| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Feb 2022 10:32:28 -0800
From: Josh Poimboeuf <jpoimboe@...hat.com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: x86@...nel.org, joao@...rdrivepizza.com, hjl.tools@...il.com,
andrew.cooper3@...rix.com, linux-kernel@...r.kernel.org,
ndesaulniers@...gle.com, keescook@...omium.org,
samitolvanen@...gle.com, mark.rutland@....com,
alyssa.milburn@...el.com
Subject: Re: [PATCH 21/29] objtool: Rename --duplicate to --lto
On Mon, Feb 28, 2022 at 12:05:06PM +0100, Peter Zijlstra wrote:
> > It just dawned on me that "--noinstr" already exists. But I'm
> > scratching my head trying to figure out the difference between
> > "--noinstr" and omitting "--lto".
>
> If you run: "objtool check --vmlinux --noinstr vmlinux.o", it'll only do
> the shallow .noinstr.text/.entry.text checks. If OTOH you do: "objtool
> check --vmlinux --noinstr --lto vmlinux.o" it'll do everything
> (including noinstr).
I think I got all that. But what does "--vmlinux" do by itself?
> Similarlt, "--module --lto" will come to mean whole module (which is
> currently not distinguishable from a regular module part run).
>
> (barring the possible 's/--lto/--whole-archive/' rename proposed up top)
Thanks for the explanations. To summarize, we have:
A) legacy mode:
translation unit: objtool check [--module]
vmlinux.o: N/A
module: N/A
B) CONFIG_VMLINUX_VALIDATION=y && !(CONFIG_X86_KERNEL_IBT=y || CONFIG_LTO=y)
translation unit: objtool check [--module]
vmlinux: objtool check --vmlinux --noinstr
module: objtool check --module --noinstr
C) CONFIG_X86_KERNEL_IBT=y || CONFIG_LTO=y:
translation unit: N/A
vmlinux: objtool check --vmlinux --noinstr --lto
module: objtool check --module --noinstr --lto
Right?
I think I get it, but it's mental gymnastics for me to remember how the
options interact. It still seems counterintuitive, because whatever
"objtool check" does to a translation unit, I'd expect "objtool check
--vmlinux" to do the same things.
I suppose it makes sense if I can remember that --vmlinux is a magical
option which disables all that other stuff. And it's counteracted by
--lto, which removes the magic. But that's all hard to remember and
just seems weird.
There are a variety of ways to run objtool against vmlinux. The "lto"
approach is going to be less of an exception and may end up being the
default someday. So making --vmlinux do weird stuff is going to be even
less intuitive as we go forward. Let's make the default sane and
consistent with other file types.
So how about we just get rid of the magical --vmlinux and --lto options
altogether, and make --noinstr additive, like all the other options?
A) legacy mode:
.o files: objtool check [--module]
vmlinux: N/A
module: N/A
B) CONFIG_NOINSTR_VALIDATION=y && !(CONFIG_X86_KERNEL_IBT=y || CONFIG_LTO=y):
.o files: objtool check [--module]
vmlinux: objtool check --noinstr-only
module: objtool check --module --noinstr-only
C) CONFIG_X86_KERNEL_IBT=y || CONFIG_LTO=y:
.o files: N/A
vmlinux: objtool check --noinstr
module: objtool check --module --noinstr
(notice I renamed VMLINUX_VALIDATION to NOINSTR_VALIDATION)
Isn't that much more logical and intuitive?
a) objtool has sane defaults, regardless of object type
b) no magic options, other than --noinstr-only, but that's
communicated in its name
c) --vmlinux is no longer needed -- fewer options to juggle
--
Josh
Powered by blists - more mailing lists