From nobody Sun May 10 12:55:16 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4EE3EC433F5 for ; Tue, 3 May 2022 20:55:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242432AbiECU67 (ORCPT ); Tue, 3 May 2022 16:58:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32980 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242028AbiECU6n (ORCPT ); Tue, 3 May 2022 16:58:43 -0400 Received: from mail-pg1-x532.google.com (mail-pg1-x532.google.com [IPv6:2607:f8b0:4864:20::532]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DAFA43B29F for ; Tue, 3 May 2022 13:55:09 -0700 (PDT) Received: by mail-pg1-x532.google.com with SMTP id j70so4010038pge.1 for ; Tue, 03 May 2022 13:55:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=BdPS+6ovNgbIR6W/BvJieSFy4bz2cMdTMxnCOUR1BJQ=; b=bHU4VjAzp8C1M1XvHG68mTOvyMkOTXD8Q8IxxwTh/pA96lQ08ploXyPVuewqneNz7I BTQ66bsHXECQh9Ps4JwaMRw3GdAoyRlyvhHlbP2L7nt77gqS2adyofBziaB45Vm2D4Ez x0zbBoaGMSU5UEzo8IM1GgUfpoiiajG6cYGco= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=BdPS+6ovNgbIR6W/BvJieSFy4bz2cMdTMxnCOUR1BJQ=; b=2Oimo/6Hxia98Q1wOc9IuJSfAWda2JIvnU9V298T5AFWnKVGP//UXNsUYRRzpVxt6Q /UqoUEh1uNar3CGfjTUer5QTcbE7iYROQWhLzDpqIVeGj74RdcuNO0NhnAqYqEG0CWdX XLEnUDT1aeI4UAtQY1cADoD7IAYcFbFqZxfZwf6aX6Tawb62p3wwhBck1/oDWfMeJP5y kdo8xZ6qQpfw1Aircez0eXTJ56WeDaidXajNO/Kzz/GSVyDohDLL+YPctQeUnUZo8iT6 9dUAqRnht8s/nYouMW9TavJwVDsqoS/fZ3ep8THm5OiSYI33shCdWIMYBRXtGa/vUE2E FLSw== X-Gm-Message-State: AOAM530REbSknyj+HU2AZZUFCTXa8AzVEQ8dt7XiKBuQR2EbfPfJpJJ8 MMurkpInORj8HijzxawoyxfVBw== X-Google-Smtp-Source: ABdhPJy3MRDXrmUhZUJX+fO+Iudo78mE4XAjOuV5u2/RFaENGy2ohzpd4UwzaRV08TDRJgxybO+Kig== X-Received: by 2002:a05:6a00:124f:b0:50d:efb8:6afa with SMTP id u15-20020a056a00124f00b0050defb86afamr10587579pfi.14.1651611309415; Tue, 03 May 2022 13:55:09 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id z20-20020a630a54000000b003c219c0871asm3933040pgk.74.2022.05.03.13.55.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 May 2022 13:55:08 -0700 (PDT) From: Kees Cook To: Bill Wendling Cc: Kees Cook , David Howells , Jeff Layton , Masahiro Yamada , Nick Desaulniers , linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH 1/6] netfs: Eliminate Clang randstruct warning Date: Tue, 3 May 2022 13:54:58 -0700 Message-Id: <20220503205503.3054173-2-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org> References: <20220503205503.3054173-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1970; h=from:subject; bh=bEl5c+oL0DHs9c0JKOjQVQhGUtntych2+mEKBNpt6+0=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBicZaljMui7HM5C2nUhMVbY5QZL7cXs2WS/tnBqO2w QmtevbyJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYnGWpQAKCRCJcvTf3G3AJj7nD/ 9EN/kMgbEYlp++FHvHW8ma1iM+kP7FMs+DalBiKQfkIeScig0IVM5Q3dbvmXF1a26tX7uVVdilImNn hZvggBQj2ca6FXKUR60ZWvagiS3PrqNy/RdFhO4F29yx6c6gWrFJmsx2c25jJ1sJXp5sx6onOD64Dc eLXJPFVDQrMssMfu9+SQCRfcf3SDsKHcV5PRjOp5aiWqKI9yR6dWUheY3Sa4bsBYn645OAdQI93Z5k kmYosamsbYqGm9Xa2wWXalmB3W9x5Licr6O86aeeCfhuL8q12lrebTGwLo2PwpigLCbIgHrxSqJXIn stPRkOoWqNufv4kkQbewUAitGsMC6vT/2o7MylXDzRnKJujUZQY5wRBekBslXliKHtkxBb6ZGF8RQU fmbUaDHA9aKUMgMVHjzacxPBbJPV7oycgCPiRwbOBOmJNg3sYJQ0Y306ki6v+dOHLcj7wedfcPM0OU uolaHrzpi63qdj96tcn1R6hMdI166zDodVrQQ+NERYFJkdvfL7eSA+a6nfJ1GhI8W7R6HKS7CcJ+Xg Jj+pEWxNzyJ2Ee+WfxBM1qdcLOfVN64qrjDWaK0A6LKoH+NVZUbT5pYEv2eoow+Rll6b+uSLhDaqWX uVOm6X9q1dBcMoZx5a3JgZpzg9B8yHotQF8ovOWc5X15GHixJg4Er4sXOCkg== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Clang's structure layout randomization feature gets upset when it sees struct inode (which is randomized) cast to struct netfs_i_context. This is due to seeing the inode pointer as being treated as an array of inodes, rather than "something else, following struct inode". Since netfs can't use container_of() (since it doesn't know what the true containing struct is), it uses this direct offset instead. Adjust the code to better reflect what is happening: an arbitrary pointer is being adjusted and cast to something else: use a "void *" for the math. The resulting binary output is the same, but Clang no longer sees an unexpected cross-structure cast: In file included from ../fs/nfs/inode.c:50: In file included from ../fs/nfs/fscache.h:15: In file included from ../include/linux/fscache.h:18: ../include/linux/netfs.h:298:9: error: casting from randomized structure po= inter type 'struct inode *' to 'struct netfs_i_context *' return (struct netfs_i_context *)(inode + 1); ^ 1 error generated. Cc: David Howells Cc: Jeff Layton Signed-off-by: Kees Cook Reviewed-by: Jeff Layton --- include/linux/netfs.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/netfs.h b/include/linux/netfs.h index c7bf1eaf51d5..0c33b715cbfd 100644 --- a/include/linux/netfs.h +++ b/include/linux/netfs.h @@ -295,7 +295,7 @@ extern void netfs_stats_show(struct seq_file *); */ static inline struct netfs_i_context *netfs_i_context(struct inode *inode) { - return (struct netfs_i_context *)(inode + 1); + return (void *)inode + sizeof(*inode); } =20 /** @@ -307,7 +307,7 @@ static inline struct netfs_i_context *netfs_i_context(s= truct inode *inode) */ static inline struct inode *netfs_inode(struct netfs_i_context *ctx) { - return ((struct inode *)ctx) - 1; + return (void *)ctx - sizeof(struct inode); } =20 /** --=20 2.32.0 From nobody Sun May 10 12:55:16 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E6BDC4332F for ; Tue, 3 May 2022 20:55:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242567AbiECU7C (ORCPT ); Tue, 3 May 2022 16:59:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32980 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242148AbiECU6o (ORCPT ); Tue, 3 May 2022 16:58:44 -0400 Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B004633E04 for ; Tue, 3 May 2022 13:55:10 -0700 (PDT) Received: by mail-pf1-x433.google.com with SMTP id x23so10406522pff.9 for ; Tue, 03 May 2022 13:55:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=D8001mr4LabgPK6vdQOkTgjpB8frOhBImqWC9OKD9m8=; b=a6XXUyblvoUHJJ2m8UB7SU0n251adAuXNR9X6v+Za2Hlmw1sNp0o/S7+TNefs8MDJU 1K/zSR1PUN+uRHggUvZwKd7XqE9esYkWif0Ca3ZgdL7z/u8LPOLEliBLqz4gDpXb8NxR lxoWF5b0hqYzYmX7E6RCC1SdQfGlIXXqkFpmw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=D8001mr4LabgPK6vdQOkTgjpB8frOhBImqWC9OKD9m8=; b=tN9AKaILqElkasrIq9TviiqAZdzZA48CUxo5UAeN3IPcKC96qdNxKPpLDrIHKatdrY 7CdkphUXbU19JaGKZLVjygp6SFN8gqFT5Cwr+p3eFkPAF13zTF97lgh2KbZGY48Clwkt 9VoSXV4ZbwK2UJbZdPw3vERBgSPEdrsROnPPEoVh+1zFzVXGUxJb+EUJBCuSTsAmJI4W Ee6MxsguGZ5sZjvD9fErvY1gRUV4J/FygqRPnMCOdW41mudWnWHny+ekwtOCyscsU8Vn 7SbLRnNXWHELN4mK7Q8VbNxfXWq7isbqMszem7BKKrRaRb8XMTdAciODjaIkVlt/BSwC ORMw== X-Gm-Message-State: AOAM5335gOU8nlYzc2BJ0A9lXWa1ceA38Zoy/sF3yblYcntPcMfzXJ3d g7uOZwlJFhyReJbGp0OYYln6JQ== X-Google-Smtp-Source: ABdhPJy0r6jfI214JohcyFyrwVL84vsHM25sexru4n4aT6ATYpL01QZWrLNASKhCm8I23UcXpHmx/w== X-Received: by 2002:a63:191e:0:b0:3c1:6920:c4a4 with SMTP id z30-20020a63191e000000b003c16920c4a4mr15613857pgl.365.1651611310150; Tue, 03 May 2022 13:55:10 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id w13-20020aa7858d000000b0050dc762814bsm6716806pfn.37.2022.05.03.13.55.