From patchwork Tue May 3 20:54:58 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836271
From: Kees Cook
To: Bill Wendling
Cc: Kees Cook, David Howells, Jeff Layton, Masahiro Yamada, Nick Desaulniers, linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 1/6] netfs: Eliminate Clang randstruct warning
Date: Tue, 3 May 2022 13:54:58 -0700
Message-Id: <20220503205503.3054173-2-keescook@chromium.org>
In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org>
References: <20220503205503.3054173-1-keescook@chromium.org>

Clang's structure layout randomization feature gets upset when it sees struct inode (which is randomized) cast to struct netfs_i_context. This is due to seeing the inode pointer as being treated as an array of inodes, rather than "something else, following struct inode".
Since netfs can't use container_of() (since it doesn't know what the true containing struct is), it uses this direct offset instead. Adjust the code to better reflect what is happening: an arbitrary pointer is being adjusted and cast to something else: use a "void *" for the math. The resulting binary output is the same, but Clang no longer sees an unexpected cross-structure cast:

In file included from ../fs/nfs/inode.c:50:
In file included from ../fs/nfs/fscache.h:15:
In file included from ../include/linux/fscache.h:18:
../include/linux/netfs.h:298:9: error: casting from randomized structure pointer type 'struct inode *' to 'struct netfs_i_context *'
        return (struct netfs_i_context *)(inode + 1);
               ^
1 error generated.

Cc: David Howells
Cc: Jeff Layton
Signed-off-by: Kees Cook
Reviewed-by: Jeff Layton
---
 include/linux/netfs.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/netfs.h b/include/linux/netfs.h index c7bf1eaf51d5..0c33b715cbfd 100644 --- a/include/linux/netfs.h +++ b/include/linux/netfs.h @@ -295,7 +295,7 @@ extern void netfs_stats_show(struct seq_file *); */ static inline struct netfs_i_context *netfs_i_context(struct inode *inode) { - return (struct netfs_i_context *)(inode + 1); + return (void *)inode + sizeof(*inode); } /** 
@@ -307,7 +307,7 @@ static inline struct netfs_i_context *netfs_i_context(struct inode *inode) */ static inline struct inode *netfs_inode(struct netfs_i_context *ctx) { - return ((struct inode *)ctx) - 1; + return (void *)ctx - sizeof(struct inode); } /**
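
Review bot: In the netfs_i_context() hunk, nothing next to the new return (void *)inode + sizeof(*inode); says why the typed form was dropped, so a later cleanup could reintroduce inode + 1 and bring the Clang error back. A one-line comment above the return stating that the void * arithmetic is deliberate, because randstruct rejects a cast from the randomized struct inode pointer, would keep the reason with the code instead of only in the commit message.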
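
Review bot: In the netfs_inode() hunk the offset is written as sizeof(struct inode), while the matching helper in the previous hunk uses sizeof(*inode). Both are the same value, but the two functions are inverses and read more easily when they spell the offset the same way; suggest sizeof(struct inode) in both, since netfs_inode() has no inode variable to dereference.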
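
The layout the commit message describes (a context that is "something else, following struct inode"), as an added userspace example that is not code from the patch or the kernel. The demo_* types and fields are hypothetical, and it uses char * arithmetic where the kernel relies on GNU C void * arithmetic; the static assertion is the check that keeps the offset math valid when either structure changes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for struct inode and struct netfs_i_context.
 * Field names are hypothetical, chosen only to give the structs a size. */
struct demo_inode {
    uint64_t       i_ino;
    void          *i_private;
    unsigned short i_mode;
};

struct demo_ctx {
    uint64_t     remote_i_size;
    unsigned int flags;
};

/* A filesystem's private inode: generic inode first, context right after.
 * The helper code never sees this type, so container_of() is not an option. */
struct demo_fs_inode {
    struct demo_inode vfs_inode;
    struct demo_ctx   ctx;
    int               fs_private;
};

/* The offset math below is only valid when the compiler puts no padding
 * between the two members. Fail the build if that ever stops being true. */
_Static_assert(offsetof(struct demo_fs_inode, ctx) == sizeof(struct demo_inode),
               "ctx must start exactly sizeof(struct demo_inode) bytes in");

/* Forward direction: byte arithmetic on an untyped pointer, then a cast.
 * No pointer to the inode type is ever indexed like an array. */
static struct demo_ctx *demo_ctx_of(struct demo_inode *inode)
{
    return (struct demo_ctx *)(void *)((char *)inode + sizeof(*inode));
}

/* Reverse direction: step back by the same number of bytes. */
static struct demo_inode *demo_inode_of(struct demo_ctx *ctx)
{
    return (struct demo_inode *)(void *)((char *)ctx - sizeof(struct demo_inode));
}

/* Returns 1 when both helpers land on the real members of a wrapper. */
static int demo_roundtrip_ok(void)
{
    static struct demo_fs_inode f;

    return demo_ctx_of(&f.vfs_inode) == &f.ctx &&
           demo_inode_of(&f.ctx) == &f.vfs_inode;
}

/* Failure mode: a context with stricter alignment than the inode. The
 * compiler inserts padding, so "inode address + sizeof(inode)" would point
 * into the padding instead of at the context. */
struct demo_wide_ctx {
    _Alignas(64) uint64_t remote_i_size;
};

struct demo_bad_fs_inode {
    struct demo_inode    vfs_inode;
    struct demo_wide_ctx ctx;
};

/* Number of padding bytes the offset math would silently skip over. */
static size_t demo_padding_before_wide_ctx(void)
{
    return offsetof(struct demo_bad_fs_inode, ctx) - sizeof(struct demo_inode);
}

int main(void)
{
    printf("round trip ok: %d\n", demo_roundtrip_ok());
    printf("padding before over-aligned ctx: %zu bytes\n",
           demo_padding_before_wide_ctx());
    return 0;
}
```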
From patchwork Tue May 3 20:54:59 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836274
From: Kees Cook
To: Bill Wendling
Cc: Kees Cook, Masahiro Yamada, linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org, Nick Desaulniers, David Howells, Jeff Layton, linux-kernel@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 2/6] sancov: Split plugin build from plugin CFLAGS
Date: Tue, 3 May 2022 13:54:59 -0700
Message-Id: <20220503205503.3054173-3-keescook@chromium.org>
In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org>
References: <20220503205503.3054173-1-keescook@chromium.org>

When the sancov_plugin is enabled, it gets added to gcc-plugin-y which is used to populate both GCC_PLUGIN (for building the plugin) and GCC_PLUGINS_CFLAGS (for enabling and options).
Instead of adding sancov to both and then removing it from GCC_PLUGINS_CFLAGS, create a separate list, gcc-plugin-external-y, which is only added to GCC_PLUGIN. This will also be used by the coming randstruct build changes.

Cc: Masahiro Yamada
Cc: linux-kbuild@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook
---
 scripts/Makefile.gcc-plugins | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins index f67153b260c0..927c3dd57f84 100644 --- a/scripts/Makefile.gcc-plugins +++ b/scripts/Makefile.gcc-plugins @@ -8,8 +8,6 @@ ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY endif export DISABLE_LATENT_ENTROPY_PLUGIN -gcc-plugin-$(CONFIG_GCC_PLUGIN_SANCOV) += sancov_plugin.so - gcc-plugin-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) += structleak_plugin.so gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE) \ += -fplugin-arg-structleak_plugin-verbose 
@@ -53,13 +51,17 @@ export DISABLE_ARM_SSP_PER_TASK_PLUGIN # All the plugin CFLAGS are collected here in case a build target needs to # filter them out of the KBUILD_CFLAGS. GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y)) -# The sancov_plugin.so is included via CFLAGS_KCOV, so it is removed here. -GCC_PLUGINS_CFLAGS := $(filter-out %/sancov_plugin.so, $(GCC_PLUGINS_CFLAGS)) export GCC_PLUGINS_CFLAGS # Add the flags to the build! KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) -# All enabled GCC plugins are collected here for building below. -GCC_PLUGIN := $(gcc-plugin-y) +# Some plugins are enabled outside of this Makefile, but they still need to +# be included in GCC_PLUGIN so they can get built. +gcc-plugin-external-$(CONFIG_GCC_PLUGIN_SANCOV) \ + += sancov_plugin.so + +# All enabled GCC plugins are collected here for building in +# scripts/gcc-scripts/Makefile. +GCC_PLUGIN := $(gcc-plugin-y) $(gcc-plugin-external-y) export GCC_PLUGIN
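
Review bot: The new comment above GCC_PLUGIN in the second hunk points at scripts/gcc-scripts/Makefile, but the plugin directory used a few lines earlier in the same hunk is scripts/gcc-plugins/ (the -fplugin=$(objtree)/scripts/gcc-plugins/ prefix). This looks like a typo for scripts/gcc-plugins/Makefile; please fix the path so the comment leads to the file that actually consumes GCC_PLUGIN.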
From patchwork Tue May 3 20:55:00 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836272
From: Kees Cook
To: Bill Wendling
Cc: Kees Cook, linux-hardening@vger.kernel.org, Masahiro Yamada, Nick Desaulniers, David Howells, Jeff Layton, linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 3/6] randstruct: Reorganize Kconfigs and attribute macros
Date: Tue, 3 May 2022 13:55:00 -0700
Message-Id: <20220503205503.3054173-4-keescook@chromium.org>
In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org>
References: <20220503205503.3054173-1-keescook@chromium.org>

In preparation for Clang supporting randstruct, reorganize the Kconfigs, move the attribute macros, and generalize the feature to be named CONFIG_RANDSTRUCT for on/off, CONFIG_RANDSTRUCT_FULL for the full randomization mode, and CONFIG_RANDSTRUCT_PERFORMANCE for the cache-line
sized mode.

Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook
---
 Documentation/kbuild/reproducible-builds.rst |  7 +--
 arch/riscv/Kconfig                           |  2 +-
 arch/x86/mm/pti.c                            |  2 +-
 include/linux/compiler-gcc.h                 |  8 ---
 include/linux/compiler_types.h               | 14 ++---
 include/linux/vermagic.h                     |  8 +--
 kernel/panic.c                               |  2 +-
 scripts/Makefile.gcc-plugins                 |  4 +-
 scripts/gcc-plugins/Kconfig                  | 38 ------------
 security/Kconfig.hardening                   | 62 ++++++++++++++++++++
 10 files changed, 81 insertions(+), 66 deletions(-)

diff --git a/Documentation/kbuild/reproducible-builds.rst b/Documentation/kbuild/reproducible-builds.rst index 3b25655e441b..81ff30505d35 100644 --- a/Documentation/kbuild/reproducible-builds.rst +++ b/Documentation/kbuild/reproducible-builds.rst @@ -99,10 +99,9 @@ unreproducible parts can be treated as sources: Structure randomisation ----------------------- -If you enable ``CONFIG_GCC_PLUGIN_RANDSTRUCT``, you will need to -pre-generate the random seed in -``scripts/gcc-plugins/randomize_layout_seed.h`` so the same value -is used in rebuilds. +If you enable ``CONFIG_RANDSTRUCT``, you will need to pre-generate +the random seed in ``scripts/gcc-plugins/randomize_layout_seed.h`` +so the same value is used in rebuilds. Debug info conflicts -------------------- diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index 00fd9c548f26..3ac2a81a55eb 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -468,7 +468,7 @@ config CC_HAVE_STACKPROTECTOR_TLS config STACKPROTECTOR_PER_TASK def_bool y - depends on !GCC_PLUGIN_RANDSTRUCT + depends on !RANDSTRUCT depends on STACKPROTECTOR && CC_HAVE_STACKPROTECTOR_TLS config PHYS_RAM_BASE_FIXED diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c index 5d5c7bb50ce9..ffe3b3a087fe 100644 --- a/arch/x86/mm/pti.c +++ b/arch/x86/mm/pti.c 
@@ -540,7 +540,7 @@ static inline bool pti_kernel_image_global_ok(void) * cases where RANDSTRUCT is in use to help keep the layout a * secret. */ - if (IS_ENABLED(CONFIG_GCC_PLUGIN_RANDSTRUCT)) + if (IS_ENABLED(CONFIG_RANDSTRUCT)) return false; return true; diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h index 52299c957c98..a0c55eeaeaf1 100644 --- a/include/linux/compiler-gcc.h +++ b/include/linux/compiler-gcc.h @@ -66,14 +66,6 @@ __builtin_unreachable(); \ } while (0) -#if defined(RANDSTRUCT_PLUGIN) && !defined(__CHECKER__) -#define __randomize_layout __attribute__((randomize_layout)) -#define __no_randomize_layout __attribute__((no_randomize_layout)) -/* This anon struct can add padding, so only enable it under randstruct. */ -#define randomized_struct_fields_start struct { -#define randomized_struct_fields_end } __randomize_layout; -#endif - /* * GCC 'asm goto' miscompiles certain code sequences: * diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index 1c2c33ae1b37..d08dfcb0ac68 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -242,15 +242,15 @@ struct ftrace_likely_data { # define __latent_entropy #endif -#ifndef __randomize_layout +#if defined(RANDSTRUCT) && !defined(__CHECKER__) +# define __randomize_layout __designated_init __attribute__((randomize_layout)) +# define __no_randomize_layout __attribute__((no_randomize_layout)) +/* This anon struct can add padding, so only enable it under randstruct. */ +# define randomized_struct_fields_start struct { +# define randomized_struct_fields_end } __randomize_layout; +#else # define __randomize_layout __designated_init -#endif - -#ifndef __no_randomize_layout # define __no_randomize_layout -#endif - -#ifndef randomized_struct_fields_start # define randomized_struct_fields_start # define randomized_struct_fields_end #endif diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h index 329d63babaeb..efb51a2da599 100644 
--- a/include/linux/vermagic.h +++ b/include/linux/vermagic.h @@ -32,11 +32,11 @@ #else #define MODULE_VERMAGIC_MODVERSIONS "" #endif -#ifdef RANDSTRUCT_PLUGIN +#ifdef RANDSTRUCT #include -#define MODULE_RANDSTRUCT_PLUGIN "RANDSTRUCT_PLUGIN_" RANDSTRUCT_HASHED_SEED +#define MODULE_RANDSTRUCT "RANDSTRUCT_" RANDSTRUCT_HASHED_SEED #else -#define MODULE_RANDSTRUCT_PLUGIN +#define MODULE_RANDSTRUCT #endif #define VERMAGIC_STRING \ @@ -44,6 +44,6 @@ MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \ MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \ MODULE_ARCH_VERMAGIC \ - MODULE_RANDSTRUCT_PLUGIN + MODULE_RANDSTRUCT #endif /* _LINUX_VERMAGIC_H */ diff --git a/kernel/panic.c b/kernel/panic.c index eb4dfb932c85..8355b19676f8 100644 --- a/kernel/panic.c +++ b/kernel/panic.c @@ -48,7 +48,7 @@ unsigned int __read_mostly sysctl_oops_all_cpu_backtrace; int panic_on_oops = CONFIG_PANIC_ON_OOPS_VALUE; static unsigned long tainted_mask = - IS_ENABLED(CONFIG_GCC_PLUGIN_RANDSTRUCT) ? (1 << TAINT_RANDSTRUCT) : 0; + IS_ENABLED(CONFIG_RANDSTRUCT) ? (1 << TAINT_RANDSTRUCT) : 0; static int pause_on_oops; static int pause_on_oops_flag; static DEFINE_SPINLOCK(pause_on_oops_lock); diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins index 927c3dd57f84..827c47ce5c73 100644 --- a/scripts/Makefile.gcc-plugins +++ b/scripts/Makefile.gcc-plugins @@ -24,8 +24,8 @@ gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) \ gcc-plugin-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) += randomize_layout_plugin.so gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \ - += -DRANDSTRUCT_PLUGIN -gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE) \ + += -DRANDSTRUCT +gcc-plugin-cflags-$(CONFIG_RANDSTRUCT_PERFORMANCE) \ += -fplugin-arg-randomize_layout_plugin-performance-mode gcc-plugin-$(CONFIG_GCC_PLUGIN_STACKLEAK) += stackleak_plugin.so diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index 51d81c3f03d6..e383cda05367 100644 --- a/scripts/gcc-plugins/Kconfig 
+++ b/scripts/gcc-plugins/Kconfig @@ -46,44 +46,6 @@ config GCC_PLUGIN_LATENT_ENTROPY * https://grsecurity.net/ * https://pax.grsecurity.net/ -config GCC_PLUGIN_RANDSTRUCT - bool "Randomize layout of sensitive kernel structures" - select MODVERSIONS if MODULES - help - If you say Y here, the layouts of structures that are entirely - function pointers (and have not been manually annotated with - __no_randomize_layout), or structures that have been explicitly - marked with __randomize_layout, will be randomized at compile-time. - This can introduce the requirement of an additional information - exposure vulnerability for exploits targeting these structure - types. - - Enabling this feature will introduce some performance impact, - slightly increase memory usage, and prevent the use of forensic - tools like Volatility against the system (unless the kernel - source tree isn't cleaned after kernel installation). - - The seed used for compilation is located at - scripts/gcc-plugins/randomize_layout_seed.h. It remains after - a make clean to allow for external modules to be compiled with - the existing seed and will be removed by a make mrproper or - make distclean. - - This plugin was ported from grsecurity/PaX. More information at: - * https://grsecurity.net/ - * https://pax.grsecurity.net/ - -config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE - bool "Use cacheline-aware structure randomization" - depends on GCC_PLUGIN_RANDSTRUCT - depends on !COMPILE_TEST # do not reduce test coverage - help - If you say Y here, the RANDSTRUCT randomization will make a - best effort at restricting randomization to cacheline-sized - groups of elements. It will further not randomize bitfields - in structures. This reduces the performance hit of RANDSTRUCT - at the cost of weakened randomization. - config GCC_PLUGIN_ARM_SSP_PER_TASK bool depends on GCC_PLUGINS && ARM diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index ded4d7c0d132..364e3f8c6eea 100644 
--- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening 
@@ -266,4 +266,66 @@ config ZERO_CALL_USED_REGS endmenu +choice + prompt "Randomize layout of sensitive kernel structures" + default RANDSTRUCT_FULL if COMPILE_TEST && GCC_PLUGINS + default RANDSTRUCT_NONE + help + If you enable this, the layouts of structures that are entirely + function pointers (and have not been manually annotated with + __no_randomize_layout), or structures that have been explicitly + marked with __randomize_layout, will be randomized at compile-time. + This can introduce the requirement of an additional information + exposure vulnerability for exploits targeting these structure + types. + + Enabling this feature will introduce some performance impact, + slightly increase memory usage, and prevent the use of forensic + tools like Volatility against the system (unless the kernel + source tree isn't cleaned after kernel installation). + + The seed used for compilation is located at + scripts/randomize_layout_seed.h. It remains after a "make clean" + to allow for external modules to be compiled with the existing + seed and will be removed by a "make mrproper" or "make distclean". + + config RANDSTRUCT_NONE + bool "Disable structure layout randomization" + help + Build normally: no structure layout randomization. + + config RANDSTRUCT_FULL + bool "Fully randomize structure layout" + depends on GCC_PLUGINS + select MODVERSIONS if MODULES + help + Fully randomize the member layout of sensitive + structures as much as possible, which may have both a + memory size and performance impact. + + config RANDSTRUCT_PERFORMANCE + bool "Limit randomization of structure layout to cache-lines" + depends on GCC_PLUGINS + select MODVERSIONS if MODULES + help + Randomization of sensitive kernel structures will make a + best effort at restricting randomization to cacheline-sized + groups of members. It will further not randomize bitfields + in structures. This reduces the performance hit of RANDSTRUCT + at the cost of weakened randomization. 
+endchoice + +config RANDSTRUCT + def_bool !RANDSTRUCT_NONE + +config GCC_PLUGIN_RANDSTRUCT + def_bool GCC_PLUGINS && RANDSTRUCT + help + Use GCC plugin to randomize structure layout. + + This plugin was ported from grsecurity/PaX. More + information at: + * https://grsecurity.net/ + * https://pax.grsecurity.net/ + endmenu
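
Review bot: The seed location is stated two different ways in this patch. The Documentation/kbuild/reproducible-builds.rst hunk keeps scripts/gcc-plugins/randomize_layout_seed.h, while the new choice help text in security/Kconfig.hardening says scripts/randomize_layout_seed.h (the help text removed from scripts/gcc-plugins/Kconfig had the gcc-plugins path). None of the ten files in the diffstat moves the header, so at this point in the series the Kconfig text is ahead of the tree; keep the old path here and change it in the patch that relocates the file, and update the reproducible-builds text in that same patch.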
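
Review bot: In the include/linux/compiler_types.h hunk the randstruct branch defines __randomize_layout as __designated_init __attribute__((randomize_layout)), but the definition removed from include/linux/compiler-gcc.h was only __attribute__((randomize_layout)). That is more than a move of the macros as the commit message describes it; please say in the commit message that __designated_init is now applied in the randomized case too, and why, so the change is reviewed on purpose and not as part of a rename.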
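
Review bot: The include/linux/vermagic.h hunk changes the string that goes into VERMAGIC_STRING from "RANDSTRUCT_PLUGIN_" to "RANDSTRUCT_" followed by the hashed seed. The commit message only talks about Kconfig names and attribute macros; it should also mention that the module vermagic changes, since that string is what ties a module to the kernel's randomized layout and anything that matches on the old prefix will stop matching.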
From patchwork Tue May 3 20:55:01 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836273
From: Kees Cook
To: Bill Wendling
Cc: Kees Cook, linux-hardening@vger.kernel.org, Masahiro Yamada, Nick Desaulniers, David Howells, Jeff Layton, linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 4/6] randstruct: Split randstruct Makefile and CFLAGS
Date: Tue, 3 May 2022 13:55:01 -0700
Message-Id: <20220503205503.3054173-5-keescook@chromium.org>
In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org>
References: <20220503205503.3054173-1-keescook@chromium.org>

To enable the new Clang randstruct implementation[1], move randstruct into its own Makefile and split the CFLAGS from GCC_PLUGINS_CFLAGS into RANDSTRUCT_CFLAGS.

[1] https://reviews.llvm.org/D121556

Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook --- Makefile | 1 + arch/arm/vdso/Makefile | 2 +- arch/arm64/kernel/vdso/Makefile | 3 ++- arch/sparc/vdso/Makefile | 3 ++- arch/x86/entry/vdso/Makefile | 3 ++- scripts/Makefile.gcc-plugins | 8 ++------ scripts/Makefile.randstruct | 14 ++++++++++++++ 7 files changed, 24 insertions(+), 10 deletions(-) create mode 100644 scripts/Makefile.randstruct diff --git a/Makefile b/Makefile index 29e273d3f8cc..91c91fcf3c24 100644 --- a/Makefile +++ b/Makefile @@ -1011,6 +1011,7 @@ include-$(CONFIG_KASAN) += scripts/Makefile.kasan include-$(CONFIG_KCSAN) += scripts/Makefile.kcsan include-$(CONFIG_UBSAN) += scripts/Makefile.ubsan include-$(CONFIG_KCOV) += scripts/Makefile.kcov +include-$(CONFIG_RANDSTRUCT) += scripts/Makefile.randstruct include-$(CONFIG_GCC_PLUGINS) += scripts/Makefile.gcc-plugins include $(addprefix $(srctree)/, $(include-y)) diff --git a/arch/arm/vdso/Makefile b/arch/arm/vdso/Makefile index ec52b776f926..8ca1c9f262a2 100644 --- a/arch/arm/vdso/Makefile +++ b/arch/arm/vdso/Makefile @@ -28,7 +28,7 @@ CPPFLAGS_vdso.lds += -P -C -U$(ARCH) CFLAGS_REMOVE_vdso.o = -pg # Force -O2 to avoid libgcc dependencies -CFLAGS_REMOVE_vgettimeofday.o = -pg -Os $(GCC_PLUGINS_CFLAGS) +CFLAGS_REMOVE_vgettimeofday.o = -pg -Os $(RANDSTRUCT_CFLAGS) $(GCC_PLUGINS_CFLAGS) ifeq ($(c-gettimeofday-y),) CFLAGS_vgettimeofday.o = -O2 else diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makefile index 172452f79e46..d9147fba1a0b 100644 --- a/arch/arm64/kernel/vdso/Makefile +++ b/arch/arm64/kernel/vdso/Makefile 
@@ -32,7 +32,8 @@ ccflags-y += -DDISABLE_BRANCH_PROFILING -DBUILD_VDSO # -Wmissing-prototypes and -Wmissing-declarations are removed from # the CFLAGS of vgettimeofday.c to make possible to build the # kernel with CONFIG_WERROR enabled. -CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE) -Os $(CC_FLAGS_SCS) $(GCC_PLUGINS_CFLAGS) \ +CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE) -Os $(CC_FLAGS_SCS) \ + $(RANDSTRUCT_CFLAGS) $(GCC_PLUGINS_CFLAGS) \ $(CC_FLAGS_LTO) -Wmissing-prototypes -Wmissing-declarations KASAN_SANITIZE := n KCSAN_SANITIZE := n diff --git a/arch/sparc/vdso/Makefile b/arch/sparc/vdso/Makefile index c5e1545bc5cf..77d7b9032158 100644 --- a/arch/sparc/vdso/Makefile +++ b/arch/sparc/vdso/Makefile @@ -58,7 +58,7 @@ CFL := $(PROFILING) -mcmodel=medlow -fPIC -O2 -fasynchronous-unwind-tables -m64 SPARC_REG_CFLAGS = -ffixed-g4 -ffixed-g5 -fcall-used-g5 -fcall-used-g7 -$(vobjs): KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS) $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) +$(vobjs): KBUILD_CFLAGS := $(filter-out $(RANDSTRUCT_CFLAGS) $(GCC_PLUGINS_CFLAGS) $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) # # vDSO code runs in userspace and -pg doesn't help with profiling anyway. @@ -88,6 +88,7 @@ $(obj)/vdso32.so.dbg: asflags-$(CONFIG_SPARC64) += -m32 KBUILD_CFLAGS_32 := $(filter-out -m64,$(KBUILD_CFLAGS)) KBUILD_CFLAGS_32 := $(filter-out -mcmodel=medlow,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out -fno-pic,$(KBUILD_CFLAGS_32)) +KBUILD_CFLAGS_32 := $(filter-out $(RANDSTRUCT_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 += -m32 -msoft-float -fpic diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile index 693f8b9031fb..c2a8b76ae0bc 100644 --- a/arch/x86/entry/vdso/Makefile +++ b/arch/x86/entry/vdso/Makefile 
@@ -91,7 +91,7 @@ ifneq ($(RETPOLINE_VDSO_CFLAGS),) endif endif -$(vobjs): KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_LTO) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) +$(vobjs): KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_LTO) $(RANDSTRUCT_CFLAGS) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) # # vDSO code runs in userspace and -pg doesn't help with profiling anyway. @@ -148,6 +148,7 @@ KBUILD_CFLAGS_32 := $(filter-out -m64,$(KBUILD_CFLAGS)) KBUILD_CFLAGS_32 := $(filter-out -mcmodel=kernel,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out -fno-pic,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out -mfentry,$(KBUILD_CFLAGS_32)) +KBUILD_CFLAGS_32 := $(filter-out $(RANDSTRUCT_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out $(CC_FLAGS_LTO),$(KBUILD_CFLAGS_32)) diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins index 827c47ce5c73..692d64a70542 100644 --- a/scripts/Makefile.gcc-plugins +++ b/scripts/Makefile.gcc-plugins @@ -22,12 +22,6 @@ export DISABLE_STRUCTLEAK_PLUGIN gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) \ += -DSTRUCTLEAK_PLUGIN -gcc-plugin-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) += randomize_layout_plugin.so -gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \ - += -DRANDSTRUCT -gcc-plugin-cflags-$(CONFIG_RANDSTRUCT_PERFORMANCE) \ - += -fplugin-arg-randomize_layout_plugin-performance-mode - gcc-plugin-$(CONFIG_GCC_PLUGIN_STACKLEAK) += stackleak_plugin.so gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ += -DSTACKLEAK_PLUGIN 
@@ -60,6 +54,8 @@ KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) # be included in GCC_PLUGIN so they can get built. gcc-plugin-external-$(CONFIG_GCC_PLUGIN_SANCOV) \ += sancov_plugin.so +gcc-plugin-external-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \ + += randomize_layout_plugin.so # All enabled GCC plugins are collected here for building in # scripts/gcc-scripts/Makefile. diff --git a/scripts/Makefile.randstruct b/scripts/Makefile.randstruct new file mode 100644 index 000000000000..4d741e6db554 --- /dev/null +++ b/scripts/Makefile.randstruct 
@@ -0,0 +1,14 @@ +# SPDX-License-Identifier: GPL-2.0 + +randstruct-cflags-y += -DRANDSTRUCT + +ifdef CONFIG_GCC_PLUGIN_RANDSTRUCT +randstruct-cflags-y \ + += -fplugin=$(objtree)/scripts/gcc-plugins/randomize_layout_plugin.so +randstruct-cflags-$(CONFIG_RANDSTRUCT_PERFORMANCE) \ + += -fplugin-arg-randomize_layout_plugin-performance-mode +endif + +export RANDSTRUCT_CFLAGS := $(randstruct-cflags-y) + +KBUILD_CFLAGS += $(RANDSTRUCT_CFLAGS)
From patchwork Tue May 3 20:55:02 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836276
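Review bot: the commit message for [PATCH 4/6] does not say how the set of $(GCC_PLUGINS_CFLAGS) filter sites was audited, and the four vDSO Makefile hunks (arch/arm, arch/arm64, arch/sparc, arch/x86) are only correct if they are the complete set. The scripts/Makefile.gcc-plugins hunk takes -DRANDSTRUCT and the plugin arguments out of GCC_PLUGINS_CFLAGS, so any filter-out or CFLAGS_REMOVE site that is not in this diffstat would keep its randstruct flags after the split without any build error. Please state in the commit message that these are all the users, or how that was checked.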
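Review bot: the new scripts/Makefile.randstruct in [PATCH 4/6] spells the plugin path out by hand in -fplugin=$(objtree)/scripts/gcc-plugins/randomize_layout_plugin.so, while the same .so name is now listed separately under gcc-plugin-external-y in scripts/Makefile.gcc-plugins. A rename or move in one file will not be noticed in the other. A short comment in each file pointing at the other would help, and the new file should also say why these flags are exported as RANDSTRUCT_CFLAGS instead of staying in GCC_PLUGINS_CFLAGS.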
From: Kees Cook
To: Bill Wendling
Cc: Kees Cook, linux-hardening@vger.kernel.org, Masahiro Yamada, Nick Desaulniers, David Howells, Jeff Layton, linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 5/6] randstruct: Move seed generation into scripts/basic/
Date: Tue, 3 May 2022 13:55:02 -0700
Message-Id: <20220503205503.3054173-6-keescook@chromium.org>
In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org>
References: <20220503205503.3054173-1-keescook@chromium.org>
X-Mailing-List: linux-hardening@vger.kernel.org

To enable Clang randstruct support, move the structure layout randomization seed generation out of scripts/gcc-plugins/ into scripts/basic/ so it happens early enough that it can be used by either compiler implementation.
The gcc-plugin still builds its own header file, but now does so from the common "randstruct.seed" file. Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- Documentation/dontdiff | 1 + Documentation/kbuild/reproducible-builds.rst | 5 +++-- include/linux/vermagic.h | 2 +- scripts/basic/.gitignore | 1 + scripts/basic/Makefile | 11 +++++++++++ scripts/gcc-plugins/Makefile | 15 ++++++++++----- scripts/gcc-plugins/gen-random-seed.sh | 9 --------- scripts/gen-randstruct-seed.sh | 7 +++++++ security/Kconfig.hardening | 9 +++++---- 9 files changed, 39 insertions(+), 21 deletions(-) delete mode 100755 scripts/gcc-plugins/gen-random-seed.sh create mode 100755 scripts/gen-randstruct-seed.sh diff --git a/Documentation/dontdiff b/Documentation/dontdiff index 910b30a2a7d9..352ff53a2306 100644 --- a/Documentation/dontdiff +++ b/Documentation/dontdiff @@ -211,6 +211,7 @@ r200_reg_safe.h r300_reg_safe.h r420_reg_safe.h r600_reg_safe.h +randstruct.seed randomize_layout_hash.h randomize_layout_seed.h recordmcount diff --git a/Documentation/kbuild/reproducible-builds.rst b/Documentation/kbuild/reproducible-builds.rst index 81ff30505d35..071f0151a7a4 100644 --- a/Documentation/kbuild/reproducible-builds.rst +++ b/Documentation/kbuild/reproducible-builds.rst @@ -100,8 +100,9 @@ Structure randomisation ----------------------- If you enable ``CONFIG_RANDSTRUCT``, you will need to pre-generate -the random seed in ``scripts/gcc-plugins/randomize_layout_seed.h`` -so the same value is used in rebuilds. +the random seed in ``scripts/basic/randstruct.seed`` so the same +value is used by each build. See ``scripts/gen-randstruct-seed.sh`` +for details. Debug info conflicts -------------------- diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h index efb51a2da599..a54046bf37e5 100644 --- a/include/linux/vermagic.h +++ b/include/linux/vermagic.h 
@@ -33,7 +33,7 @@ #define MODULE_VERMAGIC_MODVERSIONS "" #endif #ifdef RANDSTRUCT -#include +#include #define MODULE_RANDSTRUCT "RANDSTRUCT_" RANDSTRUCT_HASHED_SEED #else #define MODULE_RANDSTRUCT diff --git a/scripts/basic/.gitignore b/scripts/basic/.gitignore index 961c91c8a884..07c195f605a1 100644 --- a/scripts/basic/.gitignore +++ b/scripts/basic/.gitignore @@ -1,2 +1,3 @@ # SPDX-License-Identifier: GPL-2.0-only /fixdep +/randstruct.seed diff --git a/scripts/basic/Makefile b/scripts/basic/Makefile index eeb6a38c5551..dd289a6725ac 100644 --- a/scripts/basic/Makefile +++ b/scripts/basic/Makefile @@ -3,3 +3,14 @@ # fixdep: used to generate dependency information during build process hostprogs-always-y += fixdep + +# randstruct: the seed is needed before building the gcc-plugin or +# before running a Clang kernel build. +gen-randstruct-seed := $(srctree)/scripts/gen-randstruct-seed.sh +quiet_cmd_create_randstruct_seed = GENSEED $@ +cmd_create_randstruct_seed = \ + $(CONFIG_SHELL) $(gen-randstruct-seed) \ + $@ $(objtree)/include/generated/randstruct_hash.h +$(obj)/randstruct.seed: $(gen-randstruct-seed) FORCE + $(call if_changed,create_randstruct_seed) +always-$(CONFIG_RANDSTRUCT) += randstruct.seed diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile index 1952d3bb80c6..148f4639cf09 100644 --- a/scripts/gcc-plugins/Makefile +++ b/scripts/gcc-plugins/Makefile 
@@ -1,12 +1,17 @@ # SPDX-License-Identifier: GPL-2.0 -$(obj)/randomize_layout_plugin.so: $(objtree)/$(obj)/randomize_layout_seed.h -quiet_cmd_create_randomize_layout_seed = GENSEED $@ +$(obj)/randomize_layout_plugin.so: $(obj)/randomize_layout_seed.h +quiet_cmd_create_randomize_layout_seed = SEEDHDR $@ cmd_create_randomize_layout_seed = \ - $(CONFIG_SHELL) $(srctree)/$(src)/gen-random-seed.sh $@ $(objtree)/include/generated/randomize_layout_hash.h -$(objtree)/$(obj)/randomize_layout_seed.h: FORCE + SEED=$$(cat $(filter-out FORCE,$^) $@; \ + echo ' * This file is automatically generated. Keep it private.' >> $@; \ + echo ' * Exposing this value will expose the layout of randomized structures.' >> $@; \ + echo ' */' >> $@; \ + echo "const char *randstruct_seed = \"$$SEED\";" >> $@ +$(obj)/randomize_layout_seed.h: $(objtree)/scripts/basic/randstruct.seed FORCE $(call if_changed,create_randomize_layout_seed) -targets += randomize_layout_seed.h randomize_layout_hash.h +targets += randomize_layout_seed.h # Build rules for plugins # diff --git a/scripts/gcc-plugins/gen-random-seed.sh b/scripts/gcc-plugins/gen-random-seed.sh deleted file mode 100755 index 68af5cc20a64..000000000000 --- a/scripts/gcc-plugins/gen-random-seed.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: GPL-2.0 - -if [ ! -f "$1" ]; then - SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'` - echo "const char *randstruct_seed = \"$SEED\";" > "$1" - HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'` - echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2" -fi diff --git a/scripts/gen-randstruct-seed.sh b/scripts/gen-randstruct-seed.sh new file mode 100755 index 000000000000..61017b36c464 --- /dev/null +++ b/scripts/gen-randstruct-seed.sh 
@@ -0,0 +1,7 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +SEED=$(od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n') +echo "$SEED" > "$1" +HASH=$(echo -n "$SEED" | sha256sum | cut -d" " -f1) +echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2" diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index 364e3f8c6eea..0277ba578779 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening 
@@ -284,10 +284,11 @@ choice tools like Volatility against the system (unless the kernel source tree isn't cleaned after kernel installation). - The seed used for compilation is located at - scripts/randomize_layout_seed.h. It remains after a "make clean" - to allow for external modules to be compiled with the existing - seed and will be removed by a "make mrproper" or "make distclean". + The seed used for compilation is in scripts/basic/randomize.seed. + It remains after a "make clean" to allow for external modules to + be compiled with the existing seed and will be removed by a + "make mrproper" or "make distclean". This file should not be made + public, or the structure layout can be determined. config RANDSTRUCT_NONE bool "Disable structure layout randomization"
From patchwork Tue May 3 20:55:03 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12836275
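Review bot: the new help text in security/Kconfig.hardening ([PATCH 5/6]) names the seed file scripts/basic/randomize.seed, but every other hunk in this patch (Documentation/dontdiff, reproducible-builds.rst, scripts/basic/.gitignore, scripts/basic/Makefile) calls it randstruct.seed. The help text should read scripts/basic/randstruct.seed, since this is the path a user is told to keep private.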
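Review bot: scripts/gen-randstruct-seed.sh ([PATCH 5/6]) drops the if [ ! -f "$1" ] guard that the deleted gen-random-seed.sh had, so whenever the script runs it overwrites the seed already at $1. reproducible-builds.rst in the same patch tells users to pre-generate scripts/basic/randstruct.seed, so a hand-placed seed is now protected only by if_changed in scripts/basic/Makefile deciding not to run the command. Either keep the guard or document in the script why it is safe without it. Separately, the seed is created with the caller's umask although the Kconfig help says the file should not be made public; setting umask 077 before the first echo would match that text.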
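Review bot: the rule added to scripts/basic/Makefile ([PATCH 5/6]) writes two files, $@ and $(objtree)/include/generated/randstruct_hash.h, but only randstruct.seed is a target of the rule. If the hash header goes missing while the seed file survives, nothing here recreates it, and the include/linux/vermagic.h hunk needs RANDSTRUCT_HASHED_SEED from that header. Consider deriving the header from the seed in its own rule, the way the scripts/gcc-plugins/Makefile hunk now derives randomize_layout_seed.h from randstruct.seed.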
From: Kees Cook
To: Bill Wendling
Cc: Kees Cook, Masahiro Yamada, linux-kbuild@vger.kernel.org, Nick Desaulniers, David Howells, Jeff Layton, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH 6/6] randstruct: Enable Clang support
Date: Tue, 3 May 2022 13:55:03 -0700
Message-Id: <20220503205503.3054173-7-keescook@chromium.org>
In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org>
References: <20220503205503.3054173-1-keescook@chromium.org>
X-Mailing-List: linux-hardening@vger.kernel.org

Clang 15 will support randstruct via the -frandomize-layout-seed-file=... option. Update the Kconfig and Makefile to recognize this feature.

Cc: Masahiro Yamada
Cc: linux-kbuild@vger.kernel.org
Signed-off-by: Kees Cook --- scripts/Makefile.randstruct | 3 +++ security/Kconfig.hardening | 14 ++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/scripts/Makefile.randstruct b/scripts/Makefile.randstruct index 4d741e6db554..24e283e89893 100644 --- a/scripts/Makefile.randstruct +++ b/scripts/Makefile.randstruct @@ -7,6 +7,9 @@ randstruct-cflags-y \ += -fplugin=$(objtree)/scripts/gcc-plugins/randomize_layout_plugin.so randstruct-cflags-$(CONFIG_RANDSTRUCT_PERFORMANCE) \ += -fplugin-arg-randomize_layout_plugin-performance-mode +else +randstruct-cflags-y \ + += -frandomize-layout-seed-file=$(objtree)/scripts/basic/randstruct.seed endif export RANDSTRUCT_CFLAGS := $(randstruct-cflags-y) diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index 0277ba578779..bd2aabb2c60f 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -266,9 +266,12 @@ config ZERO_CALL_USED_REGS endmenu +config CC_HAS_RANDSTRUCT + def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null) + choice prompt "Randomize layout of sensitive kernel structures" - default RANDSTRUCT_FULL if COMPILE_TEST && GCC_PLUGINS + default RANDSTRUCT_FULL if COMPILE_TEST && (GCC_PLUGINS || CC_HAS_RANDSTRUCT) default RANDSTRUCT_NONE help If you enable this, the layouts of structures that are entirely 
@@ -297,13 +300,20 @@ choice config RANDSTRUCT_FULL bool "Fully randomize structure layout" - depends on GCC_PLUGINS + depends on CC_HAS_RANDSTRUCT || GCC_PLUGINS select MODVERSIONS if MODULES help Fully randomize the member layout of sensitive structures as much as possible, which may have both a memory size and performance impact. + One difference between the Clang and GCC plugin + implementations is the handling of bitfields. The GCC + plugin treats them as fully separate variables, + introducing sometimes significant padding. Clang tries + to keep adjacent bitfields together, but with their bit + ordering randomized. + config RANDSTRUCT_PERFORMANCE bool "Limit randomization of structure layout to cache-lines" depends on GCC_PLUGINS
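Review bot: the new else branch in scripts/Makefile.randstruct ([PATCH 6/6]) passes -frandomize-layout-seed-file= whenever CONFIG_GCC_PLUGIN_RANDSTRUCT is not defined, without testing CONFIG_CC_HAS_RANDSTRUCT. RANDSTRUCT_FULL now depends on CC_HAS_RANDSTRUCT || GCC_PLUGINS, so the flag choice relies on Kconfig logic outside these hunks always setting GCC_PLUGIN_RANDSTRUCT for a GCC build. Writing the branch as else ifdef CONFIG_CC_HAS_RANDSTRUCT would make sure a compiler that failed the cc-option probe is never handed the option.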
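Review bot: the RANDSTRUCT_FULL help text added in security/Kconfig.hardening ([PATCH 6/6]) says the Clang and GCC plugin implementations lay out bitfields differently, yet MODULE_RANDSTRUCT in include/linux/vermagic.h ([PATCH 5/6]) is still only "RANDSTRUCT_" plus the hashed seed. Two builds that share a seed but use different implementations would therefore carry the same randstruct vermagic component while disagreeing on structure layout. Please either encode the implementation in MODULE_RANDSTRUCT or note in the help text that the seed hash alone does not identify the layout.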