[PATCH v2 0/2] hardening: Enable i386 FORTIFY

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2 0/2] hardening: Enable i386 FORTIFY_SOURCE on Clang 16+
@ 2025-03-08  4:29 Kees Cook
  2025-03-08  4:29 ` [PATCH v2 1/2] x86/build: Remove -ffreestanding on i386 with GCC Kees Cook
  2025-03-08  4:29 ` [PATCH v2 2/2] hardening: Enable i386 FORTIFY_SOURCE on Clang 16+ Kees Cook
  0 siblings, 2 replies; 7+ messages in thread
From: Kees Cook @ 2025-03-08  4:29 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: Kees Cook, Nick Desaulniers, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, Dave Hansen, H. Peter Anvin, Gustavo A. R. Silva,
	Paul Moore, James Morris, Serge E. Hallyn, Nick Desaulniers,
	Bill Wendling, Justin Stitt, linux-kernel, x86, linux-hardening,
	linux-security-module, llvm

Hi,

This drops -ffreestanding for i386 unconditionally for GCC, and on
Clang version 16 and later. FORTIFY_SOURCE depends on the libcall
optimizations made without -ffreestanding on Clang. On GCC, there is no
expected differences. With that done, it's possible to gain Clang
FORTIFY_SOURCE coverage on i386 again, though only for Clang 16+.

-Kees


 v1: https://lore.kernel.org/lkml/20250303214929.work.499-kees@kernel.org/
 v2: drop -ffreestanding (Nathan)

Kees Cook (2):
  x86/build: Remove -ffreestanding on i386 with GCC
  hardening: Enable i386 FORTIFY_SOURCE on Clang 16+

 arch/x86/Makefile          | 2 ++
 security/Kconfig.hardening | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

-- 
2.34.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v2 1/2] x86/build: Remove -ffreestanding on i386 with GCC
  2025-03-08  4:29 [PATCH v2 0/2] hardening: Enable i386 FORTIFY_SOURCE on Clang 16+ Kees Cook
@ 2025-03-08  4:29 ` Kees Cook
  2025-03-08  8:26   ` Ingo Molnar
  2025-03-08  9:17   ` Nathan Chancellor
  2025-03-08  4:29 ` [PATCH v2 2/2] hardening: Enable i386 FORTIFY_SOURCE on Clang 16+ Kees Cook
  1 sibling, 2 replies; 7+ messages in thread
From: Kees Cook @ 2025-03-08  4:29 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: Kees Cook, Nick Desaulniers, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, Dave Hansen, x86, H. Peter Anvin,
	Gustavo A. R. Silva, Paul Moore, James Morris, Serge E. Hallyn,
	Nick Desaulniers, Bill Wendling, Justin Stitt, linux-kernel,
	linux-hardening, linux-security-module, llvm

The use of -ffreestanding is a leftover that is only needed for certain
versions of Clang. Adjust this to be Clang-only. A later patch will make
this a versioned check.

Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: x86@kernel.org
Cc: "H. Peter Anvin" <hpa@zytor.com>
---
 arch/x86/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 5b773b34768d..d25ed25fb7d9 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -137,8 +137,10 @@ ifeq ($(CONFIG_X86_32),y)
         include $(srctree)/arch/x86/Makefile_32.cpu
         KBUILD_CFLAGS += $(cflags-y)
 
+    ifeq ($(CONFIG_CC_IS_CLANG),y)
         # temporary until string.h is fixed
         KBUILD_CFLAGS += -ffreestanding
+    endif
 
     ifeq ($(CONFIG_STACKPROTECTOR),y)
         ifeq ($(CONFIG_SMP),y)
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH v2 1/2] x86/build: Remove -ffreestanding on i386 with GCC
  2025-03-08  4:29 ` [PATCH v2 1/2] x86/build: Remove -ffreestanding on i386 with GCC Kees Cook
@ 2025-03-08  8:26   ` Ingo Molnar
  2025-03-08  9:17   ` Nathan Chancellor
  1 sibling, 0 replies; 7+ messages in thread
From: Ingo Molnar @ 2025-03-08  8:26 UTC (permalink / raw)
  To: Kees Cook
  Cc: Nathan Chancellor, Nick Desaulniers, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, Dave Hansen, x86, H. Peter Anvin,
	Gustavo A. R. Silva, Paul Moore, James Morris, Serge E. Hallyn,
	Nick Desaulniers, Bill Wendling, Justin Stitt, linux-kernel,
	linux-hardening, linux-security-module, llvm


* Kees Cook <kees@kernel.org> wrote:

> The use of -ffreestanding is a leftover that is only needed for certain
> versions of Clang. Adjust this to be Clang-only. A later patch will make
> this a versioned check.
> 
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: Borislav Petkov <bp@alien8.de>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: x86@kernel.org
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> ---
>  arch/x86/Makefile | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/arch/x86/Makefile b/arch/x86/Makefile
> index 5b773b34768d..d25ed25fb7d9 100644
> --- a/arch/x86/Makefile
> +++ b/arch/x86/Makefile
> @@ -137,8 +137,10 @@ ifeq ($(CONFIG_X86_32),y)
>          include $(srctree)/arch/x86/Makefile_32.cpu
>          KBUILD_CFLAGS += $(cflags-y)
>  
> +    ifeq ($(CONFIG_CC_IS_CLANG),y)
>          # temporary until string.h is fixed
>          KBUILD_CFLAGS += -ffreestanding
> +    endif

