From: Alexander Lobakin <alexandr.lobakin@intel.com>
To: linux-hardening@vger.kernel.org, x86@kernel.org
Cc: Alexander Lobakin <alexandr.lobakin@intel.com>,
Jesse Brandeburg <jesse.brandeburg@intel.com>,
Kristen Carlson Accardi <kristen@linux.intel.com>,
Kees Cook <keescook@chromium.org>,
Miklos Szeredi <miklos@szeredi.hu>,
Ard Biesheuvel <ardb@kernel.org>, Tony Luck <tony.luck@intel.com>,
Bruce Schlobohm <bruce.schlobohm@intel.com>,
Jessica Yu <jeyu@kernel.org>, kernel test robot <lkp@intel.com>,
Miroslav Benes <mbenes@suse.cz>,
Evgenii Shatokhin <eshatokhin@virtuozzo.com>,
Jonathan Corbet <corbet@lwn.net>,
Masahiro Yamada <masahiroy@kernel.org>,
Michal Marek <michal.lkml@markovi.net>,
Nick Desaulniers <ndesaulniers@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Thomas Gleixner <tglx@linutronix.de>,
Will Deacon <will@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Arnd Bergmann <arnd@arndb.de>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Nathan Chancellor <nathan@kernel.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Marios Pomonis <pomonis@google.com>,
Sami Tolvanen <samitolvanen@google.com>,
"H.J. Lu" <hjl.tools@gmail.com>, Nicolas Pitre <nico@fluxnic.net>,
linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org,
linux-arch@vger.kernel.org, live-patching@vger.kernel.org,
llvm@lists.linux.dev
Subject: [PATCH v9 07/15] Makefile: Add build and config option for CONFIG_FG_KASLR
Date: Thu, 23 Dec 2021 01:22:01 +0100
Message-ID: <20211223002209.1092165-8-alexandr.lobakin@intel.com>
In-Reply-To: <20211223002209.1092165-1-alexandr.lobakin@intel.com>

From: Kristen Carlson Accardi <kristen@linux.intel.com>

Allow user to select CONFIG_FG_KASLR if dependencies are met. Change
the make file to build with -ffunction-sections if CONFIG_FG_KASLR.

While the only architecture that supports CONFIG_FG_KASLR does not
currently enable HAVE_LD_DEAD_CODE_DATA_ELIMINATION, make sure these
2 features play nicely together for the future by ensuring that if
CONFIG_LD_DEAD_CODE_DATA_ELIMINATION is selected when used with
CONFIG_FG_KASLR the function sections will not be consolidated back
into .text. Thanks to Kees Cook for the dead code elimination changes.

alobakin:

Improve cflags management in the top Makefile: don't turn on
-f{data,function}-sections with ClangLTO as this is a no-op
provoking a full rebuild.

Add ".symtab_shndx" to the list of known sections since we are going
to support it. Otherwise LD will emit a warning when there are more
than 64k sections and CONFIG_LD_ORPHAN_WARN=y.

Turn ".text" LD script wildcard into ".text.__unused__" to make sure
all kernel code will land into our special sections.

Make FG-KASLR depend on `-z unique-symbol`. With every function being
in a separate section (randomly ordered each boot), position-based
search is impossible. This flag is likely to be widely available.

Signed-off-by: Kristen Carlson Accardi <kristen@linux.intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Tony Luck <tony.luck@intel.com>
Co-developed-by: Alexander Lobakin <alexandr.lobakin@intel.com>
Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
---
Makefile | 17 ++++++++++++++---
arch/Kconfig | 6 +++++-
include/asm-generic/vmlinux.lds.h | 20 ++++++++++++++++++--
include/linux/linkage.h | 3 ++-
init/Kconfig | 18 ++++++++++++++++--
5 files changed, 55 insertions(+), 9 deletions(-)
diff --git a/Makefile b/Makefile
index b921b1fabf70..3346269341d4 100644
--- a/Makefile
+++ b/Makefile
@@ -883,7 +883,7 @@ KBUILD_CFLAGS += -fno-inline-functions-called-once
endif
# Prefer linking with the `-z unique-symbol` if available, this eliminates
-# position-based search
+# position-based search. Also is a requirement for FG-KASLR
ifeq ($(CONFIG_LD_HAS_Z_UNIQUE_SYMBOL)$(CONFIG_LIVEPATCH),yy)
KBUILD_LDFLAGS += -z unique-symbol
endif
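Review bot: the updated comment calls `-z unique-symbol` a requirement for FG-KASLR, but the `ifeq` right below it still tests only `$(CONFIG_LD_HAS_Z_UNIQUE_SYMBOL)$(CONFIG_LIVEPATCH)` against `yy`, so a build with CONFIG_FG_KASLR=y and CONFIG_LIVEPATCH unset never gets the flag. The Kconfig entry added later in this patch (`depends on LD_HAS_Z_UNIQUE_SYMBOL || !LIVEPATCH`) likewise allows FG_KASLR without linker support when LIVEPATCH is off. Either add CONFIG_FG_KASLR to the condition here, or reword the comment and the commit message to say the flag is required only when FG-KASLR is combined with livepatch.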
@@ -892,7 +892,7 @@ endif
# `include/linux/linkage.h` for explanation. This flag is to enable GAS to
# insert the name of the previous section instead of `%S` inside .pushsection
ifdef CONFIG_HAVE_ASM_FUNCTION_SECTIONS
-ifneq ($(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION)$(CONFIG_LTO_CLANG),)
+ifneq ($(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION)$(CONFIG_LTO_CLANG)$(CONFIG_FG_KASLR),)
SECSUBST_AFLAGS := -Wa,--sectname-subst
KBUILD_AFLAGS_KERNEL += $(SECSUBST_AFLAGS)
KBUILD_CFLAGS_KERNEL += $(SECSUBST_AFLAGS)
@@ -906,8 +906,19 @@ KBUILD_CFLAGS_MODULE += -Wa,--sectname-subst
endif
endif # CONFIG_HAVE_ASM_FUNCTION_SECTIONS
+# ClangLTO implies `-ffunction-sections -fdata-sections`, no need
+# to specify them manually and trigger a pointless full rebuild
+ifndef CONFIG_LTO_CLANG
+ifneq ($(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION)$(CONFIG_FG_KASLR),)
+KBUILD_CFLAGS_KERNEL += -ffunction-sections
+endif
+
+ifdef CONFIG_LD_DEAD_CODE_DATA_ELIMINATION
+KBUILD_CFLAGS_KERNEL += -fdata-sections
+endif
+endif # CONFIG_LTO_CLANG
+
ifdef CONFIG_LD_DEAD_CODE_DATA_ELIMINATION
-KBUILD_CFLAGS_KERNEL += -ffunction-sections -fdata-sections
LDFLAGS_vmlinux += --gc-sections
endif
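Review bot: the closing `endif # CONFIG_LTO_CLANG` terminates an `ifndef`, so the trailing comment should read `# !CONFIG_LTO_CLANG` to match the polarity of the block it closes. The result also leaves two adjacent `ifdef CONFIG_LD_DEAD_CODE_DATA_ELIMINATION` tests, one for `-fdata-sections` inside the non-LTO block and one for `--gc-sections` outside it; a short comment on the second saying it applies with or without ClangLTO would make it clear why they are not merged.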
diff --git a/arch/Kconfig b/arch/Kconfig
index b31a836bc252..01c026d090d4 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -1316,7 +1316,11 @@ config ARCH_SUPPORTS_ASM_FUNCTION_SECTIONS
bool
help
An arch should select this if it can be built and run with its
- ASM functions placed into separate sections to improve DCE and LTO.
+ ASM functions placed into separate sections to improve DCE, LTO
+ and FG-KASLR.
+
+config ARCH_SUPPORTS_FG_KASLR
+ bool
source "kernel/gcov/Kconfig"
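Review bot: `config ARCH_SUPPORTS_FG_KASLR` is added as a bare `bool` with no help text, while ARCH_SUPPORTS_ASM_FUNCTION_SECTIONS directly above it documents what an arch commits to by selecting it. Please add a help paragraph in the same style stating what an architecture must provide before it selects this symbol, so arch maintainers do not have to read the rest of the series to find out.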
diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index e7b8a84e0e64..586465b2abb2 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -100,14 +100,12 @@
* sections to be brought in with rodata.
*/
#if defined(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION) || defined(CONFIG_LTO_CLANG)
-#define TEXT_MAIN SECT_WILDCARD(.text)
#define DATA_MAIN SECT_WILDCARD(.data) .data..L* .data..compoundliteral* .data.$__unnamed_* .data.$L*
#define SDATA_MAIN SECT_WILDCARD(.sdata)
#define RODATA_MAIN SECT_WILDCARD(.rodata) .rodata..L*
#define BSS_MAIN SECT_WILDCARD(.bss) .bss..compoundliteral*
#define SBSS_MAIN SECT_WILDCARD(.sbss)
#else
-#define TEXT_MAIN .text
#define DATA_MAIN .data
#define SDATA_MAIN .sdata
#define RODATA_MAIN .rodata
@@ -115,6 +113,23 @@
#define SBSS_MAIN .sbss
#endif
+/*
+ * LTO_CLANG, LD_DEAD_CODE_DATA_ELIMINATION and FG_KASLR options enable
+ * -ffunction-sections, which produces separately named .text sections. In
+ * the case of CONFIG_FG_KASLR, they need to stay distict so they can be
+ * separately randomized. Without CONFIG_FG_KASLR, the separate .text
+ * sections can be collected back into a common section, which makes the
+ * resulting image slightly smaller
+ */
+#if (defined(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION) || \
+ defined(CONFIG_LTO_CLANG)) && !defined(CONFIG_FG_KASLR)
+#define TEXT_MAIN SECT_WILDCARD(.text)
+#elif defined(CONFIG_FG_KASLR)
+#define TEXT_MAIN .text.__unused__
+#else
+#define TEXT_MAIN .text
+#endif
+
/*
* GCC 4.5 and later have a 32 bytes section alignment for structures.
* Except GCC 4.9, that feels the need to align on 64 bytes.
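Review bot: the new comment block explains why the per-function .text sections must stay distinct under CONFIG_FG_KASLR, but it never explains `.text.__unused__` in the `#elif defined(CONFIG_FG_KASLR)` branch. Going by the commit message, the name is there so that TEXT_MAIN stops collecting `.text`; the comment should say so and state where an input section still named plain `.text` ends up in that configuration. Two smaller points in the same block: "distict" should be "distinct", and testing `defined(CONFIG_FG_KASLR)` first would remove the need for the `&& !defined(CONFIG_FG_KASLR)` clause on the first branch.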
@@ -843,6 +858,7 @@
#define ELF_DETAILS \
.comment 0 : { *(.comment) } \
.symtab 0 : { *(.symtab) } \
+ .symtab_shndx 0 : { *(.symtab_shndx) } \
.strtab 0 : { *(.strtab) } \
.shstrtab 0 : { *(.shstrtab) }
diff --git a/include/linux/linkage.h b/include/linux/linkage.h
index 0c0ddf4429dc..f3c96fb6a534 100644
--- a/include/linux/linkage.h
+++ b/include/linux/linkage.h
@@ -75,10 +75,11 @@
/*
* Allow ASM symbols to have their own unique sections if they are being
- * generated by the compiler for C functions (DCE, LTO).
+ * generated by the compiler for C functions (DCE, FG-KASLR, LTO).
*/
#if defined(CONFIG_HAVE_ASM_FUNCTION_SECTIONS) && \
((defined(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION) && !defined(MODULE)) || \
+ (defined(CONFIG_FG_KASLR) && !defined(MODULE)) || \
(defined(CONFIG_LTO_CLANG)))
#define SYM_PUSH_SECTION(name) \
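Review bot: the added line `(defined(CONFIG_FG_KASLR) && !defined(MODULE)) || \` repeats the `!defined(MODULE)` test already applied to CONFIG_LD_DEAD_CODE_DATA_ELIMINATION on the line before it. Folding the two into `((defined(CONFIG_LD_DEAD_CODE_DATA_ELIMINATION) || defined(CONFIG_FG_KASLR)) && !defined(MODULE))` shortens the condition and makes it obvious that only the CONFIG_LTO_CLANG case applies to modules.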
diff --git a/init/Kconfig b/init/Kconfig
index 3babc0aeac61..a74b3c3acb49 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1394,8 +1394,8 @@ config HAVE_ASM_FUNCTION_SECTIONS
This enables ASM function sections if both architecture
and toolchain supports that. It allows creating a separate
.text section for each ASM function in order to improve
- DCE and LTO (works the same way as -ffunction-sections for
- C code).
+ DCE, LTO and FG-KASLR (works the same way as -ffunction-sections
+ for C code).
config HAVE_LD_DEAD_CODE_DATA_ELIMINATION
bool
@@ -2065,6 +2065,20 @@ config PROFILING
config TRACEPOINTS
bool
+config FG_KASLR
+ bool "Function Granular Kernel Address Space Layout Randomization"
+ depends on ARCH_SUPPORTS_FG_KASLR
+ depends on $(cc-option,-ffunction-sections)
+ depends on LD_HAS_Z_UNIQUE_SYMBOL || !LIVEPATCH
+ help
+ This option improves the randomness of the kernel text
+ over basic Kernel Address Space Layout Randomization (KASLR)
+ by reordering the kernel text at boot time. This feature
+ uses information generated at compile time to re-layout the
+ kernel text section at boot time at function level granularity.
+
+ If unsure, say N.
+
endmenu # General setup
source "arch/Kconfig"
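Review bot: `depends on LD_HAS_Z_UNIQUE_SYMBOL || !LIVEPATCH` in the new FG_KASLR entry is not self-explanatory and reads differently from the commit message, which says FG-KASLR depends on `-z unique-symbol`; as written, the linker flag is required only when LIVEPATCH is enabled. A one-line comment above that dependency stating the intent would help. The help text also describes only the benefit; since the advice is "If unsure, say N", it should tell the user what the option changes or costs so the choice can be made from menuconfig alone.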
--
2.33.1