From 1b8667812b3a1304f3db736ac4905d6ad77d721e Mon Sep 17 00:00:00 2001 From: Nathan Chancellor Date: Fri, 17 Jun 2022 11:08:46 -0700 Subject: [PATCH 1/4] x86/Kconfig: Fix CONFIG_CC_HAS_SANE_STACKPROTECTOR when cross compiling with clang Chimera Linux notes that CONFIG_CC_HAS_SANE_STACKPROTECTOR cannot be enabled when cross compiling an x86_64 kernel with clang, even though it does work when natively compiling. When building on aarch64: $ make -sj"$(nproc)" ARCH=x86_64 LLVM=1 defconfig $ grep STACKPROTECTOR .config When building on x86_64: $ make -sj"$(nproc)" ARCH=x86_64 LLVM=1 defconfig $ grep STACKPROTECTOR .config CONFIG_CC_HAS_SANE_STACKPROTECTOR=y CONFIG_HAVE_STACKPROTECTOR=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y When clang is invoked without a '--target' flag, code is generated for the default target, which is usually the host (it is configurable via cmake). As a result, the has-stack-protector scripts will generate code for the default target but check for x86 specific segment registers, which cannot succeed if the default target is not x86. $(CLANG_FLAGS) contains an explicit '--target' flag so pass that variable along to the has-stack-protector scripts so that the stack protector can be enabled when cross compiling with clang. The 32-bit stack protector cannot currently be enabled with clang, as it does not support '-mstack-protector-guard-symbol', so this results in no functional change for ARCH=i386 when cross compiling. Signed-off-by: Nathan Chancellor Signed-off-by: Dave Hansen Signed-off-by: Borislav Petkov Link: https://github.com/chimera-linux/cports/commit/0fb7e506d5f83fdf2104feb22cdac34934561226 Link: https://github.com/llvm/llvm-project/issues/48553 Link: https://lkml.kernel.org/r/20220617180845.2788442-1-nathan@kernel.org --- arch/x86/Kconfig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index be0b95e51df6..076adde7ead9 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -391,8 +391,8 @@ config PGTABLE_LEVELS config CC_HAS_SANE_STACKPROTECTOR bool - default $(success,$(srctree)/scripts/gcc-x86_64-has-stack-protector.sh $(CC)) if 64BIT - default $(success,$(srctree)/scripts/gcc-x86_32-has-stack-protector.sh $(CC)) + default $(success,$(srctree)/scripts/gcc-x86_64-has-stack-protector.sh $(CC) $(CLANG_FLAGS)) if 64BIT + default $(success,$(srctree)/scripts/gcc-x86_32-has-stack-protector.sh $(CC) $(CLANG_FLAGS)) help We have to make sure stack protector is unconditionally disabled if the compiler produces broken code or if it does not let us control From 8b979924b9f9e945a095a2f622b39b9fd9f65acb Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Mon, 11 Jul 2022 13:12:47 +0900 Subject: [PATCH 2/4] x86/build: Remove unused OBJECT_FILES_NON_STANDARD_test_nx.o Commit 3ad38ceb2769 ("x86/mm: Remove CONFIG_DEBUG_NX_TEST") removed arch/x86/kernel/test_nx.c Signed-off-by: Masahiro Yamada Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20220711041247.119357-1-masahiroy@kernel.org --- arch/x86/kernel/Makefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index 4c8b6ae802ac..a20a5ebfacd7 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile @@ -34,8 +34,6 @@ KASAN_SANITIZE_sev.o := n # by several compilation units. To be safe, disable all instrumentation. KCSAN_SANITIZE := n -OBJECT_FILES_NON_STANDARD_test_nx.o := y - # If instrumentation of this dir is enabled, boot hangs during first second. # Probably could be more selective here, but note that files related to irqs, # boot, dumpstack/stacktrace, etc are either non-interesting or can lead to From 61922d3fa686733e08387a8a4e11b02b4af6d43c Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Mon, 25 Jul 2022 11:08:11 +0900 Subject: [PATCH 3/4] x86/purgatory: Hard-code