f594e28d80
This collects various compiler hardening feature related updates: - gcc-plugins: - remove support for GCC 4.9 and older (Ard Biesheuvel) - remove duplicate include in gcc-common.h (Ye Guojin) - Explicitly document purpose and deprecation schedule (Kees Cook) - Remove cyc_complexity (Kees Cook) - instrumentation: - Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO (Kees Cook) - Clang LTO: - kallsyms: strip LTO suffixes from static functions (Nick Desaulniers) -----BEGIN PGP SIGNATURE----- iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmGAEyEWHGtlZXNjb29r QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJg82D/90Cnh7yCtuWJUlFDjlYsKhZbGR GxAfn+r92dS024G6aNgQjgmsJreZeY4HIkX4UJP6Xw8CakptjxpSJMrA19VeAVja B4hMph6dJ5XIJQEGKff1QFgyxSviW/FG8BmoMn/eCo9PYSPLmam44FOUERanMr/S aqARSxafmxX/wHT9fbegvbHmr7hBUStvFP7TYDoSVuSLfuuT4hYnqePy02t5jC9k RBVUQxEUuYaDIpMga5n/auLaodFcNkVTA0Kznoj5D8pgciKJU/qcoErB/49x1eQZ UNgDdEDa87emHNSj7WEheuEWOqIwEttXHnJhItbARew074lIAvfOWQZuS6ApmStw CsB5GH6gLu1qYHqQYyu03ZQrTjOES5OBRZ+bRSsC7rJhbES8m/Rp/cE59yNihall bWRPnQGxcgmxZh7lu6AOpJ6p31Wfn3WMG9fyjhseENCYlEawFm5LDN6UI+2ubULb nu41llRlgrBB8tEnDh67t6Pvyquz71zqWrX+rZMZLhjxZE3Trpuq7u35Rdrc8BSM m4w+bwWDbOt/LKF79c5iXURZdqDEwkjkh8sJA2e5bZCQU3nLgHXobC+NjTS044+f /MFXV4OFquFRzB5P7kfP2USM+ghxZvPRqAmUoNEPcBopzZdcdnx1dNkMfI52c8Jc GClPQHThoM+Ht5t9yQ== =u7XU -----END PGP SIGNATURE----- Merge tag 'hardening-v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull compiler hardening updates from Kees Cook: "These are various compiler-related hardening feature updates. Notable is the addition of an explicit limited rationale for, and deprecation schedule of, gcc-plugins. 
gcc-plugins: - remove support for GCC 4.9 and older (Ard Biesheuvel) - remove duplicate include in gcc-common.h (Ye Guojin) - Explicitly document purpose and deprecation schedule (Kees Cook) - Remove cyc_complexity (Kees Cook) instrumentation: - Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO (Kees Cook) Clang LTO: - kallsyms: strip LTO suffixes from static functions (Nick Desaulniers)" * tag 'hardening-v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: gcc-plugins: remove duplicate include in gcc-common.h gcc-plugins: Remove cyc_complexity gcc-plugins: Explicitly document purpose and deprecation schedule kallsyms: strip LTO suffixes from static functions gcc-plugins: remove support for GCC 4.9 and older hardening: Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO
# SPDX-License-Identifier: GPL-2.0
# latent_entropy: with CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y the plugin object is
# queued on gcc-plugin-y and LATENT_ENTROPY_PLUGIN is defined for C code.
# With the option unset the names expand to "gcc-plugin-" and
# "gcc-plugin-cflags-", which nothing in this file reads.
gcc-plugin-$(CONFIG_GCC_PLUGIN_LATENT_ENTROPY) += latent_entropy_plugin.so
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_LATENT_ENTROPY) += -DLATENT_ENTROPY_PLUGIN

# Opt-out flag: holds the plugin's "-disable" argument only while the plugin
# is enabled, and is exported either way (empty when the plugin is off).
# NOTE(review): the consumers are not in this file; presumably makefiles that
# must build some objects without this instrumentation. Each such use is code
# the plugin does not cover, so keep the list of users short and auditable.
ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
  DISABLE_LATENT_ENTROPY_PLUGIN += -fplugin-arg-latent_entropy_plugin-disable
endif
export DISABLE_LATENT_ENTROPY_PLUGIN
# sancov: queued on gcc-plugin-y so it is part of the exported GCC_PLUGIN list,
# but it adds no per-plugin cflags here. Its -fplugin= entry is filtered back
# out of GCC_PLUGINS_CFLAGS further down in this file, because the plugin is
# passed to the compiler via CFLAGS_KCOV instead.
gcc-plugin-$(CONFIG_GCC_PLUGIN_SANCOV) += sancov_plugin.so
# structleak: queue the plugin object, then add one plugin argument per
# enabled sub-option (verbose, byref, byref-all) and the STRUCTLEAK_PLUGIN
# define. What each mode covers is decided by the plugin and its Kconfig help,
# not by this file. The order of the appends is kept because it is the order
# the flags appear on the compiler command line.
gcc-plugin-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) += structleak_plugin.so
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE) += -fplugin-arg-structleak_plugin-verbose
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF) += -fplugin-arg-structleak_plugin-byref
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL) += -fplugin-arg-structleak_plugin-byref-all
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) += -DSTRUCTLEAK_PLUGIN

