Received: by 10.223.185.116 with SMTP id b49csp2389033wrg;
        Mon, 12 Feb 2018 08:48:13 -0800 (PST)
X-Google-Smtp-Source: AH8x2269exBh78cva9mEpsdK8wU7LaJ/FIKGbMkF1jpWVzAxFj0jahbxNpYJKNJ1oBZeiqIyvKS3
X-Received: by 2002:a17:902:6bc3:: with SMTP id m3-v6mr11218666plt.442.1518454093309;
        Mon, 12 Feb 2018 08:48:13 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518454093; cv=none;
        d=google.com; s=arc-20160816;
        b=ZIgf4Q3bRDMLAfkJh1/ZZhaGfOdSwL1SDzRmOMn1JMVTmEkLO+zkHrsr+GOTUEAu9d
         pwR9AtkEFyKAkvcaKaruNyMITViIxPIDL44LvYVEQrOOaFWBUdj5/0VZKYMRwSp0vPqg
         Or/BYj5tzGcqICZLqmynWo2o2qJMAQcuoBpIJS5oGoKxH0aa5ynxGIy355iOLtgyJfNV
         fk4cAf1gLSxraL0QNGkFlgSPQtgI1KHc0teZ/mLqmttnG+feqKrBR/jCOUojzNfgdZQ6
         ViyntdbepZxU+fHhEqrJ7CyQD7UiONh12ngbZ+XBBJObVI53jnZKZPJ8/ElJpce7TcSg
         XIdQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=dupYp+b0w5G0T2Q5nf0UvzqHwnq+fp4ddHjFEX7bZ3o=;
        b=D1YLk4ptUCGqTKwtru9pHR7ZJkSBiwkHJgb+fEVoG1w+vLD8rYkmYRFyrdJCJagvXx
         qVJmrTw5LC7+5Ow7h3cCO8qY1U83/efIhGL4Bdp/X8f8zBOYLFL00Dxa0TIXHaACvIUg
         c1MjPvgvtdGve+jaF8bj7Q8cU4RnXEinycC4IA9CX/xyoSQbcT/R2BO29gQV8JbH8uWy
         dUu7JecZQPZhApZNVLe0UccLIEfNU5XNmDOeVTCAJxSx1nL4BQLYkCFSrGV9FdVya+Bx
         06x8vhI0z27FXGXNeq3eT2/8NmLipNNydNpjYFkub5E03N0lUqDxAFT6Ci/O+bUzG0sL
         rEdQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=LZSUwpDt;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v9-v6si2927859plz.266.2018.02.12.08.47.58;
        Mon, 12 Feb 2018 08:48:13 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=LZSUwpDt;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S934225AbeBLLtf (ORCPT <rfc822;brice.berna@gmail.com>
        + 99 others); Mon, 12 Feb 2018 06:49:35 -0500
Received: from mail-vk0-f49.google.com ([209.85.213.49]:34889 "EHLO
        mail-vk0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S933898AbeBLLtd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Feb 2018 06:49:33 -0500
Received: by mail-vk0-f49.google.com with SMTP id n132so8603687vke.2;
        Mon, 12 Feb 2018 03:49:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=dupYp+b0w5G0T2Q5nf0UvzqHwnq+fp4ddHjFEX7bZ3o=;
        b=LZSUwpDtNQhD5ylq9aT8dYm/GJcgrrbx6mh2YPvmnCcgMEAl26YRjIhZzBG8xAo++B
         mYnFo3HAJIBfrEAK4MwWFYNKEYjjN2Rt4XWDPhbxuI3LQ/o4hfSP8UBaHfJKPtXqIsAV
         BMzgr6/46dsxkTtwdJZ84uHQ8A4EVDIz85b6S+5L96PK+gQ1CIC0lJXVNFyslExiDxNB
         dGRxwWbj+SrbPaflb4t5ZzYTedY9tDaWNfzZQL41FjaKv/+SaQTjE6Cxe9xDvgESzdD/
         kupB+NoYIQP3QWZ+eOzYDoQQkACbGFxvhqQvNfmdM53mYMekou3IQlqzeo+Xg7zfY0CF
         ePYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=dupYp+b0w5G0T2Q5nf0UvzqHwnq+fp4ddHjFEX7bZ3o=;
