objtool: Update documentation · tjh.dev/kernel@a8e35fe

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

objtool: Update documentation

The objtool documentation is very stack validation centric. Broaden the
documentation and describe all the features objtool supports.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Miroslav Benes <mbenes@suse.cz>
Link: https://lkml.kernel.org/r/b6a84d301d9f73ec6725752654097f4e31fa1b69.1650300597.git.jpoimboe@redhat.com

authored by

Josh Poimboeuf and committed by

Peter Zijlstra 4 years ago a8e35fec 753da417

+102 -20

1 changed file

expand all

tools

objtool

Documentation

objtool.txt

+102 -20

tools/objtool/Documentation/stack-validation.txt tools/objtool/Documentation/objtool.txt

··· 1 - Compile-time stack metadata validation 2 - ====================================== 1 + Objtool 2 + ======= 3 + 4 + The kernel CONFIG_OBJTOOL option enables a host tool named 'objtool' 5 + which runs at compile time. It can do various validations and 6 + transformations on .o files. 7 + 8 + Objtool has become an integral part of the x86-64 kernel toolchain. The 9 + kernel depends on it for a variety of security and performance features 10 + (and other types of features as well). 3 11 4 12 5 - Overview 13 + Features 6 14 -------- 7 15 8 - The kernel CONFIG_STACK_VALIDATION option enables a host tool named 9 - objtool which runs at compile time. It has a "check" subcommand which 10 - analyzes every .o file and ensures the validity of its stack metadata. 11 - It enforces a set of rules on asm code and C inline assembly code so 12 - that stack traces can be reliable. 16 + Objtool has the following features: 17 + 18 + - Stack unwinding metadata validation -- useful for helping to ensure 19 + stack traces are reliable for live patching 20 + 21 + - ORC unwinder metadata generation -- a faster and more precise 22 + alternative to frame pointer based unwinding 23 + 24 + - Retpoline validation -- ensures that all indirect calls go through 25 + retpoline thunks, for Spectre v2 mitigations 26 + 27 + - Retpoline call site annotation -- annotates all retpoline thunk call 28 + sites, enabling the kernel to patch them inline, to prevent "thunk 29 + funneling" for both security and performance reasons 30 + 31 + - Non-instrumentation validation -- validates non-instrumentable 32 + ("noinstr") code rules, preventing instrumentation in low-level C 33 + entry code 34 + 35 + - Static call annotation -- annotates static call sites, enabling the 36 + kernel to implement inline static calls, a faster alternative to some 37 + indirect branches 38 + 39 + - Uaccess validation -- validates uaccess rules for a proper 40 + implementation of Supervisor Mode Access Protection (SMAP) 41 + 42 + - Straight Line Speculation validation -- validates certain SLS 43 + mitigations 44 + 45 + - Indirect Branch Tracking validation -- validates Intel CET IBT rules 46 + to ensure that all functions referenced by function pointers have 47 + corresponding ENDBR instructions 48 + 49 + - Indirect Branch Tracking annotation -- annotates unused ENDBR 50 + instruction sites, enabling the kernel to "seal" them (replace them 51 + with NOPs) to further harden IBT 52 + 53 + - Function entry annotation -- annotates function entries, enabling 54 + kernel function tracing 55 + 56 + - Other toolchain hacks which will go unmentioned at this time... 57 + 58 + Each feature can be enabled individually or in combination using the 59 + objtool cmdline. 60 + 61 + 62 + Objects 63 + ------- 64 + 65 + Typically, objtool runs on every translation unit (TU, aka ".o file") in 66 + the kernel. If a TU is part of a kernel module, the '--module' option 67 + is added. 68 + 69 + However: 70 + 71 + - If noinstr validation is enabled, it also runs on vmlinux.o, with all 72 + options removed and '--noinstr' added. 73 + 74 + - If IBT or LTO is enabled, it doesn't run on TUs at all. Instead it 75 + runs on vmlinux.o and linked modules, with all options. 76 + 77 + In summary: 78 + 79 + A) Legacy mode: 80 + TU: objtool [--module] <options> 81 + vmlinux: N/A 82 + module: N/A 83 + 84 + B) CONFIG_NOINSTR_VALIDATION=y && !(CONFIG_X86_KERNEL_IBT=y || CONFIG_LTO=y): 85 + TU: objtool [--module] <options> // no --noinstr 86 + vmlinux: objtool --noinstr // other options removed 87 + module: N/A 88 + 89 + C) CONFIG_X86_KERNEL_IBT=y || CONFIG_LTO=y: 90 + TU: N/A 91 + vmlinux: objtool --noinstr <options> 92 + module: objtool --module --noinstr <options> 93 + 94 + 95 + Stack validation 96 + ---------------- 97 + 98 + Objtool's stack validation feature analyzes every .o file and ensures 99 + the validity of its stack metadata. It enforces a set of rules on asm 100 + code and C inline assembly code so that stack traces can be reliable. 13 101 14 102 For each function, it recursively follows all possible code paths and 15 103 validates the correct frame pointer state at each instruction. ··· 107 19 alternative execution paths to a given instruction (or set of 108 20 instructions). Similarly, it knows how to follow switch statements, for 109 21 which gcc sometimes uses jump tables. 110 - 111 - (Objtool also has an 'orc generate' subcommand which generates debuginfo 112 - for the ORC unwinder. See Documentation/x86/orc-unwinder.rst in the 113 - kernel tree for more details.) 114 - 115 - 116 - Why do we need stack metadata validation? 117 - ----------------------------------------- 118 22 119 23 Here are some of the benefits of validating stack metadata: 120 24 ··· 193 113 For more details, see the livepatch documentation in the Linux kernel 194 114 source tree at Documentation/livepatch/livepatch.rst. 195 115 196 - Rules 197 - ----- 198 - 199 116 To achieve the validation, objtool enforces the following rules: 200 117 201 118 1. Each callable function must be annotated as such with the ELF ··· 254 177 -fno-omit-frame-pointer or adds -fomit-frame-pointer to the gcc options. 255 178 256 179 Here are some examples of common warnings reported by objtool, what 257 - they mean, and suggestions for how to fix them. 180 + they mean, and suggestions for how to fix them. When in doubt, ping 181 + the objtool maintainers. 258 182 259 183 260 184 1. file.o: warning: objtool: func()+0x128: call without frame pointer save/setup ··· 436 358 OBJECT_FILES_NON_STANDARD := y 437 359 438 360 to the Makefile. 361 + 362 + NOTE: OBJECT_FILES_NON_STANDARD doesn't work for link time validation of 363 + vmlinux.o or a linked module. So it should only be used for files which 364 + aren't linked into vmlinux or a module.