From: Thomas Garnier via Virtualization <virtualization@lists.linux-foundation.org>
To: Herbert Xu <herbert@gondor.apana.org.au>,
"David S . Miller" <davem@davemloft.net>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H . Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Thomas Garnier <thgarnie@google.com>,
Arnd Bergmann <arnd@arndb.de>, Kees Cook <keescook@chromium.org>,
Matthias Kaehlcke <mka@chromium.org>,
Tom Lendacky <thomas.lendacky@amd.com>,
Andy Lutomirski <luto@kernel.org>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
Borislav Petkov <bp@suse.de>,
"Rafael J . Wysocki" <rjw@rjwysocki.net>,
Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
Juergen Gross <jgross@suse.com>,
Chris Wright <chrisw@sous-sol.org>,
Alok Kataria <akataria@vmware.com>,
Rusty Russell <rusty@rustcorp.com.au>, Tejun Heo <tj@kernel.org>,
Christoph Lameter <cl@linux.com>Bor
Cc: linux-arch@vger.kernel.org, kvm@vger.kernel.org,
linux-pm@vger.kernel.org, x86@kernel.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
virtualization@lists.linux-foundation.org,
linux-sparse@vger.kernel.org, linux-crypto@vger.kernel.org,
kernel-hardening@lists.openwall.com,
xen-devel@lists.xenproject.org
Subject: [RFC v3 25/27] x86/pie: Add option to build the kernel as PIE
Date: Wed, 4 Oct 2017 14:20:01 -0700 [thread overview]
Message-ID: <20171004212003.28296-26-thgarnie__36813.8131373145$1509079994$gmane$org@google.com> (raw)
In-Reply-To: <20171004212003.28296-1-thgarnie@google.com>
Add the CONFIG_X86_PIE option which builds the kernel as a Position
Independent Executable (PIE). The kernel is currently build with the
mcmodel=kernel option which forces it to stay on the top 2G of the
virtual address space. With PIE, the kernel will be able to move below
the current limit.
The --emit-relocs linker option was kept instead of using -pie to limit
the impact on mapped sections. Any incompatible relocation will be
catch by the arch/x86/tools/relocs binary at compile time.
Performance/Size impact:
Size of vmlinux (Default configuration):
File size:
- PIE disabled: +0.000031%
- PIE enabled: -3.210% (less relocations)
.text section:
- PIE disabled: +0.000644%
- PIE enabled: +0.837%
Size of vmlinux (Ubuntu configuration):
File size:
- PIE disabled: -0.201%
- PIE enabled: -0.082%
.text section:
- PIE disabled: same
- PIE enabled: +1.319%
Size of vmlinux (Default configuration + ORC):
File size:
- PIE enabled: -3.167%
.text section:
- PIE enabled: +0.814%
Size of vmlinux (Ubuntu configuration + ORC):
File size:
- PIE enabled: -3.167%
.text section:
- PIE enabled: +1.26%
The size increase is mainly due to not having access to the 32-bit signed
relocation that can be used with mcmodel=kernel. A small part is due to reduced
optimization for PIE code. This bug [1] was opened with gcc to provide a better
code generation for kernel PIE.
Hackbench (50% and 1600% on thread/process for pipe/sockets):
- PIE disabled: no significant change (avg +0.1% on latest test).
- PIE enabled: between -0.50% to +0.86% in average (default and Ubuntu config).
slab_test (average of 10 runs):
- PIE disabled: no significant change (-2% on latest run, likely noise).
- PIE enabled: between -1% and +0.8% on latest runs.
Kernbench (average of 10 Half and Optimal runs):
Elapsed Time:
- PIE disabled: no significant change (avg -0.239%)
- PIE enabled: average +0.07%
System Time:
- PIE disabled: no significant change (avg -0.277%)
- PIE enabled: average +0.7%
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82303
Signed-off-by: Thomas Garnier <thgarnie@google.com>
---
arch/x86/Kconfig | 8 ++++++++
arch/x86/Makefile | 1 +
2 files changed, 9 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 1e4b399c64e5..b92f96923712 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2141,6 +2141,14 @@ config X86_GLOBAL_STACKPROTECTOR
bool
depends on CC_STACKPROTECTOR
+config X86_PIE
+ bool
+ depends on X86_64
+ select DEFAULT_HIDDEN
+ select DYNAMIC_MODULE_BASE
+ select MODULE_REL_CRCS if MODVERSIONS
+ select X86_GLOBAL_STACKPROTECTOR if CC_STACKPROTECTOR
+
config HOTPLUG_CPU
bool "Support for hot-pluggable CPUs"
depends on SMP
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 42774185a58a..c49855b4b1be 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -144,6 +144,7 @@ else
KBUILD_CFLAGS += -mno-red-zone
ifdef CONFIG_X86_PIE
+ KBUILD_CFLAGS += -fPIC
KBUILD_LDFLAGS_MODULE += -T $(srctree)/arch/x86/kernel/module.lds
else
KBUILD_CFLAGS += -mcmodel=kernel
--
2.14.2.920.gcf0c67979c-goog
next prev parent reply other threads:[~2017-10-04 21:20 UTC|newest]
Thread overview: 127+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-04 21:19 x86: PIE support and option to extend KASLR randomization Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 01/27] x86/crypto: Adapt assembly for PIE support Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 02/27] x86: Use symbol name on bug table " Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier via Virtualization
