diff mbox series

How to define some additional KBUILD_CFLAGS after building include/generated/asm-offsets.h ?

Message ID e1b65467-7497-5db4-aa93-1ad00d12af3f@c-s.fr (mailing list archive)
State New, archived
Headers show
Series How to define some additional KBUILD_CFLAGS after building include/generated/asm-offsets.h ? | expand

Commit Message

Christophe Leroy Sept. 18, 2018, 11:41 p.m. UTC
I'm trying to implement TLS based stack protector in the Linux Kernel.
For that I need to give to GCC the offset at which it will find the 
canary (register r2 is pointing to the current task struct).

I have been able to do it with the below patch, but it only works when 
include/generated/asm-offsets.h already exists from the start of the build.

Is there a way to evaluate CANARY_OFFSET and add the stack-protector 
flags to KBUILD_FLAGS only after include/generated/asm-offsets.h is built ?

Or another way of add -mstack-protector-guard-offset=offsetof(struct 
task_struct, stack_canary) ?

  LDFLAGS_vmlinux-y := -Bstatic


Thanks
Christophe

Comments

Michael Ellerman Sept. 24, 2018, 12:10 p.m. UTC | #1
Christophe Leroy <christophe.leroy@c-s.fr> writes:

> I'm trying to implement TLS based stack protector in the Linux Kernel.
> For that I need to give to GCC the offset at which it will find the 
> canary (register r2 is pointing to the current task struct).
>
> I have been able to do it with the below patch, but it only works when 
> include/generated/asm-offsets.h already exists from the start of the build.
>
> Is there a way to evaluate CANARY_OFFSET and add the stack-protector 
> flags to KBUILD_FLAGS only after include/generated/asm-offsets.h is built ?
>
> Or another way of add -mstack-protector-guard-offset=offsetof(struct 
> task_struct, stack_canary) ?

This seems to work, at least I see the value in CFLAGS:

diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
index 07d9dce..39ee113 100644
--- a/arch/powerpc/Makefile
+++ b/arch/powerpc/Makefile
@@ -404,6 +394,11 @@ archclean:
 
 archprepare: checkbin
 
+prepare: stack_protector_prepare
+
+stack_protector_prepare: prepare0
+	$(eval KBUILD_CFLAGS += -mstack-protector-guard-offset=$(shell awk '{if ($$2 == "TSK_STACK_CANARY") print $$3;}' include/generated/asm-offsets.h))
+
 # Use the file '.tmp_gas_check' for binutils tests, as gas won't output
 # to stdout and these checks are run even on install targets.
 TOUT	:= .tmp_gas_check


cheers
Christophe Leroy Sept. 24, 2018, 3:26 p.m. UTC | #2
Le 24/09/2018 à 14:10, Michael Ellerman a écrit :
> Christophe Leroy <christophe.leroy@c-s.fr> writes:
> 
>> I'm trying to implement TLS based stack protector in the Linux Kernel.
>> For that I need to give to GCC the offset at which it will find the
>> canary (register r2 is pointing to the current task struct).
>>
>> I have been able to do it with the below patch, but it only works when
>> include/generated/asm-offsets.h already exists from the start of the build.
>>
>> Is there a way to evaluate CANARY_OFFSET and add the stack-protector
>> flags to KBUILD_FLAGS only after include/generated/asm-offsets.h is built ?
>>
>> Or another way of add -mstack-protector-guard-offset=offsetof(struct
>> task_struct, stack_canary) ?
> 
> This seems to work, at least I see the value in CFLAGS:
> 
> diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
> index 07d9dce..39ee113 100644
> --- a/arch/powerpc/Makefile
> +++ b/arch/powerpc/Makefile
> @@ -404,6 +394,11 @@ archclean:
>   
>   archprepare: checkbin
>   
> +prepare: stack_protector_prepare
> +
> +stack_protector_prepare: prepare0
> +	$(eval KBUILD_CFLAGS += -mstack-protector-guard-offset=$(shell awk '{if ($$2 == "TSK_STACK_CANARY") print $$3;}' include/generated/asm-offsets.h))
> +

Great, it works !
Thanks, I have sent v3 of the patches.

