Re: [PATCH] x86/boot: Refuse to build with data relocations

On Thu, May 19, 2016 at 11:41 PM, Ingo Molnar wrote: > > * Kees Cook wrote: > >> On Wed, May 18, 2016 at 4:29 AM, Ingo Molnar wrote: >> > >> > * Kees Cook wrote: >> > >> >> > I think there is something way more

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Thu, May 19, 2016 at 11:41 PM, Ingo Molnar wrote: > > * Kees Cook wrote: > >> On Wed, May 18, 2016 at 4:29 AM, Ingo Molnar wrote: >> > >> > * Kees Cook wrote: >> > >> >> > I think there is something way more subtle going on here, and it >> >> > bothers me >> >> > exactly because it is

Re: [PATCH] x86/boot: Refuse to build with data relocations

* Kees Cook wrote: > On Wed, May 18, 2016 at 4:29 AM, Ingo Molnar wrote: > > > > * Kees Cook wrote: > > > >> > I think there is something way more subtle going on here, and it bothers > >> > me > >> > exactly because it is

Re: [PATCH] x86/boot: Refuse to build with data relocations

* Kees Cook wrote: > On Wed, May 18, 2016 at 4:29 AM, Ingo Molnar wrote: > > > > * Kees Cook wrote: > > > >> > I think there is something way more subtle going on here, and it bothers > >> > me > >> > exactly because it is subtle. It may be that it is OK right now, but > >> > there > >> >

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Wed, May 18, 2016 at 4:29 AM, Ingo Molnar wrote: > > * Kees Cook wrote: > >> > I think there is something way more subtle going on here, and it bothers me >> > exactly because it is subtle. It may be that it is OK right now, but there >> > are alarm

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Wed, May 18, 2016 at 4:29 AM, Ingo Molnar wrote: > > * Kees Cook wrote: > >> > I think there is something way more subtle going on here, and it bothers me >> > exactly because it is subtle. It may be that it is OK right now, but there >> > are alarm bells going on all over my brain on this.

Re: [PATCH] x86/boot: Refuse to build with data relocations

* Kees Cook wrote: > > I think there is something way more subtle going on here, and it bothers me > > exactly because it is subtle. It may be that it is OK right now, but there > > are alarm bells going on all over my brain on this. I'm going to stare at > > this

Re: [PATCH] x86/boot: Refuse to build with data relocations

* Kees Cook wrote: > > I think there is something way more subtle going on here, and it bothers me > > exactly because it is subtle. It may be that it is OK right now, but there > > are alarm bells going on all over my brain on this. I'm going to stare at > > this for a bit and see if I

Re: [PATCH] x86/boot: Refuse to build with data relocations

On 05/17/16 12:28, Kees Cook wrote: >> >> I think there is something way more subtle going on here, and it bothers >> me exactly because it is subtle. It may be that it is OK right now, but >> there are alarm bells going on all over my brain on this. I'm going to >> stare at this for a bit and

Re: [PATCH] x86/boot: Refuse to build with data relocations

On 05/17/16 12:28, Kees Cook wrote: >> >> I think there is something way more subtle going on here, and it bothers >> me exactly because it is subtle. It may be that it is OK right now, but >> there are alarm bells going on all over my brain on this. I'm going to >> stare at this for a bit and

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Tue, May 17, 2016 at 12:56 PM, H. Peter Anvin wrote: > On 05/17/16 06:53, Kees Cook wrote: >>> >>> Either look at the inputs, or add the -q option to the link line >>> (--emit-relocs); that preserves the relocations into the output file >>> (the same we use to generate the

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Tue, May 17, 2016 at 12:56 PM, H. Peter Anvin wrote: > On 05/17/16 06:53, Kees Cook wrote: >>> >>> Either look at the inputs, or add the -q option to the link line >>> (--emit-relocs); that preserves the relocations into the output file >>> (the same we use to generate the relocation tables to

Re: [PATCH] x86/boot: Refuse to build with data relocations

On 05/17/16 06:53, Kees Cook wrote: >> >> Either look at the inputs, or add the -q option to the link line >> (--emit-relocs); that preserves the relocations into the output file >> (the same we use to generate the relocation tables to be able to >> relocate the kernel proper.) > > (FWIW, this

Re: [PATCH] x86/boot: Refuse to build with data relocations

On 05/17/16 06:53, Kees Cook wrote: >> >> Either look at the inputs, or add the -q option to the link line >> (--emit-relocs); that preserves the relocations into the output file >> (the same we use to generate the relocation tables to be able to >> relocate the kernel proper.) > > (FWIW, this

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Tue, May 17, 2016 at 5:31 AM, H. Peter Anvin wrote: > On 05/17/16 01:13, Kees Cook wrote: >> On Mon, May 16, 2016 at 3:30 AM, Ingo Molnar wrote: >>> >>> * H. Peter Anvin wrote: >>> On 05/12/16 15:54, Kees Cook wrote: >> >> It

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Tue, May 17, 2016 at 5:31 AM, H. Peter Anvin wrote: > On 05/17/16 01:13, Kees Cook wrote: >> On Mon, May 16, 2016 at 3:30 AM, Ingo Molnar wrote: >>> >>> * H. Peter Anvin wrote: >>> On 05/12/16 15:54, Kees Cook wrote: >> >> It would be far better to warn on the *type* of

