randstruct: Move seed generation into scripts/basic/
To enable Clang randstruct support, move the structure layout randomization seed generation out of scripts/gcc-plugins/ into scripts/basic/ so it happens early enough that it can be used by either compiler implementation. The gcc-plugin still builds its own header file, but now does so from the common "randstruct.seed" file. Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20220503205503.3054173-6-keescook@chromium.org
This commit is contained in:
parent
613f4b3ed7
commit
be2b34fa9b
@ -211,6 +211,7 @@ r200_reg_safe.h
|
|||||||
r300_reg_safe.h
|
r300_reg_safe.h
|
||||||
r420_reg_safe.h
|
r420_reg_safe.h
|
||||||
r600_reg_safe.h
|
r600_reg_safe.h
|
||||||
|
randstruct.seed
|
||||||
randomize_layout_hash.h
|
randomize_layout_hash.h
|
||||||
randomize_layout_seed.h
|
randomize_layout_seed.h
|
||||||
recordmcount
|
recordmcount
|
||||||
|
@ -100,8 +100,9 @@ Structure randomisation
|
|||||||
-----------------------
|
-----------------------
|
||||||
|
|
||||||
If you enable ``CONFIG_RANDSTRUCT``, you will need to pre-generate
|
If you enable ``CONFIG_RANDSTRUCT``, you will need to pre-generate
|
||||||
the random seed in ``scripts/gcc-plugins/randomize_layout_seed.h``
|
the random seed in ``scripts/basic/randstruct.seed`` so the same
|
||||||
so the same value is used in rebuilds.
|
value is used by each build. See ``scripts/gen-randstruct-seed.sh``
|
||||||
|
for details.
|
||||||
|
|
||||||
Debug info conflicts
|
Debug info conflicts
|
||||||
--------------------
|
--------------------
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
#define MODULE_VERMAGIC_MODVERSIONS ""
|
#define MODULE_VERMAGIC_MODVERSIONS ""
|
||||||
#endif
|
#endif
|
||||||
#ifdef RANDSTRUCT
|
#ifdef RANDSTRUCT
|
||||||
#include <generated/randomize_layout_hash.h>
|
#include <generated/randstruct_hash.h>
|
||||||
#define MODULE_RANDSTRUCT "RANDSTRUCT_" RANDSTRUCT_HASHED_SEED
|
#define MODULE_RANDSTRUCT "RANDSTRUCT_" RANDSTRUCT_HASHED_SEED
|
||||||
#else
|
#else
|
||||||
#define MODULE_RANDSTRUCT
|
#define MODULE_RANDSTRUCT
|
||||||
|
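--- a/scripts/basic/.gitignore
+++ b/scripts/basic/.gitignore
@@ -1,2 +1,3 @@
 # SPDX-License-Identifier: GPL-2.0-only
 /fixdep
+/randstruct.seed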
@ -3,3 +3,14 @@
|
|||||||
# fixdep: used to generate dependency information during build process
|
# fixdep: used to generate dependency information during build process
|
||||||
|
|
||||||
hostprogs-always-y += fixdep
|
hostprogs-always-y += fixdep
|
||||||
|
|
||||||
|
# randstruct: the seed is needed before building the gcc-plugin or
|
||||||
|
# before running a Clang kernel build.
|
||||||
|
gen-randstruct-seed := $(srctree)/scripts/gen-randstruct-seed.sh
|
||||||
|
quiet_cmd_create_randstruct_seed = GENSEED $@
|
||||||
|
cmd_create_randstruct_seed = \
|
||||||
|
$(CONFIG_SHELL) $(gen-randstruct-seed) \
|
||||||
|
$@ $(objtree)/include/generated/randstruct_hash.h
|
||||||
|
$(obj)/randstruct.seed: $(gen-randstruct-seed) FORCE
|
||||||
|
$(call if_changed,create_randstruct_seed)
|
||||||
|
always-$(CONFIG_RANDSTRUCT) += randstruct.seed
|
||||||
|
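Review bot: `cmd_create_randstruct_seed` writes a second output, `$(objtree)/include/generated/randstruct_hash.h`, that is not the rule's target, so `if_changed` only tracks `randstruct.seed`; if the header disappears while the seed file survives (the Kconfig help says the seed is kept across `make clean`, which I am inferring from the text rather than from this page), nothing regenerates it and the `#include <generated/randstruct_hash.h>` in vermagic.h fails. Deriving the header from the seed file with its own rule, the way the gcc-plugins Makefile now derives `randomize_layout_seed.h`, would make the dependency visible to make. Failing that, a comment above the cmd, `# also writes include/generated/randstruct_hash.h; that file is not tracked by if_changed`, at least documents the hidden output. Recipe indentation is not visible in this rendering, so the tab requirement could not be checked here.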
@ -1,12 +1,17 @@
|
|||||||
# SPDX-License-Identifier: GPL-2.0
|
# SPDX-License-Identifier: GPL-2.0
|
||||||
|
|
||||||
$(obj)/randomize_layout_plugin.so: $(objtree)/$(obj)/randomize_layout_seed.h
|
$(obj)/randomize_layout_plugin.so: $(obj)/randomize_layout_seed.h
|
||||||
quiet_cmd_create_randomize_layout_seed = GENSEED $@
|
quiet_cmd_create_randomize_layout_seed = SEEDHDR $@
|
||||||
cmd_create_randomize_layout_seed = \
|
cmd_create_randomize_layout_seed = \
|
||||||
$(CONFIG_SHELL) $(srctree)/$(src)/gen-random-seed.sh $@ $(objtree)/include/generated/randomize_layout_hash.h
|
SEED=$$(cat $(filter-out FORCE,$^) </dev/null); \
|
||||||
$(objtree)/$(obj)/randomize_layout_seed.h: FORCE
|
echo '/*' > $@; \
|
||||||
|
echo ' * This file is automatically generated. Keep it private.' >> $@; \
|
||||||
|
echo ' * Exposing this value will expose the layout of randomized structures.' >> $@; \
|
||||||
|
echo ' */' >> $@; \
|
||||||
|
echo "const char *randstruct_seed = \"$$SEED\";" >> $@
|
||||||
|
$(obj)/randomize_layout_seed.h: $(objtree)/scripts/basic/randstruct.seed FORCE
|
||||||
$(call if_changed,create_randomize_layout_seed)
|
$(call if_changed,create_randomize_layout_seed)
|
||||||
targets += randomize_layout_seed.h randomize_layout_hash.h
|
targets += randomize_layout_seed.h
|
||||||
|
|
||||||
# Build rules for plugins
|
# Build rules for plugins
|
||||||
#
|
#
|
||||||
|
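Review bot: In `cmd_create_randomize_layout_seed` the result of `SEED=$$(cat …)` is used unchecked and the commands are chained with `;`, so an empty seed file still produces a header declaring `randstruct_seed = ""` and the recipe exits 0. Adding `[ -n "$$SEED" ] || exit 1; \` directly after the assignment turns that into a build failure instead of silently embedding an empty seed. The five `echo … >> $@` appends could also be one redirected group, `{ echo '/*'; …; } > $@`, so an interrupted recipe does not leave a partial header that looks up to date.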
@ -1,9 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# SPDX-License-Identifier: GPL-2.0
|
|
||||||
|
|
||||||
if [ ! -f "$1" ]; then
|
|
||||||
SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
|
|
||||||
echo "const char *randstruct_seed = \"$SEED\";" > "$1"
|
|
||||||
HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'`
|
|
||||||
echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"
|
|
||||||
fi
|
|
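--- /dev/null
+++ b/scripts/gen-randstruct-seed.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+
+SEED=$(od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n')
+echo "$SEED" > "$1"
+HASH=$(echo -n "$SEED" | sha256sum | cut -d" " -f1)
+echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"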
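Review bot: The script writes whatever the `od | tr` pipeline produced into `$1` without checking it; there is no `set -e` and plain `sh` has no pipefail, so a failure there leaves an empty seed file and a hash of the empty string, which the build then treats as a valid, stable seed. A one-line guard after the assignment, `[ -n "$SEED" ] || exit 1`, makes that a build error instead. `echo -n` is also not portable across `sh` implementations; `printf '%s' "$SEED" | sha256sum | cut -d" " -f1` hashes the same bytes everywhere. Since the Kconfig text in this commit says the seed must not be made public, creating it under a restrictive umask (`umask 077` before the first write) rather than the user's default would be worth considering.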
@ -284,10 +284,11 @@ choice
|
|||||||
tools like Volatility against the system (unless the kernel
|
tools like Volatility against the system (unless the kernel
|
||||||
source tree isn't cleaned after kernel installation).
|
source tree isn't cleaned after kernel installation).
|
||||||
|
|
||||||
The seed used for compilation is located at
|
The seed used for compilation is in scripts/basic/randomize.seed.
|
||||||
scripts/randomize_layout_seed.h. It remains after a "make clean"
|
It remains after a "make clean" to allow for external modules to
|
||||||
to allow for external modules to be compiled with the existing
|
be compiled with the existing seed and will be removed by a
|
||||||
seed and will be removed by a "make mrproper" or "make distclean".
|
"make mrproper" or "make distclean". This file should not be made
|
||||||
|
public, or the structure layout can be determined.
|
||||||
|
|
||||||
config RANDSTRUCT_NONE
|
config RANDSTRUCT_NONE
|
||||||
bool "Disable structure layout randomization"
|
bool "Disable structure layout randomization"
|
||||||
|
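Review bot: The new help text names the seed file `scripts/basic/randomize.seed`, but the file this commit generates and ignores is `scripts/basic/randstruct.seed` (see the scripts/basic Makefile and .gitignore hunks and the reproducible-builds.rst text). Anyone following this help to back up or protect the seed would look for a file that does not exist; the line should read `The seed used for compilation is in scripts/basic/randstruct.seed.`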