Christophe

>   # Use the file '.tmp_gas_check' for binutils tests, as gas won't output
>   # to stdout and these checks are run even on install targets.
>   TOUT	:= .tmp_gas_check
> 
> 
> cheers
>
Michael Ellerman Sept. 25, 2018, 1:16 a.m. UTC | #3
Christophe LEROY <christophe.leroy@c-s.fr> writes:

> Le 24/09/2018 à 14:10, Michael Ellerman a écrit :
>> Christophe Leroy <christophe.leroy@c-s.fr> writes:
>> 
>>> I'm trying to implement TLS based stack protector in the Linux Kernel.
>>> For that I need to give to GCC the offset at which it will find the
>>> canary (register r2 is pointing to the current task struct).
>>>
>>> I have been able to do it with the below patch, but it only works when
>>> include/generated/asm-offsets.h already exists from the start of the build.
>>>
>>> Is there a way to evaluate CANARY_OFFSET and add the stack-protector
>>> flags to KBUILD_FLAGS only after include/generated/asm-offsets.h is built ?
>>>
>>> Or another way of add -mstack-protector-guard-offset=offsetof(struct
>>> task_struct, stack_canary) ?
>> 
>> This seems to work, at least I see the value in CFLAGS:
>> 
>> diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
>> index 07d9dce..39ee113 100644
>> --- a/arch/powerpc/Makefile
>> +++ b/arch/powerpc/Makefile
>> @@ -404,6 +394,11 @@ archclean:
>>   
>>   archprepare: checkbin
>>   
>> +prepare: stack_protector_prepare
>> +
>> +stack_protector_prepare: prepare0
>> +	$(eval KBUILD_CFLAGS += -mstack-protector-guard-offset=$(shell awk '{if ($$2 == "TSK_STACK_CANARY") print $$3;}' include/generated/asm-offsets.h))
>> +
>
> Great, it works !
> Thanks, I have sent v3 of the patches.

Cool.

It would be good to here from someone who knows Kbuild better than me if
this is acceptable or just a gross hack :)

cheers
Michael Ellerman Sept. 25, 2018, 12:39 p.m. UTC | #4
Michael Ellerman <mpe@ellerman.id.au> writes:
> Christophe LEROY <christophe.leroy@c-s.fr> writes:
>> Le 24/09/2018 à 14:10, Michael Ellerman a écrit :
>>> Christophe Leroy <christophe.leroy@c-s.fr> writes:
>>>> I'm trying to implement TLS based stack protector in the Linux Kernel.
>>>> For that I need to give to GCC the offset at which it will find the
>>>> canary (register r2 is pointing to the current task struct).
>>>>
>>>> I have been able to do it with the below patch, but it only works when
>>>> include/generated/asm-offsets.h already exists from the start of the build.
>>>>
>>>> Is there a way to evaluate CANARY_OFFSET and add the stack-protector
>>>> flags to KBUILD_FLAGS only after include/generated/asm-offsets.h is built ?
>>>>
>>>> Or another way of add -mstack-protector-guard-offset=offsetof(struct
>>>> task_struct, stack_canary) ?
>>> 
>>> This seems to work, at least I see the value in CFLAGS:
>>> 
>>> diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
>>> index 07d9dce..39ee113 100644
>>> --- a/arch/powerpc/Makefile
>>> +++ b/arch/powerpc/Makefile
>>> @@ -404,6 +394,11 @@ archclean:
>>>   
>>>   archprepare: checkbin
>>>   
>>> +prepare: stack_protector_prepare
>>> +
>>> +stack_protector_prepare: prepare0
>>> +	$(eval KBUILD_CFLAGS += -mstack-protector-guard-offset=$(shell awk '{if ($$2 == "TSK_STACK_CANARY") print $$3;}' include/generated/asm-offsets.h))
>>> +
>>
>> Great, it works !
>> Thanks, I have sent v3 of the patches.
>
> Cool.
>
> It would be good to here from someone who knows Kbuild better than me if
                      ^
                      hear

Still learning English.

cheers
Masahiro Yamada Sept. 27, 2018, 5:24 a.m. UTC | #5
Hi.

2018-09-25 10:16 GMT+09:00 Michael Ellerman <mpe@ellerman.id.au>:
> Christophe LEROY <christophe.leroy@c-s.fr> writes:
>
>> Le 24/09/2018 à 14:10, Michael Ellerman a écrit :
>>> Christophe Leroy <christophe.leroy@c-s.fr> writes:
>>>
>>>> I'm trying to implement TLS based stack protector in the Linux Kernel.
>>>> For that I need to give to GCC the offset at which it will find the
>>>> canary (register r2 is pointing to the current task struct).
>>>>
>>>> I have been able to do it with the below patch, but it only works when
>>>> include/generated/asm-offsets.h already exists from the start of the build.
>>>>
>>>> Is there a way to evaluate CANARY_OFFSET and add the stack-protector
>>>> flags to KBUILD_FLAGS only after include/generated/asm-offsets.h is built ?
>>>>
>>>> Or another way of add -mstack-protector-guard-offset=offsetof(struct
>>>> task_struct, stack_canary) ?
>>>
>>> This seems to work, at least I see the value in CFLAGS:
>>>
>>> diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
>>> index 07d9dce..39ee113 100644
>>> --- a/arch/powerpc/Makefile
>>> +++ b/arch/powerpc/Makefile
>>> @@ -404,6 +394,11 @@ archclean:
>>>
>>>   archprepare: checkbin
>>>
>>> +prepare: stack_protector_prepare
>>> +
>>> +stack_protector_prepare: prepare0
>>> +    $(eval KBUILD_CFLAGS += -mstack-protector-guard-offset=$(shell awk '{if ($$2 == "TSK_STACK_CANARY") print $$3;}' include/generated/asm-offsets.h))
>>> +
>>
>> Great, it works !
>> Thanks, I have sent v3 of the patches.
>
> Cool.
>
> It would be good to here from someone who knows Kbuild better than me if
> this is acceptable or just a gross hack :)


I am fine with this solution.

