| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 Feb 2021 11:52:53 -0800
From: Jian Cai <jiancai@...gle.com>
To: unlisted-recipients:; (no To-header on input)
Cc: ndesaulniers@...gle.com, manojgupta@...gle.com, llozano@...gle.com,
clang-built-linux@...glegroups.com, Jian Cai <jiancai@...gle.com>,
Nathan Chancellor <nathan@...nel.org>,
David Laight <David.Laight@...lab.com>,
Russell King <linux@...linux.org.uk>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Arnd Bergmann <arnd@...db.de>,
Masahiro Yamada <masahiroy@...nel.org>,
Kees Cook <keescook@...omium.org>,
Krzysztof Kozlowski <krzk@...nel.org>,
Ard Biesheuvel <ardb@...nel.org>,
"Andreas Färber" <afaerber@...e.de>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: [PATCH v2] ARM: Implement Clang's SLS mitigation
This patch adds CONFIG_HARDEN_SLS_ALL that can be used to turn on
-mharden-sls=all, which mitigates the straight-line speculation
vulnerability, speculative execution of the instruction following some
unconditional jumps. Notice -mharden-sls= has other options as below,
and this config turns on the strongest option.
all: enable all mitigations against Straight Line Speculation that are implemented.
none: disable all mitigations against Straight Line Speculation.
retbr: enable the mitigation against Straight Line Speculation for RET and BR instructions.
blr: enable the mitigation against Straight Line Speculation for BLR instructions.
Link: https://reviews.llvm.org/D93221
Link: https://reviews.llvm.org/D81404
Link: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions#SLS2
Suggested-by: Manoj Gupta <manojgupta@...gle.com>
Suggested-by: Nathan Chancellor <nathan@...nel.org>
Suggested-by: David Laight <David.Laight@...lab.com>
Signed-off-by: Jian Cai <jiancai@...gle.com>
---
Changes v1 -> v2:
Update the description and patch based on Nathan and David's comments.
arch/arm/Makefile | 4 ++++
arch/arm64/Makefile | 4 ++++
security/Kconfig.hardening | 7 +++++++
3 files changed, 15 insertions(+)
diff --git a/arch/arm/Makefile b/arch/arm/Makefile
index 4aaec9599e8a..11d89ef32da9 100644
--- a/arch/arm/Makefile
+++ b/arch/arm/Makefile
@@ -48,6 +48,10 @@ CHECKFLAGS += -D__ARMEL__
KBUILD_LDFLAGS += -EL
endif
+ifeq ($(CONFIG_HARDEN_SLS_ALL), y)
+KBUILD_CFLAGS += -mharden-sls=all
+endif
+
#
# The Scalar Replacement of Aggregates (SRA) optimization pass in GCC 4.9 and
# later may result in code being generated that handles signed short and signed
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index 90309208bb28..ca7299b356a9 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -34,6 +34,10 @@ $(warning LSE atomics not supported by binutils)
endif
endif
+ifeq ($(CONFIG_HARDEN_SLS_ALL), y)
+KBUILD_CFLAGS += -mharden-sls=all
+endif
+
cc_has_k_constraint := $(call try-run,echo \
'int main(void) { \
asm volatile("and w0, w0, %w0" :: "K" (4294967295)); \
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index 269967c4fc1b..9266d8d1f78f 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -121,6 +121,13 @@ choice
endchoice
+config HARDEN_SLS_ALL
+ bool "enable SLS vulnerability hardening"
+ def_bool $(cc-option,-mharden-sls=all)
+ help
+ Enables straight-line speculation vulnerability hardening
+ at highest level.
+
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
bool "Report forcefully initialized variables"
depends on GCC_PLUGIN_STRUCTLEAK
--
2.30.0.478.g8a0d178c01-goog
Powered by blists - more mailing lists