Date:   Wed, 13 Apr 2022 18:40:21 -0700 (PDT)
From:   Palmer Dabbelt <palmer@...osinc.com>
To:     Arnd Bergmann <arnd@...db.de>
CC:     Arnd Bergmann <arnd@...db.de>,
        Paul Walmsley <paul.walmsley@...ive.com>,
        aou@...s.berkeley.edu, linux-riscv@...ts.infradead.org,
        linux-kernel@...r.kernel.org
Subject:     Re: [PATCH] RISC-V: Add CONFIG_{NON,}PORTABLE

On Thu, 10 Mar 2022 10:59:42 PST (-0800), Arnd Bergmann wrote:
> On Thu, Mar 10, 2022 at 6:08 PM Palmer Dabbelt <palmer@...osinc.com> wrote:
>>
>> From: Palmer Dabbelt <palmer@...osinc.com>
>>
>> The RISC-V port has collected a handful of options that are
>> fundamentally non-portable.  To prevent users from shooting themselves
>> in the foot, hide them all behind a config entry that explicitly calls
>> out that non-portable binaries may be produced.
>>
>> Signed-off-by: Palmer Dabbelt <palmer@...osinc.com>
>>
>> ---
>> This came up in the context of the no-M patch:
>> https://lore.kernel.org/lkml/CAK8P3a3mzax-OiaxBcxM_RgKNsd6N8HW0odRmw38u2jKE5aYaQ@mail.gmail.com/
>>
>> I'm not sure I strictly need both PORTABLE and NONPORTABLE, but it's the
>> only way I could come up with to force things like EFI.  I'll poke
>> around Kconfig a bit more, but I figured this is going to lead to a
>> discussion so it'd be better to just send this crusty version so we at
>> least have something concrete to talk about.
>>
>> I've only given this a smoke test (ie, defconfig looks OK).  I'll go
>> through all the configs if folks think this is the right way to go -- I
>> figure it's better to have the discussion on a more focused patch than
>> on that M patch, as this is really an orthogonal issue.
>>
>> I'm not really sure what the right option is here: I'm not selecting
>> things like errata and basic drivers, but I could buy the argument that
>> disabling those results in non-portable systems.  I am selecting EFI,
>> that might not be strictly required now but it's the direction we're
>> going so I figure we might as well start now.  I've also hidden 32BIT
>> behind this, I could see that going either way but my guess is that
>> users of 32-bit systems won't care about portable binaries.
>
> These are all things I would have suggested as well, sounds good.
>
>>  I'm also
>> not sure if this should be tied to something like EMBEDDED or EXPERT.
>
> CONFIG_EMBEDDED is weird, it's better to avoid interacting with
> it, because it tends to not do what one expects. Hiding it behind
> CONFIG_EXPERT would make sense, but it's also a rather strong
> guard, so it's probably better to leave it the way you have it.
>
>> My biggest worry with this is that users might get the feeling that
>> current kernels will be compatible with new hardware, that's just not
>> how RISC-V works.  I tried to write the help text indicating that, I'm
>> not sure I like how it reads so I'll almost certainly take another shot
>> at it (though suggestions are, of course, welcome).
>>
>> I'm also a bit worried that vendors might get the feeling we're not
>> going to support systems that need modifications to these portability
>> requirements.  That's also not the case, as there's really no way for
>> vendors to make sure their systems continue to run portable kernels
>> aside from just releasing them publicly so we can test them.
>> ---
>>  arch/riscv/Kconfig | 28 ++++++++++++++++++++++++++--
>>  1 file changed, 26 insertions(+), 2 deletions(-)
>>
>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> index 5adcbd9b5e88..de0916d7aca7 100644
>> --- a/arch/riscv/Kconfig
>> +++ b/arch/riscv/Kconfig
>> @@ -9,6 +9,7 @@ config 64BIT
>>
>>  config 32BIT
>>         bool
>> +       depends on NONPORTABLE
>
> This 'depends on' is in the wrong place, you need to move it below
> ARCH_RV32I, or possibly rework that "Base ISA" choice statement
> into something else.
>
>>  config RISCV
>>         def_bool y
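
Review bot: In `config 32BIT`, the added `depends on NONPORTABLE` lands on a promptless `bool`, which a user never sets directly. Such a symbol is only turned on through `select` or a default, and `select` does not honour `depends on`, so the new line would not hide 32-bit builds and would at most produce an unmet-dependency warning. Attach the dependency to the user-visible entry that turns 32BIT on instead.
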
>> @@ -485,6 +486,7 @@ config STACKPROTECTOR_PER_TASK
>>
>>  config PHYS_RAM_BASE_FIXED
>>         bool "Explicitly specified physical RAM address"
>> +       depends on NONPORTABLE
>>         default n
>>
>>  config PHYS_RAM_BASE
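
Review bot: `config PHYS_RAM_BASE_FIXED` has no help text, so after this hunk nothing in the entry tells a user why the prompt disappears unless NONPORTABLE is set. Add a short `help` block under the prompt saying that a fixed physical RAM address ties the image to one memory layout, which is the reason it is gated. The existing `default n` is also redundant for a `bool` and could be dropped while the entry is being touched.
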
>> @@ -498,7 +500,7 @@ config PHYS_RAM_BASE
>>
>>  config XIP_KERNEL
>>         bool "Kernel Execute-In-Place from ROM"
>> -       depends on MMU && SPARSEMEM
>> +       depends on MMU && SPARSEMEM && NONPORTABLE
>>         # This prevents XIP from being enabled by all{yes,mod}config, which
>>         # fail to build since XIP doesn't support large kernels.
>>         depends on !COMPILE_TEST
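
Review bot: In `config XIP_KERNEL`, NONPORTABLE is folded into the existing `depends on MMU && SPARSEMEM` expression, which mixes a functional requirement with a policy gate. The entry already uses a separate, commented `depends on !COMPILE_TEST` line, so put `depends on NONPORTABLE` on its own line with a one-line comment as well. That keeps the diff to a pure addition and makes the gated options easy to grep for.
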
>> @@ -538,9 +540,31 @@ endmenu
>>
>>  config BUILTIN_DTB
>>         bool
>> -       depends on OF
>> +       depends on OF && NONPORTABLE
>>         default y if XIP_KERNEL
>>
>> +config NONPORTABLE
>> +       bool "Allow configurations that result in non-portable kernels"
>> +       help
>> +         RISC-V kernel binaries are compatibile between all known systems
>
> typo: compatible
>
>> +         whenever possible, but there are some use cases that can only be
>> +         satisfied by configurations that result in kernel binaries that are
>> +         not portable between systems.
>> +
>> +         Selecting N does not guarntee kernels will be portable to all knows
>
> typo: guarantee
>
>> +         systems.  Selecting any of the options guarded by NONPORTABLE will
>> +         result in kernel binaries that are unlikely to be portable between
>> +         systems.
>> +
>> +         If unsure, say N.
>> +
>> +config PORTABLE
>> +       bool
>> +       default !NONPORTABLE
>> +       select EFI
>> +       select OF
>> +       select MMU
>
> A nice trick I would use here is to make PORTABLE/NONPORTABLE
> into a 'choice' statement that defaults to PORTABLE. That way, both
> allnoconfig and allmodconfig/allyesconfig end up testing the portable case.
>
> Ideally both allnoconfig and allmodconfig would be able to boot the
> same (virtual) machine, but getting to that point likely requires addressing
> further issues.
>
> If someone can come up with a better naming system, the
> portable/nonportable choice could even be integrated into the
> "Base ISA" choice, giving the user a list of the possible targets,
> like:

That's a really nice trick to know.  We're a lot farther from this than 
making an allnoconfig build, at least some of that is the Kconfig.socs 
brokenness.  IMO that's sort of just its own problem, and while it 
should get fixed if I try to roll it up into this one we're going to get 
the simple thing stuck on a bigger thing.

> choice
>       prompt "System type"
>       default ARCH_RV64I
>
> config ARCH_RV64I
>        bool "Generic portable RV64GC system"
>        select 64BIT
>        select EFI
>        select OF
>        select MMU
>
> config ARCH_RV64I_NONPORTABLE
>         bool "Custom RV64I machine, nonportable"
>         select 64BIT
>         select MMU
>
> config ARCH_RV32I_NONPORTABLE
>         bool "Custom RV32I machine, nonportable"
>         select 32BIT
>         select MMU
>
> config ARCH_RV64_NOMMU
>         bool "Custom RV64I machine without MMU"
>         select 64BIT
>
> endchoice
>
> Not sure if that is more or less confusing than what you have
> here, just putting it out there as another way to handle the
> top-level platform selection.
>
>          Arnd