# Opt-out flag, exported unconditionally and non-empty only when the plugin is
# enabled. NOTE(review): users are outside this file; any object built with it
# is built without structleak instrumentation, so review where it is applied.
ifdef CONFIG_GCC_PLUGIN_STRUCTLEAK
  DISABLE_STRUCTLEAK_PLUGIN += -fplugin-arg-structleak_plugin-disable
endif
export DISABLE_STRUCTLEAK_PLUGIN
# randstruct: queue randomize_layout_plugin.so and define RANDSTRUCT_PLUGIN
# when CONFIG_GCC_PLUGIN_RANDSTRUCT=y. The separate _PERFORMANCE option adds
# the plugin's "performance-mode" argument; what that mode trades away is
# defined by the plugin, not here.
# Unlike the neighbouring plugins, this section exports no DISABLE_* opt-out.
gcc-plugin-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) += randomize_layout_plugin.so
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) += -DRANDSTRUCT_PLUGIN
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE) += -fplugin-arg-randomize_layout_plugin-performance-mode
# stackleak: queue the plugin object and pass it three things: the
# STACKLEAK_PLUGIN define, the tracking threshold from
# CONFIG_STACKLEAK_TRACK_MIN_SIZE, and the source architecture from SRCARCH.
# The three flags are appended in one statement; the resulting value and flag
# order match three separate appends to the same variable.
gcc-plugin-$(CONFIG_GCC_PLUGIN_STACKLEAK) += stackleak_plugin.so
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) += -DSTACKLEAK_PLUGIN \
	-fplugin-arg-stackleak_plugin-track-min-size=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE) \
	-fplugin-arg-stackleak_plugin-arch=$(SRCARCH)

# Opt-out flag, exported unconditionally and non-empty only when the plugin is
# enabled. NOTE(review): users are outside this file; objects compiled with it
# are left out of the stackleak instrumentation, so audit where it is used.
ifdef CONFIG_GCC_PLUGIN_STACKLEAK
  DISABLE_STACKLEAK_PLUGIN += -fplugin-arg-stackleak_plugin-disable
endif
export DISABLE_STACKLEAK_PLUGIN
# arm_ssp_per_task: queue the plugin object when
# CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK=y. No define or extra plugin argument is
# added in this file. By its name this is per-task stack-protector support on
# ARM; the actual behaviour lives in the plugin source.
gcc-plugin-$(CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK) += arm_ssp_per_task_plugin.so

# Opt-out flag, exported unconditionally and non-empty only when the plugin is
# enabled. NOTE(review): users are outside this file; confirm each one really
# needs to be built without the plugin.
ifdef CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK
  DISABLE_ARM_SSP_PER_TASK_PLUGIN += -fplugin-arg-arm_ssp_per_task_plugin-disable
endif
export DISABLE_ARM_SSP_PER_TASK_PLUGIN
# Build the complete plugin flag set in one place, so that a build target that
# has to drop the plugin flags can filter this exported variable out of
# KBUILD_CFLAGS.
#
# Each enabled plugin in gcc-plugin-y becomes a -fplugin= option naming a
# shared object under $(objtree)/scripts/gcc-plugins/, followed by the
# per-plugin arguments and defines from gcc-plugin-cflags-y. GCC loads that
# shared object into the compiler, so the integrity of the build tree directly
# affects the code that gets generated.
#
# sancov_plugin.so is filtered out of the list because it is passed via
# CFLAGS_KCOV instead.
export GCC_PLUGINS_CFLAGS := $(filter-out %/sancov_plugin.so, \
	$(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) \
		$(gcc-plugin-cflags-y)))

# Apply the collected plugin flags to the build's C flags.
KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
# Snapshot of the enabled plugin objects (gcc-plugin-y), exported so the rules
# that build the plugins can see it. Those rules are not in this file;
# presumably they live in the makefile under scripts/gcc-plugins/ (confirm).
export GCC_PLUGIN := $(gcc-plugin-y)