[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20240624135921.GC8616@willie-the-truck>
Date: Mon, 24 Jun 2024 14:59:21 +0100
From: Will Deacon <will@...nel.org>
To: Alice Ryhl <aliceryhl@...gle.com>
Cc: Jamie.Cunliffe@....com, a.hindborg@...sung.com, alex.gaynor@...il.com,
ardb@...nel.org, benno.lossin@...ton.me, bjorn3_gh@...tonmail.com,
boqun.feng@...il.com, broonie@...nel.org, catalin.marinas@....com,
gary@...yguo.net, keescook@...omium.org, kernel@...entinobst.de,
linux-arm-kernel@...ts.infradead.org, linux-kbuild@...r.kernel.org,
linux-kernel@...r.kernel.org, mark.rutland@....com,
masahiroy@...nel.org, maz@...nel.org,
miguel.ojeda.sandonis@...il.com, nathan@...nel.org,
ndesaulniers@...gle.com, nicolas@...sle.eu, ojeda@...nel.org,
rust-for-linux@...r.kernel.org, samitolvanen@...gle.com,
wedsonaf@...il.com
Subject: Re: [PATCH v2] rust: add flags for shadow call stack sanitizer
Hi Alice,
On Tue, Jun 04, 2024 at 04:53:16PM +0200, Alice Ryhl wrote:
> On Tue, Jun 4, 2024 at 4:29 PM Will Deacon <will@...nel.org> wrote:
> > On Tue, Apr 30, 2024 at 11:09:25AM +0000, Alice Ryhl wrote:
> > > Will Deacon <will@...nel.org> wrote:
> > > > On Tue, Mar 05, 2024 at 01:14:19PM +0100, Miguel Ojeda wrote:
> > > >> Otherwise partially reverting to the `target.json` approach sounds good too.
> > > >>
> > > >> I added the `-Zuse-sync-unwind=n` to the list at
> > > >> https://github.com/Rust-for-Linux/linux/issues/2. Given the default is
> > > >> what we want, I have put it in the "Good to have" section.
> > > >
> > > > I think we have time to do this properly, like we did for the clang
> > > > enablement a few years ago. In hindsight, avoiding hacks for the early
> > > > toolchains back then was a really good idea because it meant we could
> > > > rely on a solid baseline set of compiler features from the start.
> > > >
> > > > So, please can we fix this in rustc and just have SCS dependent on that?
> > >
> > > Just to keep you in the loop, I've posted a PR to make rustc recognize
> > > the reserve-x18 target feature, so that the -Ctarget-feature=+reserve-x18
> > > flag stops emitting a warning.
> > >
> > > This should be sufficient for adding support for CONFIG_DYNAMIC_SCS.
> > >
> > > You can find it here:
> > > https://github.com/rust-lang/rust/pull/124323
> > >
> > > As for non-dynamic SCS, I plan to tackle that after the PR is merged.
> > > See the "Future possibilities" section in the linked PR for more info on
> > > that.
> >
> > Thanks for persevering with this, Alice. I read the pull request above,
> > but it looks like you went with:
> >
> > https://github.com/rust-lang/rust/pull/124655
> >
> > instead, which was merged (hurrah!). Do we need anything else?
>
> Yeah, it took a while, but I've managed to get a -Zfixed-x18 flag in.
> It will be available starting with Rust 1.80, which will be released
> on the 25th of July.
Great, thank you!
> A few things:
>
> 1. The -Zsanitizer=shadow-call-stack flag still doesn't work because
> the compiler thinks that the target doesn't support it. I'll fix this
> eventually, but at least CONFIG_DYNAMIC_SCS works now.
>
> 2. I haven't convinced the Rust maintainers that -Zfixed-x18 is the
> way to go long term (flags starting with -Z are unstable and may
> change). Some of the maintainers want to instead add a x18-available
> target feature (that is, the inverse of the current reserve-x18 target
> feature), that you can disable with -Ctarget-feature=-x18-available.
>
> And a few questions for you:
>
> By the time support for 1.80 goes in, we are probably supporting more
> than one Rust compiler. For pre-1.80 compilers, should we fall back to
> -Ctarget-feature=+reserve-x18 (which emits a warning, but works), or
> fail compilation?
I think we should just prevent the Kconfig option from being enabled if
the toolchain doesn't give us what we need. So there's no need to fail
compilation, but SCS =n. See how e.g. CONFIG_ARM64_BTI_KERNEL depends on
CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI.
> Similarly, we should probably submit a fix to the stable branches so
> that SCS+Rust doesn't silently break in a hard-to-debug way. Do you
> prefer a backport with -Ctarget-feature=+reserve-x18 or one that fails
> compilation?
As above, I think we should disable the feature in those cases.
Make sense?
Will
Powered by blists - more mailing lists