[v2b] rust: cfi: add support for CFI_CLANG with Rust

Message ID	20240801-kcfi-v2b-2-c93caed3d121@google.com (mailing list archive)
State	New, archived
Headers	show Received: from mail-yb1-f202.google.com (mail-yb1-f202.google.com [209.85.219.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5C9B814A62E for <linux-kbuild@vger.kernel.org>; Mon, 19 Aug 2024 07:55:24 +0000 (UTC) Date: Mon, 19 Aug 2024 07:55:18 +0000 In-Reply-To: <20240801-kcfi-v2-2-c93caed3d121@google.com> Precedence: bulk Mime-Version: 1.0 References: <20240801-kcfi-v2-2-c93caed3d121@google.com> Message-ID: <20240801-kcfi-v2b-2-c93caed3d121@google.com> Subject: [PATCH v2b] rust: cfi: add support for CFI_CLANG with Rust From: Alice Ryhl <aliceryhl@google.com> To: aliceryhl@google.com Cc: a.hindborg@samsung.com, alex.gaynor@gmail.com, benno.lossin@proton.me, bjorn3_gh@protonmail.com, boqun.feng@gmail.com, gary@garyguo.net, kees@kernel.org, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, masahiroy@kernel.org, mmaurer@google.com, nathan@kernel.org, nicolas@fjasle.eu, ojeda@kernel.org, peterz@infradead.org, rust-for-linux@vger.kernel.org, samitolvanen@google.com, wedsonaf@gmail.com Content-Type: text/plain; charset="UTF-8"
Series	[v2b] rust: cfi: add support for CFI_CLANG with Rust \| expand [v2b] rust: cfi: add support for CFI_CLANG with Rust

Message ID

20240801-kcfi-v2b-2-c93caed3d121@google.com (mailing list archive)

State

New, archived

Headers

Date: Mon, 19 Aug 2024 07:55:18 +0000
In-Reply-To: <20240801-kcfi-v2-2-c93caed3d121@google.com>
Precedence: bulk
Mime-Version: 1.0
References: <20240801-kcfi-v2-2-c93caed3d121@google.com>
Message-ID: <20240801-kcfi-v2b-2-c93caed3d121@google.com>
Subject: [PATCH v2b] rust: cfi: add support for CFI_CLANG with Rust
From: Alice Ryhl <aliceryhl@google.com>
To: aliceryhl@google.com
Cc: a.hindborg@samsung.com, alex.gaynor@gmail.com, benno.lossin@proton.me,
	bjorn3_gh@protonmail.com, boqun.feng@gmail.com, gary@garyguo.net,
	kees@kernel.org, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
	masahiroy@kernel.org, mmaurer@google.com, nathan@kernel.org,
	nicolas@fjasle.eu, ojeda@kernel.org, peterz@infradead.org,
	rust-for-linux@vger.kernel.org, samitolvanen@google.com, wedsonaf@gmail.com
Content-Type: text/plain; charset="UTF-8"

Series

[v2b] rust: cfi: add support for CFI_CLANG with Rust | expand

Commit Message

Alice Ryhl Aug. 19, 2024, 7:55 a.m. UTC

From: Matthew Maurer <mmaurer@google.com>

Make it possible to use the Control Flow Integrity (CFI) sanitizer when
Rust is enabled. Enabling CFI with Rust requires that CFI is configured
to normalize integer types so that all integer types of the same size
and signedness are compatible under CFI.

Rust and C use the same LLVM backend for code generation, so Rust KCFI
is compatible with the KCFI used in the kernel for C. In the case of
FineIBT, CFI also depends on -Zpatchable-function-entry for rewriting
the function prolouge, so we set that flag for Rust as well. The flag
for FineIBT requires rustc 1.80.0 or later, so include a Kconfig
requirement for that.

