From patchwork Wed Jun 24 01:49:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 206296 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4B972C433E1 for ; Wed, 24 Jun 2020 01:49:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 205432100A for ; Wed, 24 Jun 2020 01:49:52 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="TdJYKQfK" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388536AbgFXBtv (ORCPT ); Tue, 23 Jun 2020 21:49:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46722 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388534AbgFXBtu (ORCPT ); Tue, 23 Jun 2020 21:49:50 -0400 Received: from mail-pl1-x643.google.com (mail-pl1-x643.google.com [IPv6:2607:f8b0:4864:20::643]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EDA6AC061755 for ; Tue, 23 Jun 2020 18:49:49 -0700 (PDT) Received: by mail-pl1-x643.google.com with SMTP id y18so337695plr.4 for ; Tue, 23 Jun 2020 18:49:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=1dy932Q1L6bL01oX9ZyNGxMZGfZc9HBFmwG4K7Tai+w=; b=TdJYKQfKuVwGeVGHEDD2vnD1lvuUL7cKVDKIPrO6knxxj6QtsEWzxUWr99rLFOCPfK 9ohQqyEVVZpfo0ViNiWBQ3Ut68BJePEhP9nQaLhMsRG6OBio29yJbdvSaN570AxQ3PxD VtIPRHCizmozN4OWucFCQVq6c7qciUfkrqN+w= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=1dy932Q1L6bL01oX9ZyNGxMZGfZc9HBFmwG4K7Tai+w=; b=YwKmpvp5g95LR5YtwlaPLEIZLZ4g5t5FjmRILhQmfYDeF0BNgYuK96W16fX430T794 WmyJ4b6Zi30lRScITpwdeVW8lwcv+YpAAZ8CWEwHyUZviifnh7Wz+xwKjEPoRYVIQMnk 4fyc+2XV/JwV57EqIw3k5CdGl9cfaW16NCbPJkc2uJmQJUEymmaeluSAzL8JQynlb9jN 8WYbaORmEHqjpponCtOSBqoeEPWzkh369ZvCl/qidw11ard3tjSV3VWK9f+oU9Lx7f4X 8Fb24cciL4W0zPuMeYCfIf+u5eTkNsfyxYVw5wvjymeEnNbHWWP/S0YjOAVDPni+pN7J OoOQ== X-Gm-Message-State: AOAM532aKrzdHFc7JXRsbS3K9/0eCelOqOUU1nkec15hB/Zk8j594Cnh oT9OzXtKymbWDU8NQukUcuZkJA== X-Google-Smtp-Source: ABdhPJz6GuoF4HjGXS1UVnYm6pgHtPqOwo/XSsJjpo3fuRaU8aGICUridm4hb0FUl1JDIqO0EOq+8Q== X-Received: by 2002:a17:902:9693:: with SMTP id n19mr16693200plp.253.1592963389555; Tue, 23 Jun 2020 18:49:49 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id d22sm172748pfd.105.2020.06.23.18.49.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jun 2020 18:49:46 -0700 (PDT) From: Kees Cook To: Will Deacon Cc: Kees Cook , Catalin Marinas , Mark Rutland , Ard Biesheuvel , Peter Collingbourne , James Morse , Borislav Petkov , Thomas Gleixner , Ingo Molnar , Russell King , Masahiro Yamada , Arvind Sankar , Nick Desaulniers , Nathan Chancellor , Arnd Bergmann , x86@kernel.org, clang-built-linux@googlegroups.com, linux-arch@vger.kernel.org, linux-efi@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH v3 4/9] x86/build: Warn on orphan section placement Date: Tue, 23 Jun 2020 18:49:35 -0700 Message-Id: <20200624014940.1204448-5-keescook@chromium.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200624014940.1204448-1-keescook@chromium.org> References: <20200624014940.1204448-1-keescook@chromium.org> MIME-Version: 1.0 Sender: linux-efi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-efi@vger.kernel.org We don't want to depend on the linker's orphan section placement heuristics as these can vary between linkers, and may change between versions. All sections need to be explicitly named in the linker script. Discards the unused rela, plt, and got sections that are not needed in the final vmlinux, stop emitting kprobe sections without kprobes, and enable orphan section warnings. Signed-off-by: Kees Cook --- arch/x86/Makefile | 4 ++++ arch/x86/include/asm/asm.h | 6 +++++- arch/x86/kernel/vmlinux.lds.S | 6 ++++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/arch/x86/Makefile b/arch/x86/Makefile index 00e378de8bc0..f8a5b2333729 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -51,6 +51,10 @@ ifdef CONFIG_X86_NEED_RELOCS LDFLAGS_vmlinux := --emit-relocs --discard-none endif +# We never want expected sections to be placed heuristically by the +# linker. All sections should be explicitly named in the linker script. +LDFLAGS_vmlinux += --orphan-handling=warn + # # Prevent GCC from generating any FP code by mistake. # diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h index 0f63585edf5f..92feec0f0a12 100644 --- a/arch/x86/include/asm/asm.h +++ b/arch/x86/include/asm/asm.h @@ -138,11 +138,15 @@ # define _ASM_EXTABLE_FAULT(from, to) \ _ASM_EXTABLE_HANDLE(from, to, ex_handler_fault) -# define _ASM_NOKPROBE(entry) \ +# ifdef CONFIG_KPROBES +# define _ASM_NOKPROBE(entry) \ .pushsection "_kprobe_blacklist","aw" ; \ _ASM_ALIGN ; \ _ASM_PTR (entry); \ .popsection +# else +# define _ASM_NOKPROBE(entry) +# endif #else # define _EXPAND_EXTABLE_HANDLE(x) #x diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index 3bfc8dd8a43d..bb085ceeaaad 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -412,6 +412,12 @@ SECTIONS DWARF_DEBUG DISCARDS + /DISCARD/ : { + *(.rela.*) *(.rela_*) + *(.rel.*) *(.rel_*) + *(.got) *(.got.*) + *(.igot.*) *(.iplt) + } }