From: joao@overdrivepizza.com
To: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Cc: joao@overdrivepizza.com, peterz@infradead.org, jpoimboe@redhat.com, andrew.cooper3@citrix.com, keescook@chromium.org, samitolvanen@google.com, mark.rutland@arm.com, hjl.tools@gmail.com, alyssa.milburn@linux.intel.com, ndesaulniers@google.com, gabriel.gomes@linux.intel.com, rick.p.edgecombe@intel.com
Subject: [RFC PATCH 02/11] kbuild: Support FineIBT build
Date: Tue, 19 Apr 2022 17:42:32 -0700
Message-Id: <20220420004241.2093-3-joao@overdrivepizza.com>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220420004241.2093-1-joao@overdrivepizza.com>
References: <20220420004241.2093-1-joao@overdrivepizza.com>

From: Joao Moreira

Add FineIBT compilation flags to Makefiles, preserving translation units which should not get it.

Signed-off-by: Joao Moreira
--- arch/x86/Kconfig | 10 ++++++++++ arch/x86/Makefile | 3 +++ arch/x86/entry/vdso/Makefile | 5 +++++ arch/x86/kernel/Makefile | 1 + arch/x86/purgatory/Makefile | 4 ++++ 5 files changed, 23 insertions(+) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index b0142e01002e..37e49e9187a0 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig 
@@ -1872,6 +1872,16 @@ config X86_KERNEL_IBT does significantly reduce the number of ENDBR instructions in the kernel image. +config CC_HAS_FINEIBT + def_bool $(cc-option, -fcf-protection=branch -mfine-ibt) && $(as-instr,endbr64) + +config X86_KERNEL_FINEIBT + prompt "Fine-grain Indirect Branch Tracking" + bool + depends on X86_KERNEL_IBT && CC_HAS_FINEIBT + help + Build the kernel with Fine-grained IBT. + config X86_INTEL_MEMORY_PROTECTION_KEYS prompt "Memory Protection Keys" def_bool y diff --git a/arch/x86/Makefile b/arch/x86/Makefile index 63d50f65b828..768e318eb78f 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -73,6 +73,9 @@ ifeq ($(CONFIG_X86_KERNEL_IBT),y) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104816 # KBUILD_CFLAGS += $(call cc-option,-fcf-protection=branch -fno-jump-tables) +ifeq ($(CONFIG_X86_KERNEL_FINEIBT),y) +KBUILD_CFLAGS += $(call cc-option, -mfine-ibt) +endif else KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none) endif diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile index 693f8b9031fb..3dce5571460e 100644 --- a/arch/x86/entry/vdso/Makefile +++ b/arch/x86/entry/vdso/Makefile @@ -91,7 +91,11 @@ ifneq ($(RETPOLINE_VDSO_CFLAGS),) endif endif +ifdef CONFIG_X86_KERNEL_FINEIBT +$(vobjs): KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_LTO) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS) -mfine-ibt,$(KBUILD_CFLAGS)) $(CFL) +else $(vobjs): KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_LTO) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) +endif # # vDSO code runs in userspace and -pg doesn't help with profiling anyway. 
@@ -151,6 +155,7 @@ KBUILD_CFLAGS_32 := $(filter-out -mfentry,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out $(CC_FLAGS_LTO),$(KBUILD_CFLAGS_32)) +KBUILD_CFLAGS_32 := $(filter-out -mfine-ibt,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 += -m32 -msoft-float -mregparm=0 -fpic KBUILD_CFLAGS_32 += -fno-stack-protector KBUILD_CFLAGS_32 += $(call cc-option, -foptimize-sibling-calls) diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index c41ef42adbe8..cb947569e9d8 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile @@ -148,6 +148,7 @@ obj-$(CONFIG_UNWINDER_FRAME_POINTER) += unwind_frame.o obj-$(CONFIG_UNWINDER_GUESS) += unwind_guess.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += sev.o +obj-$(CONFIG_X86_KERNEL_FINEIBT) += fineibt.o ### # 64 bit specific files diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile index ae53d54d7959..e16b25a598ba 100644 --- a/arch/x86/purgatory/Makefile +++ b/arch/x86/purgatory/Makefile @@ -55,6 +55,10 @@ ifdef CONFIG_RETPOLINE PURGATORY_CFLAGS_REMOVE += $(RETPOLINE_CFLAGS) endif +ifdef CONFIG_X86_KERNEL_FINEIBT +PURGATORY_CFLAGS_REMOVE += -mfine-ibt +endif + CFLAGS_REMOVE_purgatory.o += $(PURGATORY_CFLAGS_REMOVE) CFLAGS_purgatory.o += $(PURGATORY_CFLAGS) -- 2.35.1
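Review bot: In the arch/x86/Kconfig hunk, the help text for X86_KERNEL_FINEIBT only restates the prompt, and the two disagree on spelling ("Fine-grain" in the prompt, "Fine-grained" in the help). Please pick one spelling and expand the help to say what the option adds on top of X86_KERNEL_IBT and that it requires a compiler accepting -mfine-ibt, so that someone configuring a hardened kernel can tell whether to enable it.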
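Review bot: In the arch/x86/Makefile hunk, wrapping the flag in "$(call cc-option, -mfine-ibt)" is redundant and can hide a misbuild. CONFIG_X86_KERNEL_FINEIBT already depends on CC_HAS_FINEIBT, which probes -mfine-ibt, so the second probe adds nothing when it succeeds; when it fails, the flag is dropped silently while the config symbol stays set and fineibt.o is still built, giving a kernel that reports FineIBT but was compiled without it. Suggest a plain "KBUILD_CFLAGS += -mfine-ibt" so a compiler mismatch fails the build instead.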
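Review bot: In the first arch/x86/entry/vdso/Makefile hunk, the ifdef/else duplicates the whole "$(vobjs): KBUILD_CFLAGS := $(filter-out ...)" line only to add one word to the filter list. filter-out of a flag that is not present is a no-op, so -mfine-ibt can be added to the existing filter-out list unconditionally, which is what the KBUILD_CFLAGS_32 hunk further down already does. That keeps a single copy of the line and avoids the two branches drifting apart the next time someone adds a flag to one of them.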
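Review bot: In the arch/x86/kernel/Makefile hunk, "obj-$(CONFIG_X86_KERNEL_FINEIBT) += fineibt.o" refers to an object whose source is not added by this patch (the diffstat lists only Kconfig and four Makefiles). With this patch applied on its own, X86_KERNEL_FINEIBT is selectable and enabling it will fail the build, which breaks bisection. Suggest moving this line into the patch of the series that adds the fineibt source file, or ordering the series so the Kconfig symbol only becomes selectable once that file exists.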
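Review bot: In the arch/x86/purgatory/Makefile hunk (and the vDSO hunks above), -mfine-ibt is removed without any stated reason; the commit message only says these translation units "should not get it". Please add a short comment next to each removal, or a sentence in the commit message, explaining why FineIBT instrumentation must not be emitted there, in the style of the existing vDSO comment about -pg. Without it, a later cleanup has no way to know whether the exclusions are still required.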