Received: by 10.223.185.116 with SMTP id b49csp2315283wrg;
        Mon, 12 Feb 2018 07:48:06 -0800 (PST)
X-Google-Smtp-Source: AH8x226I9oBHMqNs1rcUmnJLrTz11KBX6zeCbwIPErPE1ssfe1WnOYmcC7BxqjtJSzn2nH793skX
X-Received: by 10.99.103.129 with SMTP id b123mr9409964pgc.177.1518450486468;
        Mon, 12 Feb 2018 07:48:06 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518450486; cv=none;
        d=google.com; s=arc-20160816;
        b=QtCF247BAD+/H2j0VDydGGHjHuMq5o8zSeroj4vPMrQwBDV5mv708sIUgEKafxEBPt
         GJUa5vatWjRsr43XnDlvIYh1EwYF1idB6rykdY79XSS3tyZj4nVTzR4Z0Pm9UnStO7ft
         HVXbxkh0n1tmnFntvfZqAigu6/I5A4LjOeHSUHz14IwexLM/RsyGUudmrUTTm5+94q1n
         L93geM3cfGQLWDJM1ftFbNfss8M/+YrA0FWMKxHMIe68izt16Rf4vGoVCrnJWAexaJac
         WoZLQRT0uW8hXSzyToBkGfKpT9Jz+ylahPWeI4RcgLnK5KFAidcFTMAKBnSdKLZZVxJR
         AwUw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=OCQwzJ9OEfKDAF4BJkzCS4FvpoBQRnug6TlWjgF4E1A=;
        b=bbvK3JFxGvh42Za2rgql9K8d7PoBh+KS5Uyti3czJfPnSThuT3/HC2qKiYSrAlePPv
         yuPSkRb+/t+u687hxCTFFujD4AvVDAMIaqtQh6i4Wd/yiWbl5yQp28SxvlczgZSTAPxD
         WTWTr3TkKp2zZCMtdCRDmeXQQifHbB4dElGzL0LI4lVMr1oMsezl80mB6iQyJY0SKWiw
         S+MxX8C5nSSbOz6gYvJAUUrVSO5CgD/zuyq3JkVXQKv828HYMAKeQ3ByiOgk5OdCG96a
         /oVfh7Dj+T+497bEUhbDevELppHpnDi4HLvjrkCyu63BbHeaegFth87NNyw+yik7Elrl
         ulgw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=ZI+/pis4;
       dkim=fail header.i=@chromium.org header.s=google header.b=kHT9anCk;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c23-v6si5948238plk.567.2018.02.12.07.47.51;
        Mon, 12 Feb 2018 07:48:06 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=ZI+/pis4;
       dkim=fail header.i=@chromium.org header.s=google header.b=kHT9anCk;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932390AbeBLPqg (ORCPT <rfc822;damien271828@gmail.com>
        + 99 others); Mon, 12 Feb 2018 10:46:36 -0500
Received: from mail-ua0-f195.google.com ([209.85.217.195]:40949 "EHLO
        mail-ua0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932145AbeBLPqe (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Feb 2018 10:46:34 -0500
Received: by mail-ua0-f195.google.com with SMTP id t6so9690325ual.7
        for <linux-kernel@vger.kernel.org>; Mon, 12 Feb 2018 07:46:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=OCQwzJ9OEfKDAF4BJkzCS4FvpoBQRnug6TlWjgF4E1A=;
        b=ZI+/pis4auRvqZQbW8Q5V9JL6XRWQvQElmmTjQE/SnCfYM4jRYCp8IgN6DpCiT2Whd
         +QRPouxiYNVlOs5SA/PUEV7Yaznr2XTXpSSFea+V0i+fYu7j7RWmrfzdtdTotAD81IG3
         vI8aAIc6A+WbpShmKDYuTnh17q045JRYT/wiIWA4jzNlB0hO7mAO49cYgkZLBURXepf+
         Re46I4xOwlTe4OXmjzghf7zCSZ8j1p/Z66Ub4gIDo9d4o47fv2XfkpHcBGLpwJHuZ+Ju
         e2k4xxWy8oSUurRsiP40VP8/F67bIDEJGDZpO2dkidu/XzhlmRp7mFzv8Db273qPyRiE
         OoeQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=OCQwzJ9OEfKDAF4BJkzCS4FvpoBQRnug6TlWjgF4E1A=;
        b=kHT9anCkWcBM63G8LkVVtwjPknTxGJWYmHbOQc3FSDIYWX6Jr/boa7v6nSBa/CEz7t
         gbaCJvRYhlPDuoiog3r5lNMkDokW2D2QMV2oO4VON6lGw8+UNUqsCYtxvWDUKZn3cmCd
         H0py9qMtIIEG0bkSFdyoFoH/faINB3PhMqw+A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=OCQwzJ9OEfKDAF4BJkzCS4FvpoBQRnug6TlWjgF4E1A=;
        b=apw5X/yxERRzzpSi4bRbRdYj5H2D0SDHRddgvS+PD+DYbY/YKG6ozj7loadU6M0px9
         Ahw1JpXduTFtmwoxU7IR4sqT67dtCfrRzyBh/0HWxbuFwt5MFtgyGq5edo3rwFnnqYHr
