Received: by 10.223.185.116 with SMTP id b49csp2248429wrg; Mon, 12 Feb 2018 06:50:40 -0800 (PST) X-Google-Smtp-Source: AH8x224noW/O2sv3QQQCgQ9ZzjEyYYG3roF6bf0aEEpxNAWNbdkDWXXqz22ON8VE3YBeFhDzfjHQ X-Received: by 10.98.93.144 with SMTP id n16mr12095425pfj.195.1518447040188; Mon, 12 Feb 2018 06:50:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518447040; cv=none; d=google.com; s=arc-20160816; b=iuZOqCs77VbsGcbIihKj+z1K0JvLgZbx+irZqbgg08/Ka2ouyu6qwmTIB4UVdKkR5S u4ziO5Ji/bxTWz1eNkH9+Rb74I1KGWxjlSSlgujr6haRXo8xAk4r2+Geo8qA6ZjC9gUE tX/vCiY6gjATy2DQ06NnR8zu4RhaQiM7C3XJQCzc9HxGfSp1qxKgwaLl3RyZ5wZ+r4g0 hean9ELxMUc6ggHCunvwfofsTTP1NlS+SZGErcRTanGbyNMQ9AgqSlbdv4YYkTetF/jE 55lO1o3fm3VxTo5JCTPxQftQITPEaDWjFempdM77p6L7r1O+XjqFRYk+kt0tMBi1HSgo U13Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-filter :arc-authentication-results; bh=/cmGT7BAxe5y4A64+X8VUSv0GmUWjVCmhBFXmMPYRcA=; b=tJlRD1hhVF8wuQjSc0pQpeY7cZ/0Rbfpr/6T5FLVd9Hsw7+plKnsQMMv+YUL1LfeGP wB5YU8EQZKErNseMnpWBNa4aVvR2fgB2gjkRikZmHvOFq2QdVks0PPGtmDIevoNRSSTw EGtP4mt99J8e/JTvS7Zmexv/cjZV69Z2QOWDTl5LnQBPB3biiard4p6hTMHtPyn+XXZp uTOM5LRNoPvTqoDohrNSGUhkMIlrj8nSostbcTNFP/DH5J5TPN8f9nDTAGMr9grTnK/c g/BFsR8ME3ofnKs/b+UGrMH8OOPm443DEzjDyyx9/QqjyW3vtQIqERXWXsaNLqSfSLzk sviQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=TO5aN1ne; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a14-v6si1784690plm.119.2018.02.12.06.50.26; Mon, 12 Feb 2018 06:50:40 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=TO5aN1ne; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934644AbeBLNy3 (ORCPT + 99 others); Mon, 12 Feb 2018 08:54:29 -0500 Received: from conssluserg-02.nifty.com ([210.131.2.81]:18381 "EHLO conssluserg-02.nifty.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934522AbeBLNyY (ORCPT ); Mon, 12 Feb 2018 08:54:24 -0500 Received: from mail-vk0-f53.google.com (mail-vk0-f53.google.com [209.85.213.53]) (authenticated) by conssluserg-02.nifty.com with ESMTP id w1CDsBv5009273; Mon, 12 Feb 2018 22:54:11 +0900 DKIM-Filter: OpenDKIM Filter v2.10.3 conssluserg-02.nifty.com w1CDsBv5009273 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nifty.com; s=dec2015msa; t=1518443652; bh=/cmGT7BAxe5y4A64+X8VUSv0GmUWjVCmhBFXmMPYRcA=; h=In-Reply-To:References:From:Date:Subject:To:Cc:From; b=TO5aN1nehj4Kwv8lf4B1r4zJkSCLxsVA8y6CvDWWiqBadJL0NkWplgo/FbBxE7cHf TTM2Bw0NJ1Jun1+7y114E1PbYksxi5QE+lT7RcL6l/YnGNAnRHLBX2dQ3IU3NNnnU2 ga9HuiIjMtZEw8s85v1oIjM72CnD0c6lUgqqWJkSAAD2kcefRj9NH5mUDiC7dLg26F nzfNnZipn1uvI/jEGZcB40EOpxGjpj6fLScjPkW2FBXS9Y0brfH50lBlbDo9HXGVP/ 8Ejxnmk5Wer3Q+vJP5kuctr0fubfaMQeaQjOiD4Xa5NGrTc0Pf7rq7YzxgAm1JpWiK kl+46pB1FQwiQ== X-Nifty-SrcIP: [209.85.213.53] Received: by mail-vk0-f53.google.com with SMTP id b132so1872508vke.9; Mon, 12 Feb 2018 05:54:11 -0800 (PST) X-Gm-Message-State: APf1xPAfe3x/ucvJwo5V89apgDNJPM252OvzY39mpqSJi00dOm7d4ody J9nvprIAE7rD1KHpYEwNlXs3GmSyy4WNC0Hnb0A= X-Received: by 10.31.255.25 with SMTP id p25mr3453790vki.55.1518443650592; Mon, 12 Feb 2018 05:54:10 -0800 (PST) MIME-Version: 1.0 Received: by 10.176.83.212 with HTTP; Mon, 12 Feb 2018 05:53:30 -0800 (PST) In-Reply-To: References: <20180210054843.z3g7wvcmlccvww3h@huvuddator> <20180210074924.3nhxsza5zdbaahxx@huvuddator> <20180210080556.mycqsjhxbaguwhay@huvuddator> <20180210085519.737ckf4bcl57h4g2@huvuddator> <20180211103432.pf2ot6nd7nbhdhsy@huvuddator> From: Masahiro Yamada Date: Mon, 12 Feb 2018 22:53:30 +0900 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH 4/7] kconfig: support new special property shell= To: Ulf Magnusson Cc: Linus Torvalds , Kees Cook , Linux