Message-Id: <20250904033217.it.414-kees@kernel.org>
Date: Wed, 3 Sep 2025 20:46:39 -0700
From: Kees Cook <kees@...nel.org>
To: Peter Zijlstra <peterz@...radead.org>
Cc: Kees Cook <kees@...nel.org>,
Nathan Chancellor <nathan@...nel.org>,
Vegard Nossum <vegard.nossum@...cle.com>,
Miguel Ojeda <ojeda@...nel.org>,
Linus Walleij <linus.walleij@...aro.org>,
Jeff Johnson <jeff.johnson@....qualcomm.com>,
Randy Dunlap <rdunlap@...radead.org>,
David Woodhouse <dwmw2@...radead.org>,
"Russell King (Oracle)" <rmk+kernel@...linux.org.uk>,
Nick Desaulniers <nick.desaulniers+lkml@...il.com>,
Bill Wendling <morbo@...gle.com>,
Justin Stitt <justinstitt@...gle.com>,
Marco Elver <elver@...gle.com>,
Przemek Kitszel <przemyslaw.kitszel@...el.com>,
Ramon de C Valle <rcvalle@...gle.com>,
Jonathan Corbet <corbet@....net>,
"Paul E. McKenney" <paulmck@...nel.org>,
Nicolas Schier <nicolas.schier@...ux.dev>,
Masahiro Yamada <masahiroy@...nel.org>,
Arnd Bergmann <arnd@...db.de>,
Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>,
Sami Tolvanen <samitolvanen@...gle.com>,
Mark Rutland <mark.rutland@....com>,
linux-kernel@...r.kernel.org,
llvm@...ts.linux.dev,
linux-doc@...r.kernel.org,
linux-kbuild@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org,
x86@...nel.org,
linux-hardening@...r.kernel.org
Subject: [PATCH v2 0/9] kcfi: Prepare for GCC support
v2:
- integrate "transitional" Kconfig patch[2] (nathan, randy, miguel)
- add arm32 KCFI trap handler
- split pr_info changes (nathan)
- clean up my broken SoB (peter)
- remove Clang from CONFIG_CFI help (jeff)
- add r-b (linus)
v1: https://lore.kernel.org/all/20250825141316.work.967-kees@kernel.org/

Hi,

With KCFI support in GCC coming[1], we need to make some (relatively
small) changes in the kernel to deal with it:

- move __nocfi out of compiler-clang.h (so GCC can see it too)
- add cfi=debug so future Kees can find fineibt breakage easier
- remove problematic __noinitretpoline usage
- rename CONFIG_CFI_CLANG to CONFIG_CFI (otherwise it is quite confusing)

If I can get some Acks, I will carry this in the hardening tree, unless
someone else would like to take it (perhaps tip).

Thanks!

-Kees

[1] https://lore.kernel.org/linux-hardening/20250821064202.work.893-kees@kernel.org/
[2] https://lore.kernel.org/all/20250901182334.make.517-kees@kernel.org/