Acked-by: Ingo Molnar <mingo@kernel.org>

	Ingo

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v2 1/2] x86/build: Remove -ffreestanding on i386 with GCC
  2025-03-08  4:29 ` [PATCH v2 1/2] x86/build: Remove -ffreestanding on i386 with GCC Kees Cook
  2025-03-08  8:26   ` Ingo Molnar
@ 2025-03-08  9:17   ` Nathan Chancellor
  2025-03-08 17:23     ` Kees Cook
  1 sibling, 1 reply; 7+ messages in thread
From: Nathan Chancellor @ 2025-03-08  9:17 UTC (permalink / raw)
  To: Kees Cook
  Cc: Nick Desaulniers, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	Dave Hansen, x86, H. Peter Anvin, Gustavo A. R. Silva, Paul Moore,
	James Morris, Serge E. Hallyn, Nick Desaulniers, Bill Wendling,
	Justin Stitt, linux-kernel, linux-hardening,
	linux-security-module, llvm

On Fri, Mar 07, 2025 at 08:29:25PM -0800, Kees Cook wrote:
> The use of -ffreestanding is a leftover that is only needed for certain
> versions of Clang. Adjust this to be Clang-only. A later patch will make
> this a versioned check.
> 
> Signed-off-by: Kees Cook <kees@kernel.org>

This could also adjust the comment but it is probably not that big of a
deal since the "temporary" is already pretty stale.

Reviewed-by: Nathan Chancellor <nathan@kernel.org>

> ---
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Nick Desaulniers <nick.desaulniers+lkml@gmail.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: Borislav Petkov <bp@alien8.de>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: x86@kernel.org
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> ---
>  arch/x86/Makefile | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/arch/x86/Makefile b/arch/x86/Makefile
> index 5b773b34768d..d25ed25fb7d9 100644
> --- a/arch/x86/Makefile
> +++ b/arch/x86/Makefile
> @@ -137,8 +137,10 @@ ifeq ($(CONFIG_X86_32),y)
>          include $(srctree)/arch/x86/Makefile_32.cpu
>          KBUILD_CFLAGS += $(cflags-y)
>  
> +    ifeq ($(CONFIG_CC_IS_CLANG),y)
>          # temporary until string.h is fixed
>          KBUILD_CFLAGS += -ffreestanding
> +    endif
>  
>      ifeq ($(CONFIG_STACKPROTECTOR),y)
>          ifeq ($(CONFIG_SMP),y)
> -- 
> 2.34.1
> 

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v2 1/2] x86/build: Remove -ffreestanding on i386 with GCC
  2025-03-08  9:17   ` Nathan Chancellor
@ 2025-03-08 17:23     ` Kees Cook
  0 siblings, 0 replies; 7+ messages in thread
From: Kees Cook @ 2025-03-08 17:23 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: Nick Desaulniers, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	Dave Hansen, x86, H. Peter Anvin, Gustavo A. R. Silva, Paul Moore,
	James Morris, Serge E. Hallyn, Nick Desaulniers, Bill Wendling,
	Justin Stitt, linux-kernel, linux-hardening,
	linux-security-module, llvm

On Sat, Mar 08, 2025 at 10:17:46AM +0100, Nathan Chancellor wrote:
> On Fri, Mar 07, 2025 at 08:29:25PM -0800, Kees Cook wrote:
> > The use of -ffreestanding is a leftover that is only needed for certain
> > versions of Clang. Adjust this to be Clang-only. A later patch will make
> > this a versioned check.
> > 
> > Signed-off-by: Kees Cook <kees@kernel.org>
> 
> This could also adjust the comment but it is probably not that big of a
> deal since the "temporary" is already pretty stale.

Ah yeah, good call. I'll fix that up locally.

> 
> Reviewed-by: Nathan Chancellor <nathan@kernel.org>

Thanks!

-Kees

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v2 2/2] hardening: Enable i386 FORTIFY_SOURCE on Clang 16+
  2025-03-08  4:29 [PATCH v2 0/2] hardening: Enable i386 FORTIFY_SOURCE on Clang 16+ Kees Cook
  2025-03-08  4:29 ` [PATCH v2 1/2] x86/build: Remove -ffreestanding on i386 with GCC Kees Cook
@ 2025-03-08  4:29 ` Kees Cook
  2025-03-08  9:19   ` Nathan Chancellor
  1 sibling, 1 reply; 7+ messages in thread
From: Kees Cook @ 2025-03-08  4:29 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: Kees Cook, Nick Desaulniers, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, Dave Hansen, H. Peter Anvin, Gustavo A. R. Silva,
	Paul Moore, James Morris, Serge E. Hallyn, Nick Desaulniers,
	Bill Wendling, Justin Stitt, linux-kernel, x86, linux-hardening,
	linux-security-module, llvm

The i386 regparm bug exposed with FORTIFY_SOURCE with Clang was fixed
in Clang 16[1].