        b=TFxxiMsLp9da52kMLiCHmLaaYLo4ls7WxA3iiQ6zJZDHFFLMM3b3Qzw7UxA9NwqL6y
         OZ6oG3qlqrPZrYQeAFcNmGDv7NBNot5T5zMkGn3k+3oVqOVVi0yJznRRYX5Hp+2dTDLE
         Agi86fYs+AnujIoTgA1kysQfqBl2Vg3IZ/zuADMMfe5M0qgg6PG8YurYYTLeTM/FGncD
         h5TXNDm4UhMyXGrpUmYwjlWgXa0b/c7guKZe9JKAX548ZO7S6pngnAlUxTiVnNSFth/+
         /TGBr4JbC0CFhvx8L96egsy2HiLdWk4pWBK+6qjqrDywrwpt8WEgvvfgt15DSqhrtIR7
         P/nA==
X-Gm-Message-State: APf1xPC/ei7O2dI//DLrjMFzjRBl7DNgQ0SYFOPOad/wmn59QkBPsZQ7
        Hf4RypYx3n833Vx+vJEMSy7Fi7MfPoLurr55IdE=
X-Received: by 10.31.15.149 with SMTP id 143mr10185995vkp.126.1518436172038;
 Mon, 12 Feb 2018 03:49:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.103.70.21 with HTTP; Mon, 12 Feb 2018 03:49:31 -0800 (PST)
In-Reply-To: <CAFkk2KQ+ybTQF4U9eHqhi-Hg8ML1Z72DsXij2sM58S5HHg6C-Q@mail.gmail.com>
References: <20180210054843.z3g7wvcmlccvww3h@huvuddator> <CAK7LNARHmAF2SxBcc1aUEH5MMzUo_furLevqy7QzGxqNRHYiyQ@mail.gmail.com>
 <20180210074924.3nhxsza5zdbaahxx@huvuddator> <20180210080556.mycqsjhxbaguwhay@huvuddator>
 <20180210085519.737ckf4bcl57h4g2@huvuddator> <CAGXu5jKQgxxC2RQL0dxLKFVED2v-LiWKjtXY3DDpfwAXbnxM4Q@mail.gmail.com>
 <CA+55aFz-SJ970iqDsR8-Ke4z6WvB4n9RXAeen8pG=+YJWubETw@mail.gmail.com>
 <CAGXu5jLo0iuMsH89vj3nr8sv+1YvXfXgoPeBdxHwZm5i=DWoOA@mail.gmail.com>
 <CA+55aFxdx3FYE6YGifRR=BSG9QzXwgThj5z7RmV5P5+RpNXSiQ@mail.gmail.com>
 <CA+55aFyPyYyG-riaBQU5cGp_sC=r8mf9Mg6L=DUEH6EyQfWYwA@mail.gmail.com>
 <20180211103432.pf2ot6nd7nbhdhsy@huvuddator> <CAK7LNARdm7UESEEh-2qEP9R8jWSwzZ4d2x=pZZPuj6EVAsXnAA@mail.gmail.com>
 <CAFkk2KQ+ybTQF4U9eHqhi-Hg8ML1Z72DsXij2sM58S5HHg6C-Q@mail.gmail.com>
From:   Ulf Magnusson <ulfalizer@gmail.com>
Date:   Mon, 12 Feb 2018 12:49:31 +0100
Message-ID: <CAFkk2KRM44RXkr3tr36RmjvdWHqiRmgZQRP3r+E0iTJAg6T5SQ@mail.gmail.com>
Subject: Re: [RFC PATCH 4/7] kconfig: support new special property shell=
To:     Masahiro Yamada <yamada.masahiro@socionext.com>
Cc:     Linus Torvalds <torvalds@linux-foundation.org>,
        Kees Cook <keescook@chromium.org>,
        Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Nicolas Pitre <nicolas.pitre@linaro.org>,
        "Luis R . Rodriguez" <mcgrof@suse.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        Sam Ravnborg <sam@ravnborg.org>,
        Michal Marek <michal.lkml@markovi.net>,
        Martin Schwidefsky <schwidefsky@de.ibm.com>,
        Pavel Machek <pavel@ucw.cz>,
        linux-s390 <linux-s390@vger.kernel.org>,
        Jiri Kosina <jkosina@suse.cz>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Tejun Heo <tj@kernel.org>, Ingo Molnar <mingo@kernel.org>,
        "Van De Ven, Arjan" <arjan.van.de.ven@intel.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 12, 2018 at 12:44 PM, Ulf Magnusson <ulfalizer@gmail.com> wrote:
