Received: by 10.213.65.68 with SMTP id h4csp319054imn;
        Wed, 28 Mar 2018 04:19:46 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/uXsQhNxYX6fs6NNWkMuXIFPRtaJtUIjaDiLP5snNTkngIz9HaX4jkaehZ6OjO/cW6q304
X-Received: by 2002:a17:902:2e43:: with SMTP id q61-v6mr3332706plb.404.1522235986873;
        Wed, 28 Mar 2018 04:19:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522235986; cv=none;
        d=google.com; s=arc-20160816;
        b=QoqbOTwU9miC5rG7WtVKq6EAJKYHTtA9XP1oSZZq3IuDBbeYCadVv1g68GAOcjdu6j
         Bq4TbFDUjS0McTNGC7kE1PQPJOT95WWk+D+o0YNeN7t1VUnNpMdfLq2Neb04TBtw7WiO
         2KGJhl+/3nrXZ34bJujYJh158Wmn5e6JdMDA+ClsTZDQ9QLJHgnCuD6gZTE+H0lGCDPQ
         pWOub/UNLtFi0bZX9qN14nJIotdYWAAjxbtZa9tz6z9WR2q2lR6UiSEeL/DMviovbyA1
         KUX1bQg5Oapcgv4/A56C3rD3WSZoE8y3Fs4E4edEJWtTku2rlcPZwnx3mALGFYI34yNc
         LGiw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=3XVlEbcdadJdXphclfvvM7wwfTsLbcYrt9NDBigeLt0=;
        b=BTNfkoSPVz4rjCjv/nNqUQgXJkGYU0jNKXLtT2F41PYOqbGlGxo8VE/+DuioOwLqDv
         TMdJnUqhddzlkIvq9eBbZ0hwZ3T+rHciDSIkgVTtuj44eXnKZuatqqn8jV6tZQfeyPlP
         638wDZeZ3x8wwoV4Wyw9ozdYU0HQ4QM3bquo5IQRDoo5YZyRYOs5fo4bCaXb1998A7De
         FQiBGAFWGduIzxd0dXW4PTPVzqmlF7tB9sY5h0TVHOZMpPaeNUCQz3NbG+01Oy0rrtSc
         oRzt1B8/DDxjYz7VrAGHthBeniMw0EJoDR9hssPrxn8VgjgBSFNbjZRC/IOnd5lNCKpG
         5S7g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=Zrq9Ydo8;
       dkim=fail header.i=@chromium.org header.s=google header.b=KJp3wFo1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f11si2335797pgn.420.2018.03.28.04.19.31;
        Wed, 28 Mar 2018 04:19:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=Zrq9Ydo8;
       dkim=fail header.i=@chromium.org header.s=google header.b=KJp3wFo1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752663AbeC1LSi (ORCPT <rfc822;noahbdev@gmail.com> + 99 others);
        Wed, 28 Mar 2018 07:18:38 -0400
Received: from mail-ua0-f173.google.com ([209.85.217.173]:41408 "EHLO
        mail-ua0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750799AbeC1LSg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 28 Mar 2018 07:18:36 -0400
Received: by mail-ua0-f173.google.com with SMTP id i2so1266488uak.8
        for <linux-kernel@vger.kernel.org>; Wed, 28 Mar 2018 04:18:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=3XVlEbcdadJdXphclfvvM7wwfTsLbcYrt9NDBigeLt0=;
        b=Zrq9Ydo8bJFXBN6dOSc1ckg8YpGdyTIHW/Ib2AZBP5RDGSjXVSuaeK/uwYgz73SZVj
         95Ur9LqN29Jq8W4muFfIR6y0lEzFRjrAY6Xs4BRBl2B3b5S9f6Xmfv3xeOVTsAySpYq+
         Ox8j0MKmkELoHfSWUF1vlCROts51/EFxr/mJovO4UNuD5RBp9sL0EjVaEqu59TSpQR2O
         jrZfDBFMwPwTFKb36UCGugwJVB8GMhZonX3PLg8Jn7oFwshroF8/8DJzHde/dBmb/M/D
         QLlo1rqZ+G5/glRizhrC8lm+RsfCJrVViziwlctv2iMWKlJjtcVsUQ65ZJSOUSHQHnlY
         8beQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=3XVlEbcdadJdXphclfvvM7wwfTsLbcYrt9NDBigeLt0=;
        b=KJp3wFo1Je2skyYr6l/W8B1oxeAj+qUySxtXR97fdOLNtrTMoGI2nTRLFeDiPFH1Bh
         JChv3lPIyV3KH2NwhUy9cayfo2H8Am0BX2wX+8FZ+v9s4gZbCH5Ff8YF6QyxMF+MOgtA
