lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 17 Dec 2020 20:29:35 +0100
From:   Ard Biesheuvel <ardb@...nel.org>
To:     Nick Desaulniers <ndesaulniers@...gle.com>
Cc:     Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will@...nel.org>,
        kernel-team <kernel-team@...roid.com>,
        Peter Smith <Peter.Smith@....com>,
        clang-built-linux <clang-built-linux@...glegroups.com>,
        stable <stable@...r.kernel.org>,
        Fāng-ruì Sòng <maskray@...gle.com>,
        Quentin Perret <qperret@...gle.com>,
        Alan Modra <amodra@...il.com>,
        "kernelci . org bot" <bot@...nelci.org>,
        Linux ARM <linux-arm-kernel@...ts.infradead.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] arm64: link with -z norelro for LLD or aarch64-elf

On Thu, 17 Dec 2020 at 01:41, Nick Desaulniers <ndesaulniers@...gle.com> wrote:
>
> With newer GNU binutils, linking with BFD produces warnings for vmlinux:
> aarch64-linux-gnu-ld: warning: -z norelro ignored
>
> BFD can produce this warning when the target emulation mode does not
> support RELRO relocation types, and -z relro or -z norelro is passed.
>

RELRO is not a relocation type, it is a type of program header which
we might simply ignore, if it weren't for the fact that it can only be
emitted if the layout of the sections adheres to certain rules (and
ours doesn't), and we get an error otherwise.

It amounts to implicit __ro_after_init annotations for statically
initialized const pointers, but given that we don't compile with
-fpie, those const pointers reside in .rodata already, so RELRO adds
no value for us.

> Alan Modra clarifies:
>   The default linker emulation for an aarch64-linux ld.bfd is
>   -maarch64linux, the default for an aarch64-elf linker is
>   -maarch64elf.  They are not equivalent.  If you choose -maarch64elf
>   you get an emulation that doesn't support -z relro.
>
> The ARCH=arm64 kernel prefers -maarch64elf, but may fall back to
> -maarch64linux based on the toolchain configuration.
>
> LLD will always create RELRO relocation types regardless of target
> emulation.
>

RELRO program header

> To avoid the above warning when linking with BFD, pass -z norelro only
> when linking with LLD or with -maarch64linux.
>
> Cc: Alan Modra <amodra@...il.com>
> Cc: Ard Biesheuvel <ardb@...nel.org>
> Cc: Fāng-ruì Sòng <maskray@...gle.com>
> Fixes: 3b92fa7485eb ("arm64: link with -z norelro regardless of CONFIG_RELOCATABLE")
> Reported-by: kernelci.org bot <bot@...nelci.org>
> Reported-by: Quentin Perret <qperret@...gle.com>
> Signed-off-by: Nick Desaulniers <ndesaulniers@...gle.com>

With mentions of 'RELRO relocation types' fixed:

Acked-by: Ard Biesheuvel <ardb@...nel.org>



> ---
>  arch/arm64/Makefile | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
> index 6be9b3750250..90309208bb28 100644
> --- a/arch/arm64/Makefile
> +++ b/arch/arm64/Makefile
> @@ -10,7 +10,7 @@
>  #
>  # Copyright (C) 1995-2001 by Russell King
>
> -LDFLAGS_vmlinux        :=--no-undefined -X -z norelro
> +LDFLAGS_vmlinux        :=--no-undefined -X
>
>  ifeq ($(CONFIG_RELOCATABLE), y)
>  # Pass --no-apply-dynamic-relocs to restore pre-binutils-2.27 behaviour
> @@ -115,16 +115,20 @@ KBUILD_CPPFLAGS   += -mbig-endian
>  CHECKFLAGS     += -D__AARCH64EB__
>  # Prefer the baremetal ELF build target, but not all toolchains include
>  # it so fall back to the standard linux version if needed.
> -KBUILD_LDFLAGS += -EB $(call ld-option, -maarch64elfb, -maarch64linuxb)
> +KBUILD_LDFLAGS += -EB $(call ld-option, -maarch64elfb, -maarch64linuxb -z norelro)
>  UTS_MACHINE    := aarch64_be
>  else
>  KBUILD_CPPFLAGS        += -mlittle-endian
>  CHECKFLAGS     += -D__AARCH64EL__
>  # Same as above, prefer ELF but fall back to linux target if needed.
> -KBUILD_LDFLAGS += -EL $(call ld-option, -maarch64elf, -maarch64linux)
> +KBUILD_LDFLAGS += -EL $(call ld-option, -maarch64elf, -maarch64linux -z norelro)
>  UTS_MACHINE    := aarch64
>  endif
>
> +ifeq ($(CONFIG_LD_IS_LLD), y)
> +KBUILD_LDFLAGS += -z norelro
> +endif
> +
>  CHECKFLAGS     += -D__aarch64__
>
>  ifeq ($(CONFIG_DYNAMIC_FTRACE_WITH_REGS),y)
> --
> 2.29.2.684.gfbc64c5ab5-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