Enabling Rust will select CFI_ICALL_NORMALIZE_INTEGERS because the flag
is required to use Rust with CFI. Using select rather than `depends on`
avoids the case where Rust is not visible in menuconfig due to
CFI_ICALL_NORMALIZE_INTEGERS not being enabled. One disadvantage of
select is that RUST must `depends on` all of the things that
CFI_ICALL_NORMALIZE_INTEGERS depends on to avoid invalid configurations.

Alice has been using KCFI on her phone for several months, so it is
reasonably well tested on arm64.

Signed-off-by: Matthew Maurer <mmaurer@google.com>
Co-developed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
This is an alternate version that shows how to resolve the conflict with
the "rust: fix export of bss symbols" patch [1].

As for the conflict with the KASAN patchset [2], it should be resolved
by adding both strings to the supported-sanitizers list in sorted order.

[1]: https://lore.kernel.org/r/20240815074519.2684107-2-nmi@metaspace.dk
[2]: https://lore.kernel.org/r/20240812232910.2026387-1-mmaurer@google.com

 Makefile                        | 7 +++++++
 arch/x86/Makefile               | 4 ++++
 init/Kconfig                    | 4 +++-
 rust/Makefile                   | 2 +-
 scripts/generate_rust_target.rs | 1 +
 5 files changed, 16 insertions(+), 2 deletions(-)

Comments

Miguel Ojeda Sept. 16, 2024, 2:07 p.m. UTC | #1

On Mon, Aug 19, 2024 at 9:55 AM Alice Ryhl <aliceryhl@google.com> wrote:
>
> +PADDING_RUSTFLAGS := -Zpatchable-function-entry=$(CONFIG_FUNCTION_PADDING_BYTES),$(CONFIG_FUNCTION_PADDING_BYTES)
> +KBUILD_RUSTFLAGS += $(PADDING_RUSTFLAGS)
> +export PADDING_RUSTFLAGS

It is possible to have CALL_PADDING && !FINEIBT, which means one can
trigger a build error if the compiler is not recent enough. Should we
test for CALL_PADDING here?

> +       depends on !FINEIBT || RUSTC_VERSION >= 108000

Cheers,
Miguel

Miguel Ojeda Sept. 16, 2024, 4:14 p.m. UTC | #2

On Mon, Sep 16, 2024 at 4:07 PM Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
>
> It is possible to have CALL_PADDING && !FINEIBT, which means one can
> trigger a build error if the compiler is not recent enough. Should we
> test for CALL_PADDING here?

Alice confirmed offline that she agrees, so I just changed the
requirement in `rust-next`.

    [ Replaced `!FINEIBT` requirement with `!CALL_PADDING` to prevent
      a build error on older Rust compilers. Fixed typo. - Miguel ]

Cheers,
Miguel

Miguel Ojeda Sept. 18, 2024, 5:14 p.m. UTC | #3

On Mon, Sep 16, 2024 at 6:14 PM Miguel Ojeda
<miguel.ojeda.sandonis@gmail.com> wrote:
>
>     [ Replaced `!FINEIBT` requirement with `!CALL_PADDING` to prevent
>       a build error on older Rust compilers. Fixed typo. - Miguel ]

I also noticed we need Rust 1.81.0 for the flag rather than 1.80.0 --
I will send a patch later and/or rebase.