         72VxVyxOaKyawUHDMAEljaIsRerPre4S5rQZ4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=3XVlEbcdadJdXphclfvvM7wwfTsLbcYrt9NDBigeLt0=;
        b=XpTV0VLW2n0QZj5YRqP8fyl2uBY38IPfNRSzc7L4BYulSz/4wipi9YNF2JFHXaIO/W
         WKytQj9UxuUJCJ3EtUQSD9lCWyWVdvBYF616PVeT+PCJa1xPPSNAAaF8mZlZWLI2GXx9
         LcK12RAwCei0BhSD6ULSQttplRblpNUwksM+3xOapjtFtSqOK50pbF4jcv1iLvzuUjcE
         lCuWYYRoVWvrhwGrqLXSJeEyvT7QzfxySwXAxMtrDq+uAJtVZFzJ9U7Bxkg63rBtyYng
         APQCorHr0hZbiHaKZNqioBqCrK+1qFQ1ffc9lI356qA27KY90H50YE+fQ3JJzBXgQ2UN
         GtRw==
X-Gm-Message-State: AElRT7GsP+UcLznZtFjYPOM1cDlNBZj0m22W5eQO2Sj6UqomAHFBmnw8
        gZOSihGxxxRPC7Hk+YHPn5lXGlWXPRa96+ZRNLBCzA==
X-Received: by 10.159.41.198 with SMTP id s64mr2113692uas.176.1522235913558;
 Wed, 28 Mar 2018 04:18:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.129.9 with HTTP; Wed, 28 Mar 2018 04:18:32 -0700 (PDT)
In-Reply-To: <1522128575-5326-12-git-send-email-yamada.masahiro@socionext.com>
References: <1522128575-5326-1-git-send-email-yamada.masahiro@socionext.com> <1522128575-5326-12-git-send-email-yamada.masahiro@socionext.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Wed, 28 Mar 2018 04:18:32 -0700
X-Google-Sender-Auth: 3uc7t3yfaifZONqLvlETP7Wpq3M
Message-ID: <CAGXu5j+F1GXNE9T3vOo+Sq+GfX2Cy5a8tFU--qVBJwaJkt=s6Q@mail.gmail.com>
Subject: Re: [PATCH v2 11/21] stack-protector: test compiler capability in
 Kconfig and drop AUTO mode
To:     Masahiro Yamada <yamada.masahiro@socionext.com>
Cc:     linux-kbuild <linux-kbuild@vger.kernel.org>,
        Sam Ravnborg <sam@ravnborg.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Arnd Bergmann <arnd@arndb.de>,
        Ulf Magnusson <ulfalizer@gmail.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Randy Dunlap <rdunlap@infradead.org>,
        "Luis R . Rodriguez" <mcgrof@kernel.org>,
        Nicolas Pitre <nico@linaro.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Ingo Molnar <mingo@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 26, 2018 at 10:29 PM, Masahiro Yamada
<yamada.masahiro@socionext.com> wrote:
> Move the test for -fstack-protector(-strong) option to Kconfig.
>
> If the compiler does not support the option, the corresponding menu
> is automatically hidden.  If _STRONG is not supported, it will fall
> back to _REGULAR.  If _REGULAR is not supported, it will be disabled.
> This means, _AUTO is implicitly handled by the dependency solver of
> Kconfig, hence removed.
>
> I also turned the 'choice' into only two boolean symbols.  The use of
> 'choice' is not a good idea here, because all of all{yes,mod,no}config
> would choose the first visible value, while we want allnoconfig to
> disable as many features as possible.
>
> X86 has additional shell scripts in case the compiler supports the
> option, but generates broken code.  I added CC_HAS_SANE_STACKPROTECTOR
> to test this.  I had to add -m32 to gcc-x86_32-has-stack-protector.sh
> to make it work correctly.
>
> Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