Kees Cook (9):
compiler_types.h: Move __nocfi out of compiler-specific header
x86/traps: Clarify KCFI instruction layout
x86/cfi: Document the "cfi=" bootparam options
x86/cfi: Standardize on common "CFI:" prefix for CFI reports
x86/cfi: Add "debug" option to "cfi=" bootparam
x86/cfi: Remove __noinitretpoline and __noretpoline
kconfig: Add transitional symbol attribute for migration support
kcfi: Rename CONFIG_CFI_CLANG to CONFIG_CFI
ARM: traps: Implement KCFI trap handler for ARM32
arch/Kconfig | 36 ++++---
arch/arm/Kconfig | 2 +-
arch/arm64/Kconfig | 4 +-
arch/riscv/Kconfig | 6 +-
arch/x86/Kconfig | 12 +--
init/Kconfig | 4 +-
kernel/module/Kconfig | 2 +-
.../kconfig/tests/err_transitional/Kconfig | 52 +++++++++
scripts/kconfig/tests/transitional/Kconfig | 100 +++++++++++++++++
lib/Kconfig.debug | 2 +-
Makefile | 2 +-
arch/arm/mm/Makefile | 2 +-
arch/riscv/kernel/Makefile | 2 +-
arch/riscv/purgatory/Makefile | 2 +-
arch/x86/kernel/Makefile | 2 +-
arch/x86/purgatory/Makefile | 2 +-
kernel/Makefile | 2 +-
scripts/kconfig/expr.h | 1 +
scripts/kconfig/lexer.l | 1 +
scripts/kconfig/parser.y | 47 ++++++++
scripts/kconfig/symbol.c | 16 ++-
.../tests/err_transitional/__init__.py | 14 +++
.../tests/err_transitional/expected_stderr | 7 ++
.../kconfig/tests/transitional/__init__.py | 18 ++++
.../tests/transitional/expected_config | 12 +++
.../kconfig/tests/transitional/initial_config | 16 +++
.../admin-guide/kernel-parameters.txt | 18 ++++
Documentation/kbuild/kconfig-language.rst | 32 ++++++
arch/riscv/include/asm/cfi.h | 4 +-
arch/x86/include/asm/cfi.h | 4 +-
include/asm-generic/vmlinux.lds.h | 2 +-
include/linux/cfi.h | 6 +-
include/linux/cfi_types.h | 8 +-
include/linux/compiler-clang.h | 5 -
include/linux/compiler-gcc.h | 4 -
include/linux/compiler.h | 2 +-
include/linux/compiler_types.h | 4 +-
include/linux/init.h | 8 --
tools/include/linux/cfi_types.h | 6 +-
tools/perf/util/include/linux/linkage.h | 2 +-
arch/arm/mm/cache-fa.S | 2 +-
arch/arm/mm/cache-v4.S | 2 +-
arch/arm/mm/cache-v4wb.S | 4 +-
arch/arm/mm/cache-v4wt.S | 2 +-
arch/arm/mm/cache-v6.S | 2 +-
arch/arm/mm/cache-v7.S | 2 +-
arch/arm/mm/cache-v7m.S | 2 +-
arch/arm/mm/proc-arm1020.S | 2 +-
arch/arm/mm/proc-arm1020e.S | 2 +-
arch/arm/mm/proc-arm1022.S | 2 +-
arch/arm/mm/proc-arm1026.S | 2 +-
arch/arm/mm/proc-arm920.S | 2 +-
arch/arm/mm/proc-arm922.S | 2 +-
arch/arm/mm/proc-arm925.S | 2 +-
arch/arm/mm/proc-arm926.S | 2 +-
arch/arm/mm/proc-arm940.S | 2 +-
arch/arm/mm/proc-arm946.S | 2 +-
arch/arm/mm/proc-feroceon.S | 2 +-
arch/arm/mm/proc-mohawk.S | 2 +-
arch/arm/mm/proc-xsc3.S | 2 +-
arch/arm/mm/tlb-v4.S | 2 +-
arch/arm/kernel/hw_breakpoint.c | 2 +-
arch/arm/kernel/traps.c | 102 ++++++++++++++++++
arch/arm64/kernel/debug-monitors.c | 2 +-
arch/arm64/kernel/traps.c | 4 +-
arch/arm64/kvm/handle_exit.c | 2 +-
arch/arm64/net/bpf_jit_comp.c | 2 +-
arch/riscv/net/bpf_jit_comp64.c | 4 +-
arch/x86/kernel/alternative.c | 44 ++++++--
arch/x86/kernel/cfi.c | 2 +-
arch/x86/kernel/kprobes/core.c | 2 +-
drivers/misc/lkdtm/cfi.c | 2 +-
kernel/module/tree_lookup.c | 2 +-
kernel/configs/hardening.config | 2 +-
74 files changed, 569 insertions(+), 118 deletions(-)
create mode 100644 scripts/kconfig/tests/err_transitional/Kconfig
create mode 100644 scripts/kconfig/tests/transitional/Kconfig
create mode 100644 scripts/kconfig/tests/err_transitional/__init__.py
create mode 100644 scripts/kconfig/tests/err_transitional/expected_stderr
create mode 100644 scripts/kconfig/tests/transitional/__init__.py
create mode 100644 scripts/kconfig/tests/transitional/expected_config
create mode 100644 scripts/kconfig/tests/transitional/initial_config
--
2.34.1