obj-y in Makefile arch/x86/Kbuild guards the entire purgatory/ directory, and CONFIG_KEXEC_FILE is bool type. $(CONFIG_KEXEC_FILE) is always 'y' when this directory is being built. Signed-off-by: Masahiro Yamada Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20220725020812.622255-1-masahiroy@kernel.org --- arch/x86/purgatory/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile index ae53d54d7959..248b009c4061 100644 --- a/arch/x86/purgatory/Makefile +++ b/arch/x86/purgatory/Makefile @@ -81,4 +81,4 @@ quiet_cmd_bin2c = BIN2C $@ $(obj)/kexec-purgatory.c: $(obj)/purgatory.ro $(obj)/purgatory.chk FORCE $(call if_changed,bin2c) -obj-$(CONFIG_KEXEC_FILE) += kexec-purgatory.o +obj-y += kexec-purgatory.o From 2d17bd24b0169d3fdbf003dfd55af600e9a30553 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Mon, 25 Jul 2022 11:08:12 +0900 Subject: [PATCH 4/4] x86/purgatory: Omit use of bin2c The .incbin assembler directive is much faster than bin2c + $(CC). Do similar refactoring as in 4c0f032d4963 ("s390/purgatory: Omit use of bin2c"). Please note the .quad directive matches to size_t in C (both 8 byte) because the purgatory is compiled only for the 64-bit kernel. (KEXEC_FILE depends on X86_64). Signed-off-by: Masahiro Yamada Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20220725020812.622255-2-masahiroy@kernel.org --- arch/x86/.gitignore | 2 -- arch/x86/Kconfig | 1 - arch/x86/purgatory/Makefile | 8 +------- arch/x86/purgatory/kexec-purgatory.S | 14 ++++++++++++++ scripts/remove-stale-files | 2 ++ 5 files changed, 17 insertions(+), 10 deletions(-) create mode 100644 arch/x86/purgatory/kexec-purgatory.S diff --git a/arch/x86/.gitignore b/arch/x86/.gitignore index 677111acbaa3..f2e1d6c347fb 100644 --- a/arch/x86/.gitignore +++ b/arch/x86/.gitignore @@ -3,6 +3,4 @@ boot/compressed/vmlinux tools/test_get_len tools/insn_sanity tools/insn_decoder_test -purgatory/kexec-purgatory.c purgatory/purgatory.ro - diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 076adde7ead9..901cb59d3a90 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2032,7 +2032,6 @@ config KEXEC config KEXEC_FILE bool "kexec file based system call" select KEXEC_CORE - select BUILD_BIN2C depends on X86_64 depends on CRYPTO=y depends on CRYPTO_SHA256=y diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile index 248b009c4061..31c634a22818 100644 --- a/arch/x86/purgatory/Makefile +++ b/arch/x86/purgatory/Makefile @@ -73,12 +73,6 @@ $(obj)/purgatory.ro: $(PURGATORY_OBJS) FORCE $(obj)/purgatory.chk: $(obj)/purgatory.ro FORCE $(call if_changed,ld) -targets += kexec-purgatory.c - -quiet_cmd_bin2c = BIN2C $@ - cmd_bin2c = $(objtree)/scripts/bin2c kexec_purgatory < $< > $@ - -$(obj)/kexec-purgatory.c: $(obj)/purgatory.ro $(obj)/purgatory.chk FORCE - $(call if_changed,bin2c) +$(obj)/kexec-purgatory.o: $(obj)/purgatory.ro $(obj)/purgatory.chk obj-y += kexec-purgatory.o diff --git a/arch/x86/purgatory/kexec-purgatory.S b/arch/x86/purgatory/kexec-purgatory.S new file mode 100644 index 000000000000..8530fe93b718 --- /dev/null +++ b/arch/x86/purgatory/kexec-purgatory.S @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + + .section .rodata, "a" + + .align 8 +kexec_purgatory: + .globl kexec_purgatory + .incbin "arch/x86/purgatory/purgatory.ro" +.Lkexec_purgatory_end: + + .align 8 +kexec_purgatory_size: + .globl kexec_purgatory_size + .quad .Lkexec_purgatory_end - kexec_purgatory diff --git a/scripts/remove-stale-files b/scripts/remove-stale-files index 7adab4618035..379e86c71bed 100755 --- a/scripts/remove-stale-files +++ b/scripts/remove-stale-files @@ -41,3 +41,5 @@ if [ -n "${building_out_of_srctree}" ]; then fi rm -f scripts/extract-cert + +rm -f arch/x86/purgatory/kexec-purgatory.c