Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1098216pxu; Wed, 2 Dec 2020 10:59:20 -0800 (PST) X-Google-Smtp-Source: ABdhPJzbtZFzyvrRmwBTCd1Yk3z97wKVdfSlsNhEC77xo632DOzC+rZaS7F3+YFLSYK2x+fyoSXC X-Received: by 2002:aa7:d6c9:: with SMTP id x9mr1370620edr.96.1606935559800; Wed, 02 Dec 2020 10:59:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606935559; cv=none; d=google.com; s=arc-20160816; b=EGs/McrU1JrtrFmtweqkhdoJGOqD1n28n/z1FadSjKJECXLqAKcem3XLNoMvynXyhg GTQdJ+Jx+71618gUOp3G/4j/sJ9B73atn4S/nlLgSJmR8/SPT4hoegmPDepOe1F91YKu fIr1ClT6AMln7gyoPpxhtLzjeGY0ABZruRgCgidFg1VAUVnYykQ6h4y0gzZZLi31totI uNjyWtYWdejQL7lTcGzub3UIU0mNvUEQFm6SKRFASD7b+ViiQ73sLbGBV50dig77Opr0 ySq6GJDpV2FDYHM9nXHtwhks6etORQh7UMSCrGxqBvNhJ7VDLFKIIUU65yUCMtiMhGJo qvmw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=b0+bgE4T7KwQd0o1rvb3kJK3SimQlgs22CmXZhVLCKg=; b=C1LPSlezC6n07SAqXxhOQy4A+uu4lMuKn7tu/7q/maa4A7J1fPX/n4QK+PIAIyfqFL s2ikecExsKuT5rgl58K4mHNenRnJeFzLYwWSFnY/lV9f/yiNZwgCaPb80xZg2djSXn4t L4Te0mgbo4VnQmplEFm8HZ2vHZF4Wcz4jig8vIweihBPiSgFEzMQXKDJjcdx+mgaT+qd CP73+DTMOqRIOaqjqmoD66TGl9yqTCImB4W5wPBVgsw5SNiG3a2VhjiaxsApxVA35gkJ 3onK8cLIpVEDOXYJM1mfwTjZeHzOQ4TQsBid9P4f9CW9z5EitjjkeigFG/OYeifLTbN4 Zs4Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=QROM0g6h; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u26si475652ejx.267.2020.12.02.10.58.56; Wed, 02 Dec 2020 10:59:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=QROM0g6h; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388020AbgLBSyw (ORCPT + 99 others); Wed, 2 Dec 2020 13:54:52 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55884 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387903AbgLBSyw (ORCPT ); Wed, 2 Dec 2020 13:54:52 -0500 Received: from mail-pj1-x1041.google.com (mail-pj1-x1041.google.com [IPv6:2607:f8b0:4864:20::1041]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 327FEC0613CF for ; Wed, 2 Dec 2020 10:54:12 -0800 (PST) Received: by mail-pj1-x1041.google.com with SMTP id j13so1471856pjz.3 for ; Wed, 02 Dec 2020 10:54:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=b0+bgE4T7KwQd0o1rvb3kJK3SimQlgs22CmXZhVLCKg=; b=QROM0g6hLow6GZ7V4UDEra8QnuXAyNQydFYd8tPdysSPgI/afRnHzMYcjQDJs2MPB5 4FHG2f99kdxwjDywXRoVakgANSW9WNU9vfancQ5ol/JYM0ZhkZcqC6lujqrqP2v+MmPf J2cFUpIzUbXWhObQk0kvkRk5lgSkJmlLPa0ho= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=b0+bgE4T7KwQd0o1rvb3kJK3SimQlgs22CmXZhVLCKg=; b=kNbczXUSscM6Y1IhhG/AQMBgZIbw7GGkpQAGqNZfX0icxYfluqhch3lYPkbE5gEq8w JXW4Kqz6o8ct4KpJR7aRMM5UUWzMiLrsVocdYRXW3ts/2F8j13HRc4Donb4/hoL2rdOu H/O+eRIhlUxPMd1mcyRjjhEoXe9iAklZgsKFbhklVwBfQqiTyWYyB1ap6Fz6d6aJ/A5g X6YMP624bXqh/wEidD1oI0exLQLScnPs/jfs7IPse6CTaoIbmikWPRRsB5LQs5ibPnLT SgvxnyaL7sWMSgjvp9yyV8PSHs1YNbhin9CfEowjXJs3s4QwgauTVBevVkmb/mFh51yR Nk0Q== X-Gm-Message-State: AOAM531MByKp0DCsj3cMp8doxX+2c17YV4vj0NaC5/yS8wxQYDq6t4jG 1O9U5tSf/y6MF1jFgl1CpVI+Bg== X-Received: by 2002:a17:902:b207:b029:d8:fdf3:af30 with SMTP id t7-20020a170902b207b02900d8fdf3af30mr3838177plr.31.1606935251732; Wed, 02 Dec 2020 10:54:11 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id z17sm346946pjn.46.2020.12.02.10.54.