This looks really good. Notes below...

> ---
>
> Changes in v2:
>   - Describe $(cc-option ...) directly in depends on context
>
>  Makefile                                  | 93 ++-----------------------------
>  arch/Kconfig                              | 29 +++-------
>  arch/x86/Kconfig                          |  8 ++-
>  scripts/gcc-x86_32-has-stack-protector.sh |  7 +--
>  scripts/gcc-x86_64-has-stack-protector.sh |  5 --
>  5 files changed, 22 insertions(+), 120 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 5c395ed..5cadffa 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -675,55 +675,11 @@ ifneq ($(CONFIG_FRAME_WARN),0)
>  KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
>  endif
>
> -# This selects the stack protector compiler flag. Testing it is delayed
> -# until after .config has been reprocessed, in the prepare-compiler-check
> -# target.
> -ifdef CONFIG_CC_STACKPROTECTOR_AUTO
> -  stackp-flag := $(call cc-option,-fstack-protector-strong,$(call cc-option,-fstack-protector))
> -  stackp-name := AUTO
> -else
> -ifdef CONFIG_CC_STACKPROTECTOR_REGULAR
> -  stackp-flag := -fstack-protector
> -  stackp-name := REGULAR
> -else
> -ifdef CONFIG_CC_STACKPROTECTOR_STRONG
> -  stackp-flag := -fstack-protector-strong
> -  stackp-name := STRONG
> -else
> -  # If either there is no stack protector for this architecture or
> -  # CONFIG_CC_STACKPROTECTOR_NONE is selected, we're done, and $(stackp-name)
> -  # is empty, skipping all remaining stack protector tests.
> -  #
> -  # Force off for distro compilers that enable stack protector by default.
> -  KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
> -endif
> -endif
> -endif
> -# Find arch-specific stack protector compiler sanity-checking script.
> -ifdef stackp-name
> -ifneq ($(stackp-flag),)
> -  stackp-path := $(srctree)/scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh
> -  stackp-check := $(wildcard $(stackp-path))
> -  # If the wildcard test matches a test script, run it to check functionality.
> -  ifdef stackp-check
> -    ifneq ($(shell $(CONFIG_SHELL) $(stackp-check) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y)
> -      stackp-broken := y
> -    endif
> -  endif
> -  ifndef stackp-broken
> -    # If the stack protector is functional, enable code that depends on it.
> -    KBUILD_CPPFLAGS += -DCONFIG_CC_STACKPROTECTOR
> -    # Either we've already detected the flag (for AUTO) or we'll fail the
> -    # build in the prepare-compiler-check rule (for specific flag).
> -    KBUILD_CFLAGS += $(stackp-flag)
> -  else
> -    # We have to make sure stack protector is unconditionally disabled if
> -    # the compiler is broken (in case we're going to continue the build in
> -    # AUTO mode).

Let's keep this comment (slightly rewritten) since the reason for
setting this flag isn't obvious.

> -    KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
> -  endif
> -endif
> -endif
> +stackp-flags-y                                 := -fno-stack-protector

This is a (minor?) regression in my testing. Making this unconditional
may break for a compiler built without stack-protector. It should be
rare, but it's technically possible. Perhaps:

stackp-flags-y := ($call cc-option, -fno-stack-protector)

> +stackp-flags-$(CONFIG_CC_STACKPROTECTOR)       := -fstack-protector
> +stackp-flags-$(CONFIG_CC_STACKPROTECTOR_STRONG)        := -fstack-protector-strong
> +
> +KBUILD_CFLAGS += $(stackp-flags-y)
> [...]
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 8e0d665..b42378d 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -535,13 +535,13 @@ config HAVE_CC_STACKPROTECTOR
>         bool
>         help
>           An arch should select this symbol if:
> -         - its compiler supports the -fstack-protector option

Please leave this note: it's still valid. An arch must still have
compiler support for this to be sensible.

>           - it has implemented a stack canary (e.g. __stack_chk_guard)
> [...]

Otherwise, this tests well for me. Nicely done!

-Kees

-- 
Kees Cook
Pixel Security