From patchwork Tue Nov 7 17:38:39 2017
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10047073
From: Kees Cook To: Andrew Morton Cc: Kees Cook , Masahiro Yamada , Arnd Bergmann , linux-kbuild@vger.kernel.org, Josh Triplett , Nicholas Piggin , Laura Abbott , linux-kernel@vger.kernel.org Subject: [PATCH v2 2/3] Makefile: Move stack-protector availability out of Kconfig Date: Tue, 7 Nov 2017 09:38:39 -0800 Message-Id: <1510076320-69931-3-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1510076320-69931-1-git-send-email-keescook@chromium.org> References: <1510076320-69931-1-git-send-email-keescook@chromium.org> Sender: linux-kbuild-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kbuild@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Various portions of the kernel, especially per-architecture pieces, need to know if the compiler is building with the stack protector. This was done in the arch/Kconfig with 'select', but this doesn't allow a way to do auto-detected compiler support. In preparation for creating an on-if-available default, move the logic for the definition of CONFIG_CC_STACKPROTECTOR into the Makefile. Cc: Masahiro Yamada Cc: Arnd Bergmann Cc: linux-kbuild@vger.kernel.org Signed-off-by: Kees Cook --- Makefile | 6 +++++- arch/Kconfig | 8 -------- arch/x86/Kconfig | 2 +- 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/Makefile b/Makefile index caa3f7e6f524..b486c0271866 100644 --- a/Makefile +++ b/Makefile @@ -689,7 +689,7 @@ else endif endif # Find arch-specific stack protector compiler sanity-checking script. -ifdef CONFIG_CC_STACKPROTECTOR +ifdef stackp-name stackp-path := $(srctree)/scripts/gcc-$(SRCARCH)_$(BITS)-has-stack-protector.sh stackp-check := $(wildcard $(stackp-path)) # If the wildcard test matches a test script, run it to check functionality. 
@@ -698,6 +698,10 @@ ifdef CONFIG_CC_STACKPROTECTOR stackp-broken := y endif endif + ifndef stackp-broken + # If the stack protector is functional, enable code that depends on it. + KBUILD_CPPFLAGS += -DCONFIG_CC_STACKPROTECTOR + endif endif KBUILD_CFLAGS += $(stackp-flag) diff --git a/arch/Kconfig b/arch/Kconfig index 1aafb4efbb51..7007c1bfa79c 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -523,12 +523,6 @@ config HAVE_CC_STACKPROTECTOR - its compiler supports the -fstack-protector option - it has implemented a stack canary (e.g. __stack_chk_guard) -config CC_STACKPROTECTOR - def_bool n - help - Set when a stack-protector mode is enabled, so that the build - can enable kernel-side support for the GCC feature. - choice prompt "Stack Protector buffer overflow detection" depends on HAVE_CC_STACKPROTECTOR @@ -549,7 +543,6 @@ config CC_STACKPROTECTOR_NONE config CC_STACKPROTECTOR_REGULAR bool "Regular" - select CC_STACKPROTECTOR help Functions will have the stack-protector canary logic added if they have an 8-byte or larger character array on the stack. @@ -563,7 +556,6 @@ config CC_STACKPROTECTOR_REGULAR config CC_STACKPROTECTOR_STRONG bool "Strong" - select CC_STACKPROTECTOR help Functions will have the stack-protector canary logic added in any of the following conditions: diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 971feac13506..8d3847071707 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -319,7 +319,7 @@ config X86_64_SMP config X86_32_LAZY_GS def_bool y - depends on X86_32 && !CC_STACKPROTECTOR + depends on X86_32 && CC_STACKPROTECTOR_NONE config ARCH_SUPPORTS_UPROBES def_bool y
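Review bot: In the first Makefile hunk (`@@ -689,7 +689,7`), the new guard `ifdef stackp-name` relies on a variable whose assignment is not part of this patch, so a reader of the hunk cannot tell that it is left unset for CC_STACKPROTECTOR_NONE. Since the guard now decides both whether the sanity script runs and whether CONFIG_CC_STACKPROTECTOR gets defined, extend the comment above it to say that `stackp-name` is only set when a protector mode was selected, or state in the commit message which patch in the series introduces it.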
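Review bot: In the second Makefile hunk (`@@ -698,6 +698,10`), the `ifndef stackp-broken` block skips `KBUILD_CPPFLAGS += -DCONFIG_CC_STACKPROTECTOR` when the sanity script fails, but the context line `KBUILD_CFLAGS += $(stackp-flag)` right after it is still applied unconditionally. That leaves a state where the compiler is asked to emit canary code while the kernel-side support that depends on the define is compiled out; please confirm the build stops before compiling in that state, and say so in the added comment. Also note that the symbol now exists only on the preprocessor command line: any Makefile test of `$(CONFIG_CC_STACKPROTECTOR)` or Kconfig `depends on CC_STACKPROTECTOR` elsewhere in the tree will silently evaluate as unset, so the commit message should record that the remaining users were audited.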
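Review bot: In the arch/Kconfig hunk at `@@ -523,12 +523,6`, deleting `config CC_STACKPROTECTOR` also deletes the only help text that explained what the symbol means ("Set when a stack-protector mode is enabled, so that the build can enable kernel-side support"). After this change CONFIG_CC_STACKPROTECTOR no longer appears in .config, so anything that inspects a config file to decide whether the protector is on must look at CC_STACKPROTECTOR_REGULAR or CC_STACKPROTECTOR_STRONG instead. Carry the explanation over to the Makefile comment next to the new `-DCONFIG_CC_STACKPROTECTOR` line and mention the .config change in the commit message.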
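Review bot: In the arch/x86/Kconfig hunk, `depends on X86_32 && CC_STACKPROTECTOR_NONE` is not a strict equivalent of the old `!CC_STACKPROTECTOR`. The new condition follows the user's menu selection, while the C-side define added in the Makefile follows compiler detection via `stackp-broken`. With REGULAR or STRONG selected and a compiler that fails the sanity script, X86_32_LAZY_GS is now off and CONFIG_CC_STACKPROTECTOR is undefined at the same time, a combination the old `select` logic could not produce. Check that the x86_32 code guarded by these two symbols builds and behaves correctly in that case. The condition is also only equivalent while the choice is visible, since the choice itself `depends on HAVE_CC_STACKPROTECTOR`; a one-line comment above the `depends on` would make that assumption explicit.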