Re: [PATCH] x86/boot: Refuse to build with data relocations

On 05/17/16 01:13, Kees Cook wrote: > On Mon, May 16, 2016 at 3:30 AM, Ingo Molnar wrote: >> >> * H. Peter Anvin wrote: >> >>> On 05/12/16 15:54, Kees Cook wrote: > > It would be far better to warn on the *type* of relocations rather than > in which

Re: [PATCH] x86/boot: Refuse to build with data relocations

On 05/17/16 01:13, Kees Cook wrote: > On Mon, May 16, 2016 at 3:30 AM, Ingo Molnar wrote: >> >> * H. Peter Anvin wrote: >> >>> On 05/12/16 15:54, Kees Cook wrote: > > It would be far better to warn on the *type* of relocations rather than > in which section they feel. I'm

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Mon, May 16, 2016 at 3:30 AM, Ingo Molnar wrote: > > * H. Peter Anvin wrote: > >> On 05/12/16 15:54, Kees Cook wrote: >> >> >> >> It would be far better to warn on the *type* of relocations rather than >> >> in which section they feel. >> > >> > I'm open to

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Mon, May 16, 2016 at 3:30 AM, Ingo Molnar wrote: > > * H. Peter Anvin wrote: > >> On 05/12/16 15:54, Kees Cook wrote: >> >> >> >> It would be far better to warn on the *type* of relocations rather than >> >> in which section they feel. >> > >> > I'm open to specific changes. What's the best

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Thu, May 12, 2016 at 01:31:04PM -0700, Kees Cook wrote: > diff --git a/arch/x86/boot/compressed/Makefile > b/arch/x86/boot/compressed/Makefile > index cfdd8c3f8af2..25d477fcd5b4 100644 > --- a/arch/x86/boot/compressed/Makefile > +++ b/arch/x86/boot/compressed/Makefile > @@ -85,7 +85,25 @@

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Thu, May 12, 2016 at 01:31:04PM -0700, Kees Cook wrote: > diff --git a/arch/x86/boot/compressed/Makefile > b/arch/x86/boot/compressed/Makefile > index cfdd8c3f8af2..25d477fcd5b4 100644 > --- a/arch/x86/boot/compressed/Makefile > +++ b/arch/x86/boot/compressed/Makefile > @@ -85,7 +85,25 @@

Re: [PATCH] x86/boot: Refuse to build with data relocations

* H. Peter Anvin wrote: > On 05/12/16 15:54, Kees Cook wrote: > >> > >> It would be far better to warn on the *type* of relocations rather than in > >> which section they feel. > > > > I'm open to specific changes. What's the best way to detect what you want > > here? > > >

Re: [PATCH] x86/boot: Refuse to build with data relocations

* H. Peter Anvin wrote: > On 05/12/16 15:54, Kees Cook wrote: > >> > >> It would be far better to warn on the *type* of relocations rather than in > >> which section they feel. > > > > I'm open to specific changes. What's the best way to detect what you want > > here? > > > > Use readelf

Re: [PATCH] x86/boot: Refuse to build with data relocations

On 05/12/16 15:54, Kees Cook wrote: >> >> It would be far better to warn on the *type* of relocations rather than in >> which section they feel. > > I'm open to specific changes. What's the best way to detect what you want > here? > Use readelf -r and look for inappropriate relocation types

Re: [PATCH] x86/boot: Refuse to build with data relocations

On 05/12/16 15:54, Kees Cook wrote: >> >> It would be far better to warn on the *type* of relocations rather than in >> which section they feel. > > I'm open to specific changes. What's the best way to detect what you want > here? > Use readelf -r and look for inappropriate relocation types

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Thu, May 12, 2016 at 3:29 PM, H. Peter Anvin wrote: > On May 12, 2016 1:31:04 PM PDT, Kees Cook wrote: >>The compressed kernel is built with -fPIC/-fPIE so that it can run in >>any >>location a bootloader happens to put it. However, since ELF relocation

Re: [PATCH] x86/boot: Refuse to build with data relocations

On Thu, May 12, 2016 at 3:29 PM, H. Peter Anvin wrote: > On May 12, 2016 1:31:04 PM PDT, Kees Cook wrote: >>The compressed kernel is built with -fPIC/-fPIE so that it can run in >>any >>location a bootloader happens to put it. However, since ELF relocation >>processing is not happening (and all

Re: [PATCH] x86/boot: Refuse to build with data relocations

On May 12, 2016 1:31:04 PM PDT, Kees Cook wrote: >The compressed kernel is built with -fPIC/-fPIE so that it can run in >any >location a bootloader happens to put it. However, since ELF relocation >processing is not happening (and all the relocation information has >already

Re: [PATCH] x86/boot: Refuse to build with data relocations

On May 12, 2016 1:31:04 PM PDT, Kees Cook wrote: >The compressed kernel is built with -fPIC/-fPIE so that it can run in >any >location a bootloader happens to put it. However, since ELF relocation >processing is not happening (and all the relocation information has >already been stripped at link

[PATCH] x86/boot: Refuse to build with data relocations

The compressed kernel is built with -fPIC/-fPIE so that it can run in any location a bootloader happens to put it. However, since ELF relocation processing is not happening (and all the relocation information has already been stripped at link time), none of the code can use data relocations (e.g.

[PATCH] x86/boot: Refuse to build with data relocations

The compressed kernel is built with -fPIC/-fPIE so that it can run in any location a bootloader happens to put it. However, since ELF relocation processing is not happening (and all the relocation information has already been stripped at link time), none of the code can use data relocations (e.g.