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 May 2022 13:55:08 -0700 (PDT) From: Kees Cook To: Bill Wendling Cc: Kees Cook , Masahiro Yamada , linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org, Nick Desaulniers , David Howells , Jeff Layton , linux-kernel@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH 2/6] sancov: Split plugin build from plugin CFLAGS Date: Tue, 3 May 2022 13:54:59 -0700 Message-Id: <20220503205503.3054173-3-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org> References: <20220503205503.3054173-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2293; h=from:subject; bh=Z+W1/VzUmR9ZJufPDIl2IGsNAVokPGco3yw6gcXBPsw=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBicZalfdpPHCtbFo/0LtbdJECo+DuY6+Cvl0iSgGt8 qmJAIyWJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYnGWpQAKCRCJcvTf3G3AJpGVD/ 45paKBOSJMGdYykZni1+b9PFueY4o7xyFCrnukAmYC807VctcCbZeTj9kOFVbB6FUqRl299CyE5lOS 0Vv2x1ORa5MDkdnewBrkAhinq3hf6VYQjQa1WhwghwMcR7O8dkjldlYFQFfWNd+vkHqWGplWx9AtoM 9LqQiDjUBDblzBywzgTI1U9wsStkT5D8OfCxeRCIBpDmrFCimfXKY7nBxWd6NYhX3Gp+zGqP72w18c 9KchJnxEW7GgG5kUUyEgTtJkzHjmvqvMs9TjDk3NIjdHXeqbbgUzqzRpTf57BvDoGnR/NIzSCeQRr6 pBQwd/e0X/JfhMFlCms1vzSrsNpH2mti4MoexFcY8LbRMERFPNbDjGJe7cX+bVbl96QIxPonay3PIF gIcRUVZV5fHy2ufAT1QpQfEaBbAiiW6i4IqgymV9h7oTO+xntdnPrUMdnj8lqYNJJzQHVyncHaNwuv BoB4DQe3wA83QmlAAKISXfQHkxRrfvE2Krf15KnElZEJ96K5TtMPr3wzOUYHFvi7xXmkIyJEsGTcra NWUP2AAiRfv5tLmmjyF8VI8Plz9H0wMy4puNT+CrlVsO0+1sttwAcxXdNjfT16kEfS/1qUStk/AHCE 1JxYtah2EwLWng98hEZwZ9f0aqO+Bc7VIK05wgHnm4eYG7ztr4gF3u8poq9g== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" When the sancov_plugin is enabled, it gets added to gcc-plugin-y which is used to populate both GCC_PLUGIN (for building the plugin) and GCC_PLUGINS_CFLAGS (for enabling and options). Instead of adding sancov to both and then removing it from GCC_PLUGINS_CFLAGS, create a separate list, gcc-plugin-external-y, which is only added to GCC_PLUGIN. This will also be used by the coming randstruct build changes. Cc: Masahiro Yamada Cc: linux-kbuild@vger.kernel.org Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- scripts/Makefile.gcc-plugins | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins index f67153b260c0..927c3dd57f84 100644 --- a/scripts/Makefile.gcc-plugins +++ b/scripts/Makefile.gcc-plugins @@ -8,8 +8,6 @@ ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY endif export DISABLE_LATENT_ENTROPY_PLUGIN =20 -gcc-plugin-$(CONFIG_GCC_PLUGIN_SANCOV) +=3D sancov_plugin.so - gcc-plugin-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) +=3D structleak_plugin.so gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE) \ +=3D -fplugin-arg-structleak_plugin-verbose @@ -53,13 +51,17 @@ export DISABLE_ARM_SSP_PER_TASK_PLUGIN # All the plugin CFLAGS are collected here in case a build target needs to # filter them out of the KBUILD_CFLAGS. GCC_PLUGINS_CFLAGS :=3D $(strip $(addprefix -fplugin=3D$(objtree)/scripts/= gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y)) -# The sancov_plugin.so is included via CFLAGS_KCOV, so it is removed here. -GCC_PLUGINS_CFLAGS :=3D $(filter-out %/sancov_plugin.so, $(GCC_PLUGINS_CFL= AGS)) export GCC_PLUGINS_CFLAGS =20 # Add the flags to the build! KBUILD_CFLAGS +=3D $(GCC_PLUGINS_CFLAGS) =20 -# All enabled GCC plugins are collected here for building below. -GCC_PLUGIN :=3D $(gcc-plugin-y) +# Some plugins are enabled outside of this Makefile, but they still need to +# be included in GCC_PLUGIN so they can get built. +gcc-plugin-external-$(CONFIG_GCC_PLUGIN_SANCOV) \ + +=3D sancov_plugin.so + +# All enabled GCC plugins are collected here for building in +# scripts/gcc-scripts/Makefile. +GCC_PLUGIN :=3D $(gcc-plugin-y) $(gcc-plugin-external-y) export GCC_PLUGIN --=20 2.32.0 From nobody Sun May 10 12:55:16 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 25307C433F5 for ; Tue, 3 May 2022 20:55:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242321AbiECU6s (ORCPT ); Tue, 3 May 2022 16:58:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32966 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242011AbiECU6n (ORCPT ); Tue, 3 May 2022 16:58:43 -0400 Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 69B6233E1C for ; Tue, 3 May 2022 13:55:09 -0700 (PDT) Received: by mail-pj1-x102e.google.com with SMTP id cx11-20020a17090afd8b00b001d9fe5965b3so3368380pjb.3 for ; Tue, 03 May 2022 13:55:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=ANvvfoJsMHIU8J1whkw86mXyIuy11/zkPRCmweDyDUY=; b=LfYvXfo5UrFi7QqSgYjmkU+NuXhIug3URPDe+TZJDsdTgB/ty6XtCDF+ZAeiM0QhNl W3kUGOV6FakPN3IdBaAgQoVEVuGtoGX0MD7mTZkxZYTMDkI0eC4wnd1h9CiS/i+D0FBE bVFcX/KTUlMNfkdEKGM9l9LqNZSrwHGI9qI9I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=ANvvfoJsMHIU8J1whkw86mXyIuy11/zkPRCmweDyDUY=; b=EEfh5HprgeKFZM+yAfdZUaj0JooAYSRxQjo6NwdyQNhU8xIdRYPtTyTcHBEuvGmEEr FbQi/F1M3gyFuSEKyfdQo+QlypBgfwpxXxtEL7CZe9mv7m99cYf5iOh3T/1kMu8MvnEu eaRjNG1Lof8dy8VeXPw7FUxpGDSYUof/h2QnTUj31hWIiKtTq01WwIDfllT1dieaBpQx 6xiWbi0VFwACCUnguPzchzC3DXG0SmuKsBY0Dl2cjlIM5TWnpotlxt8cUwTTx1B7nJZv joKnpOziuDEj47+lQDWF7OlOzlL+u3c5u6vOhD63ODuRtwiw7sKlxTdrvIVtHsmRRBNK eHsA== X-Gm-Message-State: AOAM531LsDbT3r/rQvosDFT/OhSeZLyTV3jwo5xG77miqO30sujFTq9v Xk54cUN4iOaBEIDmr1ZqiJWVTg== X-Google-Smtp-Source: ABdhPJzQUhU7EJ/fEAemFTQQf6TTJP8RdhEmqho4i+ZCEnAstDVV2hZW+oFWSzMdgmiO/WObDWQDsw== X-Received: by 2002:a17:902:9a49:b0:15d:1da8:81fa with SMTP id x9-20020a1709029a4900b0015d1da881famr18374107plv.114.1651611308698; Tue, 03 May 2022 13:55:08 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id d16-20020aa78690000000b0050dc7628148sm6716986pfo.34.2022.05.03.13.55.