         V7ySrhUi+eyWvGs5beKhUG1kvAC4fKDEtDqWGx1kOyCpxui+pn76VnHRd9aeUcJrU/aI
         9gkjXMcszl1CFJYUFfiq6ZkWj2F7RQ8T0DeqTywSxYbbNMlFcO24po2zfUUY9zn3L2bf
         wV4gAoChO2Uh8sgcjaI5WdperKsfSBZ0TOBwZ03El3LVL2Hl82FLc/CESGV2qkfcs3I8
         iQuw==
X-Gm-Message-State: APf1xPB0IJDoxDoYmvNnvYwrIuLMXQmQJRzB0Vxsp8n21rYDbwGSVxxb
        b2TTzTCu05Wnj802IblVBKjceHvA5DyggksciHndwA==
X-Received: by 10.159.35.71 with SMTP id 65mr44614uae.130.1518450393260; Mon,
 12 Feb 2018 07:46:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.67.196 with HTTP; Mon, 12 Feb 2018 07:46:32 -0800 (PST)
In-Reply-To: <CAK7LNARdm7UESEEh-2qEP9R8jWSwzZ4d2x=pZZPuj6EVAsXnAA@mail.gmail.com>
References: <20180210054843.z3g7wvcmlccvww3h@huvuddator> <CAK7LNARHmAF2SxBcc1aUEH5MMzUo_furLevqy7QzGxqNRHYiyQ@mail.gmail.com>
 <20180210074924.3nhxsza5zdbaahxx@huvuddator> <20180210080556.mycqsjhxbaguwhay@huvuddator>
 <20180210085519.737ckf4bcl57h4g2@huvuddator> <CAGXu5jKQgxxC2RQL0dxLKFVED2v-LiWKjtXY3DDpfwAXbnxM4Q@mail.gmail.com>
 <CA+55aFz-SJ970iqDsR8-Ke4z6WvB4n9RXAeen8pG=+YJWubETw@mail.gmail.com>
 <CAGXu5jLo0iuMsH89vj3nr8sv+1YvXfXgoPeBdxHwZm5i=DWoOA@mail.gmail.com>
 <CA+55aFxdx3FYE6YGifRR=BSG9QzXwgThj5z7RmV5P5+RpNXSiQ@mail.gmail.com>
 <CA+55aFyPyYyG-riaBQU5cGp_sC=r8mf9Mg6L=DUEH6EyQfWYwA@mail.gmail.com>
 <20180211103432.pf2ot6nd7nbhdhsy@huvuddator> <CAK7LNARdm7UESEEh-2qEP9R8jWSwzZ4d2x=pZZPuj6EVAsXnAA@mail.gmail.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Mon, 12 Feb 2018 07:46:32 -0800
X-Google-Sender-Auth: RUaZKSngnrfwJg0sLhfdcbCtf9M
Message-ID: <CAGXu5jJJEApa6qUS1-AZvt2RaSUDjUhV5Ysjs2mdy_KrwMkiUQ@mail.gmail.com>
Subject: Re: [RFC PATCH 4/7] kconfig: support new special property shell=
To:     Masahiro Yamada <yamada.masahiro@socionext.com>
Cc:     Ulf Magnusson <ulfalizer@gmail.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Nicolas Pitre <nicolas.pitre@linaro.org>,
        "Luis R . Rodriguez" <mcgrof@suse.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        Sam Ravnborg <sam@ravnborg.org>,
        Michal Marek <michal.lkml@markovi.net>,
        Martin Schwidefsky <schwidefsky@de.ibm.com>,
        Pavel Machek <pavel@ucw.cz>,
        linux-s390 <linux-s390@vger.kernel.org>,
        Jiri Kosina <jkosina@suse.cz>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Tejun Heo <tj@kernel.org>, Ingo Molnar <mingo@kernel.org>,
        "Van De Ven, Arjan" <arjan.van.de.ven@intel.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 12, 2018 at 2:44 AM, Masahiro Yamada
<yamada.masahiro@socionext.com> wrote:
> Linus said:
>
>> But yes, I also reacted to your earlier " It can't silently rewrite it
>> to _REGULAR because the compiler support for _STRONG regressed."
>> Because it damn well can. If the compiler doesn't support
>> -fstack-protector-strong, we can just fall back on -fstack-protector.
>> Silently. No extra crazy complex logic for that either.
>
>
> If I understood his comment correctly,
> we do not need either WANT_* or _AUTO.
>
>
> Kees' comment:
>
>> In the stack-protector case, this becomes quite important, since the
>> goal is to record the user's selection regardless of compiler
>> capability. For example, if someone selects _REGULAR, it shouldn't
>> "upgrade" to _STRONG. (Similarly for _NONE.)
>
> No.  Kconfig will not do this silently.
>
> "make oldconfig" (or "make silentoldconfig" as well)
> always ask users about new symbols.