Kbuild mailing list , Greg Kroah-Hartman , Andrew Morton , Nicolas Pitre , "Luis R . Rodriguez" , Randy Dunlap , Sam Ravnborg , Michal Marek , Martin Schwidefsky , Pavel Machek , linux-s390 , Jiri Kosina , Linux Kernel Mailing List , Tejun Heo , Ingo Molnar , "Van De Ven, Arjan" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 2018-02-12 20:44 GMT+09:00 Ulf Magnusson : >> >> I think Linus's comment was dismissed here. >> >> >> Linus said: >> >>> But yes, I also reacted to your earlier " It can't silently rewrite it >>> to _REGULAR because the compiler support for _STRONG regressed." >>> Because it damn well can. If the compiler doesn't support >>> -fstack-protector-strong, we can just fall back on -fstack-protector. >>> Silently. No extra crazy complex logic for that either. >> >> >> If I understood his comment correctly, >> we do not need either WANT_* or _AUTO. >> >> >> >> >> Kees' comment: >> >>> In the stack-protector case, this becomes quite important, since the >>> goal is to record the user's selection regardless of compiler >>> capability. For example, if someone selects _REGULAR, it shouldn't >>> "upgrade" to _STRONG. (Similarly for _NONE.) >> >> No. Kconfig will not do this silently. > > (Playing devil's advocate...) > > If the user selected _STRONG and it becomes unavailable later, it > seems to silently fall back on other options, even for oldnoconfig > (which just checks if there are any new symbols in the choice). > > It would be possible to also check if the old user selection still > applies btw. I do that in Kconfiglib. It's arguable whether that > matches the intent of oldnoconfig. > >> >> >> "make oldconfig" (or "make silentoldconfig" as well) >> always ask users about new symbols. >> >> >> For example, let's say your compiler supports -fstack-protector >> but not -fstack-protector-strong. >> CC_STACKPROTECTOR_REGULAR is the best you can choose. >> >> Then, let's say you upgrade your compiler and the new compiler supports >> -fstack-protector-strong as well. >> >> In this case, CC_STACKPROTECTOR_STRONG is a newly visible symbol, >> so Kconfig will ask you >> "Hey, you were previously using _REGULAR, but your new compiler >> also supports _STRONG. Do you want to use it?" >> >> >> The "make oldconfig" will look like follows: >> >> >> masahiro@grover:~/workspace/linux-kbuild$ make oldconfig >> HOSTCC scripts/kconfig/conf.o >> HOSTLD scripts/kconfig/conf >> scripts/kconfig/conf --oldconfig Kconfig >> * >> * Restart config... >> * >> * >> * Linux Kernel Configuration >> * >> Stack Protector buffer overflow detection >> 1. Strong (CC_STACKPROTECTOR_STRONG) (NEW) >>> 2. Regular (CC_STACKPROTECTOR_REGULAR) >> 3. None (CC_STACKPROTECTOR_NONE) >> choice[1-3?]: >> >> >> >> Please notice the Strong is marked as "(NEW)". >> >> Kconfig handles this really nicely with Linus' suggestion. >> >> [1] Users can select only features supported by your compiler >> - this makes sense. >> >> [2] If you upgrade your compiler and it provides more capability, >> "make (silent)oldconfig" will ask you about new choices. >> - this also makes sense. > > If you switch to a compiler that provides less capability, it'll > silently forget the old user preference though. Yes, forget. So, "make oldconfig" will ask user preference again when you switch back to a compiler that provides more capability. This is not rude, right? To remember user preference (for both upgrade/downgrade capability), we need 3 symbols for each feature. [1] WANT_FOO A user can enable this option regardless of compiler