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 May 2022 13:55:08 -0700 (PDT) From: Kees Cook To: Bill Wendling Cc: Kees Cook , linux-hardening@vger.kernel.org, Masahiro Yamada , Nick Desaulniers , David Howells , Jeff Layton , linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH 3/6] randstruct: Reorganize Kconfigs and attribute macros Date: Tue, 3 May 2022 13:55:00 -0700 Message-Id: <20220503205503.3054173-4-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org> References: <20220503205503.3054173-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=11221; h=from:subject; bh=LM/CNktcq953xhv+5bXRTSGy0dLJ5YoNbozOnQpL+r4=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBicZamxn+qjom7FQIM9lrMVjKtUwJLzsxPHLLRZpDw gcUBks6JAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYnGWpgAKCRCJcvTf3G3AJh/RD/ 9AmXstTaGlTMOYjKI5q9Zxwb7mYJ8FkDOJdljwOi9CFAVl66HjC7OAazNegIagS/f91871rMMqyTZq NcxPrjqqexcrJvElnbSHSHBrUVDKvXDfkFRsylNpf79NRDaqLMhrxHINtle1DBVlm6Ee8dYj7AnBtB MZcy10JlrewqFNywN/iXpkSe+KDtiy8q3nLqsk6x9lOE/1qli/UJSsgnqSpYDJysXldr7eDBnpIlMk gHGX/8uCwWli3IrSYSki2arevQoH/7nH06MKuLRSZVbbBI/uLCVJc9UtM+DUuLMWUdlZRFHGU6giyD B3FcQ3Jdg6Zp3Hj4/eF+rx2Ain/4C4g7daNKa66XDbSX/pHAg0wmbCgOUetBO4tCl9pgZEr6ahIoI5 ljn4IOl7irfc1+pzHdj9Qk9fgzY6J0SFdp978dvbWGw2B1ppJs+lPBhFoZIpgx8kvwLtPhVWoLwobM kBB5+IszvAclP7vL/Mit5B7sPzeDmj/zCS4ZWo6i+KHUA/XiL1VOaf6q2iNn/2uOmmhIPJTiQFc94P mSXgRJp8UZRgWqCUWp2CG+ej9QwQufTDobK8FFYueyshAe0M10V+bpTasJHccfzpf6P+/Uldal4sqO uPId+UbGIlPdohiJg/vRy6N35kyEgim+026mJAz/mvxLx+3zWBfZ0Gkuj43Q== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" In preparation for Clang supporting randstruct, reorganize the Kconfigs, move the attribute macros, and generalize the feature to be named CONFIG_RANDSTRUCT for on/off, CONFIG_RANDSTRUCT_FULL for the full randomization mode, and CONFIG_RANDSTRUCT_PERFORMANCE for the cache-line sized mode. Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- Documentation/kbuild/reproducible-builds.rst | 7 +-- arch/riscv/Kconfig | 2 +- arch/x86/mm/pti.c | 2 +- include/linux/compiler-gcc.h | 8 --- include/linux/compiler_types.h | 14 ++--- include/linux/vermagic.h | 8 +-- kernel/panic.c | 2 +- scripts/Makefile.gcc-plugins | 4 +- scripts/gcc-plugins/Kconfig | 38 ------------ security/Kconfig.hardening | 62 ++++++++++++++++++++ 10 files changed, 81 insertions(+), 66 deletions(-) diff --git a/Documentation/kbuild/reproducible-builds.rst b/Documentation/k= build/reproducible-builds.rst index 3b25655e441b..81ff30505d35 100644 --- a/Documentation/kbuild/reproducible-builds.rst +++ b/Documentation/kbuild/reproducible-builds.rst @@ -99,10 +99,9 @@ unreproducible parts can be treated as sources: Structure randomisation ----------------------- =20 -If you enable ``CONFIG_GCC_PLUGIN_RANDSTRUCT``, you will need to -pre-generate the random seed in -``scripts/gcc-plugins/randomize_layout_seed.h`` so the same value -is used in rebuilds. +If you enable ``CONFIG_RANDSTRUCT``, you will need to pre-generate +the random seed in ``scripts/gcc-plugins/randomize_layout_seed.h`` +so the same value is used in rebuilds. =20 Debug info conflicts -------------------- diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index 00fd9c548f26..3ac2a81a55eb 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -468,7 +468,7 @@ config CC_HAVE_STACKPROTECTOR_TLS =20 config STACKPROTECTOR_PER_TASK def_bool y - depends on !GCC_PLUGIN_RANDSTRUCT + depends on !RANDSTRUCT depends on STACKPROTECTOR && CC_HAVE_STACKPROTECTOR_TLS =20 config PHYS_RAM_BASE_FIXED diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c index 5d5c7bb50ce9..ffe3b3a087fe 100644 --- a/arch/x86/mm/pti.c +++ b/arch/x86/mm/pti.c @@ -540,7 +540,7 @@ static inline bool pti_kernel_image_global_ok(void) * cases where RANDSTRUCT is in use to help keep the layout a * secret. */ - if (IS_ENABLED(CONFIG_GCC_PLUGIN_RANDSTRUCT)) + if (IS_ENABLED(CONFIG_RANDSTRUCT)) return false; =20 return true; diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h index 52299c957c98..a0c55eeaeaf1 100644 --- a/include/linux/compiler-gcc.h +++ b/include/linux/compiler-gcc.h @@ -66,14 +66,6 @@ __builtin_unreachable(); \ } while (0) =20 -#if defined(RANDSTRUCT_PLUGIN) && !defined(__CHECKER__) -#define __randomize_layout __attribute__((randomize_layout)) -#define __no_randomize_layout __attribute__((no_randomize_layout)) -/* This anon struct can add padding, so only enable it under randstruct. */ -#define randomized_struct_fields_start struct { -#define randomized_struct_fields_end } __randomize_layout; -#endif - /* * GCC 'asm goto' miscompiles certain code sequences: * diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index 1c2c33ae1b37..d08dfcb0ac68 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -242,15 +242,15 @@ struct ftrace_likely_data { # define __latent_entropy #endif =20 -#ifndef __randomize_layout +#if defined(RANDSTRUCT) && !defined(__CHECKER__) +# define __randomize_layout __designated_init __attribute__((randomize_lay= out)) +# define __no_randomize_layout __attribute__((no_randomize_layout)) +/* This anon struct can add padding, so only enable it under randstruct. */ +# define randomized_struct_fields_start struct { +# define randomized_struct_fields_end } __randomize_layout; +#else # define __randomize_layout __designated_init -#endif - -#ifndef __no_randomize_layout # define __no_randomize_layout -#endif - -#ifndef randomized_struct_fields_start # define randomized_struct_fields_start # define randomized_struct_fields_end #endif diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h index 329d63babaeb..efb51a2da599 100644 --- a/include/linux/vermagic.h +++ b/include/linux/vermagic.h @@ -32,11 +32,11 @@ #else #define MODULE_VERMAGIC_MODVERSIONS "" #endif -#ifdef RANDSTRUCT_PLUGIN +#ifdef RANDSTRUCT #include -#define MODULE_RANDSTRUCT_PLUGIN "RANDSTRUCT_PLUGIN_" RANDSTRUCT_HASHED_SE= ED +#define MODULE_RANDSTRUCT "RANDSTRUCT_" RANDSTRUCT_HASHED_SEED #else -#define MODULE_RANDSTRUCT_PLUGIN +#define MODULE_RANDSTRUCT #endif =20 #define VERMAGIC_STRING \ @@ -44,6 +44,6 @@ MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \ MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \ MODULE_ARCH_VERMAGIC \ - MODULE_RANDSTRUCT_PLUGIN + MODULE_RANDSTRUCT =20 #endif /* _LINUX_VERMAGIC_H */ diff --git a/kernel/panic.c b/kernel/panic.c index eb4dfb932c85..8355b19676f8 100644 --- a/kernel/panic.c +++ b/kernel/panic.c @@ -48,7 +48,7 @@ unsigned int __read_mostly sysctl_oops_all_cpu_backtrace; =20 int panic_on_oops =3D CONFIG_PANIC_ON_OOPS_VALUE; static unsigned long tainted_mask =3D - IS_ENABLED(CONFIG_GCC_PLUGIN_RANDSTRUCT) ? (1 << TAINT_RANDSTRUCT) : 0; + IS_ENABLED(CONFIG_RANDSTRUCT) ? (1 << TAINT_RANDSTRUCT) : 0; static int pause_on_oops; static int pause_on_oops_flag; static DEFINE_SPINLOCK(pause_on_oops_lock); diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins index 927c3dd57f84..827c47ce5c73 100644 --- a/scripts/Makefile.gcc-plugins +++ b/scripts/Makefile.gcc-plugins @@ -24,8 +24,8 @@ gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) \ =20 gcc-plugin-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) +=3D randomize_layout_plugin.so gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \ - +=3D -DRANDSTRUCT_PLUGIN -gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE) \ + +=3D -DRANDSTRUCT +gcc-plugin-cflags-$(CONFIG_RANDSTRUCT_PERFORMANCE) \ +=3D -fplugin-arg-randomize_layout_plugin-performance-mode =20 gcc-plugin-$(CONFIG_GCC_PLUGIN_STACKLEAK) +=3D stackleak_plugin.so diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index 51d81c3f03d6..e383cda05367 100644 --- a/scripts/gcc-plugins/Kconfig +++ b/scripts/gcc-plugins/Kconfig @@ -46,44 +46,6 @@ config GCC_PLUGIN_LATENT_ENTROPY * https://grsecurity.net/ * https://pax.grsecurity.net/ =20 -config GCC_PLUGIN_RANDSTRUCT - bool "Randomize layout of sensitive kernel structures" - select MODVERSIONS if MODULES - help - If you say Y here, the layouts of structures that are entirely - function pointers (and have not been manually annotated with - __no_randomize_layout), or structures that have been explicitly - marked with __randomize_layout, will be randomized at compile-time. - This can introduce the requirement of an additional information - exposure vulnerability for exploits targeting these structure - types. - - Enabling this feature will introduce some performance impact, - slightly increase memory usage, and prevent the use of forensic - tools like Volatility against the system (unless the kernel - source tree isn't cleaned after kernel installation). - - The seed used for compilation is located at - scripts/gcc-plugins/randomize_layout_seed.h. It remains after - a make clean to allow for external modules to be compiled with - the existing seed and will be removed by a make mrproper or - make distclean. - - This plugin was ported from grsecurity/PaX. More information at: - * https://grsecurity.net/ - * https://pax.grsecurity.net/ - -config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE - bool "Use cacheline-aware structure randomization" - depends on GCC_PLUGIN_RANDSTRUCT - depends on !COMPILE_TEST # do not reduce test coverage - help - If you say Y here, the RANDSTRUCT randomization will make a - best effort at restricting randomization to cacheline-sized - groups of elements. It will further not randomize bitfields - in structures. This reduces the performance hit of RANDSTRUCT - at the cost of weakened randomization. - config GCC_PLUGIN_ARM_SSP_PER_TASK bool depends on GCC_PLUGINS && ARM diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index ded4d7c0d132..364e3f8c6eea 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -266,4 +266,66 @@ config ZERO_CALL_USED_REGS =20 endmenu =20 +choice + prompt "Randomize layout of sensitive kernel structures" + default RANDSTRUCT_FULL if COMPILE_TEST && GCC_PLUGINS + default RANDSTRUCT_NONE + help + If you enable this, the layouts of structures that are entirely + function pointers (and have not been manually annotated with + __no_randomize_layout), or structures that have been explicitly + marked with __randomize_layout, will be randomized at compile-time. + This can introduce the requirement of an additional information + exposure vulnerability for exploits targeting these structure + types. + + Enabling this feature will introduce some performance impact, + slightly increase memory usage, and prevent the use of forensic + tools like Volatility against the system (unless the kernel + source tree isn't cleaned after kernel installation). + + The seed used for compilation is located at + scripts/randomize_layout_seed.h. It remains after a "make clean" + to allow for external modules to be compiled with the existing + seed and will be removed by a "make mrproper" or "make distclean". + + config RANDSTRUCT_NONE + bool "Disable structure layout randomization" + help + Build normally: no structure layout randomization. + + config RANDSTRUCT_FULL + bool "Fully randomize structure layout" + depends on GCC_PLUGINS + select MODVERSIONS if MODULES + help + Fully randomize the member layout of sensitive + structures as much as possible, which may have both a + memory size and performance impact. + + config RANDSTRUCT_PERFORMANCE + bool "Limit randomization of structure layout to cache-lines" + depends on GCC_PLUGINS + select MODVERSIONS if MODULES + help + Randomization of sensitive kernel structures will make a + best effort at restricting randomization to cacheline-sized + groups of members. It will further not randomize bitfields + in structures. This reduces the performance hit of RANDSTRUCT + at the cost of weakened randomization. +endchoice + +config RANDSTRUCT + def_bool !RANDSTRUCT_NONE + +config GCC_PLUGIN_RANDSTRUCT + def_bool GCC_PLUGINS && RANDSTRUCT + help + Use GCC plugin to randomize structure layout. + + This plugin was ported from grsecurity/PaX. More + information at: + * https://grsecurity.net/ + * https://pax.grsecurity.net/ + endmenu --=20 2.32.0 From nobody Sun May 10 12:55:16 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A741DC433FE for ; Tue, 3 May 2022 20:55:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237032AbiECU7Q (ORCPT ); Tue, 3 May 2022 16:59:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32966 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242174AbiECU6o (ORCPT ); Tue, 3 May 2022 16:58:44 -0400 Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 500363E5E7 for ; Tue, 3 May 2022 