The case I want to make sure can never happen is to have a config
setting that ends up not actually being true. For example, if
CONFIG_CC_STACKPROTECTOR appears in /proc/config.gz but the kernel
wasn't actually built with a stack protector, that's bad. We end up in
a place where the user can't trust the config to represent the actual
results of the build.

So, as long as the Kconfig options are strongly tied to the compiler
capabilities, we're good on that front.

> So, I can suggest to remove _REGULAR and _NONE.
>
> We have just two bool options, like follows.
>
> ------------------->8-----------------
> config CC_STACKPROTECTOR
>         bool "Use stack protector"
>         depends on CC_HAS_STACKPROTECTOR
>
> config CC_STACKPROTECTOR_STRONG
>         bool "Use strong strong stack protector"
>         depends on CC_STACKPROTECTOR
>         depends on CC_HAS_STACKPROTECTOR_STRONG
> -------------------->8------------------
>
> This will work well for all{yes,mod,no}config.

This two-option arrangement is fine (though it assumes there won't be
another stack protector option in the future).

The issue I have is this removes _AUTO, which I think can be solved in
the two-option arrangement too. The purpose of _AUTO is to effectively
enable stack-protector by default. As this option has been available
for over 10 years, and all distros enable it, it's an obvious
candidate to be enabled-by-default, especially since it kills a class
of exploits (as mentioned in my commit log: BlueBorne was trivially
defeated with stack-protector). So it should be possible to make these
two options "default y", yes?

> We will not have a case where
> -fstack-protector-strong is supported, but -fstack-protector is not.

Correct.

-Kees

-- 
Kees Cook
Pixel Security