cf68fffb66
This change adds support for Clang’s forward-edge Control Flow Integrity (CFI) checking. With CONFIG_CFI_CLANG, the compiler injects a runtime check before each indirect function call to ensure the target is a valid function with the correct static type. This restricts possible call targets and makes it more difficult for an attacker to exploit bugs that allow the modification of stored function pointers. For more details, see: https://clang.llvm.org/docs/ControlFlowIntegrity.html Clang requires CONFIG_LTO_CLANG to be enabled with CFI to gain visibility to possible call targets. Kernel modules are supported with Clang’s cross-DSO CFI mode, which allows checking between independently compiled components. With CFI enabled, the compiler injects a __cfi_check() function into the kernel and each module for validating local call targets. For cross-module calls that cannot be validated locally, the compiler calls the global __cfi_slowpath_diag() function, which determines the target module and calls the correct __cfi_check() function. This patch includes a slowpath implementation that uses __module_address() to resolve call targets, and with CONFIG_CFI_CLANG_SHADOW enabled, a shadow map that speeds up module look-ups by ~3x. Clang implements indirect call checking using jump tables and offers two methods of generating them. With canonical jump tables, the compiler renames each address-taken function to <function>.cfi and points the original symbol to a jump table entry, which passes __cfi_check() validation. This isn’t compatible with stand-alone assembly code, which the compiler doesn’t instrument, and would result in indirect calls to assembly code to fail. Therefore, we default to using non-canonical jump tables instead, where the compiler generates a local jump table entry <function>.cfi_jt for each address-taken function, and replaces all references to the function with the address of the jump table entry. Note that because non-canonical jump table addresses are local to each component, they break cross-module function address equality. Specifically, the address of a global function will be different in each module, as it's replaced with the address of a local jump table entry. If this address is passed to a different module, it won’t match the address of the same function taken there. This may break code that relies on comparing addresses passed from other components. CFI checking can be disabled in a function with the __nocfi attribute. Additionally, CFI can be disabled for an entire compilation unit by filtering out CC_FLAGS_CFI. By default, CFI failures result in a kernel panic to stop a potential exploit. CONFIG_CFI_PERMISSIVE enables a permissive mode, where the kernel prints out a rate-limited warning instead, and allows execution to continue. This option is helpful for locating type mismatches, but should only be enabled during development. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Tested-by: Nathan Chancellor <nathan@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210408182843.1754385-2-samitolvanen@google.com
101 lines
3.2 KiB
Makefile
101 lines
3.2 KiB
Makefile
# SPDX-License-Identifier: GPL-2.0-only
|
|
# ===========================================================================
|
|
# Module final link
|
|
# ===========================================================================
|
|
|
|
PHONY := __modfinal
|
|
__modfinal:
|
|
|
|
include include/config/auto.conf
|
|
include $(srctree)/scripts/Kbuild.include
|
|
|
|
# for c_flags and objtool_args
|
|
include $(srctree)/scripts/Makefile.lib
|
|
|
|
# find all modules listed in modules.order
|
|
modules := $(sort $(shell cat $(MODORDER)))
|
|
|
|
__modfinal: $(modules)
|
|
@:
|
|
|
|
# modname and part-of-module are set to make c_flags define proper module flags
|
|
modname = $(notdir $(@:.mod.o=))
|
|
part-of-module = y
|
|
|
|
quiet_cmd_cc_o_c = CC [M] $@
|
|
cmd_cc_o_c = $(CC) $(filter-out $(CC_FLAGS_CFI), $(c_flags)) -c -o $@ $<
|
|
|
|
%.mod.o: %.mod.c FORCE
|
|
$(call if_changed_dep,cc_o_c)
|
|
|
|
ARCH_POSTLINK := $(wildcard $(srctree)/arch/$(SRCARCH)/Makefile.postlink)
|
|
|
|
ifdef CONFIG_LTO_CLANG
|
|
# With CONFIG_LTO_CLANG, reuse the object file we compiled for modpost to
|
|
# avoid a second slow LTO link
|
|
prelink-ext := .lto
|
|
|
|
# ELF processing was skipped earlier because we didn't have native code,
|
|
# so let's now process the prelinked binary before we link the module.
|
|
|
|
ifdef CONFIG_STACK_VALIDATION
|
|
ifneq ($(SKIP_STACK_VALIDATION),1)
|
|
cmd_ld_ko_o += \
|
|
$(objtree)/tools/objtool/objtool $(objtool_args) \
|
|
$(@:.ko=$(prelink-ext).o);
|
|
|
|
endif # SKIP_STACK_VALIDATION
|
|
endif # CONFIG_STACK_VALIDATION
|
|
|
|
endif # CONFIG_LTO_CLANG
|
|
|
|
quiet_cmd_ld_ko_o = LD [M] $@
|
|
cmd_ld_ko_o += \
|
|
$(LD) -r $(KBUILD_LDFLAGS) \
|
|
$(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \
|
|
-T scripts/module.lds -o $@ $(filter %.o, $^); \
|
|
$(if $(ARCH_POSTLINK), $(MAKE) -f $(ARCH_POSTLINK) $@, true)
|
|
|
|
quiet_cmd_btf_ko = BTF [M] $@
|
|
cmd_btf_ko = \
|
|
if [ -f vmlinux ]; then \
|
|
LLVM_OBJCOPY=$(OBJCOPY) $(PAHOLE) -J --btf_base vmlinux $@; \
|
|
else \
|
|
printf "Skipping BTF generation for %s due to unavailability of vmlinux\n" $@ 1>&2; \
|
|
fi;
|
|
|
|
# Same as newer-prereqs, but allows to exclude specified extra dependencies
|
|
newer_prereqs_except = $(filter-out $(PHONY) $(1),$?)
|
|
|
|
# Same as if_changed, but allows to exclude specified extra dependencies
|
|
if_changed_except = $(if $(call newer_prereqs_except,$(2))$(cmd-check), \
|
|
$(cmd); \
|
|
printf '%s\n' 'cmd_$@ := $(make-cmd)' > $(dot-target).cmd, @:)
|
|
|
|
|
|
# Re-generate module BTFs if either module's .ko or vmlinux changed
|
|
$(modules): %.ko: %$(prelink-ext).o %.mod.o scripts/module.lds $(if $(KBUILD_BUILTIN),vmlinux) FORCE
|
|
+$(call if_changed_except,ld_ko_o,vmlinux)
|
|
ifdef CONFIG_DEBUG_INFO_BTF_MODULES
|
|
+$(if $(newer-prereqs),$(call cmd,btf_ko))
|
|
endif
|
|
|
|
targets += $(modules) $(modules:.ko=.mod.o)
|
|
|
|
# Add FORCE to the prequisites of a target to force it to be always rebuilt.
|
|
# ---------------------------------------------------------------------------
|
|
|
|
PHONY += FORCE
|
|
FORCE:
|
|
|
|
# Read all saved command lines and dependencies for the $(targets) we
|
|
# may be building above, using $(if_changed{,_dep}). As an
|
|
# optimization, we don't need to read them if the target does not
|
|
# exist, we will rebuild anyway in that case.
|
|
|
|
existing-targets := $(wildcard $(sort $(targets)))
|
|
|
|
-include $(foreach f,$(existing-targets),$(dir $(f)).$(notdir $(f)).cmd)
|
|
|
|
.PHONY: $(PHONY)
|