capability. This will remember your preference forever. [2] CC_HAS_FOO Compiler capability. [3] FOO logical 'and' of WANT_FOO and CC_HAS_FOO. If we do this way, what's the point of moving compiler capability tests to Kconfig? [1] is the same as what we do now. Then, it will be disabled later if it turns out unsupported by your compiler. The only difference is, whether we calculate [2], [3] in Makefile or Kconfig. Kconfig is, in the end, inter-symbol dependency/visibility solver. The WANT_ is not using the benefit of Kconfig. We can calculate the logical 'and' by other means. The problem I see in this approach is 'savedefconfig'. 'make defconfig && make savedefconfig' will produce the subset of user preference and compiler capability. To make arbitrary set of CONFIG options, we need a full-featured compiler in order to enable all CC_HAS_... options. Maybe, we can add a new environment to ease this. KCONFIG_SHELL_ALWAYS_TRUE If this environment is specified, all 'option shell=...' will be evaluated as true. So, all symbols that depend on CC_HAS_ will be visible. This is useful to make arbitrary set of CONFIG options regardless of your compiler capability. $ KCONFIG_SHELL_ALWAYS_TRUE=1 make menuconfig -> build up your favorite config setting $ KCONFIG_SHELL_ALWAYS_TRUE=1 make savedefconfig -> write out the minimum set of config Thought? >> >> >> >> So, the following simple implementation works well enough, >> doesn't it? >> >> ---------------->8--------------- >> choice >> prompt "Stack Protector buffer overflow detection" >> >> config CC_STACKPROTECTOR_STRONG >> bool "Strong" >> depends on CC_HAS_STACKPROTECTOR_STRONG >> select CC_STACKPROTECTOR >> >> config CC_STACKPROTECTOR_REGULAR >> bool "Regular" >> depends on CC_HAS_STACKPROTECTOR >> select CC_STACKPROTECTOR >> >> config CC_STACKPROTECTOR_NONE >> bool "None" >> >> endchoice >> ---------------->8------------------------- > > Obviously much neater at least. :) > >> >> >> >> BTW, do we need to use 'choice' ? >> >> >> The problem of using 'choice' is, >> it does not work well with allnoconfig. >> >> >> For all{yes,mod}config, we want to enable as many features as possible. >> For allnoconfig, we want to disable as many as possible. > > Oh... right. For allnoconfig, it would always pick the default, so if > the default is "on", it's bad there. > >> >> However, the default of 'choice' is always the first visible value. >> >> >> So, I can suggest to remove _REGULAR and _NONE. >> >> We have just two bool options, like follows. >> >> ------------------->8----------------- >> config CC_STACKPROTECTOR >> bool "Use stack protector" >> depends on CC_HAS_STACKPROTECTOR >> >> config CC_STACKPROTECTOR_STRONG >> bool "Use strong strong stack protector" >> depends on CC_STACKPROTECTOR >> depends on CC_HAS_STACKPROTECTOR_STRONG >> -------------------->8------------------ > > Even neater. Much easier to understand. > >> >> This will work well for all{yes,mod,no}config. >> >> We will not have a case where >> -fstack-protector-strong is supported, but -fstack-protector is not. >> >> >> -- >> Best Regards >> Masahiro Yamada > > So there's just the caveat about possibly "forgetting" the user > preferences and automatically falling back on > CC_STACKPROTECTOR_REGULAR or CC_STACKPROTECTOR_NONE when the > environment changes, instead of erroring out. > > When you have to think hard about cases where something might break, > it might be a sign that it's not a huge problem in practice, but I > can't really speak for the priorities here. > -- Best Regards Masahiro Yamada