> On Mon, Feb 12, 2018 at 11:44 AM, Masahiro Yamada
> <yamada.masahiro@socionext.com> wrote:
>> 2018-02-11 19:34 GMT+09:00 Ulf Magnusson <ulfalizer@gmail.com>:
>>> Looks to me like there's a few unrelated issues here:
>>>
>>>
>>> 1. The stack protector support test scripts
>>>
>>> Worthwhile IMO if they (*in practice*) prevent hard-to-debug build errors or a
>>> subtly broken kernel from being built.
>>>
>>> A few questions:
>>>
>>>     - How do things fail with a broken stack protector implementation?
>>>
>>>     - How common are those broken compilers?
>>>
>>>     - Do you really need to pass $(KBUILD_CPPFLAGS) when testing for breakage,
>>>       or would a simpler static test work in practice?
>>>
>>>       I don't know how messy it would be to get $(KBUILD_CPPFLAGS) into
>>>       Kconfig, but should make sure it's actually needed in any case.
>>>
>>>       The scripts are already split up as
>>>
>>>           scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh
>>>
>>>       by the way, though only gcc-x86_32-has-stack-protector.sh and
>>>       gcc-x86_64-has-stack-protector.sh exist.
>>>
>>>     - How old do you need to go with GCC for -fno-stack-protector to give an
>>>       error (i.e., for not even the option to be recognized)? Is it still
>>>       warranted to test for it?
>>>
>>> Adding some CCs who worked on the stack protector test scripts.
>>>
>>> And yeah, I was assuming that needing support scripts would be rare, and that
>>> you'd usually just check whether gcc accepts the flag.
>>>
>>> When you Google "gcc broken stack protector", the top hits about are about the
>>> scripts/gcc-x86_64-has-stack-protector.sh script in the kernel throwing a false
>>> positive by the way (fixed in 82031ea29e45 ("scripts/has-stack-protector: add
>>> -fno-PIE")).
>>>
>>>
>>> 2. Whether to hide the Kconfig stack protector alternatives or always show them
>>>
>>> Or equivalently, whether to automatically fall back on other stack protector
>>> alternatives (including no stack protector) if the one specified in the .config
>>> isn't available.
>>>
>>> I'll let you battle this one out. In any case, as a user, I'd want a
>>> super-clear message telling me what to change if the build breaks because of
>>> missing stack protector support.
>>>
>>>
>>> 3. Whether to implement CC_STACKPROTECTOR_AUTO in Kconfig or the Makefiles
>>>
>>> I'd just go with whatever is simplest here. I don't find the Kconfig version
>>> too bad, but I'm already very familiar with Kconfig, so it's harder for me to
>>> tell how it looks to other people.
>>>
>>> I'd add some comments to explain the idea in the final version.