Link: https://github.com/llvm/llvm-project/commit/c167c0a4dcdb998affb2756ce76903a12f7d8ca5 [1]
Signed-off-by: Kees Cook <kees@kernel.org>
---
 arch/x86/Makefile          | 2 +-
 security/Kconfig.hardening | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index d25ed25fb7d9..917459d1ad40 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -137,7 +137,7 @@ ifeq ($(CONFIG_X86_32),y)
         include $(srctree)/arch/x86/Makefile_32.cpu
         KBUILD_CFLAGS += $(cflags-y)
 
-    ifeq ($(CONFIG_CC_IS_CLANG),y)
+    ifneq ($(call clang-min-version, 160000),y)
         # temporary until string.h is fixed
         KBUILD_CFLAGS += -ffreestanding
     endif
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index 23ffb0d7c845..c17366ce8224 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -286,7 +286,7 @@ config FORTIFY_SOURCE
 	bool "Harden common str/mem functions against buffer overflows"
 	depends on ARCH_HAS_FORTIFY_SOURCE
 	# https://github.com/llvm/llvm-project/issues/53645
-	depends on !CC_IS_CLANG || !X86_32
+	depends on !X86_32 || !CC_IS_CLANG || CLANG_VERSION >= 160000
 	help
 	  Detect overflows of buffers in common string and memory functions
 	  where the compiler can determine and validate the buffer sizes.
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH v2 2/2] hardening: Enable i386 FORTIFY_SOURCE on Clang 16+
  2025-03-08  4:29 ` [PATCH v2 2/2] hardening: Enable i386 FORTIFY_SOURCE on Clang 16+ Kees Cook
@ 2025-03-08  9:19   ` Nathan Chancellor
  0 siblings, 0 replies; 7+ messages in thread
From: Nathan Chancellor @ 2025-03-08  9:19 UTC (permalink / raw)
  To: Kees Cook
  Cc: Nick Desaulniers, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	Dave Hansen, H. Peter Anvin, Gustavo A. R. Silva, Paul Moore,
	James Morris, Serge E. Hallyn, Nick Desaulniers, Bill Wendling,
	Justin Stitt, linux-kernel, x86, linux-hardening,
	linux-security-module, llvm

On Fri, Mar 07, 2025 at 08:29:26PM -0800, Kees Cook wrote:
> The i386 regparm bug exposed with FORTIFY_SOURCE with Clang was fixed
> in Clang 16[1].
> 
> Link: https://github.com/llvm/llvm-project/commit/c167c0a4dcdb998affb2756ce76903a12f7d8ca5 [1]
> Signed-off-by: Kees Cook <kees@kernel.org>

Reviewed-by: Nathan Chancellor <nathan@kernel.org>

> ---
>  arch/x86/Makefile          | 2 +-
>  security/Kconfig.hardening | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/Makefile b/arch/x86/Makefile
> index d25ed25fb7d9..917459d1ad40 100644
> --- a/arch/x86/Makefile
> +++ b/arch/x86/Makefile
> @@ -137,7 +137,7 @@ ifeq ($(CONFIG_X86_32),y)
>          include $(srctree)/arch/x86/Makefile_32.cpu
>          KBUILD_CFLAGS += $(cflags-y)
>  
> -    ifeq ($(CONFIG_CC_IS_CLANG),y)
> +    ifneq ($(call clang-min-version, 160000),y)
>          # temporary until string.h is fixed
>          KBUILD_CFLAGS += -ffreestanding
>      endif
> diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
> index 23ffb0d7c845..c17366ce8224 100644
> --- a/security/Kconfig.hardening
> +++ b/security/Kconfig.hardening
> @@ -286,7 +286,7 @@ config FORTIFY_SOURCE
>  	bool "Harden common str/mem functions against buffer overflows"
>  	depends on ARCH_HAS_FORTIFY_SOURCE
>  	# https://github.com/llvm/llvm-project/issues/53645
> -	depends on !CC_IS_CLANG || !X86_32
> +	depends on !X86_32 || !CC_IS_CLANG || CLANG_VERSION >= 160000
>  	help
>  	  Detect overflows of buffers in common string and memory functions
>  	  where the compiler can determine and validate the buffer sizes.
> -- 
> 2.34.1
> 

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2025-03-08 17:23 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-03-08  4:29 [PATCH v2 0/2] hardening: Enable i386 FORTIFY_SOURCE on Clang 16+ Kees Cook
2025-03-08  4:29 ` [PATCH v2 1/2] x86/build: Remove -ffreestanding on i386 with GCC Kees Cook
2025-03-08  8:26   ` Ingo Molnar
2025-03-08  9:17   ` Nathan Chancellor
2025-03-08 17:23     ` Kees Cook
2025-03-08  4:29 ` [PATCH v2 2/2] hardening: Enable i386 FORTIFY_SOURCE on Clang 16+ Kees Cook
2025-03-08  9:19   ` Nathan Chancellor

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).