Message-ID: <20250507-emerald-lyrebird-of-advertising-e86beb@l-nschier-aarch64>
Date: Wed, 7 May 2025 14:01:21 +0200
From: Nicolas Schier <nicolas.schier@...ux.dev>
To: Kees Cook <kees@...nel.org>
Cc: Masahiro Yamada <masahiroy@...nel.org>,
	Nathan Chancellor <nathan@...nel.org>,
	linux-hardening@...r.kernel.org, linux-kbuild@...r.kernel.org,
	Petr Pavlu <petr.pavlu@...e.com>,
	Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
	Justin Stitt <justinstitt@...gle.com>,
	Marco Elver <elver@...gle.com>,
	Andrey Konovalov <andreyknvl@...il.com>,
	Andrey Ryabinin <ryabinin.a.a@...il.com>,
	Nick Desaulniers <nick.desaulniers+lkml@...il.com>,
	Bill Wendling <morbo@...gle.com>, linux-kernel@...r.kernel.org,
	kasan-dev@...glegroups.com, llvm@...ts.linux.dev
Subject: Re: [PATCH v3 1/3] gcc-plugins: Force full rebuild when plugins
 change

On Sat, 03 May 2025, Kees Cook wrote:

> There was no dependency between the plugins changing and the rest of the
> kernel being built. This could cause strange behaviors as instrumentation
> could vary between targets depending on when they were built.
> 
> Generate a new header file, gcc-plugins.h, any time the GCC plugins
> change. Include the header file in compiler-version.h when its associated
> feature name, GCC_PLUGINS, is defined. This will be picked up by fixdep
> and force rebuilds where needed.
> 
> Add a generic "touch" kbuild command, which will be used again in
> a following patch. Add a "normalize_path" string helper to make the
> "TOUCH" output less ugly.
> 
> Signed-off-by: Kees Cook <kees@...nel.org>
> ---
> Cc: Masahiro Yamada <masahiroy@...nel.org>
> Cc: Nicolas Schier <nicolas.schier@...ux.dev>
> Cc: Nathan Chancellor <nathan@...nel.org>
> Cc: <linux-hardening@...r.kernel.org>
> Cc: <linux-kbuild@...r.kernel.org>
> ---
>  include/linux/compiler-version.h |  4 ++++
>  scripts/Makefile.gcc-plugins     |  2 +-
>  scripts/Makefile.lib             | 18 ++++++++++++++++++
>  scripts/gcc-plugins/Makefile     |  4 ++++
>  4 files changed, 27 insertions(+), 1 deletion(-)
> 
> diff --git a/include/linux/compiler-version.h b/include/linux/compiler-version.h
> index 573fa85b6c0c..74ea11563ce3 100644
> --- a/include/linux/compiler-version.h
> +++ b/include/linux/compiler-version.h
> @@ -12,3 +12,7 @@
>   * and add dependency on include/config/CC_VERSION_TEXT, which is touched
>   * by Kconfig when the version string from the compiler changes.
>   */
> +
> +#ifdef GCC_PLUGINS

Out of curiosity:  Why can't we use CONFIG_GCC_PLUGINS here?

> +#include <generated/gcc-plugins.h>
> +#endif
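
Review bot: the comment block above the new `#ifdef GCC_PLUGINS` still describes only the include/config/CC_VERSION_TEXT dependency. Extend it to say that generated/gcc-plugins.h is included so that fixdep records a dependency on it, and that GCC_PLUGINS is defined by the -DGCC_PLUGINS added to GCC_PLUGINS_CFLAGS rather than by Kconfig; without that, the bare macro name reads like a CONFIG_ symbol with its prefix dropped.
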
> diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins
> index 5b8a8378ca8a..e50dc931be49 100644
> --- a/scripts/Makefile.gcc-plugins
> +++ b/scripts/Makefile.gcc-plugins
> @@ -38,7 +38,7 @@ export DISABLE_STACKLEAK_PLUGIN
>  
>  # All the plugin CFLAGS are collected here in case a build target needs to
>  # filter them out of the KBUILD_CFLAGS.
> -GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y))
> +GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y)) -DGCC_PLUGINS
>  export GCC_PLUGINS_CFLAGS
>  
>  # Add the flags to the build!
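
Review bot: `-DGCC_PLUGINS` is appended after the closing parenthesis of `$(strip ...)`, so GCC_PLUGINS_CFLAGS is never empty, even when $(gcc-plugin-y) and $(gcc-plugin-cflags-y) both expand to nothing, and in that case the value starts with a stray space. Moving the define inside the `$(strip ...)` call, or adding it only when $(gcc-plugin-y) is non-empty, keeps the variable clean and avoids defining GCC_PLUGINS for a build that loads no plugin. The comment above the assignment could also note that targets which filter GCC_PLUGINS_CFLAGS out of KBUILD_CFLAGS lose the define as well, and with it the dependency on the generated header.
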
> diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
> index 2fe73cda0bdd..6fc2a82ee3bb 100644
> --- a/scripts/Makefile.lib
> +++ b/scripts/Makefile.lib
> @@ -296,6 +296,19 @@ $(foreach m, $1, \
>  	$(addprefix $(obj)/, $(call suffix-search, $(patsubst $(obj)/%,%,$m), $2, $3))))
>  endef
>  
> +# Remove ".." and "." from a path, without using "realpath"
> +# Usage:
> +#   $(call normalize_path,path/to/../file)
> +define normalize_path
> +$(strip $(eval elements :=) \
> +$(foreach elem,$(subst /, ,$1), \
> +	$(if $(filter-out .,$(elem)), \
> +	     $(if $(filter ..,$(elem)), \
> +		  $(eval elements := $(wordlist 2,$(words $(elements)),x $(elements))), \
> +		  $(eval elements := $(elements) $(elem))))) \
> +$(subst $(space),/,$(elements)))
> +endef

Nice :)

> +
>  # Build commands
>  # ===========================================================================
>  # These are shared by some Makefile.* files.
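
Review bot: normalize_path silently changes the meaning of some inputs: the `$(subst /, ,$1)` split drops the leading slash of an absolute path, and a `..` with no element before it is discarded, so `../file` comes out as `file`. That is harmless for the TOUCH display string, but the helper lands in scripts/Makefile.lib as a general function, so the usage comment should state that it is meant for printing relative paths only, or the function should keep leading `..` elements. It also assigns the global make variable `elements` through $(eval); a name less likely to collide with a variable in a calling Makefile would be safer.
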
> @@ -343,6 +356,11 @@ quiet_cmd_copy = COPY    $@
>  $(obj)/%: $(src)/%_shipped
>  	$(call cmd,copy)
>  
> +# Touch a file
> +# ===========================================================================
> +quiet_cmd_touch = TOUCH   $(call normalize_path,$@)
> +      cmd_touch = touch $@
> +
>  # Commands useful for building a boot image
>  # ===========================================================================
>  #
> diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile
> index 320afd3cf8e8..05b14aba41ef 100644
> --- a/scripts/gcc-plugins/Makefile
> +++ b/scripts/gcc-plugins/Makefile
> @@ -66,3 +66,7 @@ quiet_cmd_plugin_cxx_o_c = HOSTCXX $@
>  
>  $(plugin-objs): $(obj)/%.o: $(src)/%.c FORCE
>  	$(call if_changed_dep,plugin_cxx_o_c)
> +
> +$(obj)/../../include/generated/gcc-plugins.h: $(plugin-single) $(plugin-multi) FORCE
> +	$(call if_changed,touch)
> +always-y += ../../include/generated/gcc-plugins.h
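
Review bot: the new rule for `$(obj)/../../include/generated/gcc-plugins.h` carries no comment explaining why an empty header is touched, and the `../../` traversal is written out twice, once in the target and once in the always-y entry, where the two must stay in sync. Add a short comment above the rule saying that the file is included from include/linux/compiler-version.h to force rebuilds whenever $(plugin-single) or $(plugin-multi) change, and consider putting the relative path in one variable used by both lines.
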
> -- 
> 2.34.1
> 

Tested-by: Nicolas Schier <n.schier@....de>
Reviewed-by: Nicolas Schier <n.schier@....de>

