lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202308251123.D87F05DC@keescook>
Date:   Fri, 25 Aug 2023 11:33:44 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Michael Ellerman <mpe@...erman.id.au>
Cc:     Masahiro Yamada <masahiroy@...nel.org>, x86@...nel.org,
        linux-arm-kernel@...ts.infradead.org,
        linuxppc-dev@...ts.ozlabs.org, linux-riscv@...ts.infradead.org,
        linux-s390@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-kbuild@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] kbuild: Show Kconfig fragments in "help"

On Fri, Aug 25, 2023 at 04:11:58PM +1000, Michael Ellerman wrote:
> Kees Cook <keescook@...omium.org> writes:
> > Doing a "make help" would show only hard-coded Kconfig targets and
> > depended on the archhelp target to include ".config" targets. There was
> > nothing showing global kernel/configs/ targets. Solve this by walking
> > the wildcard list and include them in the output, using the first comment
> > line as the help text.
> >
> > Update all Kconfig fragments to include help text and adjust archhelp
> > targets to avoid redundancy.
> >
> > Adds the following section to "help" target output:
> >
> > Configuration fragment targets (for enabling various Kconfig items):
> >   debug.config         - Debugging for CI systems and finding regressions
> >   kvm_guest.config     - Bootable as a KVM guest
> >   nopm.config          - Disable Power Management
> >   rust.config          - Enable Rust
> >   tiny-base.config     - Minimal options for tiny systems
> >   tiny.config          - Smallest possible kernel image
> >   x86_debug.config     - Debugging options for tip tree testing
> >   xen.config           - Bootable as a Xen guest
> >   tiny.config          - x86-specific options for a small kernel image
> >   xen.config           - x86-specific options for a Xen virtualization guest
> 
> I think we need a way to opt some files out.
> 
> It's a bit ugly on powerpc because there are so many fragments:
> 
> Configuration fragment targets (for enabling various Kconfig items):
>   debug.config         - Debugging for CI systems and finding regressions
>   kvm_guest.config     - Bootable as a KVM guest
>   nopm.config          - Disable Power Management
>   rust.config          - Enable Rust
>   tiny-base.config     - Minimal options for tiny systems
>   tiny.config          - Smallest possible kernel image
>   x86_debug.config     - Debugging options for tip tree testing
>   xen.config           - Bootable as a Xen guest
>   32-bit.config        - Build a 32-bit image
>   64-bit.config        - Build a 64-bit image
>   85xx-32bit.config    - Build a 32-bit 85xx image
>   85xx-64bit.config    - Build a 64-bit 85xx image
>   85xx-hw.config       - Base hardware support for 86xx
>   85xx-smp.config      - Enable SMP on 85xx
>   86xx-hw.config       - Base hardware support for 86xx
>   86xx-smp.config      - Enable SMP on 86xx
>   altivec.config       - Enable Altivec support
>   be.config            - Enable Big Endian mode
>   book3s_32.config     - Base support for Book3s
>   corenet_base.config  - Base support for corenet
>   debug.config         - Enable PowerPC specific debug options
>   disable-werror.config - Disable -Werror
>   dpaa.config          - Base suppot for DPPA
>   fsl-emb-nonhw.config - Non-hardware options common to 85xx and corenet
>   guest.config         - PowerPC specific virtualization guest options
>   kvm_guest.config     - Bootable as a KVM guest
>   le.config            - Enable Little Endian mode
>   mpc85xx_base.config  - Base mpc85xxx support
>   mpc86xx_base.config  - Base mpc85xxx support
>   ppc64le.config       - Enable ppc64le mode
>   security.config      - Common security options for PowerPC builds
> 
> And some of those are not intended for use with "make foo.config",
> they're used internally for generating our "normal" defconfigs and they
> don't necessarily work on their own.
> 
> Also I'd like to add more fragments in future, to the point where nearly
> all our configs are generated by them.
> 
> Can we have some way to differentiate fragments that are intended to be
> used with "make foo.config" vs just being used internally to generate
> other configs.
> 
> The obvious thing would be to use a different suffix, eg. "foo.fragment"
> for internal use fragments. That would require changing
> merge_into_defconfig and merge_into_defconfig_override to not assume the
> .config suffix, and update the users in arm, arm64 and powerpc.
> 
> The other option would be to ignore .config files starting with eg. "_".
> 
> +       @$(foreach c, $(filter-out $(call configfiles,_*.config),$(call configfiles,*.config)), \
> +               printf "  %-20s - %s\\n" \
> +                       $(shell basename $(c)) \
> +                       "$(subst # ,,$(shell grep -m1 '^# ' $(c)))";)
> 
> Not sure which is preferable.

Yeah, I wasn't too happy about some of these results. There seems to be
three cases a fragment:

- user-visible make target
- used internally
- arch-specific settings for a user-visible make target (redundant)

Only the first should be visible. The trouble is that some user-visible
targets are arch-specific.

I think I like your idea of having both .config and .fragment... I'll
give that a try and see how it looks.

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