Skip to content

Commit 222f608

Browse files
JacobBarthelmehJacobBarthelmeh
authored
Merge pull request #9399 from douzzer/20251106-linuxkm-PIE-inline-thunks
20251106-linuxkm-PIE-inline-thunks
2 parents a96b35c + 53a20f4 commit 222f608

1 file changed

Lines changed: 36 additions & 34 deletions

File tree

linuxkm/Kbuild

Lines changed: 36 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -99,11 +99,6 @@ endif
9999

100100
ccflags-y := $(WOLFSSL_CFLAGS) $(WOLFSSL_CFLAGS_NO_VECTOR_INSNS)
101101

102-
$(obj)/libwolfssl.mod.o: ccflags-y :=
103-
$(obj)/wolfcrypt/test/test.o: ccflags-y += -DNO_MAIN_DRIVER -DWOLFSSL_NO_OPTIONS_H
104-
105-
$(obj)/wolfcrypt/src/aes.o: ccflags-y = $(WOLFSSL_CFLAGS) $(WOLFSSL_CFLAGS_YES_VECTOR_INSNS)
106-
107102
ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
108103
# note, we need -fno-stack-protector to avoid references to
109104
# "__stack_chk_fail" from the wolfCrypt container.
@@ -113,27 +108,31 @@ ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
113108
KASAN_SANITIZE := n
114109
UBSAN_SANITIZE := n
115110
ifeq "$(KERNEL_ARCH_X86)" "yes"
116-
PIE_FLAGS += -mcmodel=small
117-
ifeq "$(CONFIG_MITIGATION_RETPOLINE)" "y"
118-
PIE_FLAGS += -mfunction-return=thunk-inline
119-
else
120-
PIE_FLAGS += -mfunction-return=keep
121-
endif
122-
ifeq "$(CONFIG_MITIGATION_RETHUNK)" "y"
123-
PIE_FLAGS += -mindirect-branch=thunk-inline
124-
else
125-
PIE_FLAGS += -mindirect-branch=keep
126-
endif
111+
PIE_FLAGS += -mcmodel=small
112+
113+
# eliminate external references to __x86_return_thunk and
114+
# __x86_indirect_thunk_foo implementations. _all_ references must be
115+
# eliminated, not just those in PIE objects, otherwise some kernels will
116+
# false-positively complain about unpatched thunks.
117+
ifeq "$(CONFIG_MITIGATION_RETPOLINE)" "y"
118+
PIE_SUPPORT_FLAGS += -mfunction-return=thunk-inline
119+
else
120+
PIE_SUPPORT_FLAGS += -mfunction-return=keep
121+
endif
122+
ifeq "$(CONFIG_MITIGATION_RETHUNK)" "y"
123+
PIE_SUPPORT_FLAGS += -mindirect-branch=thunk-inline
124+
else
125+
PIE_SUPPORT_FLAGS += -mindirect-branch=keep
126+
endif
127+
128+
OBJECT_FILES_NON_STANDARD := y
127129
endif
128130
ifeq "$(KERNEL_ARCH)" "mips"
129131
PIE_FLAGS += -mabicalls
130132
endif
131-
$(WOLFCRYPT_PIE_FILES): ccflags-y += $(PIE_SUPPORT_FLAGS) $(PIE_FLAGS)
133+
ccflags-y += $(PIE_SUPPORT_FLAGS)
134+
$(WOLFCRYPT_PIE_FILES): ccflags-y += $(PIE_FLAGS)
132135
$(WOLFCRYPT_PIE_FILES): ccflags-remove-y += -pg
133-
$(obj)/linuxkm/module_hooks.o: ccflags-y += $(PIE_SUPPORT_FLAGS)
134-
# using inline retpolines leads to "unannotated intra-function call"
135-
# warnings from objtool without this:
136-
$(WOLFCRYPT_PIE_FILES): OBJECT_FILES_NON_STANDARD := y
137136
ifdef FORCE_GLOBAL_OBJTOOL_OFF
138137
undefine CONFIG_OBJTOOL
139138
endif
@@ -143,35 +142,38 @@ ifdef KERNEL_EXTRA_CFLAGS_REMOVE
143142
ccflags-remove-y += KERNEL_EXTRA_CFLAGS_REMOVE
144143
endif
145144

