
stackleak: Split KSTACK_ERASE_CFLAGS from GCC_PLUGINS_CFLAGS

In preparation for Clang stack depth tracking for KSTACK_ERASE,
split the stackleak-specific cflags out of GCC_PLUGINS_CFLAGS into
KSTACK_ERASE_CFLAGS.

Link: https://lore.kernel.org/r/20250717232519.2984886-3-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>

Kees Cook 76261fc7 9ea1e8d2

+27 -18
+2
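--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -13094,6 +13094,8 @@
 F: lib/tests/randstruct_kunit.c
 F: lib/tests/usercopy_kunit.c
 F: mm/usercopy.c
+F: scripts/Makefile.kstack_erase
+F: scripts/Makefile.randstruct
 F: security/Kconfig.hardening
 K: \b(add|choose)_random_kstack_offset\b
 K: \b__check_(object_size|heap_object)\b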
+1
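--- a/Makefile
+++ b/Makefile
@@ -1086,6 +1086,7 @@
 include-$(CONFIG_UBSAN) += scripts/Makefile.ubsan
 include-$(CONFIG_KCOV) += scripts/Makefile.kcov
 include-$(CONFIG_RANDSTRUCT) += scripts/Makefile.randstruct
+include-$(CONFIG_KSTACK_ERASE) += scripts/Makefile.kstack_erase
 include-$(CONFIG_AUTOFDO_CLANG) += scripts/Makefile.autofdo
 include-$(CONFIG_PROPELLER_CLANG) += scripts/Makefile.propeller
 include-$(CONFIG_GCC_PLUGINS) += scripts/Makefile.gcc-plugins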
+1 -1
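--- a/arch/arm/vdso/Makefile
+++ b/arch/arm/vdso/Makefile
@@ -26,7 +26,7 @@
 CFLAGS_REMOVE_vdso.o = -pg
 
 # Force -O2 to avoid libgcc dependencies
-CFLAGS_REMOVE_vgettimeofday.o = -pg -Os $(RANDSTRUCT_CFLAGS) $(GCC_PLUGINS_CFLAGS)
+CFLAGS_REMOVE_vgettimeofday.o = -pg -Os $(RANDSTRUCT_CFLAGS) $(KSTACK_ERASE_CFLAGS) $(GCC_PLUGINS_CFLAGS)
 ifeq ($(c-gettimeofday-y),)
 CFLAGS_vgettimeofday.o = -O2
 else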
+2 -1
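--- a/arch/arm64/kernel/vdso/Makefile
+++ b/arch/arm64/kernel/vdso/Makefile
@@ -36,7 +36,8 @@
 # -Wmissing-prototypes and -Wmissing-declarations are removed from
 # the CFLAGS to make possible to build the kernel with CONFIG_WERROR enabled.
 CC_FLAGS_REMOVE_VDSO := $(CC_FLAGS_FTRACE) -Os $(CC_FLAGS_SCS) \
-$(RANDSTRUCT_CFLAGS) $(GCC_PLUGINS_CFLAGS) \
+$(RANDSTRUCT_CFLAGS) $(KSTACK_ERASE_CFLAGS) \
+$(GCC_PLUGINS_CFLAGS) \
 $(CC_FLAGS_LTO) $(CC_FLAGS_CFI) \
 -Wmissing-prototypes -Wmissing-declarations
 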
+2 -1
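--- a/arch/sparc/vdso/Makefile
+++ b/arch/sparc/vdso/Makefile
@@ -48,7 +48,7 @@
 
 SPARC_REG_CFLAGS = -ffixed-g4 -ffixed-g5 $(call cc-option,-fcall-used-g5) $(call cc-option,-fcall-used-g7)
 
-$(vobjs): KBUILD_CFLAGS := $(filter-out $(RANDSTRUCT_CFLAGS) $(GCC_PLUGINS_CFLAGS) $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS)) $(CFL)
+$(vobjs): KBUILD_CFLAGS := $(filter-out $(RANDSTRUCT_CFLAGS) $(KSTACK_ERASE_CFLAGS) $(GCC_PLUGINS_CFLAGS) $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS)) $(CFL)
 
 #
 # vDSO code runs in userspace and -pg doesn't help with profiling anyway.
@@ -79,6 +79,7 @@
 KBUILD_CFLAGS_32 := $(filter-out -mcmodel=medlow,$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out -fno-pic,$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out $(RANDSTRUCT_CFLAGS),$(KBUILD_CFLAGS_32))
+KBUILD_CFLAGS_32 := $(filter-out $(KSTACK_ERASE_CFLAGS),$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out $(SPARC_REG_CFLAGS),$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 += -m32 -msoft-float -fpic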
+2 -1
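--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -62,7 +62,7 @@
 endif
 endif
 
-$(vobjs): KBUILD_CFLAGS := $(filter-out $(PADDING_CFLAGS) $(CC_FLAGS_LTO) $(CC_FLAGS_CFI) $(RANDSTRUCT_CFLAGS) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL)
+$(vobjs): KBUILD_CFLAGS := $(filter-out $(PADDING_CFLAGS) $(CC_FLAGS_LTO) $(CC_FLAGS_CFI) $(RANDSTRUCT_CFLAGS) $(KSTACK_ERASE_CFLAGS) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL)
 $(vobjs): KBUILD_AFLAGS += -DBUILD_VDSO
 
 #
@@ -123,6 +123,7 @@
 KBUILD_CFLAGS_32 := $(filter-out -fno-pic,$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out -mfentry,$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out $(RANDSTRUCT_CFLAGS),$(KBUILD_CFLAGS_32))
+KBUILD_CFLAGS_32 := $(filter-out $(KSTACK_ERASE_CFLAGS),$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out $(CC_FLAGS_LTO),$(KBUILD_CFLAGS_32))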
+2 -14
scripts/Makefile.gcc-plugins
··· 8 8 endif 9 9 export DISABLE_LATENT_ENTROPY_PLUGIN 10 10 11 - gcc-plugin-$(CONFIG_GCC_PLUGIN_STACKLEAK) += stackleak_plugin.so 12 - gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ 13 - += -DSTACKLEAK_PLUGIN 14 - gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ 15 - += -fplugin-arg-stackleak_plugin-track-min-size=$(CONFIG_KSTACK_ERASE_TRACK_MIN_SIZE) 16 - gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ 17 - += -fplugin-arg-stackleak_plugin-arch=$(SRCARCH) 18 - gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE) \ 19 - += -fplugin-arg-stackleak_plugin-verbose 20 - ifdef CONFIG_GCC_PLUGIN_STACKLEAK 21 - DISABLE_KSTACK_ERASE += -fplugin-arg-stackleak_plugin-disable 22 - endif 23 - export DISABLE_KSTACK_ERASE 24 - 25 11 # All the plugin CFLAGS are collected here in case a build target needs to 26 12 # filter them out of the KBUILD_CFLAGS. 27 13 GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y)) -DGCC_PLUGINS ··· 20 34 # be included in GCC_PLUGIN so they can get built. 21 35 gcc-plugin-external-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \ 22 36 += randomize_layout_plugin.so 37 + gcc-plugin-external-$(CONFIG_GCC_PLUGIN_STACKLEAK) \ 38 + += stackleak_plugin.so 23 39 24 40 # All enabled GCC plugins are collected here for building in 25 41 # scripts/gcc-scripts/Makefile.
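Review bot: Removing the stackleak entries from `gcc-plugin-cflags-y` in the first hunk means `GCC_PLUGINS_CFLAGS` no longer carries them, so any build target that strips only `$(GCC_PLUGINS_CFLAGS)` keeps the stack-erase instrumentation after this change. The commit updates four vDSO Makefiles; other users of that filter are not visible on this page, so it is worth grepping the tree for `GCC_PLUGINS_CFLAGS` and adding `$(KSTACK_ERASE_CFLAGS)` alongside it wherever the plugin must stay out. The removed `-DSTACKLEAK_PLUGIN` define also has no counterpart in scripts/Makefile.kstack_erase and the commit message does not mention dropping it; if that is intentional, a sentence in the description would make it reviewable.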
+15
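--- a/scripts/Makefile.kstack_erase
+++ b/scripts/Makefile.kstack_erase
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: GPL-2.0
+
+ifdef CONFIG_GCC_PLUGIN_STACKLEAK
+kstack-erase-cflags-y += -fplugin=$(objtree)/scripts/gcc-plugins/stackleak_plugin.so
+kstack-erase-cflags-y += -fplugin-arg-stackleak_plugin-track-min-size=$(CONFIG_KSTACK_ERASE_TRACK_MIN_SIZE)
+kstack-erase-cflags-y += -fplugin-arg-stackleak_plugin-arch=$(SRCARCH)
+kstack-erase-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE) += -fplugin-arg-stackleak_plugin-verbose
+DISABLE_KSTACK_ERASE := -fplugin-arg-stackleak_plugin-disable
+endif
+
+KSTACK_ERASE_CFLAGS := $(kstack-erase-cflags-y)
+
+export STACKLEAK_CFLAGS DISABLE_KSTACK_ERASE
+
+KBUILD_CFLAGS += $(KSTACK_ERASE_CFLAGS)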
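Review bot: The `export` line names `STACKLEAK_CFLAGS`, which nothing in this file defines, while the variable the file actually builds, `KSTACK_ERASE_CFLAGS`, is left unexported. The arm, arm64, sparc and x86 vDSO Makefiles touched in the same commit now filter on `$(KSTACK_ERASE_CFLAGS)`; if they are evaluated in a sub-make, as exporting here implies, the variable expands to nothing there and the stackleak plugin flags stay in the vDSO build, where they were previously stripped via `$(GCC_PLUGINS_CFLAGS)`. Change the line to `export KSTACK_ERASE_CFLAGS DISABLE_KSTACK_ERASE`. A one-line comment above `KSTACK_ERASE_CFLAGS` saying it is collected so targets can filter these flags out of `KBUILD_CFLAGS`, mirroring the comment in scripts/Makefile.gcc-plugins, would also help.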