From: "Russell King (Oracle)" <linux@armlinux.org.uk>
To: Jinjie Ruan <ruanjinjie@huawei.com>
Cc: ardb@kernel.org, arnd@arndb.de, afd@ti.com,
akpm@linux-foundation.org, linus.walleij@linaro.org,
eric.devolder@oracle.com, robh@kernel.org, kees@kernel.org,
masahiroy@kernel.org, palmer@rivosinc.com,
samitolvanen@google.com, xiao.w.wang@intel.com,
alexghiti@rivosinc.com, nathan@kernel.org,
jan.kiszka@siemens.com, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org
Subject: Re: [PATCH v2] ARM: Add support for STACKLEAK gcc plugin
Date: Fri, 2 Aug 2024 12:47:00 +0100 [thread overview]
Message-ID: <ZqzHNN27hwms0CB/@shell.armlinux.org.uk> (raw)
In-Reply-To: <b8792d9c-c2a2-6808-f94b-e3b826232f78@huawei.com>
On Mon, Jul 22, 2024 at 10:53:10AM +0800, Jinjie Ruan wrote:
> Gentle ping.
>
> On 2024/6/24 10:36, Jinjie Ruan wrote:
> > Add the STACKLEAK gcc plugin to arm32 by adding the helper used by
> > stackleak common code: on_thread_stack(). It initialize the stack with the
> > poison value before returning from system calls which improves the kernel
> > security. Additionally, this disables the plugin in EFI stub code and
> > decompress code, which are out of scope for the protection.
> >
> > Before the test on Qemu versatilepb board:
> > # echo STACKLEAK_ERASING > /sys/kernel/debug/provoke-crash/DIRECT
> > lkdtm: Performing direct entry STACKLEAK_ERASING
> > lkdtm: XFAIL: stackleak is not supported on this arch (HAVE_ARCH_STACKLEAK=n)
> >
> > After:
> > # echo STACKLEAK_ERASING > /sys/kernel/debug/provoke-crash/DIRECT
> > lkdtm: Performing direct entry STACKLEAK_ERASING
> > lkdtm: stackleak stack usage:
> > high offset: 80 bytes
> > current: 280 bytes
> > lowest: 696 bytes
> > tracked: 696 bytes
> > untracked: 192 bytes
> > poisoned: 7220 bytes
> > low offset: 4 bytes
> > lkdtm: OK: the rest of the thread stack is properly erased
> >
> > Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> > Acked-by: Ard Biesheuvel <ardb@kernel.org>
Is this a feature that you have a use case for?
--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
next prev parent reply other threads:[~2024-08-02 11:47 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-24 2:36 [PATCH v2] ARM: Add support for STACKLEAK gcc plugin Jinjie Ruan
2024-06-24 7:30 ` Linus Walleij
2024-06-27 7:53 ` Jinjie Ruan
2024-06-27 17:02 ` Kees Cook
2024-07-22 2:53 ` Jinjie Ruan
2024-07-29 11:12 ` Russell King (Oracle)
2024-07-29 11:24 ` Jinjie Ruan
2024-08-02 11:47 ` Russell King (Oracle) [this message]
2024-08-05 1:35 ` Jinjie Ruan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZqzHNN27hwms0CB/@shell.armlinux.org.uk \
--to=linux@armlinux.org.uk \
--cc=afd@ti.com \
--cc=akpm@linux-foundation.org \
--cc=alexghiti@rivosinc.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=eric.devolder@oracle.com \
--cc=jan.kiszka@siemens.com \
--cc=kees@kernel.org \
--cc=linus.walleij@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=nathan@kernel.org \
--cc=palmer@rivosinc.com \
--cc=robh@kernel.org \
--cc=ruanjinjie@huawei.com \
--cc=samitolvanen@google.com \
--cc=xiao.w.wang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.