Received: by 10.223.185.116 with SMTP id b49csp2349344wrg;
        Mon, 12 Feb 2018 08:14:29 -0800 (PST)
X-Google-Smtp-Source: AH8x227e2wf85wFfX4dJUAHgK5zfKYAtc7bvCVGB/TZGjjC5Gq8X77XKMTUZvUFvJqHYyYIdaqhK
X-Received: by 10.99.37.7 with SMTP id l7mr9702219pgl.311.1518452069713;
        Mon, 12 Feb 2018 08:14:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518452069; cv=none;
        d=google.com; s=arc-20160816;
        b=Q8BS2p4Ls55zwOHn9xmf+9uBngTHWnKuz8xdTBOgurH5kZGvDfMzT5X4Jfj5RQn2qO
         nucj/pyuU2NwK8qdRTR/IhW3O4J2dUMohhngtyBXaBNODNI+HE+mTG/Wvu92K5bBK2ie
         4D2i9IllC81vcaUdaNj6rfxZ3j9pXVuUCew4u6xpvl1TSCopPgARR+PLql9DrF8dqIQK
         pWwqeZw1AaRYTf0dt2UrI0chzTYmugwpajw9mbY7FTpXu+Uu3QYIsvuZQnQJGoQRsQ8T
         GOsjktFvxuAaU/+xYiex/PoQypyJj2/PgjUn8EaSjwMf7AGKC5bY3ib7b4R/4zJBui0B
         GWbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-filter
         :arc-authentication-results;
        bh=cRZcyXSEErbIba/7QUwRFMw/knOu/1rFblSISezcdws=;
        b=l924M67VwxFoRynC0i4B9yXTjdR346zsAtO/P43YxKaK8woCX+ryZjMPbi60DfCRho
         tEjOK4G39075y9tr9e+WhoBS0CXDJgVKM5+7Hi18MvOgGdW8dni9cFZ1x+cg/v3VWWzK
         doMQUcBqVldPqIb5alhuONXfR9hNmGgKDAP5ayjbSi7UCLMvGr7DOgFKel70ATWN7BPh
         Qa3mdYgGOJHxi1HjGGzDvr5D6wkVQFU74/yOJ1Ud4AOEwATUV7gHUFtFTirH9JNixiBV
         JgaLYqiZQnJgaR5BBWDg4zY0PGUwj3Wc1Dlh72bBV3zFmzrdr6lYFCGC1Y2pU1uieeqy
         bQrw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=QNXnglpL;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b129si1127153pgc.89.2018.02.12.08.14.13;
        Mon, 12 Feb 2018 08:14:29 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=QNXnglpL;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S935297AbeBLQL0 (ORCPT <rfc822;kkoh.linux@gmail.com> + 99 others);
        Mon, 12 Feb 2018 11:11:26 -0500
Received: from conssluserg-06.nifty.com ([210.131.2.91]:44125 "EHLO
        conssluserg-06.nifty.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S933591AbeBLQLY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Feb 2018 11:11:24 -0500
Received: from mail-vk0-f46.google.com (mail-vk0-f46.google.com [209.85.213.46]) (authenticated)
        by conssluserg-06.nifty.com with ESMTP id w1CGBH7i013798;
        Tue, 13 Feb 2018 01:11:18 +0900
DKIM-Filter: OpenDKIM Filter v2.10.3 conssluserg-06.nifty.com w1CGBH7i013798
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nifty.com;
        s=dec2015msa; t=1518451878;
        bh=cRZcyXSEErbIba/7QUwRFMw/knOu/1rFblSISezcdws=;
        h=In-Reply-To:References:From:Date:Subject:To:Cc:From;
        b=QNXnglpLMRvpzTeAsf5a0osyUi5zfICM7KsuErOMY1knOVQq2WnRYktETGbFSLUlw
         lRI19ILXjj1uDB78NctU21Zn3Vk+iTXirxAhz0eLiWKs8jo+UxCY9c7B30EqTn30mm
         HnCW1MbZXN07NuB9eN5+zeSfVP7V4RiDzAxPzc9pKYc45AmS5zdUMYREOAL7fzIljk
         +yWT23+7Y6MTzxAiXazRWiQ5rhOudN/Od+5QYauL9qCXsVEZjNhMXmPs71Ea658gwU
         4Fj4w4RFK+FmJlXb4f+2Zp1CZq5x2d6pEUBgJUR77Ge+Ts7K/oGFZEG2R+hEQf7O5B
         aDJHIQbvtv3EA==
X-Nifty-SrcIP: [209.85.213.46]
Received: by mail-vk0-f46.google.com with SMTP id m197so9089249vka.3;
        Mon, 12 Feb 2018 08:11:18 -0800 (PST)
X-Gm-Message-State: APf1xPC71Sh9m/YSq7GQIdS9DLwV1fZZBNhHt+86MzyS2WKRcHkcXuWk
        PPbvBg3yXsTMAPWsNhnMPrfSlHF0JWXEvGZFv6s=
X-Received: by 10.31.255.25 with SMTP id p25mr3895759vki.55.1518451874594;
 Mon, 12 Feb 2018 08:11:14 -0800 (PST)
MIME-Version: 1.0
Received: by 10.176.83.212 with HTTP; Mon, 12 Feb 2018 08:10:34 -0800 (PST)
In-Reply-To: <CAGXu5jJJEApa6qUS1-AZvt2RaSUDjUhV5Ysjs2mdy_KrwMkiUQ@mail.gmail.com>
References: <20180210054843.z3g7wvcmlccvww3h@huvuddator> <CAK7LNARHmAF2SxBcc1aUEH5MMzUo_furLevqy7QzGxqNRHYiyQ@mail.gmail.com>
 <20180210074924.3nhxsza5zdbaahxx@huvuddator> <20180210080556.mycqsjhxbaguwhay@huvuddator>
 <20180210085519.737ckf4bcl57h4g2@huvuddator> <CAGXu5jKQgxxC2RQL0dxLKFVED2v-LiWKjtXY3DDpfwAXbnxM4Q@mail.gmail.com>
 <CA+55aFz-SJ970iqDsR8-Ke4z6WvB4n9RXAeen8pG=+YJWubETw@mail.gmail.com>
 <CAGXu5jLo0iuMsH89vj3nr8sv+1YvXfXgoPeBdxHwZm5i=DWoOA@mail.gmail.com>
 <CA+55aFxdx3FYE6YGifRR=BSG9QzXwgThj5z7RmV5P5+RpNXSiQ@mail.gmail.com>
 <CA+55aFyPyYyG-riaBQU5cGp_sC=r8mf9Mg6L=DUEH6EyQfWYwA@mail.gmail.com>
 <20180211103432.pf2ot6nd7nbhdhsy@huvuddator> <CAK7LNARdm7UESEEh-2qEP9R8jWSwzZ4d2x=pZZPuj6EVAsXnAA@mail.gmail.com>
 <CAGXu5jJJEApa6qUS1-AZvt2RaSUDjUhV5Ysjs2mdy_KrwMkiUQ@mail.gmail.com>
From:   Masahiro Yamada <yamada.masahiro@socionext.com>
Date:   Tue, 13 Feb 2018 01:10:34 +0900
X-Gmail-Original-Message-ID: <CAK7LNASLW+XXqFphu+nYsqcBux-jBqyDW9T=-N5udbOcJ3=zmA@mail.gmail.com>
Message-ID: <CAK7LNASLW+XXqFphu+nYsqcBux-jBqyDW9T=-N5udbOcJ3=zmA@mail.gmail.com>
Subject: Re: [RFC PATCH 4/7] kconfig: support new special property shell=
To:     Kees Cook <keescook@chromium.org>
Cc:     Ulf Magnusson <ulfalizer@gmail.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Nicolas Pitre <nicolas.pitre@linaro.org>,
        "Luis R . Rodriguez" <mcgrof@suse.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        Sam Ravnborg <sam@ravnborg.org>,
        Michal Marek <michal.lkml@markovi.net>,
        Martin Schwidefsky <schwidefsky@de.ibm.com>,
        Pavel Machek <pavel@ucw.cz>,
        linux-s390 <linux-s390@vger.kernel.org>,
        Jiri Kosina <jkosina@suse.cz>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Tejun Heo <tj@kernel.org>, Ingo Molnar <mingo@kernel.org>,
        "Van De Ven, Arjan" <arjan.van.de.ven@intel.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