146-
$(obj)/wolfcrypt/benchmark/benchmark.o: ccflags-y = $(WOLFSSL_CFLAGS) $(CFLAGS_FPU_ENABLE) $(CFLAGS_SIMD_ENABLE) $(PIE_SUPPORT_FLAGS) -DNO_MAIN_FUNCTION -DWOLFSSL_NO_OPTIONS_H
147-
$(obj)/wolfcrypt/benchmark/benchmark.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_ENABLE_SIMD_DISABLE)
145+
$(obj)/libwolfssl.mod.o: ccflags-y := $(PIE_SUPPORT_FLAGS)
146+
$(obj)/wolfcrypt/test/test.o: ccflags-y += -DNO_MAIN_DRIVER -DWOLFSSL_NO_OPTIONS_H
147+
$(obj)/wolfcrypt/src/aes.o: ccflags-y := $(WOLFSSL_CFLAGS) $(WOLFSSL_CFLAGS_YES_VECTOR_INSNS) $(PIE_FLAGS) $(PIE_SUPPORT_FLAGS)
148+
$(obj)/wolfcrypt/benchmark/benchmark.o: ccflags-y := $(WOLFSSL_CFLAGS) $(CFLAGS_FPU_ENABLE) $(CFLAGS_SIMD_ENABLE) $(PIE_SUPPORT_FLAGS) -DNO_MAIN_FUNCTION -DWOLFSSL_NO_OPTIONS_H
149+
$(obj)/wolfcrypt/benchmark/benchmark.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_ENABLE_SIMD_DISABLE)
148150

149151
asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPUSIMD_DISABLE)
150152

151153
# vectorized implementations that are kernel-safe are listed here.
152154
# these are known kernel-compatible, but need the vector instructions enabled in the assembler,
153155
# and most of them still irritate objtool.
154-
$(obj)/wolfcrypt/src/aes_asm.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
156+
$(obj)/wolfcrypt/src/aes_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
155157
$(obj)/wolfcrypt/src/aes_asm.o: OBJECT_FILES_NON_STANDARD := y
156-
$(obj)/wolfcrypt/src/aes_gcm_asm.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
158+
$(obj)/wolfcrypt/src/aes_gcm_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
157159
$(obj)/wolfcrypt/src/aes_gcm_asm.o: OBJECT_FILES_NON_STANDARD := y
158-
$(obj)/wolfcrypt/src/aes_xts_asm.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
160+
$(obj)/wolfcrypt/src/aes_xts_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
159161
$(obj)/wolfcrypt/src/aes_xts_asm.o: OBJECT_FILES_NON_STANDARD := y
160-
$(obj)/wolfcrypt/src/sp_x86_64_asm.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
162+
$(obj)/wolfcrypt/src/sp_x86_64_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
161163
$(obj)/wolfcrypt/src/sp_x86_64_asm.o: OBJECT_FILES_NON_STANDARD := y
162-
$(obj)/wolfcrypt/src/sha256_asm.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
164+
$(obj)/wolfcrypt/src/sha256_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
163165
$(obj)/wolfcrypt/src/sha256_asm.o: OBJECT_FILES_NON_STANDARD := y
164-
$(obj)/wolfcrypt/src/sha512_asm.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
166+
$(obj)/wolfcrypt/src/sha512_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
165167
$(obj)/wolfcrypt/src/sha512_asm.o: OBJECT_FILES_NON_STANDARD := y
166-
$(obj)/wolfcrypt/src/sha3_asm.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
168+
$(obj)/wolfcrypt/src/sha3_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
167169
$(obj)/wolfcrypt/src/sha3_asm.o: OBJECT_FILES_NON_STANDARD := y
168-
$(obj)/wolfcrypt/src/chacha_asm.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
170+
$(obj)/wolfcrypt/src/chacha_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
169171
$(obj)/wolfcrypt/src/chacha_asm.o: OBJECT_FILES_NON_STANDARD := y
170-
$(obj)/wolfcrypt/src/poly1305_asm.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
172+
$(obj)/wolfcrypt/src/poly1305_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
171173
$(obj)/wolfcrypt/src/poly1305_asm.o: OBJECT_FILES_NON_STANDARD := y
172-
$(obj)/wolfcrypt/src/wc_mlkem_asm.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
174+
$(obj)/wolfcrypt/src/wc_mlkem_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
173175
$(obj)/wolfcrypt/src/wc_mlkem_asm.o: OBJECT_FILES_NON_STANDARD := y
174-
$(obj)/wolfcrypt/src/wc_mldsa_asm.o: asflags-y = $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
176+
$(obj)/wolfcrypt/src/wc_mldsa_asm.o: asflags-y := $(WOLFSSL_ASFLAGS) $(ASFLAGS_FPU_DISABLE_SIMD_ENABLE)
175177
$(obj)/wolfcrypt/src/wc_mldsa_asm.o: OBJECT_FILES_NON_STANDARD := y
176178

177179
ifndef READELF

0 commit comments

Comments
 (0)