On Thu, Sep 29, 2022 at 11:06:24PM -0700, Kees Cook wrote:
> Now that Clang's -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang
> option is no longer required, remove it from the command line. Clang 16
> and later will warn when it is used, which will cause Kconfig to think
> it can't use -ftrivial-auto-var-init=zero at all. Check for whether it
> is required and only use it when so.
>
> Cc: Nathan Chancellor <nathan@xxxxxxxxxx>
> Cc: Masahiro Yamada <masahiroy@xxxxxxxxxx>
> Cc: Nick Desaulniers <ndesaulniers@xxxxxxxxxx>
> Cc: linux-kbuild@xxxxxxxxxxxxxxx
> Cc: llvm@xxxxxxxxxxxxxxx
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: f02003c860d9 ("hardening: Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO")
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>

Thanks for sending this change!

Reviewed-by: Nathan Chancellor <nathan@xxxxxxxxxx>
Tested-by: Nathan Chancellor <nathan@xxxxxxxxxx>

Please consider getting this to Linus ASAP so that this can start
filtering into stable now that the LLVM change has landed, as I lost the
ability to use CONFIG_INIT_STACK_ALL_ZERO after upgrading my toolchain
over the weekend :)

Additionally, I am not sure the fixes tag is going to ensure that this
change automatically makes it back to 5.15 and 5.10, which have commit
f0fe00d4972a ("security: allow using Clang's zero initialization for
stack variables") but not commit f02003c860d9 ("hardening: Avoid
harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO"). I guess if I
am reading the stable documentation right, we could do something like:

    Cc: stable@xxxxxxxxxxxxxxx # dcb7c0b9461c + f02003c860d9
    Fixes: f0fe00d4972a ("security: allow using Clang's zero initialization for stack variables")

but I am not sure. I guess we can always just send manual backports once
it is merged.

> ---
> Makefile | 4 ++--
> security/Kconfig.hardening | 14 ++++++++++----
> 2 files changed, 12 insertions(+), 6 deletions(-)
> > diff --git a/Makefile b/Makefile > index c7705f749601..02c857e2243c 100644 > --- a/Makefile > +++ b/Makefile > @@ -831,8 +831,8 @@ endif > # Initialize all stack variables with a zero value. > ifdef CONFIG_INIT_STACK_ALL_ZERO > KBUILD_CFLAGS += -ftrivial-auto-var-init=zero > -ifdef CONFIG_CC_IS_CLANG > -# https://bugs.llvm.org/show_bug.cgi?id=45497 > +ifdef CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER > +# https://github.com/llvm/llvm-project/issues/44842 > KBUILD_CFLAGS += -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang > endif > endif > diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening > index bd2aabb2c60f..995bc42003e6 100644 > --- a/security/Kconfig.hardening > +++ b/security/Kconfig.hardening > @@ -22,11 +22,17 @@ menu "Memory initialization" > config CC_HAS_AUTO_VAR_INIT_PATTERN > def_bool $(cc-option,-ftrivial-auto-var-init=pattern) > > -config CC_HAS_AUTO_VAR_INIT_ZERO > - # GCC ignores the -enable flag, so we can test for the feature with > - # a single invocation using the flag, but drop it as appropriate in > - # the Makefile, depending on the presence of Clang. > +config CC_HAS_AUTO_VAR_INIT_ZERO_BARE > + def_bool $(cc-option,-ftrivial-auto-var-init=zero) > + > +config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER > + # Clang 16 and later warn about using the -enable flag, but it > + # is required before then. > def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang) > + depends on !CC_HAS_AUTO_VAR_INIT_ZERO_BARE > + > +config CC_HAS_AUTO_VAR_INIT_ZERO > + def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BARE || CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER > > choice > prompt "Initialize kernel stack variables at function entry" > -- > 2.34.1 >
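
Review bot: in the Makefile hunk, the comment above the -enable line is only the issue URL, so someone reading the Makefile cannot tell why the flag is now gated on CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER instead of on the compiler being Clang. Consider adding one line there, mirroring the Kconfig comment, saying the flag is only needed before Clang 16 and is warned about from Clang 16 on.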
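
Review bot: in the security/Kconfig.hardening hunk, the "depends on !CC_HAS_AUTO_VAR_INIT_ZERO_BARE" line is what keeps the -enable flag off for any compiler that accepts the bare option, yet neither that dependency nor the new CC_HAS_AUTO_VAR_INIT_ZERO_BARE symbol is documented. The removed comment explained the GCC case and the new one only mentions Clang 16. Suggest extending the comment on CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER to say that the enabler probe is only considered when the bare probe fails, and to state how GCC is handled now that the old note is gone.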