From: Arvind Sankar
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", x86@kernel.org
Cc: Nick Desaulniers, Fangrui Song, Dmitry Golovin, clang-built-linux@googlegroups.com, Ard Biesheuvel, Masahiro Yamada, Sedat Dilek, Kees Cook, Nathan Chancellor, Arnd Bergmann, "H . J . Lu", linux-kernel@vger.kernel.org
Subject: [PATCH v6 2/7] x86/boot/compressed: Force hidden visibility for all symbol references
Date: Fri, 31 Jul 2020 16:27:33 -0400
Message-Id: <20200731202738.2577854-3-nivedita@alum.mit.edu>
In-Reply-To: <20200731202738.2577854-1-nivedita@alum.mit.edu>
References: <20200731202738.2577854-1-nivedita@alum.mit.edu>

From: Ard Biesheuvel

Eliminate all GOT entries in the decompressor binary, by forcing hidden
visibility for all symbol references, which informs the compiler that
such references will be resolved at link time without the need for
allocating GOT entries.

To ensure that no GOT entries will creep back in, add an assertion to
the decompressor linker script that will fire if the .got section has
a non-zero size.

[Arvind: move hidden.h to include/linux instead of making a copy]

Tested-by: Nick Desaulniers
Tested-by: Sedat Dilek
Reviewed-by: Kees Cook
Signed-off-by: Ard Biesheuvel
Acked-by: Arvind Sankar
Signed-off-by: Arvind Sankar
From: Ard Biesheuvel
Link: https://lore.kernel.org/r/20200523120021.34996-3-ardb@kernel.org
---
 arch/x86/boot/compressed/Makefile      |  1 +
 arch/x86/boot/compressed/vmlinux.lds.S |  1 +
 drivers/firmware/efi/libstub/Makefile  |  2 +-
 drivers/firmware/efi/libstub/hidden.h  |  6 ------
 include/linux/hidden.h                 | 19 +++++++++++++++++++
 5 files changed, 22 insertions(+), 7 deletions(-)
 delete mode 100644 drivers/firmware/efi/libstub/hidden.h
 create mode 100644 include/linux/hidden.h

diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile index 5a828fde7a42..489fea16bcfb 100644 --- a/arch/x86/boot/compressed/Makefile +++ b/arch/x86/boot/compressed/Makefile @@ -42,6 +42,7 @@ KBUILD_CFLAGS += $(call cc-disable-warning, gnu) KBUILD_CFLAGS += -Wno-pointer-sign KBUILD_CFLAGS += $(call cc-option,-fmacro-prefix-map=$(srctree)/=) KBUILD_CFLAGS += -fno-asynchronous-unwind-tables +KBUILD_CFLAGS += -include $(srctree)/include/linux/hidden.h KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__ GCOV_PROFILE := n diff --git a/arch/x86/boot/compressed/vmlinux.lds.S b/arch/x86/boot/compressed/vmlinux.lds.S index b17d218ccdf9..4bcc943842ab 100644 --- a/arch/x86/boot/compressed/vmlinux.lds.S +++ b/arch/x86/boot/compressed/vmlinux.lds.S @@ -81,6 +81,7 @@ SECTIONS DISCARDS } +ASSERT(SIZEOF(.got) == 0, "Unexpected GOT entries detected!") #ifdef CONFIG_X86_64 ASSERT(SIZEOF(.got.plt) == 0 || SIZEOF(.got.plt) == 0x18, "Unexpected GOT/PLT entries detected!") #else diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile index 75daaf20374e..b4f8c80cc591 100644 --- a/drivers/firmware/efi/libstub/Makefile +++ b/drivers/firmware/efi/libstub/Makefile @@ -26,7 +26,7 @@ cflags-$(CONFIG_ARM) := $(subst $(CC_FLAGS_FTRACE),,$(KBUILD_CFLAGS)) \ cflags-$(CONFIG_EFI_GENERIC_STUB) += -I$(srctree)/scripts/dtc/libfdt KBUILD_CFLAGS := $(cflags-y) -Os -DDISABLE_BRANCH_PROFILING \ - -include $(srctree)/drivers/firmware/efi/libstub/hidden.h \ + -include $(srctree)/include/linux/hidden.h \ -D__NO_FORTIFY \ $(call cc-option,-ffreestanding) \ $(call cc-option,-fno-stack-protector) \ diff --git a/drivers/firmware/efi/libstub/hidden.h b/drivers/firmware/efi/libstub/hidden.h deleted file mode 100644 index 3493b041f419..000000000000 --- a/drivers/firmware/efi/libstub/hidden.h +++ /dev/null 
@@ -1,6 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0 */ -/* - * To prevent the compiler from emitting GOT-indirected (and thus absolute) - * references to any global symbols, override their visibility as 'hidden' - */ -#pragma GCC visibility push(hidden) diff --git a/include/linux/hidden.h b/include/linux/hidden.h new file mode 100644 index 000000000000..49a17b6b5962 --- /dev/null +++ b/include/linux/hidden.h @@ -0,0 +1,19 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * When building position independent code with GCC using the -fPIC option, + * (or even the -fPIE one on older versions), it will assume that we are + * building a dynamic object (either a shared library or an executable) that + * may have symbol references that can only be resolved at load time. For a + * variety of reasons (ELF symbol preemption, the CoW footprint of the section + * that is modified by the loader), this results in all references to symbols + * with external linkage to go via entries in the Global Offset Table (GOT), + * which carries absolute addresses which need to be fixed up when the + * executable image is loaded at an offset which is different from its link + * time offset. + * + * Fortunately, there is a way to inform the compiler that such symbol + * references will be satisfied at link time rather than at load time, by + * giving them 'hidden' visibility. + */ + +#pragma GCC visibility push(hidden) -- 2.26.2
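
Review bot: In arch/x86/boot/compressed/vmlinux.lds.S, the new ASSERT(SIZEOF(.got) == 0, ...) only protects against regressions if the script defines a `.got` output section that collects the GOT input sections, and the hunk context (the closing of SECTIONS right after DISCARDS) does not show one. If those inputs ended up in a different output section, the check would measure nothing useful. Please confirm the output section exists in this file, or add it in this patch, so the assertion cannot pass vacuously. Note also that the assert sits above the `#ifdef CONFIG_X86_64` block and so applies to 32-bit builds as well; the changelog should say that both were build-tested.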
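
Review bot: In arch/x86/boot/compressed/Makefile, the added `-include $(srctree)/include/linux/hidden.h` also reaches every assembly source, because the next context line assigns `KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__`. The header has no `__ASSEMBLY__` guard and its comment only talks about the compiler, so it is not clear whether feeding the `#pragma` through the preprocessor for .S files is intended. Either wrap the pragma in `#ifndef __ASSEMBLY__` or state in the commit message that the pragma is harmless for assembly input.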
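
Review bot: In the new include/linux/hidden.h, the comment explains why hidden visibility is wanted but not how the header is meant to be consumed, which matters more now that it lives in include/linux rather than next to the EFI stub. The file has no include guard and the `#pragma GCC visibility push(hidden)` is never popped, which is only correct when the file is force-included once via `-include` at the start of a translation unit, as both Makefile hunks do. Please add a sentence saying it must only be used that way, for position-independent objects such as the decompressor and the EFI stub, and never pulled in with `#include` from ordinary kernel code. Minor wording: "this results in all references ... to go via" reads better as "this results in all references ... going via".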