1. Patchew
  2. linux
  3. [PATCH 0/3] Detect changed compiler dependencies for full rebuild
  4. View patch

[PATCH 2/3] randstruct: Force full rebuild when seed changes

Kees Cook posted 3 patches 9 months, 2 weeks ago
There is a newer version of this series
[PATCH 2/3] randstruct: Force full rebuild when seed changes
Posted by Kees Cook 9 months, 2 weeks ago 
While the randstruct GCC plugin was being rebuilt if the randstruct
seed changed, Clangs build did not notice the change. Include the hash
header directly so that it becomes a universal build dependency and full
rebuilds will happen if it changes.

Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nicolas Schier <nicolas.schier@linux.dev>
Cc: Petr Pavlu <petr.pavlu@suse.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: <linux-kbuild@vger.kernel.org>
---
 include/linux/vermagic.h    |  1 -
 scripts/Makefile.randstruct |  3 ++-
 scripts/basic/Makefile      | 11 ++++++-----
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
index 939ceabcaf06..335c360d4f9b 100644
--- a/include/linux/vermagic.h
+++ b/include/linux/vermagic.h
@@ -33,7 +33,6 @@
 #define MODULE_VERMAGIC_MODVERSIONS ""
 #endif
 #ifdef RANDSTRUCT
-#include <generated/randstruct_hash.h>
 #define MODULE_RANDSTRUCT "RANDSTRUCT_" RANDSTRUCT_HASHED_SEED
 #else
 #define MODULE_RANDSTRUCT
diff --git a/scripts/Makefile.randstruct b/scripts/Makefile.randstruct
index 24e283e89893..ab87219c6149 100644
--- a/scripts/Makefile.randstruct
+++ b/scripts/Makefile.randstruct
@@ -12,6 +12,7 @@ randstruct-cflags-y	\
 	+= -frandomize-layout-seed-file=$(objtree)/scripts/basic/randstruct.seed
 endif
 
-export RANDSTRUCT_CFLAGS := $(randstruct-cflags-y)
+export RANDSTRUCT_CFLAGS := $(randstruct-cflags-y) \
+			    -include $(objtree)/scripts/basic/randstruct_hash.h
 
 KBUILD_CFLAGS	+= $(RANDSTRUCT_CFLAGS)
diff --git a/scripts/basic/Makefile b/scripts/basic/Makefile
index dd289a6725ac..31637ce4dc5c 100644
--- a/scripts/basic/Makefile
+++ b/scripts/basic/Makefile
@@ -8,9 +8,10 @@ hostprogs-always-y	+= fixdep
 # before running a Clang kernel build.
 gen-randstruct-seed	:= $(srctree)/scripts/gen-randstruct-seed.sh
 quiet_cmd_create_randstruct_seed = GENSEED $@
-cmd_create_randstruct_seed = \
-	$(CONFIG_SHELL) $(gen-randstruct-seed) \
-		$@ $(objtree)/include/generated/randstruct_hash.h
-$(obj)/randstruct.seed: $(gen-randstruct-seed) FORCE
+      cmd_create_randstruct_seed = $(CONFIG_SHELL) $(gen-randstruct-seed) \
+		$(obj)/randstruct.seed $(obj)/randstruct_hash.h
+
+$(obj)/randstruct_hash.h $(obj)/randstruct.seed: $(gen-randstruct-seed) FORCE
 	$(call if_changed,create_randstruct_seed)
-always-$(CONFIG_RANDSTRUCT) += randstruct.seed
+
+always-$(CONFIG_RANDSTRUCT) += randstruct.seed randstruct_hash.h
-- 
2.34.1
Re: [PATCH 2/3] randstruct: Force full rebuild when seed changes
Posted by Nathan Chancellor 9 months, 2 weeks ago 
Hi Kees,

On Thu, May 01, 2025 at 12:48:17PM -0700, Kees Cook wrote:
> While the randstruct GCC plugin was being rebuilt if the randstruct
> seed changed, Clangs build did not notice the change. Include the hash
> header directly so that it becomes a universal build dependency and full
> rebuilds will happen if it changes.
> 
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Masahiro Yamada <masahiroy@kernel.org>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nicolas Schier <nicolas.schier@linux.dev>
> Cc: Petr Pavlu <petr.pavlu@suse.com>
> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
> Cc: <linux-kbuild@vger.kernel.org>
> ---
>  include/linux/vermagic.h    |  1 -
>  scripts/Makefile.randstruct |  3 ++-
>  scripts/basic/Makefile      | 11 ++++++-----
>  3 files changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
> index 939ceabcaf06..335c360d4f9b 100644
> --- a/include/linux/vermagic.h
> +++ b/include/linux/vermagic.h
> @@ -33,7 +33,6 @@
>  #define MODULE_VERMAGIC_MODVERSIONS ""
>  #endif
>  #ifdef RANDSTRUCT
> -#include <generated/randstruct_hash.h>
>  #define MODULE_RANDSTRUCT "RANDSTRUCT_" RANDSTRUCT_HASHED_SEED
>  #else
>  #define MODULE_RANDSTRUCT
> diff --git a/scripts/Makefile.randstruct b/scripts/Makefile.randstruct
> index 24e283e89893..ab87219c6149 100644
> --- a/scripts/Makefile.randstruct
> +++ b/scripts/Makefile.randstruct
> @@ -12,6 +12,7 @@ randstruct-cflags-y	\
>  	+= -frandomize-layout-seed-file=$(objtree)/scripts/basic/randstruct.seed
>  endif
>  
> -export RANDSTRUCT_CFLAGS := $(randstruct-cflags-y)
> +export RANDSTRUCT_CFLAGS := $(randstruct-cflags-y) \
> +			    -include $(objtree)/scripts/basic/randstruct_hash.h

As the kernel test robot points out (on a report that you weren't
included on for some reason...), this breaks the build in several
places on next-20250502.

https://lore.kernel.org/202505021409.yC9C70lH-lkp@intel.com/

  $ make -skj"$(nproc)" ARCH=arm LLVM=1 clean allmodconfig arch/arm/vdso/vgettimeofday.o
  clang: error: cannot specify -o when generating multiple output files

There are places in the kernel that filter out RANDSTRUCT_CFLAGS and
this appears to cause other '-include' flags to be filtered out as well,
such as the one in the efistub that includes hidden.h.