>>>
>>> @Kees:
>>> I was assuming that the Makefiles would error out with a message if none of the
>>> CC_STACKPROTECTOR_* variables are set, in addition to the Kconfig warning.
>>>
>>> You could offload part of that check to Kconfig with something like
>>>
>>>         config CHOSEN_CC_STACKPROTECTOR_AVAILABLE
>>>                 def_bool CC_STACKPROTECTOR_STRONG || \
>>>                          CC_STACKPROTECTOR_REGULAR || \
>>>                          CC_STACKPROTECTOR_NONE
>>>
>>> CHOSEN_STACKPROTECTOR_AVAILABLE could then be checked in the Makefile.
>>> It has the advantage of making the constraint clear in the Kconfig file
>>> at least.
>>>
>>> You could add some kind of assert feature to Kconfig too, but IMO it's not
>>> warranted purely for one-offs like this at least.
>>>
>>> That's details though. I'd want to explain it with a comment in any case if we
>>> go with something like this, since it's slightly kludgy and subtle
>>> (CC_STACKPROTECTOR_{STRONG,REGULAR,NONE} form a kind of choice, only you can't
>>> express it like that directly, since it's derived from other symbols).
>>>
>>>
>>> Here's an overview of the current Kconfig layout by the way, assuming
>>> the old no-fallback behavior and CC_STACKPROTECTOR_AUTO being
>>> implemented in Kconfig:
>>>
>>>         # Feature tests
>>>         CC_HAS_STACKPROTECTOR_STRONG
>>>         CC_HAS_STACKPROTECTOR_REGULAR
>>>         CC_HAS_STACKPROTECTOR_NONE
>>>
>>>         # User request
>>>         WANT_CC_STACKPROTECTOR_AUTO
>>>         WANT_CC_STACKPROTECTOR_STRONG
>>>         WANT_CC_STACKPROTECTOR_REGULAR
>>>         WANT_CC_STACKPROTECTOR_NONE
>>>
>>>         # The actual "output" to the Makefiles
>>>         CC_STACKPROTECTOR_STRONG
>>>         CC_STACKPROTECTOR_REGULAR
>>>         CC_STACKPROTECTOR_NONE
>>>
>>>         # Some possible output "nicities"
>>>         CHOSEN_CC_STACKPROTECTOR_AVAILABLE
>>>         CC_OPT_STACKPROTECTOR
>>>
>>> Does anyone have objections to the naming or other things? I saw some
>>> references to "Santa's wish list" in messages of commits that dealt with other
>>> variables named WANT_*, though I didn't look into those cases. ;)
>>>
>>
>>
>>
>> I think Linus's comment was dismissed here.
>>
>>
>> Linus said:
>>
>>> But yes, I also reacted to your earlier " It can't silently rewrite it
>>> to _REGULAR because the compiler support for _STRONG regressed."
>>> Because it damn well can. If the compiler doesn't support
>>> -fstack-protector-strong, we can just fall back on -fstack-protector.
>>> Silently. No extra crazy complex logic for that either.
>>
>>
>> If I understood his comment correctly,
>> we do not need either WANT_* or _AUTO.
>>
>>
>>
>>
>> Kees' comment:
>>
>>> In the stack-protector case, this becomes quite important, since the
>>> goal is to record the user's selection regardless of compiler
>>> capability. For example, if someone selects _REGULAR, it shouldn't
>>> "upgrade" to _STRONG. (Similarly for _NONE.)
>>
>> No.  Kconfig will not do this silently.
>
> (Playing devil's advocate...)
>
> If the user selected _STRONG and it becomes unavailable later, it
> seems to silently fall back on other options, even for oldnoconfig
> (which just checks if there are any new symbols in the choice).
>
> It would be possible to also check if the old user selection still
> applies btw. I do that in Kconfiglib. It's arguable whether that
> matches the intent of oldnoconfig.

*oldconfig

These things are so closely named. :P

Cheers,
Ulf