13:55:10 -0700 (PDT) Received: by mail-pf1-x42c.google.com with SMTP id v11so6224189pff.6 for ; Tue, 03 May 2022 13:55:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=0s2l8L34z34MUkPb/xcNxM9oOQ5pfRGE8+PgPesbjxc=; b=bhVNBEZ+27B/SccXVadaHG1jvpOqXyYJ+hj8GEC9P9p9MQDKaF4BLipZ7tMCTUGtNz PICi0sZeHr7t7kjGGRSBO8mzLluE7LOSWG4BnDKhxnnOuZFtTMVW6xXYTxLuym405lSP B3+FxDhigUqiTNZFl1mYMxRpZfBypDicHUpbM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=0s2l8L34z34MUkPb/xcNxM9oOQ5pfRGE8+PgPesbjxc=; b=C5DVAx6iwMu/pVrSbCk4JkmhLhVAmZsLkcKdpL51t9IZTw91/lZDf0aCwE6Usgvo58 ByHWiHyHXF+hSIyVR8nwvQ4zW90YpYk+6Jty3MWa9vJEMyxCOgwEXwNjQrA9o8ypGHnJ /CrgHXXaMcEZmTLzsc7ReSTQ5WLqzpW9pqjWXzU/O/IAJ5YrqcDC8tZmPW4MnAp2XX18 mDnZMb8Y21IP78SIUNIGfnJSr+f0oxlwKhJ9/Q+p8Kp2/Hng7Fc2TdKD3IJJxANGkANS LwQHGfo39cZNzHzIno6u92i3OG9s0ZYr7HFaeXnrfRdT7khHiXASS+DIQNyI/vq8eJSE Xl8g== X-Gm-Message-State: AOAM533EorY+vOVFXssR1b+XnNRlxMX567jzqKnIbrvnvr9lKBdu1rY+ Ss4Ps7yB20m6JmxoKXFy0yP+XA== X-Google-Smtp-Source: ABdhPJxNh718o6lZcnrjFVdXM6pAZT3sVcEOZcCHQo1I7zTGHYHYdiEGHt2M12oOpzHuik2BFiOqqA== X-Received: by 2002:a63:2d46:0:b0:3c1:424a:2a90 with SMTP id t67-20020a632d46000000b003c1424a2a90mr15245588pgt.35.1651611309785; Tue, 03 May 2022 13:55:09 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id e24-20020a63f558000000b003c14af50638sm3571630pgk.80.2022.05.03.13.55.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 May 2022 13:55:08 -0700 (PDT) From: Kees Cook To: Bill Wendling Cc: Kees Cook , linux-hardening@vger.kernel.org, Masahiro Yamada , Nick Desaulniers , David Howells , Jeff Layton , linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH 4/6] randstruct: Split randstruct Makefile and CFLAGS Date: Tue, 3 May 2022 13:55:01 -0700 Message-Id: <20220503205503.3054173-5-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org> References: <20220503205503.3054173-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=6703; h=from:subject; bh=ZEmrZ0k2Reix3PKt6lfCkuyHYsw1YqQ5sKxXW11+HTw=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBicZam4zhEqDWTM2MIktnKTuhNVNv/8H6Fea3xejgt HnjQkAKJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYnGWpgAKCRCJcvTf3G3AJq7lEA CuZ+xeZNdVslL1dtCv78SwqgkVF0Irvo2o5Ics+MdKOz0zPRHZP6oMToUFSgisWVwucBw1doPlHwwF zhbFZ5b9Z/mtyEvMqJQMoRsw/4Z7muCHglm3Dv8O47FpzI+yiiO30zPSHWfI74tHx92EWmSpJ/2Gxj R+Q4E8GQUabJY6Jh+dJuOpyF5HHJViaVqL7bdj5/mm5HymCYOEq5Jr71Cw/oyS7FGHAeEqyoaT1KUx srmuQy5RY0pPrL9SMAlO6//qsp85AalH8rgppGOsAl/H2/MkYpbouZtgklux7zpjPVLXrZxWWs3FL8 j0IynPZlYJImwZQlLdXPHm3O1BmKSHCQgQ8932YDoPHTJpTomyOeIjSvUD0FM1CGs4IisY5almpKHa 7mI4Ac0Zq7V2/VjDhtDgt343eONTqXX0hdzLr8CAK/ZlwFgi3TrXwqP7LN+t9Deb3tAzJPl1P4SNPK 09KMgW8IobL0wwL3um45dfvqf4uIvDJyAW1pcWbkWPuanq553xzB0h3RhRqtGB4+2uCCRbl9O1hXrT iBZ1IJYTRPfXawzfDUNGV73thtPTZmvfKZTnocs6/UKcP6sCw3XM8DEYkh/GE0q1u68QlcGu6agRXQ uUIg1L8Hn/FAG0pt19d+14PNYE3uHeKpWoNkw7Dva1Fdd9aWiHHtqQbmnoww== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" To enable the new Clang randstruct implementation[1], move randstruct into its own Makefile and split the CFLAGS from GCC_PLUGINS_CFLAGS into RANDSTRUCT_CFLAGS. [1] https://reviews.llvm.org/D121556 Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- Makefile | 1 + arch/arm/vdso/Makefile | 2 +- arch/arm64/kernel/vdso/Makefile | 3 ++- arch/sparc/vdso/Makefile | 3 ++- arch/x86/entry/vdso/Makefile | 3 ++- scripts/Makefile.gcc-plugins | 8 ++------ scripts/Makefile.randstruct | 14 ++++++++++++++ 7 files changed, 24 insertions(+), 10 deletions(-) create mode 100644 scripts/Makefile.randstruct diff --git a/Makefile b/Makefile index 29e273d3f8cc..91c91fcf3c24 100644 --- a/Makefile +++ b/Makefile @@ -1011,6 +1011,7 @@ include-$(CONFIG_KASAN) +=3D scripts/Makefile.kasan include-$(CONFIG_KCSAN) +=3D scripts/Makefile.kcsan include-$(CONFIG_UBSAN) +=3D scripts/Makefile.ubsan include-$(CONFIG_KCOV) +=3D scripts/Makefile.kcov +include-$(CONFIG_RANDSTRUCT) +=3D scripts/Makefile.randstruct include-$(CONFIG_GCC_PLUGINS) +=3D scripts/Makefile.gcc-plugins =20 include $(addprefix $(srctree)/, $(include-y)) diff --git a/arch/arm/vdso/Makefile b/arch/arm/vdso/Makefile index ec52b776f926..8ca1c9f262a2 100644 --- a/arch/arm/vdso/Makefile +++ b/arch/arm/vdso/Makefile @@ -28,7 +28,7 @@ CPPFLAGS_vdso.lds +=3D -P -C -U$(ARCH) CFLAGS_REMOVE_vdso.o =3D -pg =20 # Force -O2 to avoid libgcc dependencies -CFLAGS_REMOVE_vgettimeofday.o =3D -pg -Os $(GCC_PLUGINS_CFLAGS) +CFLAGS_REMOVE_vgettimeofday.o =3D -pg -Os $(RANDSTRUCT_CFLAGS) $(GCC_PLUGI= NS_CFLAGS) ifeq ($(c-gettimeofday-y),) CFLAGS_vgettimeofday.o =3D -O2 else diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makef= ile index 172452f79e46..d9147fba1a0b 100644 --- a/arch/arm64/kernel/vdso/Makefile +++ b/arch/arm64/kernel/vdso/Makefile @@ -32,7 +32,8 @@ ccflags-y +=3D -DDISABLE_BRANCH_PROFILING -DBUILD_VDSO # -Wmissing-prototypes and -Wmissing-declarations are removed from # the CFLAGS of vgettimeofday.c to make possible to build the # kernel with CONFIG_WERROR enabled. -CFLAGS_REMOVE_vgettimeofday.o =3D $(CC_FLAGS_FTRACE) -Os $(CC_FLAGS_SCS) $= (GCC_PLUGINS_CFLAGS) \ +CFLAGS_REMOVE_vgettimeofday.o =3D $(CC_FLAGS_FTRACE) -Os $(CC_FLAGS_SCS) \ + $(RANDSTRUCT_CFLAGS) $(GCC_PLUGINS_CFLAGS) \ $(CC_FLAGS_LTO) -Wmissing-prototypes -Wmissing-declarations KASAN_SANITIZE :=3D n KCSAN_SANITIZE :=3D n diff --git a/arch/sparc/vdso/Makefile b/arch/sparc/vdso/Makefile index c5e1545bc5cf..77d7b9032158 100644 --- a/arch/sparc/vdso/Makefile +++ b/arch/sparc/vdso/Makefile @@ -58,7 +58,7 @@ CFL :=3D $(PROFILING) -mcmodel=3Dmedlow -fPIC -O2 -fasync= hronous-unwind-tables -m64 =20 SPARC_REG_CFLAGS =3D -ffixed-g4 -ffixed-g5 -fcall-used-g5 -fcall-used-g7 =20 -$(vobjs): KBUILD_CFLAGS :=3D $(filter-out $(GCC_PLUGINS_CFLAGS) $(SPARC_RE= G_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) +$(vobjs): KBUILD_CFLAGS :=3D $(filter-out $(RANDSTRUCT_CFLAGS) $(GCC_PLUGI= NS_CFLAGS) $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) =20 # # vDSO code runs in userspace and -pg doesn't help with profiling anyway. @@ -88,6 +88,7 @@ $(obj)/vdso32.so.dbg: asflags-$(CONFIG_SPARC64) +=3D -m32 KBUILD_CFLAGS_32 :=3D $(filter-out -m64,$(KBUILD_CFLAGS)) KBUILD_CFLAGS_32 :=3D $(filter-out -mcmodel=3Dmedlow,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out -fno-pic,$(KBUILD_CFLAGS_32)) +KBUILD_CFLAGS_32 :=3D $(filter-out $(RANDSTRUCT_CFLAGS),$(KBUILD_CFLAGS_32= )) KBUILD_CFLAGS_32 :=3D $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS_3= 2)) KBUILD_CFLAGS_32 :=3D $(filter-out $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 +=3D -m32 -msoft-float -fpic diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile index 693f8b9031fb..c2a8b76ae0bc 100644 --- a/arch/x86/entry/vdso/Makefile +++ b/arch/x86/entry/vdso/Makefile @@ -91,7 +91,7 @@ ifneq ($(RETPOLINE_VDSO_CFLAGS),) endif endif =20 -$(vobjs): KBUILD_CFLAGS :=3D $(filter-out $(CC_FLAGS_LTO) $(GCC_PLUGINS_CF= LAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) +$(vobjs): KBUILD_CFLAGS :=3D $(filter-out $(CC_FLAGS_LTO) $(RANDSTRUCT_CFL= AGS) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL) =20 # # vDSO code runs in userspace and -pg doesn't help with profiling anyway. @@ -148,6 +148,7 @@ KBUILD_CFLAGS_32 :=3D $(filter-out -m64,$(KBUILD_CFLAGS= )) KBUILD_CFLAGS_32 :=3D $(filter-out -mcmodel=3Dkernel,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out -fno-pic,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out -mfentry,$(KBUILD_CFLAGS_32)) +KBUILD_CFLAGS_32 :=3D $(filter-out $(RANDSTRUCT_CFLAGS),$(KBUILD_CFLAGS_32= )) KBUILD_CFLAGS_32 :=3D $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS_3= 2)) KBUILD_CFLAGS_32 :=3D $(filter-out $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 :=3D $(filter-out $(CC_FLAGS_LTO),$(KBUILD_CFLAGS_32)) diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins index 827c47ce5c73..692d64a70542 100644 --- a/scripts/Makefile.gcc-plugins +++ b/scripts/Makefile.gcc-plugins @@ -22,12 +22,6 @@ export DISABLE_STRUCTLEAK_PLUGIN gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) \ +=3D -DSTRUCTLEAK_PLUGIN =20 -gcc-plugin-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) +=3D randomize_layout_plugin.so -gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \ - +=3D -DRANDSTRUCT -gcc-plugin-cflags-$(CONFIG_RANDSTRUCT_PERFORMANCE) \ - +=3D -fplugin-arg-randomize_layout_plugin-performance-mode - gcc-plugin-$(CONFIG_GCC_PLUGIN_STACKLEAK) +=3D stackleak_plugin.so gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ +=3D -DSTACKLEAK_PLUGIN @@ -60,6 +54,8 @@ KBUILD_CFLAGS +=3D $(GCC_PLUGINS_CFLAGS) # be included in GCC_PLUGIN so they can get built. gcc-plugin-external-$(CONFIG_GCC_PLUGIN_SANCOV) \ +=3D sancov_plugin.so +gcc-plugin-external-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \ + +=3D randomize_layout_plugin.so =20 # All enabled GCC plugins are collected here for building in # scripts/gcc-scripts/Makefile. diff --git a/scripts/Makefile.randstruct b/scripts/Makefile.randstruct new file mode 100644 index 000000000000..4d741e6db554 --- /dev/null +++ b/scripts/Makefile.randstruct @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: GPL-2.0 + +randstruct-cflags-y +=3D -DRANDSTRUCT + +ifdef CONFIG_GCC_PLUGIN_RANDSTRUCT +randstruct-cflags-y \ + +=3D -fplugin=3D$(objtree)/scripts/gcc-plugins/randomize_layout_plugin.so +randstruct-cflags-$(CONFIG_RANDSTRUCT_PERFORMANCE) \ + +=3D -fplugin-arg-randomize_layout_plugin-performance-mode +endif + +export RANDSTRUCT_CFLAGS :=3D $(randstruct-cflags-y) + +KBUILD_CFLAGS +=3D $(RANDSTRUCT_CFLAGS) --=20 2.32.0 From nobody Sun May 10 12:55:16 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA90BC433EF for ; Tue, 3 May 2022 20:55:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242437AbiECU70 (ORCPT ); Tue, 3 May 2022 16:59:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33240 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242360AbiECU6t (ORCPT ); Tue, 3 May 2022 16:58:49 -0400 Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A5DCB3E5FC for ; Tue, 3 May 2022 13:55:12 -0700 (PDT) Received: by mail-pl1-x632.google.com with SMTP id j14so544699plx.3 for ; Tue, 03 May 2022 13:55:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=71QHvmVbzbum/E3ZAVgy97tXOS8tK26BfXNggSRktyw=; b=mNBJz/XxKt2KFJk2CFepuhN/xZJ9Uv/rz50WON+4ZRBqQGxaTvzRxuzOr8mgvdSLb1 NPLtvHfakt3e74WR26Z3Hp3lQMac4mwkW+TTeTMhZW7eR4xkAOhBJl89txhv7sIl6ZU3 R/p0OcsGRJ9TZUFVA94bG5hnIYF/Me0VROUlc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=71QHvmVbzbum/E3ZAVgy97tXOS8tK26BfXNggSRktyw=; b=gNwtOWyIjy3QsQ/j1BbmFN7bBJHTMwl4omW/RbXxRuAXoeZ8phcrHDhhsk+syNDUfM revmsK23HC5gvncfZ7uF9IN3Q5LpjIIHSxGc4pU5P4KNVWBjX9L1CS5tW5fbDoZQBKqw w+6vke0sgajxmq+hdo0ez9F4hEaUiK70trWfeP0LHmcZPVR8wYdz1Susr5MBi7CVAZO3 vcn1X2Shva71fcESH6z6nb6ix3X+AlxlRzZVMvw8WOh0apHkGJSzpp4tvAhFAVmfLSjy YZf43fNpERseiU6v0Qhi6IzPLTm/zhAvmDfVlWVLRy2pbpVM759pdfX0+e5VTBnRzkk3 /UHQ== X-Gm-Message-State: AOAM533r4MxoRy1cYaUITuiZtJx+BEtcqv4NhQMF7eIpXPqFUp02tszZ jUwq6RjMj/vaEb5AHsForl29H0d5X4nQvw== X-Google-Smtp-Source: ABdhPJwVWBkyzyFxX6liiB55m10I4fUKnwsv3ihyDoa4NBY+1rzycYUA4hGuRSyZWfG4uHgq2ucCWg== X-Received: by 2002:a17:902:b694:b0:153:1d9a:11a5 with SMTP id c20-20020a170902b69400b001531d9a11a5mr18075548pls.151.1651611311893; Tue, 03 May 2022 13:55:11 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id t7-20020a62ea07000000b0050dc76281f1sm6709358pfh.203.2022.05.03.13.55.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 May 2022 13:55:10 -0700 (PDT) From: Kees Cook To: Bill Wendling Cc: Kees Cook , linux-hardening@vger.kernel.org, Masahiro Yamada , Nick Desaulniers , David Howells , Jeff Layton , linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH 5/6] randstruct: Move seed generation into scripts/basic/ Date: Tue, 3 May 2022 13:55:02 -0700 Message-Id: <20220503205503.3054173-6-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org> References: <20220503205503.3054173-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=6991; h=from:subject; bh=POSwG5vGM5ePjK+NnCJy7zXZuBYgVkMBrdQajWqSdos=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBicZamheMTQbFPcgMuGPTOLLAi+SSC63O6IOd2ZB8G s01qn/WJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYnGWpgAKCRCJcvTf3G3AJmrYD/ 9/S4SyNCCc6JysEizCShXfywKRGd/VypdZzFIpfGVbMWoWwduoZHcTO2KvS/88sMU72c4E6tNHVTRW JNSdq6HqbNyLDa2c3Dr07Ke9TEO3YZJ/bWwUeEOvEiKdyRNOMFU5picScsWYclKC8xdqB/Nq3wXBbd Syaf1Pdc6CFYgTnv6Ve4xYPoQAl0Pl4SxmPZV7QhdnJlRh0sGZzcRQJHdIn2MKAzEJLjCdPSTPJeqV OympuT/CPrl65t1f3iQN/m62UbI2nL8alWR7RHtr3qQ4HhZYIh+b2JufhOxFBEW/4BGFvEPSA3UsOG Q0SZwl70gwV44QEX/3jgTI86Lyld20sO8Px5z9cwUb0L004gQA+AR9sPwkEfe7QOEqEwDXJfyqtfMP cjy+VOCP7JFHS07booUAPGlUozGNlpzI2aT4rC4QiBQa0lcOEwXEzy8D9RrGj1zD0V/dz0e65UeQrg 2+Ibt4ziS+cHW6V+xUWPVZiQEKR+KyFb4aoHY+KCo3WR4LxiNbBNYWL6rUOXurCrSohkdU5mhkXyMH BmD60mww0e9EASzMySkYpkNIdlzimz0ekp8TAxceKDEb206dnxQOucbY9ntdg07Ffyf3pC5dywOqgy quouzBQoX6hoUJwnW2nDegfzTxW0QgU8tYhLnXP0sZvayjjDxnZhkl0UpOig== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" To enable Clang randstruct support, move the structure layout randomization seed generation out of scripts/gcc-plugins/ into scripts/basic/ so it happens early enough that it can be used by either compiler implementation. The gcc-plugin still builds its own header file, but now does so from the common "randstruct.seed" file. Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook --- Documentation/dontdiff | 1 + Documentation/kbuild/reproducible-builds.rst | 5 +++-- include/linux/vermagic.h | 2 +- scripts/basic/.gitignore | 1 + scripts/basic/Makefile | 11 +++++++++++ scripts/gcc-plugins/Makefile | 15 ++++++++++----- scripts/gcc-plugins/gen-random-seed.sh | 9 --------- scripts/gen-randstruct-seed.sh | 7 +++++++ security/Kconfig.hardening | 9 +++++---- 9 files changed, 39 insertions(+), 21 deletions(-) delete mode 100755 scripts/gcc-plugins/gen-random-seed.sh create mode 100755 scripts/gen-randstruct-seed.sh diff --git a/Documentation/dontdiff b/Documentation/dontdiff index 910b30a2a7d9..352ff53a2306 100644 --- a/Documentation/dontdiff +++ b/Documentation/dontdiff @@ -211,6 +211,7 @@ r200_reg_safe.h r300_reg_safe.h r420_reg_safe.h r600_reg_safe.h +randstruct.seed randomize_layout_hash.h randomize_layout_seed.h recordmcount diff --git a/Documentation/kbuild/reproducible-builds.rst b/Documentation/k= build/reproducible-builds.rst index 81ff30505d35..071f0151a7a4 100644 --- a/Documentation/kbuild/reproducible-builds.rst +++ b/Documentation/kbuild/reproducible-builds.rst @@ -100,8 +100,9 @@ Structure randomisation ----------------------- =20 If you enable ``CONFIG_RANDSTRUCT``, you will need to pre-generate -the random seed in ``scripts/gcc-plugins/randomize_layout_seed.h`` -so the same value is used in rebuilds. +the random seed in ``scripts/basic/randstruct.seed`` so the same +value is used by each build. See ``scripts/gen-randstruct-seed.sh`` +for details. =20 Debug info conflicts -------------------- diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h index efb51a2da599..a54046bf37e5 100644 --- a/include/linux/vermagic.h +++ b/include/linux/vermagic.h @@ -33,7 +33,7 @@ #define MODULE_VERMAGIC_MODVERSIONS "" #endif #ifdef RANDSTRUCT -#include +#include #define MODULE_RANDSTRUCT "RANDSTRUCT_" RANDSTRUCT_HASHED_SEED #else #define MODULE_RANDSTRUCT diff --git a/scripts/basic/.gitignore b/scripts/basic/.gitignore index 961c91c8a884..07c195f605a1 100644 --- a/scripts/basic/.gitignore +++ b/scripts/basic/.gitignore @@ -1,2 +1,3 @@ # SPDX-License-Identifier: GPL-2.0-only /fixdep +/randstruct.seed diff --git a/scripts/basic/Makefile b/scripts/basic/Makefile index eeb6a38c5551..dd289a6725ac 100644 --- a/scripts/basic/Makefile +++ b/scripts/basic/Makefile @@ -3,3 +3,14 @@ # fixdep: used to generate dependency information during build process =20 hostprogs-always-y +=3D fixdep + +# randstruct: the seed is needed before building the gcc-plugin or +# before running a Clang kernel build. +gen-randstruct-seed :=3D $(srctree)/scripts/gen-randstruct-seed.sh +quiet_cmd_create_randstruct_seed =3D GENSEED $@ +cmd_create_randstruct_seed =3D \ + $(CONFIG_SHELL) $(gen-randstruct-seed) \ + $@ $(objtree)/include/generated/randstruct_hash.h +$(obj)/randstruct.seed: $(gen-randstruct-seed) FORCE + $(call if_changed,create_randstruct_seed) +always-$(CONFIG_RANDSTRUCT) +=3D randstruct.seed diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile index 1952d3bb80c6..148f4639cf09 100644 --- a/scripts/gcc-plugins/Makefile +++ b/scripts/gcc-plugins/Makefile @@ -1,12 +1,17 @@ # SPDX-License-Identifier: GPL-2.0 =20 -$(obj)/randomize_layout_plugin.so: $(objtree)/$(obj)/randomize_layout_seed= .h -quiet_cmd_create_randomize_layout_seed =3D GENSEED $@ +$(obj)/randomize_layout_plugin.so: $(obj)/randomize_layout_seed.h +quiet_cmd_create_randomize_layout_seed =3D SEEDHDR $@ cmd_create_randomize_layout_seed =3D \ - $(CONFIG_SHELL) $(srctree)/$(src)/gen-random-seed.sh $@ $(objtree)/inclu= de/generated/randomize_layout_hash.h -$(objtree)/$(obj)/randomize_layout_seed.h: FORCE + SEED=3D$$(cat $(filter-out FORCE,$^) $@; \ + echo ' * This file is automatically generated. Keep it private.' >> $@; \ + echo ' * Exposing this value will expose the layout of randomized structu= res.' >> $@; \ + echo ' */' >> $@; \ + echo "const char *randstruct_seed =3D \"$$SEED\";" >> $@ +$(obj)/randomize_layout_seed.h: $(objtree)/scripts/basic/randstruct.seed F= ORCE $(call if_changed,create_randomize_layout_seed) -targets +=3D randomize_layout_seed.h randomize_layout_hash.h +targets +=3D randomize_layout_seed.h =20 # Build rules for plugins # diff --git a/scripts/gcc-plugins/gen-random-seed.sh b/scripts/gcc-plugins/g= en-random-seed.sh deleted file mode 100755 index 68af5cc20a64..000000000000 --- a/scripts/gcc-plugins/gen-random-seed.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: GPL-2.0 - -if [ ! -f "$1" ]; then - SEED=3D`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'` - echo "const char *randstruct_seed =3D \"$SEED\";" > "$1" - HASH=3D`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'` - echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2" -fi diff --git a/scripts/gen-randstruct-seed.sh b/scripts/gen-randstruct-seed.sh new file mode 100755 index 000000000000..61017b36c464 --- /dev/null +++ b/scripts/gen-randstruct-seed.sh @@ -0,0 +1,7 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +SEED=3D$(od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n') +echo "$SEED" > "$1" +HASH=3D$(echo -n "$SEED" | sha256sum | cut -d" " -f1) +echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2" diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index 364e3f8c6eea..0277ba578779 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -284,10 +284,11 @@ choice tools like Volatility against the system (unless the kernel source tree isn't cleaned after kernel installation). =20 - The seed used for compilation is located at - scripts/randomize_layout_seed.h. It remains after