From: Kees Cook <keescook@chromium.org>
To: Alexander Potapenko <glider@google.com>
Cc: "Greg KH" <gregkh@linuxfoundation.org>,
"Masahiro Yamada" <yamada.masahiro@socionext.com>,
"James Morris" <jmorris@namei.org>,
"Maciej Żenczykowski" <maze@google.com>,
"Nick Desaulniers" <ndesaulniers@google.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2] [RFC] security: allow using Clang's zero initialization for stack variables
Date: Tue, 16 Jun 2020 09:18:07 -0700 [thread overview]
Message-ID: <202006160911.BD403B5@keescook> (raw)
In-Reply-To: <CAG_fn=VYN6ynu2bnW96-p-QRi77NstHC6DXS+AN0r0bm5K2j7w@mail.gmail.com>
On Tue, Jun 16, 2020 at 02:15:52PM +0200, Alexander Potapenko wrote:
> > > +KBUILD_CFLAGS += -ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang
> > > +endif
> >
> > Gotta love the name...
>
> This is basically the reason why we've been hesitating to add it to
> the kernel from the very beginning.
>
> > Anyway, if this is enabled, and clang changes the flag or drops it, does
> > the build suddenly break?
>
> My original intention (see v1 of this patch) was to make
> zero-initialization a secondary option of INIT_STACK_ALL, so that
> nothing changes for the existing users.
> But I agree with Kees that these options should be made distinct, as
> people may want to use them for different purposes (think debug vs.
> release builds).
Yeah, and if the flag changes again, we can adapt. But at this point,
it's getting used downstream, so we need to land the config in the
kernel.
> We could make INIT_STACK_ALL_ZERO fall back to INIT_STACK_ALL_PATTERN
> if the compiler flag goes away - does this make sense?
I don't like this idea -- I'm very hesitant to make security options do
something different than what they document. It means the end user can't
reason about how their kernel is built when looking at their CONFIGs.
> > And does gcc have something like this as well, or does that have to come
> > in a compiler plugin?
>
> Kees mentioned someone's plans to implement that in GCC, but I don't
> think they have done it already.
I've had some GCC folks reach about about these features, but I haven't
seen any public discussion yet.
--
Kees Cook
prev parent reply other threads:[~2020-06-16 16:18 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-16 8:34 [PATCH v2] [RFC] security: allow using Clang's zero initialization for stack variables glider
2020-06-16 8:41 ` Maciej Żenczykowski
2020-06-16 9:08 ` Kees Cook
2020-06-16 10:03 ` Greg KH
2020-06-16 10:19 ` Maciej Żenczykowski
2020-06-16 12:05 ` Alexander Potapenko
2020-06-16 12:15 ` Alexander Potapenko
2020-06-16 12:20 ` Maciej Żenczykowski
2020-06-16 16:18 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202006160911.BD403B5@keescook \
--to=keescook@chromium.org \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=maze@google.com \
--cc=ndesaulniers@google.com \
--cc=yamada.masahiro@socionext.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).