Received: by 10.223.185.116 with SMTP id b49csp2389033wrg; Mon, 12 Feb 2018 08:48:13 -0800 (PST) X-Google-Smtp-Source: AH8x2269exBh78cva9mEpsdK8wU7LaJ/FIKGbMkF1jpWVzAxFj0jahbxNpYJKNJ1oBZeiqIyvKS3 X-Received: by 2002:a17:902:6bc3:: with SMTP id m3-v6mr11218666plt.442.1518454093309; Mon, 12 Feb 2018 08:48:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518454093; cv=none; d=google.com; s=arc-20160816; b=ZIgf4Q3bRDMLAfkJh1/ZZhaGfOdSwL1SDzRmOMn1JMVTmEkLO+zkHrsr+GOTUEAu9d pwR9AtkEFyKAkvcaKaruNyMITViIxPIDL44LvYVEQrOOaFWBUdj5/0VZKYMRwSp0vPqg Or/BYj5tzGcqICZLqmynWo2o2qJMAQcuoBpIJS5oGoKxH0aa5ynxGIy355iOLtgyJfNV fk4cAf1gLSxraL0QNGkFlgSPQtgI1KHc0teZ/mLqmttnG+feqKrBR/jCOUojzNfgdZQ6 ViyntdbepZxU+fHhEqrJ7CyQD7UiONh12ngbZ+XBBJObVI53jnZKZPJ8/ElJpce7TcSg XIdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=dupYp+b0w5G0T2Q5nf0UvzqHwnq+fp4ddHjFEX7bZ3o=; b=D1YLk4ptUCGqTKwtru9pHR7ZJkSBiwkHJgb+fEVoG1w+vLD8rYkmYRFyrdJCJagvXx qVJmrTw5LC7+5Ow7h3cCO8qY1U83/efIhGL4Bdp/X8f8zBOYLFL00Dxa0TIXHaACvIUg c1MjPvgvtdGve+jaF8bj7Q8cU4RnXEinycC4IA9CX/xyoSQbcT/R2BO29gQV8JbH8uWy dUu7JecZQPZhApZNVLe0UccLIEfNU5XNmDOeVTCAJxSx1nL4BQLYkCFSrGV9FdVya+Bx 06x8vhI0z27FXGXNeq3eT2/8NmLipNNydNpjYFkub5E03N0lUqDxAFT6Ci/O+bUzG0sL rEdQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=LZSUwpDt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v9-v6si2927859plz.266.2018.02.12.08.47.58; Mon, 12 Feb 2018 08:48:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=LZSUwpDt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934225AbeBLLtf (ORCPT + 99 others); Mon, 12 Feb 2018 06:49:35 -0500 Received: from mail-vk0-f49.google.com ([209.85.213.49]:34889 "EHLO mail-vk0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933898AbeBLLtd (ORCPT ); Mon, 12 Feb 2018 06:49:33 -0500 Received: by mail-vk0-f49.google.com with SMTP id n132so8603687vke.2; Mon, 12 Feb 2018 03:49:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dupYp+b0w5G0T2Q5nf0UvzqHwnq+fp4ddHjFEX7bZ3o=; b=LZSUwpDtNQhD5ylq9aT8dYm/GJcgrrbx6mh2YPvmnCcgMEAl26YRjIhZzBG8xAo++B mYnFo3HAJIBfrEAK4MwWFYNKEYjjN2Rt4XWDPhbxuI3LQ/o4hfSP8UBaHfJKPtXqIsAV BMzgr6/46dsxkTtwdJZ84uHQ8A4EVDIz85b6S+5L96PK+gQ1CIC0lJXVNFyslExiDxNB dGRxwWbj+SrbPaflb4t5ZzYTedY9tDaWNfzZQL41FjaKv/+SaQTjE6Cxe9xDvgESzdD/ kupB+NoYIQP3QWZ+eOzYDoQQkACbGFxvhqQvNfmdM53mYMekou3IQlqzeo+Xg7zfY0CF ePYg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dupYp+b0w5G0T2Q5nf0UvzqHwnq+fp4ddHjFEX7bZ3o=; b=TFxxiMsLp9da52kMLiCHmLaaYLo4ls7WxA3iiQ6zJZDHFFLMM3b3Qzw7UxA9NwqL6y OZ6oG3qlqrPZrYQeAFcNmGDv7NBNot5T5zMkGn3k+3oVqOVVi0yJznRRYX5Hp+2dTDLE Agi86fYs+AnujIoTgA1kysQfqBl2Vg3IZ/zuADMMfe5M0qgg6PG8YurYYTLeTM/FGncD h5TXNDm4UhMyXGrpUmYwjlWgXa0b/c7guKZe9JKAX548ZO7S6pngnAlUxTiVnNSFth/+ /TGBr4JbC0CFhvx8L96egsy2HiLdWk4pWBK+6qjqrDywrwpt8WEgvvfgt15DSqhrtIR7 P/nA== X-Gm-Message-State: APf1xPC/ei7O2dI//DLrjMFzjRBl7DNgQ0SYFOPOad/wmn59QkBPsZQ7 Hf4RypYx3n833Vx+vJEMSy7Fi7MfPoLurr55IdE= X-Received: by 10.31.15.149 with SMTP id 143mr10185995vkp.126.1518436172038; Mon, 12 Feb 2018 03:49:32 -0800 (PST) MIME-Version: 1.0 Received: by 10.103.70.21 with HTTP; Mon, 12 Feb 2018 03:49:31 -0800 (PST) In-Reply-To: References: <20180210054843.z3g7wvcmlccvww3h@huvuddator> <20180210074924.3nhxsza5zdbaahxx@huvuddator> <20180210080556.mycqsjhxbaguwhay@huvuddator> <20180210085519.737ckf4bcl57h4g2@huvuddator> <20180211103432.pf2ot6nd7nbhdhsy@huvuddator> From: Ulf Magnusson Date: Mon, 12 Feb 2018 12:49:31 +0100 Message-ID: Subject: Re: [RFC PATCH 4/7] kconfig: support new special property shell= To: Masahiro Yamada Cc: Linus Torvalds , Kees Cook , Linux Kbuild mailing list , Greg Kroah-Hartman , Andrew Morton , Nicolas Pitre , "Luis R . Rodriguez" , Randy Dunlap , Sam Ravnborg , Michal Marek , Martin Schwidefsky , Pavel Machek , linux-s390 , Jiri Kosina , Linux Kernel Mailing List , Tejun Heo , Ingo Molnar , "Van De Ven, Arjan" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 12, 2018 at 12:44 PM, Ulf Magnusson wrote: > On Mon, Feb 12, 2018 at 11:44 AM, Masahiro Yamada > wrote: >> 2018-02-11 19:34 GMT+09:00 Ulf Magnusson : >>> Looks to me like there's a few unrelated issues here: >>> >>> >>> 1. The stack protector support test scripts >>> >>> Worthwhile IMO if they (*in practice*) prevent hard-to-debug build errors or a >>> subtly broken kernel from being built. >>> >>> A few questions: >>> >>> - How do things fail with a broken stack protector implementation? >>> >>> - How common are those broken compilers? >>> >>> - Do you really need to pass $(KBUILD_CPPFLAGS) when testing for breakage, >>> or would a simpler static test work in practice? >>> >>> I don't know how messy it would be to get $(KBUILD_CPPFLAGS) into >>> Kconfig, but should make sure it's actually needed in any case. >>> >>> The scripts are already split up as >>> >>> scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh >>> >>> by the way, though only gcc-x86_32-has-stack-protector.sh and >>> gcc-x86_64-has-stack-protector.sh exist. >>> >>> - How old do you need to go with GCC for -fno-stack-protector to give an >>> error (i.e., for not even the option to be recognized)? Is it still >>> warranted to test for it? >>> >>> Adding some CCs who worked on the stack protector test scripts. >>> >>> And yeah, I was assuming that needing support scripts would be rare, and that >>> you'd usually just check whether gcc accepts the flag. >>> >>> When you Google "gcc broken stack protector", the top hits about are about the >>> scripts/gcc-x86_64-has-stack-protector.sh script in the kernel throwing a false >>> positive by the way (fixed in 82031ea29e45 ("scripts/has-stack-protector: add >>> -fno-PIE")). >>> >>> >>> 2. Whether to hide the Kconfig stack protector alternatives or always show them >>> >>> Or equivalently, whether to automatically fall back on other stack protector >>> alternatives (including no stack protector) if the one specified in the .config >>> isn't available. >>> >>> I'll let you battle this one out. In any case, as a user, I'd want a >>> super-clear message telling me what to change if the build breaks because of >>> missing stack protector support. >>> >>> >>> 3. Whether to implement CC_STACKPROTECTOR_AUTO in Kconfig or the Makefiles >>> >>> I'd just go with whatever is simplest here. I don't find the Kconfig version >>> too bad, but I'm already very familiar with Kconfig, so it's harder for me to >>> tell how it looks to other people. >>> >>> I'd add some comments to explain the idea in the final version. >>> >>> @Kees: >>> I was assuming that the Makefiles