Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp4309830imm; Mon, 30 Jul 2018 12:12:01 -0700 (PDT) X-Google-Smtp-Source: AAOMgpfuj8MsmtqrfgwMS9JtG9BVIgKy3axjP/SmfJfpzNfFVQDX5Zt+TX6+Wi+ZHUMjRs4rLj1b X-Received: by 2002:a62:87ce:: with SMTP id i197-v6mr19124827pfe.62.1532977920976; Mon, 30 Jul 2018 12:12:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1532977920; cv=none; d=google.com; s=arc-20160816; b=dv/2ceV1DyMUG/AtPNtbcd9ssk6/mSdb7J9a1rAFIpXM7QcxdlYzJD6zCQnjavw/2V zP+/ItXS7xyveFzOfVTYLvf/XOoK4jrA42DbdbMHHIbCvf1x3/fpamAbsCxgz6RMj1zM Ny0YoL+hNr5k5iZybVGndbvxEdb6pn/BQvC3RmAEpvex3QhLxKHXBykYYj/MsDClCykF nnjTWiyYtOsEVq49nargdMBMHI6D36hzMmnNqxcuRypRilXDeEj9zv1DpE1kOu4ms+qE aVBd3LSi3BKe4L6HiamfkZweWEnK4Di9/LSHeAS1lQWS9z/gff8acxYdly5/rq5vqZnf qpCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=lZSgVZhDw2wx+9kimYDnh1Fll64NkObCs/TKpkm2f0c=; b=d57Z91suhkim3f7zm5ynDpXre14iQXjKLK4oG5OZqwLoj9icBU9qaJytaK2K4E8V9D Uevt5gIan76OEqr8InXGVLguJr5Anty3iEWi0jCfpS01k6kDZwpL5TOF3cFM8RX9tTPR 67HLb/IdJQx+3DOOsLo+OVa+LUrOtLXvLs3wh7LWZZO7B4NBgJ1qsnuvxnXyzvdXIzA/ G2h3PdFcsf0T4SNrtVQtRJI7bhWXr98QLZ7ANFqdvKFBN1Jcsay81yvQhVgP5r2h3uDB 8HC80NSiJnh20A98wIEjn2SUxarx5ZJYWmtK0WxAStV/u03UN07+A0LihOMtVMk3uliB 0JvQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=r50aQGiu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r28-v6si11529772pfb.65.2018.07.30.12.11.46; Mon, 30 Jul 2018 12:12:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=r50aQGiu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732030AbeG3UqP (ORCPT + 99 others); Mon, 30 Jul 2018 16:46:15 -0400 Received: from mail-yb0-f195.google.com ([209.85.213.195]:34362 "EHLO mail-yb0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731355AbeG3UqO (ORCPT ); Mon, 30 Jul 2018 16:46:14 -0400 Received: by mail-yb0-f195.google.com with SMTP id e9-v6so5191835ybq.1 for ; Mon, 30 Jul 2018 12:09:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lZSgVZhDw2wx+9kimYDnh1Fll64NkObCs/TKpkm2f0c=; b=r50aQGiu0eI/I0wQmPZGocp/IqnfGyRMYJbSxfiWkcWSc0ClXygSBzSuzfdkcFuFrD hJxfH+JL0gg966CoI0iclKspCGAem/08KPCekaSpWWRr/5PeGcKM6WawUeyfKwnujB89 LL3dcazCVkR7Yb5Ogjdsn+u7YP3Rw1R3ga5VIUbe2wxDCE6yOuyD+CM81tW3pHtDVLiw haJ6QYlFqJ/T/uxUpMT2AbqVcCtXpVLXvNZr3B2tVGP9dZqip1851OQXLyK483/4G7Wv 5HT3/lx3CudxIm54k3e1xug2pKTy8YIfvw7mmmSAyINoysr12qkmuxrAK/mtbmZm6bnz zeSQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lZSgVZhDw2wx+9kimYDnh1Fll64NkObCs/TKpkm2f0c=; b=JCQoxK05xM9cfjoq/D53Q/zHv0S/Ro0NJ26Mlep1IuAbHrUOCTSTNdB1UD5XTzZ6Vd /qKTly7YbBr2sheSUlGbUIQjY4E5NmJ+JPELWKkleSQsUrNsuMvDISed1jbP+Hs6JAKG