lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <765e1e78-c540-0753-7a19-7d335bcc998b@suse.com>
Date:   Thu, 24 Nov 2022 10:21:33 +0100
From:   Petr Pavlu <petr.pavlu@...e.com>
To:     Borislav Petkov <bp@...en8.de>
Cc:     tglx@...utronix.de, mingo@...hat.com, dave.hansen@...ux.intel.com,
        x86@...nel.org, hpa@...or.com, nicolas@...sle.eu,
        masahiroy@...nel.org, kirill.shutemov@...ux.intel.com,
        tony.luck@...el.com, michael.roth@....com, nathan@...nel.org,
        ndesaulniers@...gle.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] x86: Avoid relocation information in final vmlinux

On 11/23/22 16:54, Borislav Petkov wrote:
> On Wed, Nov 23, 2022 at 04:43:20PM +0100, Petr Pavlu wrote:
>> The only post-link analysis tool in this case should be arch/x86/tools/relocs.
>> It produces a vmlinux.relocs file which is appended to vmlinux.bin. This is
>> all internal to the Linux build. I'm not aware of any external tooling, such
>> as kernel debuggers, that would require this relocation information in
>> vmlinux.
> 
> It would be good to know why --emit-relocs was added in the first place
> - that might give us a hint. Lemme talk to Micha.

My understanding is that option --emit-relocs is needed to provide relocation
data for KASLR support. Produced relocation sections in vmlinux get processed
by arch/x86/tools/relocs which creates vmlinux.relocs with only relocation
data. This file is appended to vmlinux.bin. Upon boot, function
extract_kernel() decompresses the kernel at the target address and relocates
it using the vmlinux.relocs data.

>> The size command used in your example includes only allocatable code, data and
>> bss sections. It does not show size of any relocation sections.
> 
> This:
> 
> 361M vmlinux.before
> 361M vmlinux.after
> 
> is simple ls output.
> 
> Maybe I need something else enabled in my .config which would show this
> significant difference *and* *explain* it.

Option CONFIG_RANDOMIZE_BASE=y needs to be enabled. Switching it on should
automatically select also CONFIG_X86_NEED_RELOCS=y which is what actually
enables use of --emit-relocs in arch/x86/Makefile.

Petr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