2017-10-04 21:19 ` [RFC v3 03/27] x86: Use symbol name in jump " Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 04/27] x86: Add macro to get symbol address " Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 05/27] x86: relocate_kernel - Adapt assembly " Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 06/27] x86/entry/64: " Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier via Virtualization
2017-10-04 21:19 ` [RFC v3 07/27] x86: pm-trace - " Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier via Virtualization
2017-10-04 21:19 ` [RFC v3 08/27] x86/CPU: " Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 09/27] x86/acpi: " Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 10/27] x86/boot/64: " Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier via Virtualization
2017-10-04 21:19 ` [RFC v3 11/27] x86/power/64: " Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier via Virtualization
2017-10-04 21:19 ` [RFC v3 12/27] x86/paravirt: " Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 13/27] x86/boot/64: Use _text in a global " Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier via Virtualization
2017-10-04 21:19 ` [RFC v3 14/27] x86/percpu: Adapt percpu " Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 15/27] compiler: Option to default to hidden symbols Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 16/27] x86/relocs: Handle PIE relocations Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier via Virtualization
2017-10-04 21:19 ` [RFC v3 17/27] xen: Adapt assembly for PIE support Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 18/27] kvm: " Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier via Virtualization
2017-10-04 21:19 ` [RFC v3 19/27] x86: Support global stack cookie Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier via Virtualization
2017-10-04 21:19 ` [RFC v3 20/27] x86/ftrace: Adapt function tracing for PIE support Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-05 13:06 ` Steven Rostedt
2017-10-05 13:06 ` Steven Rostedt
2017-10-05 13:06 ` [kernel-hardening] " Steven Rostedt
2017-10-05 16:01 ` Thomas Garnier
2017-10-05 16:01 ` Thomas Garnier via Virtualization
2017-10-05 16:01 ` Thomas Garnier
2017-10-05 16:01 ` [kernel-hardening] " Thomas Garnier
2017-10-05 16:01 ` Thomas Garnier
2017-10-05 16:11 ` Steven Rostedt
2017-10-05 16:11 ` Steven Rostedt
2017-10-05 16:11 ` [kernel-hardening] " Steven Rostedt
2017-10-05 16:14 ` Thomas Garnier via Virtualization
2017-10-05 16:14 ` Thomas Garnier
2017-10-05 16:14 ` Thomas Garnier
2017-10-05 16:14 ` [kernel-hardening] " Thomas Garnier
2017-10-05 16:14 ` Thomas Garnier
2017-10-04 21:19 ` [RFC v3 21/27] x86/mm/dump_pagetables: Fix address markers index on x86_64 Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier via Virtualization
2017-10-04 21:19 ` [RFC v3 22/27] x86/modules: Add option to start module section after kernel Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier via Virtualization
2017-10-04 21:19 ` [RFC v3 23/27] x86/modules: Adapt module loading for PIE support Thomas Garnier via Virtualization
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:19 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:19 ` Thomas Garnier
2017-10-04 21:20 ` [RFC v3 24/27] x86/mm: Make the x86 GOT read-only Thomas Garnier via Virtualization
2017-10-04 21:20 ` Thomas Garnier
2017-10-04 21:20 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:20 ` Thomas Garnier
2017-10-04 21:20 ` Thomas Garnier via Virtualization [this message]
2017-10-04 21:20 ` [RFC v3 25/27] x86/pie: Add option to build the kernel as PIE Thomas Garnier
2017-10-04 21:20 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:20 ` Thomas Garnier
2017-10-04 21:20 ` [RFC v3 26/27] x86/relocs: Add option to generate 64-bit relocations Thomas Garnier via Virtualization
2017-10-04 21:20 ` Thomas Garnier
2017-10-04 21:20 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:20 ` Thomas Garnier
2017-10-04 21:20 ` [RFC v3 27/27] x86/kaslr: Add option to extend KASLR range from 1GB to 3GB Thomas Garnier
2017-10-04 21:20 ` [kernel-hardening] " Thomas Garnier
2017-10-04 21:20 ` Thomas Garnier
2017-10-04 21:20 ` Thomas Garnier via Virtualization
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='20171004212003.28296-26-thgarnie__36813.8131373145$1509079994$gmane$org@google.com' \
--to=virtualization@lists.linux-foundation.org \
--cc=akataria@vmware.com \
--cc=arnd@arndb.de \
--cc=bp@suse.de \
--cc=chrisw@sous-sol.org \
--cc=cl@linux.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=hpa@zytor.com \
--cc=jgross@suse.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kvm@vger.kernel.org \
--cc=len.brown@intel.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-sparse@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=mka@chromium.org \
--cc=pavel@ucw.cz \
--cc=peterz@infradead.org \
--cc=rjw@rjwysocki.net \
--cc=rusty@rustcorp.com.au \
--cc=tglx@linutronix.de \
--cc=thgarnie@google.com \
--cc=thomas.lendacky@amd.com \
--cc=tj@kernel.org \
--cc=x86@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.