prxDZ4k7MvCkC7/xwwjAHP9ijRVPUqps/9fFw0LJOF6grcILK+NaksEpJEdidPJBGlP0 a9AArmAjAwGr5MmRi1O3k/koAu3xQbihFZsc1CH5V8OUQ/wSx7tmtLUZVUAWscNlHpei +l3EqRX8KGkbKRsGY550V36kHM+eC/lP18YohOEngDKxUHgkbiTaLGz+R1OEcmVP/icu xpvQ== X-Gm-Message-State: AOUpUlGiVx5AH640JKqHILLPklyMMZVjXmf7wdk3KZ9XF9OS7Hi/G78J SRGUSfUcqQiRBacEKUHYcQmB2wvNYDfGzbtwqEBqRw== X-Received: by 2002:a25:b219:: with SMTP id i25-v6mr10447882ybj.112.1532977790451; Mon, 30 Jul 2018 12:09:50 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a25:6602:0:0:0:0:0 with HTTP; Mon, 30 Jul 2018 12:09:49 -0700 (PDT) In-Reply-To: <20180730183118.25869-1-labbott@redhat.com> References: <20180730163722.GD4276@arm.com> <20180730183118.25869-1-labbott@redhat.com> From: Kees Cook Date: Mon, 30 Jul 2018 12:09:49 -0700 Message-ID: Subject: Re: [PATCH] efi/libstub: Only disable stackleak plugin for arm64 To: Laura Abbott Cc: Will Deacon , Stephen Rothwell , Linux-Next Mailing List , Linux Kernel Mailing List , Alexander Popov , Catalin Marinas Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 30, 2018 at 11:31 AM, Laura Abbott wrote: > arm64 uses the full KBUILD_CFLAGS for building libstub as opposed > to x86 which doesn't. This means that x86 doesn't pick up > the gcc-plugins. We need to disable the stackleak plugin but > doing this unconditionally breaks x86 build since it doesn't > have any plugins. Switch to disabling the stackleak plugin for > arm64 only. > > Signed-off-by: Laura Abbott Reviewed-by: Kees Cook Thanks! -Kees > --- > drivers/firmware/efi/libstub/Makefile | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile > index 25dd2a14560d..88c322d7c71e 100644 > --- a/drivers/firmware/efi/libstub/Makefile > +++ b/drivers/firmware/efi/libstub/Makefile > @@ -11,7 +11,10 @@ cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ -O2 \ > -fPIC -fno-strict-aliasing -mno-red-zone \ > -mno-mmx -mno-sse -fshort-wchar > > -cflags-$(CONFIG_ARM64) := $(subst -pg,,$(KBUILD_CFLAGS)) -fpie > +# arm64 uses the full KBUILD_CFLAGS so it's necessary to explicitly > +# disable the stackleak plugin > +cflags-$(CONFIG_ARM64) := $(subst -pg,,$(KBUILD_CFLAGS)) -fpie \ > + $(DISABLE_STACKLEAK_PLUGIN) > cflags-$(CONFIG_ARM) := $(subst -pg,,$(KBUILD_CFLAGS)) \ > -fno-builtin -fpic -mno-single-pic-base > > @@ -21,7 +24,6 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ > -D__NO_FORTIFY \ > $(call cc-option,-ffreestanding) \ > $(call cc-option,-fno-stack-protector) \ > - $(DISABLE_STACKLEAK_PLUGIN) > > GCOV_PROFILE := n > KASAN_SANITIZE := n > -- > 2.17.1 > -- Kees Cook Pixel Security