[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Minios-devel] [UNIKRAFT PATCH v4 3/4] build: Add option to toggle the stack protection

To: Vlad-Andrei BĂDOIU (78692) <vlad_andrei.badoiu@xxxxxxxxxxxxxxx>, "minios-devel@xxxxxxxxxxxxx" <minios-devel@xxxxxxxxxxxxx>
From: Simon Kuenzer <simon.kuenzer@xxxxxxxxx>
Date: Wed, 18 Mar 2020 14:27:27 +0100
Cc: "felipe.huici@xxxxxxxxx" <felipe.huici@xxxxxxxxx>, "sharan.santhanam@xxxxxxxxx" <sharan.santhanam@xxxxxxxxx>
Delivery-date: Wed, 18 Mar 2020 13:27:49 +0000
List-id: Mini-os development list <minios-devel.lists.xenproject.org>

I think this patch should probably come before patch 2. Unfortunately,due to recent changes it also needs to be updated. The chances toMakefile.uk do not apply any more. Luckily, this patch is gettingeasier. I got it aplpied with the following changes to the currentMakefile.uk:


--- a/Makefile.uk
+++ b/Makefile.uk
@@ -6,9 +6,13 @@

 COMPFLAGS    += -nostdinc -nostdlib
 COMPFLAGS    += -U __linux__ -U __FreeBSD__ -U __sun__
-COMPFLAGS    += -fno-stack-protector -fno-omit-frame-pointer -fno-tree-sra
+COMPFLAGS    += -fno-omit-frame-pointer -fno-tree-sra
 COMPFLAGS    += -Wall -Wextra

+ifneq ($(HAVE_STACKPROTECTOR),y)
+COMPFLAGS    += -fno-stack-protector
+endif
+

# TODO: Remove -fms-extensions if not needed for our code (it wasmoved from Arm64 arch)

 CFLAGS       += -fms-extensions
 ASFLAGS      += -D__ASSEMBLY__

Btw, I think we lost -fno-split-stack which was set to GOFLAGS before.Do you know if we need this? If yes we should set it to COMPFLAGS.


On 04.02.20 15:10, Vlad-Andrei BĂDOIU (78692) wrote:

From: Vlad-Andrei BĂDOIU (78692) <vlad_andrei.badoiu@xxxxxxxxxxxxxxx>

This patch adds build option to select different stack protection
levels.

Signed-off-by: Vlad-Andrei Badoiu <vlad_andrei.badoiu@xxxxxxxxxxxxxxx>
---
  Makefile.uk          | 10 ++++++++--
  lib/Config.uk        |  4 ++++
  lib/uksp/Config.uk   |  1 -
  lib/uksp/Makefile.uk | 16 ++++++++++++++++
  4 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/Makefile.uk b/Makefile.uk
index 67c372e5..177618d7 100644
--- a/Makefile.uk
+++ b/Makefile.uk
@@ -8,12 +8,12 @@ ASFLAGS     += -U __linux__ -U __FreeBSD__ -U __sun__ 
-D__ASSEMBLY__
  ASINCLUDES  += -nostdinc -nostdlib -I$(CONFIG_UK_BASE)/include

CFLAGS += -U __linux__ -U __FreeBSD__ -U __sun__

-CFLAGS      += -fno-stack-protector -fno-omit-frame-pointer -fno-tree-sra
+CFLAGS      += -fno-omit-frame-pointer -fno-tree-sra
  CFLAGS      += -Wall -Wextra
  CINCLUDES   += -nostdinc -nostdlib -I$(CONFIG_UK_BASE)/include

CXXFLAGS += -U __linux__ -U __FreeBSD__ -U __sun__

-CXXFLAGS    += -fno-stack-protector -fno-omit-frame-pointer -fno-tree-sra
+CXXFLAGS    += -fno-omit-frame-pointer -fno-tree-sra
  CXXFLAGS    += -Wall -Wextra
  CXXINCLUDES += -nostdinc -nostdlib -I$(CONFIG_UK_BASE)/include

@@ -28,6 +28,12 @@ GOCINCLUDES += -nostdinc -nostdlib -I$(CONFIG_UK_BASE)/include

  LIBLDFLAGS  += -nostdinc -nostdlib -Wl,--omagic -Wl,-r -Wl,-d 
-Wl,--build-id=none
  LDFLAGS     += -nostdinc -nostdlib -Wl,--omagic -Wl,--build-id=none

+ifneq ($(HAVE_STACKPROTECTOR),y)

