On Tue, Mar 24, 2020 at 02:24:51PM -0700, Kristen Carlson Accardi wrote: > On Tue, 2020-02-25 at 12:55 -0500, Arvind Sankar wrote: > > On Wed, Feb 05, 2020 at 02:39:44PM -0800, Kristen Carlson Accardi > > wrote: > > > Allow user to select CONFIG_FG_KASLR if dependencies are met. > > > Change > > > the make file to build with -ffunction-sections if CONFIG_FG_KASLR > > > > > > Signed-off-by: Kristen Carlson Accardi <kristen@xxxxxxxxxxxxxxx> > > > --- > > > Makefile | 4 ++++ > > > arch/x86/Kconfig | 13 +++++++++++++ > > > 2 files changed, 17 insertions(+) > > > > > > diff --git a/Makefile b/Makefile > > > index c50ef91f6136..41438a921666 100644 > > > --- a/Makefile > > > +++ b/Makefile > > > @@ -846,6 +846,10 @@ ifdef CONFIG_LIVEPATCH > > > KBUILD_CFLAGS += $(call cc-option, -flive-patching=inline-clone) > > > endif > > > > > > +ifdef CONFIG_FG_KASLR > > > +KBUILD_CFLAGS += -ffunction-sections > > > +endif > > > + > > > > With -ffunction-sections I get a few unreachable code warnings from > > objtool. > > > > [...] > > net/mac80211/ibss.o: warning: objtool: > > ieee80211_ibss_work.cold()+0x157: unreachable instruction > > drivers/net/ethernet/intel/e1000/e1000_main.o: warning: objtool: > > e1000_clean.cold()+0x0: unreachable instruction > > net/core/skbuff.o: warning: objtool: skb_dump.cold()+0x3fd: > > unreachable instruction > > I'm still working on a solution, but the issue here is that any .cold > function is going to be in a different section than the related > function, and when objtool is searching for instructions in > find_insn(), it assumes that it must be in the same section as the > caller. Can we teach objtool about this? It doesn't seem too unreasonable. -- Kees Cook
