lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 14 May 2020 10:05:15 +0200
From:   Jiri Olsa <jolsa@...hat.com>
To:     Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc:     Jiri Olsa <jolsa@...nel.org>, Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>, netdev@...r.kernel.org,
        bpf@...r.kernel.org, Yonghong Song <yhs@...com>,
        Martin KaFai Lau <kafai@...com>,
        David Miller <davem@...hat.com>,
        John Fastabend <john.fastabend@...il.com>,
        Jesper Dangaard Brouer <hawk@...nel.org>,
        Wenbo Zhang <ethercflow@...il.com>,
        KP Singh <kpsingh@...omium.org>,
        Andrii Nakryiko <andriin@...com>, bgregg@...flix.com,
        Florent Revest <revest@...omium.org>,
        Al Viro <viro@...iv.linux.org.uk>
Subject: Re: [PATCH 7/9] bpf: Compile the BTF id whitelist data in vmlinux

On Wed, May 13, 2020 at 11:29:40AM -0700, Alexei Starovoitov wrote:

SNIP

> > diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
> > index d09ab4afbda4..dee91c6bf450 100755
> > --- a/scripts/link-vmlinux.sh
> > +++ b/scripts/link-vmlinux.sh
> > @@ -130,16 +130,26 @@ gen_btf()
> >  	info "BTF" ${2}
> >  	LLVM_OBJCOPY=${OBJCOPY} ${PAHOLE} -J ${1}
> >  
> > -	# Create ${2} which contains just .BTF section but no symbols. Add
> > +	# Create object which contains just .BTF section but no symbols. Add
> >  	# SHF_ALLOC because .BTF will be part of the vmlinux image. --strip-all
> >  	# deletes all symbols including __start_BTF and __stop_BTF, which will
> >  	# be redefined in the linker script. Add 2>/dev/null to suppress GNU
> >  	# objcopy warnings: "empty loadable segment detected at ..."
> >  	${OBJCOPY} --only-section=.BTF --set-section-flags .BTF=alloc,readonly \
> > -		--strip-all ${1} ${2} 2>/dev/null
> > -	# Change e_type to ET_REL so that it can be used to link final vmlinux.
> > -	# Unlike GNU ld, lld does not allow an ET_EXEC input.
> > -	printf '\1' | dd of=${2} conv=notrunc bs=1 seek=16 status=none
> > +		--strip-all ${1} 2>/dev/null
> > +
> > +	# Create object that contains just .BTF_whitelist_* sections generated
> > +	# by bpfwl. Same as BTF section, BTF_whitelist_* data will be part of
> > +	# the vmlinux image, hence SHF_ALLOC.
> > +	whitelist=.btf.vmlinux.whitelist
> > +
> > +	${BPFWL} ${1} kernel/bpf/helpers-whitelist > ${whitelist}.c
> > +	${CC} -c -o ${whitelist}.o ${whitelist}.c
> > +	${OBJCOPY} --only-section=.BTF_whitelist* --set-section-flags .BTF=alloc,readonly \
> > +                --strip-all ${whitelist}.o 2>/dev/null
> > +
> > +	# Link BTF and BTF_whitelist objects together
> > +	${LD} -r -o ${2} ${1} ${whitelist}.o
> 
> Thank you for working on it!
> Looks great to me overall. In the next rev please drop RFC tag.
> 
> My only concern is this extra linking step. How many extra seconds does it add?

I did not meassure, but I haven't noticed any noticable delay,
I'll add meassurements to the next post

> 
> Also in patch 3:
> +               func = func__find(str);
> +               if (func)
> +                       func->id = id;
> which means that if somebody mistyped the name or that kernel function
> got renamed there will be no warnings or errors.
> I think it needs to fail the build instead.

it fails later on, when generating the array:

     if (!func->id) {
             fprintf(stderr, "FAILED: '%s' function not found in BTF data\n",
                     func->name);
             return -1;
     }

but it can clearly fail before that.. I'll change that

> 
> If additional linking step takes another 20 seconds it could be a reason
> to move the search to run-time.
> We already have that with struct bpf_func_proto->btf_id[].
> Whitelist could be something similar.
> I think this mechanism will be reused for unstable helpers and other
> func->btf_id mappings, so 'bpfwl' name would change eventually.
> It's not white list specific. It generates a mapping of names to btf_ids.
> Doing it at build time vs run-time is a trade off and it doesn't have
> an obvious answer.

I was thinking of putting the names in __init section and generate the BTF
ids on kernel start, but the build time generation seemed more convenient..
let's see the linking times with 'real size' whitelist and we can reconsider

thanks,
jirka

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