would error out with a message if none of the >>> CC_STACKPROTECTOR_* variables are set, in addition to the Kconfig warning. >>> >>> You could offload part of that check to Kconfig with something like >>> >>> config CHOSEN_CC_STACKPROTECTOR_AVAILABLE >>> def_bool CC_STACKPROTECTOR_STRONG || \ >>> CC_STACKPROTECTOR_REGULAR || \ >>> CC_STACKPROTECTOR_NONE >>> >>> CHOSEN_STACKPROTECTOR_AVAILABLE could then be checked in the Makefile. >>> It has the advantage of making the constraint clear in the Kconfig file >>> at least. >>> >>> You could add some kind of assert feature to Kconfig too, but IMO it's not >>> warranted purely for one-offs like this at least. >>> >>> That's details though. I'd want to explain it with a comment in any case if we >>> go with something like this, since it's slightly kludgy and subtle >>> (CC_STACKPROTECTOR_{STRONG,REGULAR,NONE} form a kind of choice, only you can't >>> express it like that directly, since it's derived from other symbols). >>> >>> >>> Here's an overview of the current Kconfig layout by the way, assuming >>> the old no-fallback behavior and CC_STACKPROTECTOR_AUTO being >>> implemented in Kconfig: >>> >>> # Feature tests >>> CC_HAS_STACKPROTECTOR_STRONG >>> CC_HAS_STACKPROTECTOR_REGULAR >>> CC_HAS_STACKPROTECTOR_NONE >>> >>> # User request >>> WANT_CC_STACKPROTECTOR_AUTO >>> WANT_CC_STACKPROTECTOR_STRONG >>> WANT_CC_STACKPROTECTOR_REGULAR >>> WANT_CC_STACKPROTECTOR_NONE >>> >>> # The actual "output" to the Makefiles >>> CC_STACKPROTECTOR_STRONG >>> CC_STACKPROTECTOR_REGULAR >>> CC_STACKPROTECTOR_NONE >>> >>> # Some possible output "nicities" >>> CHOSEN_CC_STACKPROTECTOR_AVAILABLE >>> CC_OPT_STACKPROTECTOR >>> >>> Does anyone have objections to the naming or other things? I saw some >>> references to "Santa's wish list" in messages of commits that dealt with other >>> variables named WANT_*, though I didn't look into those cases. ;) >>> >> >> >> >> I think Linus's comment was dismissed here. >> >> >> Linus said: >> >>> But yes, I also reacted to your earlier " It can't silently rewrite it >>> to _REGULAR because the compiler support for _STRONG regressed." >>> Because it damn well can. If the compiler doesn't support >>> -fstack-protector-strong, we can just fall back on -fstack-protector. >>> Silently. No extra crazy complex logic for that either. >> >> >> If I understood his comment correctly, >> we do not need either WANT_* or _AUTO. >> >> >> >> >> Kees' comment: >> >>> In the stack-protector case, this becomes quite important, since the >>> goal is to record the user's selection regardless of compiler >>> capability. For example, if someone selects _REGULAR, it shouldn't >>> "upgrade" to _STRONG. (Similarly for _NONE.) >> >> No. Kconfig will not do this silently. > > (Playing devil's advocate...) > > If the user selected _STRONG and it becomes unavailable later, it > seems to silently fall back on other options, even for oldnoconfig > (which just checks if there are any new symbols in the choice). > > It would be possible to also check if the old user selection still > applies btw. I do that in Kconfiglib. It's arguable whether that > matches the intent of oldnoconfig. *oldconfig These things are so closely named. :P Cheers, Ulf