Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1816354pxb; Wed, 20 Oct 2021 12:18:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJza++niaxHoegB601gPfTAcj+svwXvPUuVt9AS+Bn+Imtnf0I8q9n529uiV8X8D8MJaoVHZ X-Received: by 2002:a17:907:20ec:: with SMTP id rh12mr1480814ejb.15.1634757515861; Wed, 20 Oct 2021 12:18:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1634757515; cv=none; d=google.com; s=arc-20160816; b=tNEzA2ZXHa36DY/+/j8TzFt5sVgAvOku7NFoQSbI3kfMV0cb+P+ioR82ukskbtycZF KqIVHfIUMkCLDWEt/KQV/r48fmmCaBn4PSS0prQUv7YYDW7aRnOeqjzltIPZbo+5/+51 02PVa1aCkBQh9q9ivfTg/9xrq+BTE+3IU58SXf6dg3JJc8wLkgoITLH4FQ4ds+p2gryI reHoa4UiCPn4IfjapZ5IYEMhecaiCXvhhOZ6ERmWB92T5MYmEsoCDVJwb2QFAKvhVu0X nia8KaAzb/kJ6dbAWAyI4yC+UtXCJhYVq2Z7OXeBxXEOVpnaosc4X7Y4L2lB5iEVTgcL COag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=i22CGOfMdCgEzNofkN2ujFXF/VRH37ibkrOAmDeTGJk=; b=Qed6JO6VcRGn2/T2RU+CqBWU59mUXmeDx/WYn0S789teKFhYYiQBkQHMoDCHkKT1w1 b3lD6TCXAHI+IZd6AIRzZxep68gjXHcX0rRi6ybqpi+df0DkNIrr2F8goyPF6PK5p0nc 3ohKEQoPV3vQLxTOgVm4/u55LlDGWm0CBq28oVUvnNcYGND0bwBqIPy+2UI4TyQsM78w RKIA2yO96ydwEMmVE9NMJQc6XtWTuIhB5I4wdwRK5FhLC6PyMLlPpT1/NFCwroXR8Wn1 g2hbuWpAJqP8/Wb0ZmOmWBb2NW4zkRPlD+A4WFHLJTMOvJx4OMuK3fiQUHohL14YuD6K SRRQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=JpcmTmu4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n10si5308454edx.401.2021.10.20.12.18.10; Wed, 20 Oct 2021 12:18:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=JpcmTmu4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231522AbhJTTRZ (ORCPT + 99 others); Wed, 20 Oct 2021 15:17:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33462 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231406AbhJTTRY (ORCPT ); Wed, 20 Oct 2021 15:17:24 -0400 Received: from mail-pg1-x536.google.com (mail-pg1-x536.google.com [IPv6:2607:f8b0:4864:20::536]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AF976C06161C for ; Wed, 20 Oct 2021 12:15:09 -0700 (PDT) Received: by mail-pg1-x536.google.com with SMTP id q5so23385090pgr.7 for ; Wed, 20 Oct 2021 12:15:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=i22CGOfMdCgEzNofkN2ujFXF/VRH37ibkrOAmDeTGJk=; b=JpcmTmu47LLgTalrcwHRfbvnurUdEUIPsEFm+gDXyWzHYc7ndXQEKbhgm4vo91rqt1 TMNIN7Qa9dCpB6e3ViS2EZ+qPxoTjr6dHBkYXKic25otGOFt5rTop+eIp8mnFDNRwpGt aje3upgjKjBAz6T1loijjMNJQqfNOXXET2wlA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=i22CGOfMdCgEzNofkN2ujFXF/VRH37ibkrOAmDeTGJk=; b=2ROanzmdo44e5/uQCBl36GU1povjA9uie39lgZytH9Du98tbhtVRvIdAEfft5adKLk /FLR3Kcvx+XyH0gjZ4e8FF6PVnkNJUEzc7IldgOx3jiSYcIzot7F3RU/rnMHuDrHd1sD mPLoUqQZzVUpEBlJA6h4WiNZ0Ljl1fMdFAAkRKvEqt9BIFrVyU8zIXKC+XrQciWLtOip Dm/XJcJB2WDy19T9KYBw1e46MUy7CRACkN+cmn30LTgr4t0JMpr+4xGK80WnY64+kzyC d1wPG54q7WyGNVoRtx8eDjbEdwMU46D8VPaQ/LxaCXF3MWEdFKvdym2byS4WZ98NLGWS IvFQ== X-Gm-Message-State: AOAM530Ke9iavGWSxVhlOOpKIKTmH4u2M9+h8UotHgpcjxRL3zgumbo0 wWNZUw/Lyp2P1d05LoW1LduNYg== X-Received: by 2002:aa7:94a8:0:b0:44c:f3e0:81fb with SMTP id a8-20020aa794a8000000b0044cf3e081fbmr797733pfl.6.1634757309155; Wed, 20 Oct 2021 12:15:09 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id p12sm3981100pfh.52.2021.10.20.12.15.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Oct 2021 12:15:08 -0700 (PDT) Date: Wed, 20 Oct 2021 12:15:08 -0700 From: Kees Cook To: Nathan Chancellor Cc: Masahiro Yamada , Michal Marek , Nick Desaulniers , Jonathan Corbet , James Morris , "Serge E. Hallyn" , linux-hardening@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, llvm@lists.linux.dev, Dan Li , ardb@kernel.org, ojeda@kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 1/2] gcc-plugins: Explicitly document purpose and deprecation schedule Message-ID: <202110201212.43DC4A24@keescook> References: <20211020173554.38122-1-keescook@chromium.org> <20211020173554.38122-2-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 20, 