Received: by 10.223.185.116 with SMTP id b49csp2349344wrg; Mon, 12 Feb 2018 08:14:29 -0800 (PST) X-Google-Smtp-Source: AH8x227e2wf85wFfX4dJUAHgK5zfKYAtc7bvCVGB/TZGjjC5Gq8X77XKMTUZvUFvJqHYyYIdaqhK X-Received: by 10.99.37.7 with SMTP id l7mr9702219pgl.311.1518452069713; Mon, 12 Feb 2018 08:14:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518452069; cv=none; d=google.com; s=arc-20160816; b=Q8BS2p4Ls55zwOHn9xmf+9uBngTHWnKuz8xdTBOgurH5kZGvDfMzT5X4Jfj5RQn2qO nucj/pyuU2NwK8qdRTR/IhW3O4J2dUMohhngtyBXaBNODNI+HE+mTG/Wvu92K5bBK2ie 4D2i9IllC81vcaUdaNj6rfxZ3j9pXVuUCew4u6xpvl1TSCopPgARR+PLql9DrF8dqIQK pWwqeZw1AaRYTf0dt2UrI0chzTYmugwpajw9mbY7FTpXu+Uu3QYIsvuZQnQJGoQRsQ8T GOsjktFvxuAaU/+xYiex/PoQypyJj2/PgjUn8EaSjwMf7AGKC5bY3ib7b4R/4zJBui0B GWbw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-filter :arc-authentication-results; bh=cRZcyXSEErbIba/7QUwRFMw/knOu/1rFblSISezcdws=; b=l924M67VwxFoRynC0i4B9yXTjdR346zsAtO/P43YxKaK8woCX+ryZjMPbi60DfCRho tEjOK4G39075y9tr9e+WhoBS0CXDJgVKM5+7Hi18MvOgGdW8dni9cFZ1x+cg/v3VWWzK doMQUcBqVldPqIb5alhuONXfR9hNmGgKDAP5ayjbSi7UCLMvGr7DOgFKel70ATWN7BPh Qa3mdYgGOJHxi1HjGGzDvr5D6wkVQFU74/yOJ1Ud4AOEwATUV7gHUFtFTirH9JNixiBV JgaLYqiZQnJgaR5BBWDg4zY0PGUwj3Wc1Dlh72bBV3zFmzrdr6lYFCGC1Y2pU1uieeqy bQrw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=QNXnglpL; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b129si1127153pgc.89.2018.02.12.08.14.13; Mon, 12 Feb 2018 08:14:29 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=QNXnglpL; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935297AbeBLQL0 (ORCPT + 99 others); Mon, 12 Feb 2018 11:11:26 -0500 Received: from conssluserg-06.nifty.com ([210.131.2.91]:44125 "EHLO conssluserg-06.nifty.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933591AbeBLQLY (ORCPT ); Mon, 12 Feb 2018 11:11:24 -0500 Received: from mail-vk0-f46.google.com (mail-vk0-f46.google.com [209.85.213.46]) (authenticated) by conssluserg-06.nifty.com with ESMTP id w1CGBH7i013798; Tue, 13 Feb 2018 01:11:18 +0900 DKIM-Filter: OpenDKIM Filter v2.10.3 conssluserg-06.nifty.com w1CGBH7i013798 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nifty.com; s=dec2015msa; t=1518451878; bh=cRZcyXSEErbIba/7QUwRFMw/knOu/1rFblSISezcdws=; h=In-Reply-To:References:From:Date:Subject:To:Cc:From; b=QNXnglpLMRvpzTeAsf5a0osyUi5zfICM7KsuErOMY1knOVQq2WnRYktETGbFSLUlw lRI19ILXjj1uDB78NctU21Zn3Vk+iTXirxAhz0eLiWKs8jo+UxCY9c7B30EqTn30mm HnCW1MbZXN07NuB9eN5+zeSfVP7V4RiDzAxPzc9pKYc45AmS5zdUMYREOAL7fzIljk +yWT23+7Y6MTzxAiXazRWiQ5rhOudN/Od+5QYauL9qCXsVEZjNhMXmPs71Ea658gwU 4Fj4w4RFK+FmJlXb4f+2Zp1CZq5x2d6pEUBgJUR77Ge+Ts7K/oGFZEG2R+hEQf7O5B aDJHIQbvtv3EA== X-Nifty-SrcIP: [209.85.213.46] Received: by mail-vk0-f46.google.com with SMTP id m197so9089249vka.3; Mon, 12 Feb 2018 08:11:18 -0800 (PST) X-Gm-Message-State: APf1xPC71Sh9m/YSq7GQIdS9DLwV1fZZBNhHt+86MzyS2WKRcHkcXuWk PPbvBg3yXsTMAPWsNhnMPrfSlHF0JWXEvGZFv6s= X-Received: by 10.31.255.25 with SMTP id p25mr3895759vki.55.1518451874594; Mon, 12 Feb 2018 08:11:14 -0800 (PST) MIME-Version: 1.0 Received: by 10.176.83.212 with HTTP; Mon, 12 Feb 2018 08:10:34 -0800 (PST) In-Reply-To: References: <20180210054843.z3g7wvcmlccvww3h@huvuddator> <20180210074924.3nhxsza5zdbaahxx@huvuddator> <20180210080556.mycqsjhxbaguwhay@huvuddator> <20180210085519.737ckf4bcl57h4g2@huvuddator> <20180211103432.pf2ot6nd7nbhdhsy@huvuddator> From: Masahiro Yamada Date: Tue, 13 Feb 2018 01:10:34 +0900 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH 4/7] kconfig: support new special property shell= To: Kees Cook Cc: Ulf Magnusson , Linus Torvalds , Linux Kbuild mailing list , Greg Kroah-Hartman , Andrew Morton , Nicolas Pitre , "Luis R . Rodriguez" , Randy Dunlap , Sam Ravnborg , Michal Marek , Martin Schwidefsky , Pavel Machek , linux-s390 , Jiri Kosina , Linux Kernel Mailing List , Tejun Heo , Ingo Molnar , "Van De Ven, Arjan" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 2018-02-13 0:46 GMT+09:00 Kees Cook : > On Mon, Feb 12, 2018 at 2:44 AM, Masahiro Yamada > wrote: >> Linus said: >> >>> But yes, I also reacted to your earlier " It can't silently rewrite it >>> to _REGULAR because the compiler support for _STRONG regressed." >>> Because it damn well can. If the compiler doesn't support >>> -fstack-protector-strong, we can just fall back on -fstack-protector. >>> Silently. No extra crazy complex logic for that either. >> >> >> If I understood his comment correctly, >> we do not need either WANT_* or _AUTO. >> >> >> Kees' comment: >> >>> In the stack-protector case, this becomes quite important, since the >>> goal is to record the user's selection regardless of compiler >>> capability. For example, if someone selects _REGULAR, it shouldn't >>> "upgrade" to _STRONG. (Similarly for _NONE.) >> >> No. Kconfig will not do this silently. >> >> "make oldconfig" (or "make silentoldconfig" as well) >> always ask users about new symbols. > > The case I want to make sure can never happen is to have a config > setting that ends up not actually being true. For example, if > CONFIG_CC_STACKPROTECTOR appears in /proc/config.gz but the kernel > wasn't actually built with a stack protector, that's bad. We end up in > a place where the user can't trust the config to represent the actual > results of the build. > > So, as long as the Kconfig options are strongly tied to the compiler > capabilities, we're good on that front. > >> So, I can suggest to remove _REGULAR and _NONE. >> >> We have just two bool options, like follows. >> >> ------------------->8----------------- >> config CC_STACKPROTECTOR >> bool "Use stack protector" >> depends on CC_HAS_STACKPROTECTOR >> >> config CC_STACKPROTECTOR_STRONG >> bool "Use strong strong stack protector" >> depends on CC_STACKPROTECTOR >> depends on CC_HAS_STACKPROTECTOR_STRONG >> -------------------->8------------------ >> >> This will work well for all{yes,mod,no}config. > > This two-option arrangement is fine (though it assumes there won't be > another stack protector option in the future). > > The issue I have is this removes _AUTO, which I think can be solved in > the two-option arrangement too. The purpose of _AUTO is to effectively > enable stack-protector by default. As this option has been available > for over 10 years, and all distros enable it, it's an obvious > candidate to be enabled-by-default, especially since it kills a class > of exploits (as mentioned in my commit log: BlueBorne was trivially > defeated with stack-protector). So it should be possible to make these > two options "default y", yes? Yes. Both should be "default y" to keep the equivalent behavior since the current default is _AUTO. >> We will not have a case where >> -fstack-protector-strong is supported, but -fstack-protector is not. > > Correct. > > -Kees > > -- > Kees Cook > Pixel Security > -- > To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- Best Regards Masahiro Yamada