a "make clean" - to allow for external modules to be compiled with the existing - seed and will be removed by a "make mrproper" or "make distclean". + The seed used for compilation is in scripts/basic/randomize.seed. + It remains after a "make clean" to allow for external modules to + be compiled with the existing seed and will be removed by a + "make mrproper" or "make distclean". This file should not be made + public, or the structure layout can be determined. =20 config RANDSTRUCT_NONE bool "Disable structure layout randomization" --=20 2.32.0 From nobody Sun May 10 12:55:16 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DEC07C433EF for ; Tue, 3 May 2022 20:55:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242479AbiECU7U (ORCPT ); Tue, 3 May 2022 16:59:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32990 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242203AbiECU6o (ORCPT ); Tue, 3 May 2022 16:58:44 -0400 Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8D6AD3DDC9 for ; Tue, 3 May 2022 13:55:11 -0700 (PDT) Received: by mail-pj1-x102e.google.com with SMTP id cx11-20020a17090afd8b00b001d9fe5965b3so3368380pjb.3 for ; Tue, 03 May 2022 13:55:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=G7gjgj4/4LSK9c/JAyPIXqGgMKHVguykDn2bHyT8voA=; b=lPFLR0C5AR5qKEBPAIWTWtzBk+9lgyDMXniJNA7VZybl5Svtynw7Q/xjEYdb832RxY jR+mmBUtRcDesMD4DEG7CNWGz0KtJaT50b3NMMS76x0LFx22QrYMECu2xX38hf/AwNb7 MMJL5gT3MvziRSysXThA4xSGWJAbkPXC9dKQU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=G7gjgj4/4LSK9c/JAyPIXqGgMKHVguykDn2bHyT8voA=; b=DSi1AHFywA6m7B/ZS7pl93mZbecW7ta5b2quKCLoyFLhpdRWHNj+X+bI66Ii3ezC8G AL8RprGeV4O+uPG8iIP+lPxk9bLVlwVFTIg1qzqsfFYAzqo2BxsR1c3iVvFPBWBK8BxJ bCk6PKtF22esZiZxLR75T9XeS1E+S7MPFbBih3rkub5J4uAMgFww5r8dVKvBFivgfEca ToWLePzSfIAxZEmUQy4bspm1Kzlbo5qrH9c/9pIi/p/NYDASWpOvCrDg/v/Elv5+VLuH JiIHRJBpqbf1mdXVHGIUXjwXFw+jvUsZfcxNE4TSSaFMyB0frZiDF+gNCKTJORrc3jBQ MUxA== X-Gm-Message-State: AOAM530LAZkucjGlCqK8SoftytNKMhsX2eZ3TEebe+3Y6+K5l9zs/lkK pd5m/oyM/CDbKXtFsQbeIoqTvw== X-Google-Smtp-Source: ABdhPJzlRQDlCCwN12p3T2iXLOmaoOKLrPyOTgiWQ5BWcgjSqfBDOLgzhdNXlPBULmM7f+FaLlbpCA== X-Received: by 2002:a17:902:bb90:b0:158:a031:2ff2 with SMTP id m16-20020a170902bb9000b00158a0312ff2mr18429818pls.117.1651611311296; Tue, 03 May 2022 13:55:11 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id s10-20020a63450a000000b003c14af50607sm13111823pga.31.2022.05.03.13.55.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 May 2022 13:55:10 -0700 (PDT) From: Kees Cook To: Bill Wendling Cc: Kees Cook , Masahiro Yamada , linux-kbuild@vger.kernel.org, Nick Desaulniers , David Howells , Jeff Layton , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH 6/6] randstruct: Enable Clang support Date: Tue, 3 May 2022 13:55:03 -0700 Message-Id: <20220503205503.3054173-7-keescook@chromium.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220503205503.3054173-1-keescook@chromium.org> References: <20220503205503.3054173-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2492; h=from:subject; bh=70QhakHoqRBTF2BhS4yZEwFNAa1mWnEa/ie6xwzJGBY=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBicZamZGgPTMDtkz2lAP6v2msQMzZKulCSX+KAGB5j E1bmlEqJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYnGWpgAKCRCJcvTf3G3AJlU5D/ 9Xyd51aYNqszUUL7SvvNyC19VjSU0o+jEEkpPilQKRN1uRHK9nWVWsrPw3aFhoMz4iTS5XBzAGpYfE DZEIcZQKS7f0MQGz6vgp5cG+EgrB5CcQ4ePyGGRn7IdfAg53lo+OIxP2oilAbt8NP58LUyzfd4EjYV kt5olI/+81/6ht6froYHo+0Qv+4W3GPz9sGufyfAEbFQyXjsEcy9Ro2qAdyOxtoCS8aDDznVpsbfQL 9z41A3ZD5ml0/L04Rk485Bom22yCPUP/1gkISFHvDq23I4slmV8kNHcqAFOPhTq4bc4MJ8+3dUZqmD VvFFb5wmyDS0grBSDnO9ihBplIWn5/Aq5sH2CcmQKp7DKALkQPjHNdED2ABfy/jQdoGogxCHAyuP9F zW7FjuKazB8lTmSMZKxUakxyGS0ANjJR32zyrofE+RdyI7hElnpEzP7vnVTb3vnK8zo+Vk6KYGGEzZ 4yZIbE1lnLdCkvvS3GxZubDQI7e/adQqf/kcL2bKQ9RXvw4IAWaBA4onxJpmaRDtEBar+YGUT9jS3E hcT67gCbpkmG3Vccv5IlmGAI/6hpgM986H4ODejuZbIJymhKClI/n8pqWJdg9ZBGccPsezfwigdKIu oPS4Fo4Cf2D4ZToRh8wuX98q/HcA7kcOkiuSlaUmKQWv49ct43TIINfIBBkQ== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Clang 15 will support randstruct via the -frandomize-layout-seed-file=3D... option. Update the Kconfig and Makefile to recognize this feature. Cc: Masahiro Yamada Cc: linux-kbuild@vger.kernel.org Signed-off-by: Kees Cook --- scripts/Makefile.randstruct | 3 +++ security/Kconfig.hardening | 14 ++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/scripts/Makefile.randstruct b/scripts/Makefile.randstruct index 4d741e6db554..24e283e89893 100644 --- a/scripts/Makefile.randstruct +++ b/scripts/Makefile.randstruct @@ -7,6 +7,9 @@ randstruct-cflags-y \ +=3D -fplugin=3D$(objtree)/scripts/gcc-plugins/randomize_layout_plugin.so randstruct-cflags-$(CONFIG_RANDSTRUCT_PERFORMANCE) \ +=3D -fplugin-arg-randomize_layout_plugin-performance-mode +else +randstruct-cflags-y \ + +=3D -frandomize-layout-seed-file=3D$(objtree)/scripts/basic/randstruct.s= eed endif =20 export RANDSTRUCT_CFLAGS :=3D $(randstruct-cflags-y) diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index 0277ba578779..bd2aabb2c60f 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -266,9 +266,12 @@ config ZERO_CALL_USED_REGS =20 endmenu =20 +config CC_HAS_RANDSTRUCT + def_bool $(cc-option,-frandomize-layout-seed-file=3D/dev/null) + choice prompt "Randomize layout of sensitive kernel structures" - default RANDSTRUCT_FULL if COMPILE_TEST && GCC_PLUGINS + default RANDSTRUCT_FULL if COMPILE_TEST && (GCC_PLUGINS || CC_HAS_RANDSTR= UCT) default RANDSTRUCT_NONE help If you enable this, the layouts of structures that are entirely @@ -297,13 +300,20 @@ choice =20 config RANDSTRUCT_FULL bool "Fully randomize structure layout" - depends on GCC_PLUGINS + depends on CC_HAS_RANDSTRUCT || GCC_PLUGINS select MODVERSIONS if MODULES help Fully randomize the member layout of sensitive structures as much as possible, which may have both a memory size and performance impact. =20 + One difference between the Clang and GCC plugin + implementations is the handling of bitfields. The GCC + plugin treats them as fully separate variables, + introducing sometimes significant padding. Clang tries + to keep adjacent bitfields together, but with their bit + ordering randomized. + config RANDSTRUCT_PERFORMANCE bool "Limit randomization of structure layout to cache-lines" depends on GCC_PLUGINS --=20 2.32.0