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 02 Dec 2020 10:54:10 -0800 (PST) Date: Wed, 2 Dec 2020 10:54:09 -0800 From: Kees Cook To: Masahiro Yamada Cc: Will Deacon , Sami Tolvanen , Steven Rostedt , Josh Poimboeuf , Peter Zijlstra , Greg Kroah-Hartman , "Paul E. McKenney" , Nick Desaulniers , clang-built-linux , Kernel Hardening , linux-arch , linux-arm-kernel , Linux Kbuild mailing list , Linux Kernel Mailing List , linux-pci@vger.kernel.org Subject: Re: [PATCH v7 00/17] Add support for Clang LTO Message-ID: <202012021042.A76E8F06@keescook> References: <20201118220731.925424-1-samitolvanen@google.com> <20201130120130.GF24563@willie-the-truck> <202012010929.3788AF5@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Dec 02, 2020 at 11:42:21AM +0900, Masahiro Yamada wrote: > On Wed, Dec 2, 2020 at 2:31 AM Kees Cook wrote: > > > > On Mon, Nov 30, 2020 at 12:01:31PM +0000, Will Deacon wrote: > > > Hi Sami, > > > > > > On Wed, Nov 18, 2020 at 02:07:14PM -0800, Sami Tolvanen wrote: > > > > This patch series adds support for building the kernel with Clang's > > > > Link Time Optimization (LTO). In addition to performance, the primary > > > > motivation for LTO is to allow Clang's Control-Flow Integrity (CFI) to > > > > be used in the kernel. Google has shipped millions of Pixel devices > > > > running three major kernel versions with LTO+CFI since 2018. > > > > > > > > Most of the patches are build system changes for handling LLVM bitcode, > > > > which Clang produces with LTO instead of ELF object files, postponing > > > > ELF processing until a later stage, and ensuring initcall ordering. > > > > > > > > Note that v7 brings back arm64 support as Will has now staged the > > > > prerequisite memory ordering patches [1], and drops x86_64 while we work > > > > on fixing the remaining objtool warnings [2]. > > > > > > Sounds like you're going to post a v8, but that's the plan for merging > > > that? The arm64 parts look pretty good to me now. > > > > I haven't seen Masahiro comment on this in a while, so given the review > > history and its use (for years now) in Android, I will carry v8 (assuming > > all is fine with it) it in -next unless there are objections. > > > What I dislike about this implementation is > it cannot drop any unreachable function/data. > (and it is completely different from GCC LTO) This seems to be an orthogonal concern: the kernel doesn't have GCC LTO support either (though much of Sami's work is required for GCC LTO too). > This is not real LTO. I don't know what you're defining as "real LTO", but this is, very much, Link Time Optimization: the compiler has access to the entire code at once, and it is therefore in a position to perform many manipulations to the code. As Sami mentioned, perhaps you're thinking specifically of dead code elimination? That's a specific optimization. > [thread[1] merging] > This help document is misleading. > People who read the document would misunderstand how great this feature would. > > This should be added in the commit log and Kconfig help: > > In contrast to the example in the documentation, Clang LTO > for the kernel cannot remove any unreachable function or data. > In fact, this results in even bigger vmlinux and modules. Which LTO passes are happening, how optimization are being performed, etc, are endlessly tunable, but we can't work on that tuning without the infrastructure to perform an LTO build in the first place. We need to land the support, and go from there. As written, it works very well for arm64 (which is what v8 targets specifically) and the results have been running on millions of Android phones for years now. If further tuning needs to happen for other architectures, config combinations, etc, those can and will be developed. (For example, x86 is around the corner, once some false positive warnings from objtool get hammered out, etc.) I still want this in -next so we can build on it and improve it -- it has been stuck in limbo for too long. -Kees [1] https://lore.kernel.org/kernel-hardening/CAK7LNASMh1KysAB4+gU7_iuTW+5GT2_yMDevwpLwx0iqjxwmWw@mail.gmail.com/ -- Kees Cook