| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210212051500.943179-1-jiancai@google.com>
Date: Thu, 11 Feb 2021 21:14:58 -0800
From: Jian Cai <jiancai@...gle.com>
To: unlisted-recipients:; (no To-header on input)
Cc: ndesaulniers@...gle.com, manojgupta@...gle.com, llozano@...gle.com,
clang-built-linux@...glegroups.com, Jian Cai <jiancai@...gle.com>,
Russell King <linux@...linux.org.uk>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Nathan Chancellor <nathan@...nel.org>,
Arnd Bergmann <arnd@...db.de>,
Masahiro Yamada <masahiroy@...nel.org>,
Kees Cook <keescook@...omium.org>,
Ard Biesheuvel <ardb@...nel.org>,
Daniel Palmer <daniel@...f.com>,
"Andreas Färber" <afaerber@...e.de>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: [PATCH] ARM: Implement Clang's SLS mitigation
This patch adds a config CONFIG_HARDEN_SLS_ALL that can be used to turn
on -mharden-sls=all, which mitigates the straight-line speculation
vulnerability, or more commonly known as Spectre, Meldown.
Notice -mharden-sls= has other options as below, and this config turns
on the strongest option.
all: enable all mitigations against Straight Line Speculation that are implemented.
none: disable all mitigations against Straight Line Speculation.
retbr: enable the mitigation against Straight Line Speculation for RET and BR instructions.
blr: enable the mitigation against Straight Line Speculation for BLR instructions.
Link: https://reviews.llvm.org/D93221
Link: https://reviews.llvm.org/D81404
Link: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation
Link: https://crbug.com/1171521
Suggested-by: Manoj Gupta <manojgupta@...gle.com>
Signed-off-by: Jian Cai <jiancai@...gle.com>
---
arch/arm/Makefile | 4 ++++
arch/arm64/Makefile | 5 +++++
security/Kconfig.hardening | 11 +++++++++++
3 files changed, 20 insertions(+)
diff --git a/arch/arm/Makefile b/arch/arm/Makefile
index 4aaec9599e8a..11d89ef32da9 100644
--- a/arch/arm/Makefile
+++ b/arch/arm/Makefile
@@ -48,6 +48,10 @@ CHECKFLAGS += -D__ARMEL__
KBUILD_LDFLAGS += -EL
endif
+ifeq ($(CONFIG_HARDEN_SLS_ALL), y)
+KBUILD_CFLAGS += -mharden-sls=all
+endif
+
#
# The Scalar Replacement of Aggregates (SRA) optimization pass in GCC 4.9 and
# later may result in code being generated that handles signed short and signed
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index 90309208bb28..8fd0ccd87eca 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -34,6 +34,11 @@ $(warning LSE atomics not supported by binutils)
endif
endif
+ifeq ($(CONFIG_HARDEN_SLS_ALL), y)
+KBUILD_CFLAGS += -mharden-sls=all
+endif
+
+
cc_has_k_constraint := $(call try-run,echo \
'int main(void) { \
asm volatile("and w0, w0, %w0" :: "K" (4294967295)); \
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index 269967c4fc1b..d83c406c81a3 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -121,6 +121,17 @@ choice
endchoice
+
+config CC_HAS_HARDEN_SLS_ALL
+ def_bool $(cc-option,-mharden-sls=all)
+
+ config HARDEN_SLS_ALL
+ bool "enable SLS vulnerability hardening"
+ depends on CC_HAS_HARDEN_SLS_ALL
+ help
+ Enables straight-line speculation vulnerability hardening
+ at highest level.
+
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
bool "Report forcefully initialized variables"
depends on GCC_PLUGIN_STRUCTLEAK
--
2.30.0.478.g8a0d178c01-goog
Powered by blists - more mailing lists