2018-02-13 0:46 GMT+09:00 Kees Cook <keescook@chromium.org>:
> On Mon, Feb 12, 2018 at 2:44 AM, Masahiro Yamada
> <yamada.masahiro@socionext.com> wrote:
>> Linus said:
>>
>>> But yes, I also reacted to your earlier " It can't silently rewrite it
>>> to _REGULAR because the compiler support for _STRONG regressed."
>>> Because it damn well can. If the compiler doesn't support
>>> -fstack-protector-strong, we can just fall back on -fstack-protector.
>>> Silently. No extra crazy complex logic for that either.
>>
>>
>> If I understood his comment correctly,
>> we do not need either WANT_* or _AUTO.
>>
>>
>> Kees' comment:
>>
>>> In the stack-protector case, this becomes quite important, since the
>>> goal is to record the user's selection regardless of compiler
>>> capability. For example, if someone selects _REGULAR, it shouldn't
>>> "upgrade" to _STRONG. (Similarly for _NONE.)
>>
>> No.  Kconfig will not do this silently.
>>
>> "make oldconfig" (or "make silentoldconfig" as well)
>> always ask users about new symbols.
>
> The case I want to make sure can never happen is to have a config
> setting that ends up not actually being true. For example, if
> CONFIG_CC_STACKPROTECTOR appears in /proc/config.gz but the kernel
> wasn't actually built with a stack protector, that's bad. We end up in
> a place where the user can't trust the config to represent the actual
> results of the build.
>
> So, as long as the Kconfig options are strongly tied to the compiler
> capabilities, we're good on that front.
>
>> So, I can suggest to remove _REGULAR and _NONE.
>>
>> We have just two bool options, like follows.
>>
>> ------------------->8-----------------
>> config CC_STACKPROTECTOR
>>         bool "Use stack protector"
>>         depends on CC_HAS_STACKPROTECTOR
>>
>> config CC_STACKPROTECTOR_STRONG
>>         bool "Use strong strong stack protector"
>>         depends on CC_STACKPROTECTOR
>>         depends on CC_HAS_STACKPROTECTOR_STRONG
>> -------------------->8------------------
>>
>> This will work well for all{yes,mod,no}config.
>
> This two-option arrangement is fine (though it assumes there won't be
> another stack protector option in the future).
>
> The issue I have is this removes _AUTO, which I think can be solved in
> the two-option arrangement too. The purpose of _AUTO is to effectively
> enable stack-protector by default. As this option has been available
> for over 10 years, and all distros enable it, it's an obvious
> candidate to be enabled-by-default, especially since it kills a class
> of exploits (as mentioned in my commit log: BlueBorne was trivially
> defeated with stack-protector). So it should be possible to make these
> two options "default y", yes?


Yes.

Both should be "default y" to keep the equivalent behavior
since the current default is _AUTO.




>> We will not have a case where
>> -fstack-protector-strong is supported, but -fstack-protector is not.
>
> Correct.
>
> -Kees
>
> --
> Kees Cook
> Pixel Security
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Best Regards
Masahiro Yamada