Cheers,
Miguel

diff --git a/Makefile b/Makefile
index 484c6900337e..2dc39a23005d 100644
--- a/Makefile
+++ b/Makefile
@@ -955,6 +955,13 @@  CC_FLAGS_CFI	:= -fsanitize=kcfi
 ifdef CONFIG_CFI_ICALL_NORMALIZE_INTEGERS
 	CC_FLAGS_CFI	+= -fsanitize-cfi-icall-experimental-normalize-integers
 endif
+ifdef CONFIG_RUST
+	# Always pass -Zsanitizer-cfi-normalize-integers as CONFIG_RUST selects
+	# CONFIG_CFI_ICALL_NORMALIZE_INTEGERS.
+	RUSTC_FLAGS_CFI   := -Zsanitizer=kcfi -Zsanitizer-cfi-normalize-integers
+	KBUILD_RUSTFLAGS += $(RUSTC_FLAGS_CFI)
+	export RUSTC_FLAGS_CFI
+endif
 KBUILD_CFLAGS	+= $(CC_FLAGS_CFI)
 export CC_FLAGS_CFI
 endif
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 801fd85c3ef6..e9b2ee3c8a71 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -237,6 +237,10 @@  ifdef CONFIG_CALL_PADDING
 PADDING_CFLAGS := -fpatchable-function-entry=$(CONFIG_FUNCTION_PADDING_BYTES),$(CONFIG_FUNCTION_PADDING_BYTES)
 KBUILD_CFLAGS += $(PADDING_CFLAGS)
 export PADDING_CFLAGS
+
+PADDING_RUSTFLAGS := -Zpatchable-function-entry=$(CONFIG_FUNCTION_PADDING_BYTES),$(CONFIG_FUNCTION_PADDING_BYTES)
+KBUILD_RUSTFLAGS += $(PADDING_RUSTFLAGS)
+export PADDING_RUSTFLAGS
 endif
 
 KBUILD_LDFLAGS += -m elf_$(UTS_MACHINE)
diff --git a/init/Kconfig b/init/Kconfig
index b0238c4b6e79..306af56a22df 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1905,11 +1905,13 @@  config RUST
 	bool "Rust support"
 	depends on HAVE_RUST
 	depends on RUST_IS_AVAILABLE
-	depends on !CFI_CLANG
 	depends on !MODVERSIONS
 	depends on !GCC_PLUGINS
 	depends on !RANDSTRUCT
 	depends on !DEBUG_INFO_BTF || PAHOLE_HAS_LANG_EXCLUDE
+	depends on !CFI_CLANG || RUSTC_VERSION >= 107900 && $(cc-option,-fsanitize=kcfi -fsanitize-cfi-icall-experimental-normalize-integers)
+	select CFI_ICALL_NORMALIZE_INTEGERS if CFI_CLANG
+	depends on !FINEIBT || RUSTC_VERSION >= 108000
 	help
 	  Enables Rust support in the kernel.
 
diff --git a/rust/Makefile b/rust/Makefile
index 26b16c036fe3..53a17d22f5cd 100644
--- a/rust/Makefile
+++ b/rust/Makefile
@@ -305,7 +305,7 @@  $(obj)/bindings/bindings_helpers_generated.rs: $(src)/helpers.c FORCE
 quiet_cmd_exports = EXPORTS $@
       cmd_exports = \
 	$(NM) -p --defined-only $< \
-		| awk '/ (T|R|D|B) / {printf "EXPORT_SYMBOL_RUST_GPL(%s);\n",$$3}' > $@
+		| awk '$$2~/(T|R|D|B)/ && $$3!~/__cfi/ {printf "EXPORT_SYMBOL_RUST_GPL(%s);\n",$$3}' > $@
 
 $(obj)/exports_core_generated.h: $(obj)/core.o FORCE
 	$(call if_changed,exports)
diff --git a/scripts/generate_rust_target.rs b/scripts/generate_rust_target.rs
index c31657380bf9..9b184099278a 100644
--- a/scripts/generate_rust_target.rs
+++ b/scripts/generate_rust_target.rs
@@ -192,6 +192,7 @@  fn main() {
         }
         ts.push("features", features);
         ts.push("llvm-target", "x86_64-linux-gnu");
+        ts.push("supported-sanitizers", ["kcfi"]);
         ts.push("target-pointer-width", "64");
     } else if cfg.has("X86_32") {
         // This only works on UML, as i386 otherwise needs regparm support in rustc

[v2b] rust: cfi: add support for CFI_CLANG with Rust

Commit Message

Comments

Patch