>  KBUILD_CFLAGS	+= $(RANDSTRUCT_CFLAGS)
> diff --git a/scripts/basic/Makefile b/scripts/basic/Makefile
> index dd289a6725ac..31637ce4dc5c 100644
> --- a/scripts/basic/Makefile
> +++ b/scripts/basic/Makefile
> @@ -8,9 +8,10 @@ hostprogs-always-y	+= fixdep
>  # before running a Clang kernel build.
>  gen-randstruct-seed	:= $(srctree)/scripts/gen-randstruct-seed.sh
>  quiet_cmd_create_randstruct_seed = GENSEED $@
> -cmd_create_randstruct_seed = \
> -	$(CONFIG_SHELL) $(gen-randstruct-seed) \
> -		$@ $(objtree)/include/generated/randstruct_hash.h
> -$(obj)/randstruct.seed: $(gen-randstruct-seed) FORCE
> +      cmd_create_randstruct_seed = $(CONFIG_SHELL) $(gen-randstruct-seed) \
> +		$(obj)/randstruct.seed $(obj)/randstruct_hash.h
> +
> +$(obj)/randstruct_hash.h $(obj)/randstruct.seed: $(gen-randstruct-seed) FORCE
>  	$(call if_changed,create_randstruct_seed)
> -always-$(CONFIG_RANDSTRUCT) += randstruct.seed
> +
> +always-$(CONFIG_RANDSTRUCT) += randstruct.seed randstruct_hash.h
> -- 
> 2.34.1
>
Re: [PATCH 2/3] randstruct: Force full rebuild when seed changes
Posted by Kees Cook 9 months, 2 weeks ago 
On Fri, May 02, 2025 at 09:12:09AM -0700, Nathan Chancellor wrote:
> Hi Kees,
> 
> On Thu, May 01, 2025 at 12:48:17PM -0700, Kees Cook wrote:
> > While the randstruct GCC plugin was being rebuilt if the randstruct
> > seed changed, Clangs build did not notice the change. Include the hash
> > header directly so that it becomes a universal build dependency and full
> > rebuilds will happen if it changes.
> > 
> > Signed-off-by: Kees Cook <kees@kernel.org>
> > ---
> > Cc: Masahiro Yamada <masahiroy@kernel.org>
> > Cc: Nathan Chancellor <nathan@kernel.org>
> > Cc: Nicolas Schier <nicolas.schier@linux.dev>
> > Cc: Petr Pavlu <petr.pavlu@suse.com>
> > Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
> > Cc: <linux-kbuild@vger.kernel.org>
> > ---
> >  include/linux/vermagic.h    |  1 -
> >  scripts/Makefile.randstruct |  3 ++-
> >  scripts/basic/Makefile      | 11 ++++++-----
> >  3 files changed, 8 insertions(+), 7 deletions(-)
> > 
> > diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
> > index 939ceabcaf06..335c360d4f9b 100644
> > --- a/include/linux/vermagic.h
> > +++ b/include/linux/vermagic.h
> > @@ -33,7 +33,6 @@
> >  #define MODULE_VERMAGIC_MODVERSIONS ""
> >  #endif
> >  #ifdef RANDSTRUCT
> > -#include <generated/randstruct_hash.h>
> >  #define MODULE_RANDSTRUCT "RANDSTRUCT_" RANDSTRUCT_HASHED_SEED
> >  #else
> >  #define MODULE_RANDSTRUCT
> > diff --git a/scripts/Makefile.randstruct b/scripts/Makefile.randstruct
> > index 24e283e89893..ab87219c6149 100644
> > --- a/scripts/Makefile.randstruct
> > +++ b/scripts/Makefile.randstruct
> > @@ -12,6 +12,7 @@ randstruct-cflags-y	\
> >  	+= -frandomize-layout-seed-file=$(objtree)/scripts/basic/randstruct.seed
> >  endif
> >  
> > -export RANDSTRUCT_CFLAGS := $(randstruct-cflags-y)
> > +export RANDSTRUCT_CFLAGS := $(randstruct-cflags-y) \
> > +			    -include $(objtree)/scripts/basic/randstruct_hash.h
> 
> As the kernel test robot points out (on a report that you weren't
> included on for some reason...), this breaks the build in several
> places on next-20250502.
> 
> https://lore.kernel.org/202505021409.yC9C70lH-lkp@intel.com/
> 
>   $ make -skj"$(nproc)" ARCH=arm LLVM=1 clean allmodconfig arch/arm/vdso/vgettimeofday.o
>   clang: error: cannot specify -o when generating multiple output files
> 
> There are places in the kernel that filter out RANDSTRUCT_CFLAGS and
> this appears to cause other '-include' flags to be filtered out as well,
> such as the one in the efistub that includes hidden.h.

Thanks! Yeah, I have been poking at it for most of today. 😭

I think I have a viable solution, that I actually end up liking a bit
better, which I just sent out:
https://lore.kernel.org/lkml/20250502224512.it.706-kees@kernel.org/

-- 
Kees Cook

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.