2021 at 10:45:43AM -0700, Nathan Chancellor wrote: > On Wed, Oct 20, 2021 at 10:35:53AM -0700, Kees Cook wrote: > > GCC plugins should only exist when some compiler feature needs to be > > proven but does not exist in either GCC nor Clang. For example, if a > > desired feature is already in Clang, it should be added to GCC upstream. > > Document this explicitly. > > > > Additionally, mark the plugins with matching upstream GCC features as > > removable past their respective GCC versions. > > > > Cc: Masahiro Yamada > > Cc: Michal Marek > > Cc: Nick Desaulniers > > Cc: Jonathan Corbet > > Cc: James Morris > > Cc: "Serge E. Hallyn" > > Cc: Nathan Chancellor > > Cc: linux-hardening@vger.kernel.org > > Cc: linux-kbuild@vger.kernel.org > > Cc: linux-doc@vger.kernel.org > > Cc: linux-security-module@vger.kernel.org > > Cc: llvm@lists.linux.dev > > Signed-off-by: Kees Cook > > Seems reasonable to me. > > Reviewed-by: Nathan Chancellor Thanks! > > One comment below. > > > --- > > Documentation/kbuild/gcc-plugins.rst | 26 ++++++++++++++++++++++++++ > > scripts/gcc-plugins/Kconfig | 4 ++-- > > security/Kconfig.hardening | 9 ++++++--- > > 3 files changed, 34 insertions(+), 5 deletions(-) > > > > diff --git a/Documentation/kbuild/gcc-plugins.rst b/Documentation/kbuild/gcc-plugins.rst > > index 3349966f213d..4b28c7a4032f 100644 > > --- a/Documentation/kbuild/gcc-plugins.rst > > +++ b/Documentation/kbuild/gcc-plugins.rst > > @@ -32,6 +32,32 @@ This infrastructure was ported from grsecurity [6]_ and PaX [7]_. > > .. [7] https://pax.grsecurity.net/ > > > > > > +Purpose > > +======= > > + > > +GCC plugins are designed to provide a place to experiment with potential > > +compiler features that are neither in GCC nor Clang upstream. Once > > +their utility is proven, the goal is to upstream the feature into GCC > > +(and Clang), and then to finally remove them from the kernel once the > > +feature is available in all supported versions of GCC. > > + > > +Specifically, new plugins should implement only features that have no > > +upstream compiler support (in either GCC or Clang). > > + > > +When a feature exists in Clang but not GCC, effort should be made to > > +bring the feature to upstream GCC (rather than just as a kernel-specific > > +GCC plugin), so the entire ecosystem can benefit from it. > > + > > +Similarly, even if a feature provided by a GCC plugin does *not* exist > > +in Clang, but the feature is proven to be useful, effort should be spent > > +to upstream the feature to GCC (and Clang). > > + > > +After a feature is available in upstream GCC, the plugin will be made > > +unbuildable for the corresponding GCC version (and later). Once all > > +kernel-supported versions of GCC provide the feature, the plugin will > > +be removed from the kernel. > > + > > + > > Files > > ===== > > > > diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig > > index ab9eb4cbe33a..3f5d3580ec06 100644 > > --- a/scripts/gcc-plugins/Kconfig > > +++ b/scripts/gcc-plugins/Kconfig > > @@ -37,6 +37,8 @@ config GCC_PLUGIN_CYC_COMPLEXITY > > > > config GCC_PLUGIN_SANCOV > > bool > > + # Plugin can be removed once the kernel only supports GCC 6.1.0+ > > + depends on !CC_HAS_SANCOV_TRACE_PC > > This symbol is not user selectable and the one place that does select it > only does so when !CC_HAS_SANCOV_TRACE_PC so this seems pointless to me. > > Keep the comment, ditch the depends? I had a similar thought, and in the end, I decided I wanted to always enforce the GCC feature check through a depends, with a comment about the expected version. I want to make sure we don't use plugins if an upstream feature is already available. It happens that SANCOV was effectively the first to do this, but it did so on the other side and I wanted it repeated here so it was "self contained". -Kees -- Kees Cook