would already know the specific option, so it could just pass it with a single output (CC_OPT_STACKPROTECTOR below?) > # Some possible output "nicities" > CHOSEN_CC_STACKPROTECTOR_AVAILABLE > CC_OPT_STACKPROTECTOR > > Does anyone have objections to the naming or other things? I saw some > references to "Santa's wish list" in messages of commits that dealt with other > variables named WANT_*, though I didn't look into those cases. ;) Another case I mentioned before that I just want to make sure we don't reintroduce the problem of getting "stuck" with a bad .config file. While adding _STRONG support, I discovered the two-phase Kconfig resolution that happens during the build. If you selected _STRONG with a strong-capable compiler, everything was fine. If you then tried to build with an older compiler, you'd get stuck since _STRONG wasn't support (as detected during the first Kconfig phase) so the generated/autoconf.h would never get updated with the newly selected _REGULAR). I moved the Makefile analysis of available stack-protector options into the second phase (i.e. after all the Kconfig runs), and that worked to both unstick such configs and provide a clear message early in the build about what wasn't available. If all this detection is getting moved up into Kconfig, I'm worried we'll end up in this state again. If the answer is "you have to delete autoconf.h if you change compilers", then that's fine, but it sure seems unfriendly. :) -Kees -- Kees Cook Pixel Security