Thanks.
Michael Ellerman Sept. 27, 2018, 6:31 a.m. UTC | #6
Masahiro Yamada <yamada.masahiro@socionext.com> writes:
> 2018-09-25 10:16 GMT+09:00 Michael Ellerman <mpe@ellerman.id.au>:
>> Christophe LEROY <christophe.leroy@c-s.fr> writes:
>>
>>> Le 24/09/2018 à 14:10, Michael Ellerman a écrit :
>>>> Christophe Leroy <christophe.leroy@c-s.fr> writes:
>>>>
>>>>> I'm trying to implement TLS based stack protector in the Linux Kernel.
>>>>> For that I need to give to GCC the offset at which it will find the
>>>>> canary (register r2 is pointing to the current task struct).
>>>>>
>>>>> I have been able to do it with the below patch, but it only works when
>>>>> include/generated/asm-offsets.h already exists from the start of the build.
>>>>>
>>>>> Is there a way to evaluate CANARY_OFFSET and add the stack-protector
>>>>> flags to KBUILD_FLAGS only after include/generated/asm-offsets.h is built ?
>>>>>
>>>>> Or another way of add -mstack-protector-guard-offset=offsetof(struct
>>>>> task_struct, stack_canary) ?
>>>>
>>>> This seems to work, at least I see the value in CFLAGS:
>>>>
>>>> diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
>>>> index 07d9dce..39ee113 100644
>>>> --- a/arch/powerpc/Makefile
>>>> +++ b/arch/powerpc/Makefile
>>>> @@ -404,6 +394,11 @@ archclean:
>>>>
>>>>   archprepare: checkbin
>>>>
>>>> +prepare: stack_protector_prepare
>>>> +
>>>> +stack_protector_prepare: prepare0
>>>> +    $(eval KBUILD_CFLAGS += -mstack-protector-guard-offset=$(shell awk '{if ($$2 == "TSK_STACK_CANARY") print $$3;}' include/generated/asm-offsets.h))
>>>> +
>>>
>>> Great, it works !
>>> Thanks, I have sent v3 of the patches.
>>
>> Cool.
>>
>> It would be good to here from someone who knows Kbuild better than me if
>> this is acceptable or just a gross hack :)
>
> I am fine with this solution.

Thanks.

cheers
diff mbox series

Patch

diff --git a/arch/powerpc/kernel/asm-offsets.c 
b/arch/powerpc/kernel/asm-offsets.c
index 89cf15566c4e..b25483946921 100644
--- a/arch/powerpc/kernel/asm-offsets.c
+++ b/arch/powerpc/kernel/asm-offsets.c
@@ -89,6 +89,9 @@  int main(void)
         DEFINE(THREAD_INFO_GAP, _ALIGN_UP(sizeof(struct thread_info), 16));
         OFFSET(KSP_LIMIT, thread_struct, ksp_limit);
  #endif /* CONFIG_PPC64 */
+#ifdef CONFIG_STACKPROTECTOR
+       DEFINE(TSK_STACK_CANARY, offsetof(struct task_struct, 
stack_canary));
+#endif

  #ifdef CONFIG_LIVEPATCH
         OFFSET(TI_livepatch_sp, thread_info, livepatch_sp);
diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S
index e58c3f467db5..051b907b5c02 100644
[root@pc16082vm linux-powerpc]# git diff
diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
index 748e34e81a03..7b5a23a8afe8 100644
--- a/arch/powerpc/Makefile
+++ b/arch/powerpc/Makefile
@@ -113,7 +113,8 @@  KBUILD_ARFLAGS      += --target=elf$(BITS)-$(GNUTARGET)
  endif

  ifdef CONFIG_STACKPROTECTOR
-KBUILD_CFLAGS  += -mstack-protector-guard=global
+CANARY_OFFSET := $(shell awk '{if ($$2 == "TSK_STACK_CANARY") print 
$$3;}' include/generated/asm-offsets.h)
+KBUILD_CFLAGS  += -mstack-protector-guard=tls 
-mstack-protector-guard-reg=r2 
-mstack-protector-guard-offset=$(CANARY_OFFSET)
  endif