+CFLAGS   += -fno-stack-protector
+CXXFLAGS += -fno-stack-protector
+GOFLAGS  += -fno-stack-protector
+endif
+
  CFLAGS-$(CONFIG_OPTIMIZE_NONE)            += -O0 -fno-optimize-sibling-calls 
-fno-tree-vectorize
  CXXFLAGS-$(CONFIG_OPTIMIZE_NONE)          += -O0 -fno-optimize-sibling-calls 
-fno-tree-vectorize
  GOCFLAGS-$(CONFIG_OPTIMIZE_NONE)          += -O0 -fno-optimize-sibling-calls 
-fno-tree-vectorize
diff --git a/lib/Config.uk b/lib/Config.uk
index e83ed30b..4fb934b1 100644
--- a/lib/Config.uk
+++ b/lib/Config.uk
@@ -28,3 +28,7 @@ config HAVE_NW_STACK
  config HAVE_SYSCALL
         bool
         default n
+
+config HAVE_STACKPROTECTOR
+       bool
+       default n
diff --git a/lib/uksp/Config.uk b/lib/uksp/Config.uk
index 2ec953d4..3791b5ae 100644
--- a/lib/uksp/Config.uk
+++ b/lib/uksp/Config.uk
@@ -48,5 +48,4 @@ config LIBUKSP_VALUE_CONSTANT
        int "Canary value"
        depends on LIBUKSP_VALUE_USECONSTANT
        default 42
-


This white space fix should not be part of this patch, right?

  endif
diff --git a/lib/uksp/Makefile.uk b/lib/uksp/Makefile.uk
index 6c391c9d..bd8bde7f 100644
--- a/lib/uksp/Makefile.uk
+++ b/lib/uksp/Makefile.uk
@@ -3,3 +3,19 @@ $(eval $(call addlib_s,libuksp,$(CONFIG_LIBUKSP)))
  CINCLUDES-y += -I$(LIBUKSP_BASE)/include

LIBUKSP_SRCS-y += $(LIBUKSP_BASE)/ssp.c

+
+CFLAGS-$(CONFIG_STACKPROTECTOR_NONE)           += -fno-stack-protector
+CXXFLAGS-$(CONFIG_STACKPROTECTOR_NONE)         += -fno-stack-protector
+GOFLAGS-$(CONFIG_STACKPROTECTOR_NONE)          += -fno-stack-protector

Remove the option that disables stack protection when uksp is selected.This should be done by the buildsystem already when HAVE_STACKPROTECTORis not set.

+
+CFLAGS-$(CONFIG_STACKPROTECTOR_REGULAR)                += -fstack-protector 
-mstack-protector-guard=global
+CXXFLAGS-$(CONFIG_STACKPROTECTOR_REGULAR)      += -fstack-protector 
-mstack-protector-guard=global
+GOFLAGS-$(CONFIG_STACKPROTECTOR_REGULAR)       += -fstack-protector 
-mstack-protector-guard=global
+
+CFLAGS-$(CONFIG_STACKPROTECTOR_STRONG)         += -fstack-protector-strong 
-mstack-protector-guard=global
+CXXFLAGS-$(CONFIG_STACKPROTECTOR_STRONG)       += -fstack-protector-strong 
-mstack-protector-guard=global
+GOFLAGS-$(CONFIG_STACKPROTECTOR_STRONG)                += 
-fstack-protector-strong -mstack-protector-guard=global
+
+CFLAGS-$(CONFIG_STACKPROTECTOR_ALL)            += -fstack-protector-all 
-mstack-protector-guard=global
+CXXFLAGS-$(CONFIG_STACKPROTECTOR_ALL)          += -fstack-protector-all 
-mstack-protector-guard=global
+GOFLAGS-$(CONFIG_STACKPROTECTOR_ALL)           += -fstack-protector-all 
-mstack-protector-guard=global


I think these options should be included with the current patch 2/4.

Instead of using CFLAGS, CXXFLAGS, GOFLAGS, you should use justCOMPFLAGS now:

COMPFLAGS-$(CONFIG_STACKPROTECTOR_REGULAR) += -fstack-protector-mstack-protector-guard=globalCOMPFLAGS-$(CONFIG_STACKPROTECTOR_STRONG) += -fstack-protector-strong-mstack-protector-guard=globalCOMPFLAGS-$(CONFIG_STACKPROTECTOR_ALL) += -fstack-protector-all-mstack-protector-guard=global


_______________________________________________
Minios-devel mailing list
Minios-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/minios-devel

Prev by Date: Re: [Minios-devel] [UNIKRAFT PATCH v4 0/4] lib/uksp: Introduce uksp library
Next by Date: Re: [Minios-devel] [UNIKRAFT PATCH v4 4/4] lib/ukboot: Initialize the canary value at boot
Previous by thread: Re: [Minios-devel] [UNIKRAFT PATCH v4 0/4] lib/uksp: Introduce uksp library
Next by thread: Re: [Minios-devel] [UNIKRAFT PATCH v4 4/4] lib/ukboot: Initialize the canary value at boot
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.