Date: Tue, 30 Apr 2024 08:12:56 -0700
From: Nathan Chancellor
To: Kees Cook
Cc: "Gustavo A. R. Silva", Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Nick Desaulniers, Bill Wendling, Justin Stitt, linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] hardening: Refresh KCFI options, add some more
Message-ID: <20240430151256.GA1012249@dev-arch.thelio-3990X>
References: <20240426222940.work.884-kees@kernel.org> <20240429221650.GA3666021@dev-arch.thelio-3990X> <202404292233.9A98A7C@keescook>
In-Reply-To: <202404292233.9A98A7C@keescook>

On Mon, Apr 29, 2024 at 10:35:03PM -0700, Kees Cook wrote:
> On Mon, Apr 29, 2024 at 03:16:50PM -0700, Nathan Chancellor wrote:
> > On Fri, Apr 26, 2024 at 03:29:44PM -0700, Kees Cook wrote:
> > [...]
> > > +# Enable Kernel Control Flow Integrity (currently Clang only).
> > > +CONFIG_CFI_CLANG=y
> > > +# CONFIG_CFI_PERMISSIVE is not set
> >
> > Should this be a part of kernel/configs/hardening.config because RISC-V
> > supports it (and 32-bit ARM will soon too)?
>
> Probably yes. I was worried it might be "noisy" for archs that don't
> support it, but frankly if someone is using "make hardening.config" they
> probably want to know about unsupported options. :)

It would be potentially noisy as it is currently written since someone
building with GCC for arm64 or x86_64 could merge hardening.config into
their configuration and they would see CONFIG_CFI_CLANG get enabled by
merge_config.sh but on oldconfig or olddefconfig, it would get flipped
off again because the toolchain dependencies are not met. Might as well
make it architecture agnostic at that point :)

Cheers,
Nathan
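
Review bot: the comment on the first added line says "(currently Clang only)" but does not say what happens with another compiler. As the reply above explains, with GCC the CONFIG_CFI_CLANG=y request is enabled by merge_config.sh and then flipped off again by oldconfig or olddefconfig, so the fragment can look applied when it is not. Suggest the comment state the Clang requirement as a dependency that causes the option to be dropped, and that the same wording be carried along if these lines move to kernel/configs/hardening.config as proposed.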
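
The merge-then-flip behaviour described in the reply above can be checked after the fact by comparing the fragment with the final configuration. This is an added example, not part of the thread or the kernel tree: `check_fragment` is a hypothetical helper, and the fragment and the two final configs are constructed samples.

```shell
#!/bin/sh
# check_fragment FRAGMENT FINAL_CONFIG   (hypothetical helper, not a kernel script)
# Prints every request in FRAGMENT that FINAL_CONFIG does not honour and
# returns 1 if there was at least one.
check_fragment() {
    frag=$1 final=$2 dropped=0
    while IFS= read -r line; do
        case $line in
            CONFIG_*=*)
                # A requested value must appear verbatim in the final config.
                grep -qxF -- "$line" "$final" && continue ;;
            "# CONFIG_"*" is not set")
                sym=${line#"# "}; sym=${sym%" is not set"}
                # "not set" is honoured by the marker line or by absence
                # (a symbol with unmet dependencies is not written at all).
                grep -q "^$sym=" "$final" || continue ;;
            *) continue ;;   # ordinary comments and blank lines
        esac
        echo "dropped: $line"
        dropped=1
    done < "$frag"
    return $dropped
}

# Constructed sample data: the fragment lines quoted in the thread, plus two
# stand-ins for a final .config after olddefconfig (Clang build, GCC build).
tmp=$(mktemp -d)
printf '%s\n' '# Enable Kernel Control Flow Integrity (currently Clang only).' \
    'CONFIG_CFI_CLANG=y' '# CONFIG_CFI_PERMISSIVE is not set' > "$tmp/fragment.config"
printf '%s\n' 'CONFIG_CC_IS_CLANG=y' 'CONFIG_CFI_CLANG=y' \
    '# CONFIG_CFI_PERMISSIVE is not set' > "$tmp/clang.config"
printf '%s\n' 'CONFIG_CC_IS_GCC=y' > "$tmp/gcc.config"

for cfg in clang gcc; do
    if check_fragment "$tmp/fragment.config" "$tmp/$cfg.config"; then
        echo "$cfg: all requested options present"
    else
        echo "$cfg: fragment not fully applied"
    fi
done
```

Run against a real build, the second argument would be the `.config` left in the build directory after `olddefconfig`.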