Pull kernel hardening updates from Kees Cook:
- Convert flexible array members, fix -Wstringop-overflow warnings, and
fix KCFI function type mismatches that went ignored by maintainers
(Gustavo A. R. Silva, Nathan Chancellor, Kees Cook)
- Remove the remaining side-effect users of ksize() by converting
dma-buf, btrfs, and coredump to using kmalloc_size_roundup(), add
more __alloc_size attributes, and introduce full testing of all
allocator functions. Finally remove the ksize() side-effect so that
each allocation-aware checker can finally behave without exceptions
- Introduce oops_limit (default 10,000) and warn_limit (default off) to
provide greater granularity of control for panic_on_oops and
panic_on_warn (Jann Horn, Kees Cook)
- Introduce overflows_type() and castable_to_type() helpers for cleaner
overflow checking
- Improve code generation for strscpy() and update str*() kern-doc
- Convert strscpy and siphash tests to KUnit, and expand memcpy tests
- Always use a non-NULL argument for prepare_kernel_cred()
- Disable structleak plugin in FORTIFY KUnit test (Anders Roxell)
- Adjust orphan linker section checking to respect CONFIG_WERROR (Xin
Li)
- Make sure siginfo is cleared for forced SIGKILL (haifeng.xu)
- Fix um vs FORTIFY warnings for always-NULL arguments
* tag 'hardening-v6.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: (31 commits)
ksmbd: replace one-element arrays with flexible-array members
hpet: Replace one-element array with flexible-array member
um: virt-pci: Avoid GCC non-NULL warning
signal: Initialize the info in ksignal
lib: fortify_kunit: build without structleak plugin
panic: Expose "warn_count" to sysfs
panic: Introduce warn_limit
panic: Consolidate open-coded panic_on_warn checks
exit: Allow oops_limit to be disabled
exit: Expose "oops_count" to sysfs
exit: Put an upper limit on how often we can oops
panic: Separate sysctl logic from CONFIG_SMP
mm/pgtable: Fix multiple -Wstringop-overflow warnings
mm: Make ksize() a reporting-only function
kunit/fortify: Validate __alloc_size attribute results
drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
driver core: Add __alloc_size hint to devm allocators
overflow: Introduce overflows_type() and castable_to_type()
coredump: Proactively round up to kmalloc bucket size
...
162 lines
5.7 KiB
Makefile
# SPDX-License-Identifier: GPL-2.0
#
# linux/arch/x86/boot/compressed/Makefile
#
# create a compressed vmlinux image from the original vmlinux
#
# vmlinuz is:
#	decompression code (*.o)
#	asm globals (piggy.S), including:
#		vmlinux.bin.(gz|bz2|lzma|...)
#
# vmlinux.bin is:
#	vmlinux stripped of debugging and comments
# vmlinux.bin.all is:
#	vmlinux.bin + vmlinux.relocs
# vmlinux.bin.(gz|bz2|lzma|...) is:
#	(see scripts/Makefile.lib size_append)
#	compressed vmlinux.bin.all + u32 size of vmlinux.bin.all

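# Sanitizer runtimes are unavailable and cannot be linked for early boot code.
# KASAN, KCSAN and KMSAN instrumentation is therefore switched off for every
# object built in this directory, so memory-safety and data-race bugs in the
# decompressor are not reported by these tools at run time.
KASAN_SANITIZE := n
KCSAN_SANITIZE := n
KMSAN_SANITIZE := n
# Exempt the objects built here from objtool validation.
OBJECT_FILES_NON_STANDARD := y

# Prevents link failures: __sanitizer_cov_trace_pc() is not linked in.
KCOV_INSTRUMENT := n

# Build products registered in kbuild's 'targets' list: the decompressor
# image, the stripped kernel, and one compressed payload per supported format.
# The continuation line must follow the backslash directly.
targets := vmlinux vmlinux.bin vmlinux.bin.gz vmlinux.bin.bz2 vmlinux.bin.lzma \
	vmlinux.bin.xz vmlinux.bin.lzo vmlinux.bin.lz4 vmlinux.bin.zst
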
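# CLANG_FLAGS must come before any cc-disable-warning or cc-option calls in
# case of cross compiling, as it has the '--target=' flag, which is needed to
# avoid errors with '-march=i386', and future flags may depend on the target to
# be valid.
#
# The ':=' below replaces whatever KBUILD_CFLAGS held before this file was
# read, so the decompressor is compiled with exactly the options listed here.
# Hardening flags added elsewhere in the build do not apply unless repeated.
KBUILD_CFLAGS := -m$(BITS) -O2 $(CLANG_FLAGS)
# Position-independent code, matching the -pie link of $(obj)/vmlinux.
KBUILD_CFLAGS += -fno-strict-aliasing -fPIE
KBUILD_CFLAGS += -Wundef
KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
# Only the entry for the configured word size ends up in cflags-y.
cflags-$(CONFIG_X86_32) := -march=i386
cflags-$(CONFIG_X86_64) := -mcmodel=small -mno-red-zone
KBUILD_CFLAGS += $(cflags-y)
# No MMX/SSE code generation and no hosted-environment assumptions.
KBUILD_CFLAGS += -mno-mmx -mno-sse
KBUILD_CFLAGS += -ffreestanding -fshort-wchar
# Stack-smashing protection is compiled out for the decompressor, so stack
# buffer overruns in this code are not detected at run time.
# NOTE(review): presumably the canary setup is unavailable this early - confirm.
KBUILD_CFLAGS += -fno-stack-protector
KBUILD_CFLAGS += $(call cc-disable-warning, address-of-packed-member)
KBUILD_CFLAGS += $(call cc-disable-warning, gnu)
KBUILD_CFLAGS += -Wno-pointer-sign
# Where the compiler supports it, strip the source-tree prefix from __FILE__
# style macros so absolute build paths are not embedded in the objects.
KBUILD_CFLAGS += $(call cc-option,-fmacro-prefix-map=$(srctree)/=)
KBUILD_CFLAGS += -fno-asynchronous-unwind-tables
KBUILD_CFLAGS += -D__DISABLE_EXPORTS
# Disable relocation relaxation in case the link is not PIE.
KBUILD_CFLAGS += $(call as-option,-Wa$(comma)-mrelax-relocations=no)
# Force-include hidden.h into every C file compiled here.
# NOTE(review): expected to set hidden symbol visibility - confirm in the header.
KBUILD_CFLAGS += -include $(srctree)/include/linux/hidden.h

# sev.c indirectly includes inat-table.h which is generated during
# compilation and stored in $(objtree). Add the directory to the includes so
# that the compiler finds it even with out-of-tree builds (make O=/some/path).
CFLAGS_sev.o += -I$(objtree)/arch/x86/lib/
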
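# Assembly sources are built with the C flags plus __ASSEMBLY__. As with
# KBUILD_CFLAGS, ':=' replaces any previous value.
KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
# No gcov profiling and no UBSAN instrumentation for objects in this directory.
GCOV_PROFILE := n
UBSAN_SANITIZE := n
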
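# Linker flags for this directory; ':=' replaces any previous value.
KBUILD_LDFLAGS := -m elf_$(UTS_MACHINE)
KBUILD_LDFLAGS += $(call ld-option,--no-ld-generated-unwind-info)
# Compressed kernel should be built as PIE since it may be loaded at any
# address by the bootloader.
LDFLAGS_vmlinux := -pie $(call ld-option, --no-dynamic-linker)
ifdef CONFIG_LD_ORPHAN_WARN
# Have the linker report sections that the linker script does not place, at
# the level chosen in the kernel configuration.
LDFLAGS_vmlinux += --orphan-handling=$(CONFIG_LD_ORPHAN_WARN_LEVEL)
endif
# Request a non-executable stack marking for the linked image.
LDFLAGS_vmlinux += -z noexecstack
ifeq ($(CONFIG_LD_IS_BFD),y)
# Only BFD ld is asked to drop its RWX-segment warning, and only when it knows
# the option. This hides the diagnostic; it does not change the permissions of
# the segments in the linked image.
LDFLAGS_vmlinux += $(call ld-option,--no-warn-rwx-segments)
endif
# Keep -T last: it takes the next argument on the link command line as the
# linker script.
# NOTE(review): presumably $(obj)/vmlinux.lds, the first prerequisite of
# $(obj)/vmlinux - confirm against cmd_ld.
LDFLAGS_vmlinux += -T
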
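# mkpiggy is compiled for the build host and run during the build (see the
# piggy.S rule); it is not part of the decompressor image itself.
hostprogs := mkpiggy
HOST_EXTRACFLAGS += -I$(srctree)/tools/include

# sed program used by cmd_voffset. For each nm output line of the form
# "<hex address> <type letter> <symbol>" naming _text, __bss_start or _end it
# prints "#define VO_<symbol> _AC(0x<address>,UL)". Every other line is dropped,
# because sed runs with -n and only the matching substitution carries /p.
sed-voffset := -e 's/^\([0-9a-fA-F]*\) [ABCDGRSTVW] \(_text\|__bss_start\|_end\)$$/\#define VO_\2 _AC(0x\1,UL)/p'

# NOTE(review): $(NM) feeds sed through a pipe, so the recipe's status is
# sed's. Unless the shell runs with pipefail, a failing $(NM) would leave an
# empty voffset.h - confirm how kbuild invokes the shell.
quiet_cmd_voffset = VOFFSET $@
      cmd_voffset = $(NM) $< | sed -n $(sed-voffset) > $@

targets += ../voffset.h

# 'vmlinux' is resolved against make's working directory; it is a different
# file from $(obj)/vmlinux, which has its own rule in this Makefile.
$(obj)/../voffset.h: vmlinux FORCE
	$(call if_changed,voffset)

# misc.o needs the generated header, so it must be rebuilt after voffset.h.
$(obj)/misc.o: $(obj)/../voffset.h
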
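# Inputs of the decompressor link. The linker script is listed first; the
# link flags end in -T, which takes the following argument as the script.
vmlinux-objs-y := $(obj)/vmlinux.lds $(obj)/kernel_info.o $(obj)/head_$(BITS).o \
	$(obj)/misc.o $(obj)/string.o $(obj)/cmdline.o $(obj)/error.o \
	$(obj)/piggy.o $(obj)/cpuflags.o

# Optional objects: each line contributes to vmlinux-objs-y only when its
# CONFIG_ symbol expands to 'y'.
vmlinux-objs-$(CONFIG_EARLY_PRINTK) += $(obj)/early_serial_console.o
# kaslr.o is linked in only when CONFIG_RANDOMIZE_BASE is enabled.
vmlinux-objs-$(CONFIG_RANDOMIZE_BASE) += $(obj)/kaslr.o
ifdef CONFIG_X86_64
vmlinux-objs-y += $(obj)/ident_map_64.o
vmlinux-objs-y += $(obj)/idt_64.o $(obj)/idt_handlers_64.o
vmlinux-objs-$(CONFIG_AMD_MEM_ENCRYPT) += $(obj)/mem_encrypt.o
vmlinux-objs-y += $(obj)/pgtable_64.o
vmlinux-objs-$(CONFIG_AMD_MEM_ENCRYPT) += $(obj)/sev.o
endif

vmlinux-objs-$(CONFIG_ACPI) += $(obj)/acpi.o
vmlinux-objs-$(CONFIG_INTEL_TDX_GUEST) += $(obj)/tdx.o $(obj)/tdcall.o

vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o
vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_mixed.o
# The EFI stub library is built in another directory and linked from $(objtree).
vmlinux-objs-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a

# Link the decompressor. FORCE makes the rule run every time; if_changed then
# decides whether the link command is actually executed.
$(obj)/vmlinux: $(vmlinux-objs-y) FORCE
	$(call if_changed,ld)
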
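# Remove the .comment section and strip all symbol information from the kernel
# image before it is compressed ("vmlinux stripped of debugging and comments").
OBJCOPYFLAGS_vmlinux.bin := -R .comment -S
$(obj)/vmlinux.bin: vmlinux FORCE
	$(call if_changed,objcopy)

# Register the link inputs (with the $(obj)/ prefix removed) and the
# relocation outputs in kbuild's 'targets' list.
targets += $(patsubst $(obj)/%,%,$(vmlinux-objs-y)) vmlinux.bin.all vmlinux.relocs

# Host tool, given relative to make's working directory.
CMD_RELOCS = arch/x86/tools/relocs
# Two runs over the same input: the first writes the relocation data to $@,
# the second passes --abs-relocs and its output is not redirected.
# NOTE(review): with ';' the second run also starts after a failed first run
# unless the recipe shell aborts on error - confirm kbuild's 'set -e' here.
quiet_cmd_relocs = RELOCS $@
      cmd_relocs = $(CMD_RELOCS) $< > $@;$(CMD_RELOCS) --abs-relocs $<
$(obj)/vmlinux.relocs: vmlinux FORCE
	$(call if_changed,relocs)
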
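# Payload to compress: the stripped kernel, followed by the relocation data
# when CONFIG_X86_NEED_RELOCS is enabled.
vmlinux.bin.all-y := $(obj)/vmlinux.bin
vmlinux.bin.all-$(CONFIG_X86_NEED_RELOCS) += $(obj)/vmlinux.relocs

# One rule per compression format. All take the same payload; gzip uses the
# plain 'gzip' command, the others use the *_with_size variants (see
# scripts/Makefile.lib size_append).
$(obj)/vmlinux.bin.gz: $(vmlinux.bin.all-y) FORCE
	$(call if_changed,gzip)
$(obj)/vmlinux.bin.bz2: $(vmlinux.bin.all-y) FORCE
	$(call if_changed,bzip2_with_size)
$(obj)/vmlinux.bin.lzma: $(vmlinux.bin.all-y) FORCE
	$(call if_changed,lzma_with_size)
$(obj)/vmlinux.bin.xz: $(vmlinux.bin.all-y) FORCE
	$(call if_changed,xzkern_with_size)
$(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE
	$(call if_changed,lzo_with_size)
$(obj)/vmlinux.bin.lz4: $(vmlinux.bin.all-y) FORCE
	$(call if_changed,lz4_with_size)
$(obj)/vmlinux.bin.zst: $(vmlinux.bin.all-y) FORCE
	$(call if_changed,zstd22_with_size)

# suffix-y names the compressed payload that piggy.S is generated from.
# NOTE(review): presumably exactly one CONFIG_KERNEL_* symbol is 'y' - confirm
# in Kconfig; with none set, suffix-y would be empty.
suffix-$(CONFIG_KERNEL_GZIP) := gz
suffix-$(CONFIG_KERNEL_BZIP2) := bz2
suffix-$(CONFIG_KERNEL_LZMA) := lzma
suffix-$(CONFIG_KERNEL_XZ) := xz
suffix-$(CONFIG_KERNEL_LZO) := lzo
suffix-$(CONFIG_KERNEL_LZ4) := lz4
suffix-$(CONFIG_KERNEL_ZSTD) := zst
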
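# Run the host program mkpiggy on the compressed payload ($<) and capture its
# standard output as the generated assembly file ($@).
quiet_cmd_mkpiggy = MKPIGGY $@
      cmd_mkpiggy = $(obj)/mkpiggy $< > $@

targets += piggy.S
# Regenerate piggy.S when the selected payload or mkpiggy itself changes. The
# payload must stay the first prerequisite because cmd_mkpiggy reads $<.
$(obj)/piggy.S: $(obj)/vmlinux.bin.$(suffix-y) $(obj)/mkpiggy FORCE
	$(call if_changed,mkpiggy)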