[PATCH v3 2/2] rust: add flags for shadow call stack sanitizer

Alice Ryhl aliceryhl at google.com
Tue Jul 9 02:51:28 PDT 2024


On Thu, Jul 4, 2024 at 7:17 PM Conor Dooley <conor at kernel.org> wrote:
>
> On Thu, Jul 04, 2024 at 03:07:58PM +0000, Alice Ryhl wrote:
> > As of rustc 1.80.0, the Rust compiler supports the -Zfixed-x18 flag, so
> > we can now use Rust with the shadow call stack sanitizer.
> >
> > On older versions of Rust, it is possible to use shadow call stack by
> > passing -Ctarget-feature=+reserve-x18 instead of -Zfixed-x18. However,
> > this flag emits a warning, so this patch does not add support for that.
> >
> > Currently, the compiler thinks that the aarch64-unknown-none target
> > doesn't support -Zsanitizer=shadow-call-stack, so the build will fail if
> > you enable shadow call stack in non-dynamic mode. See [2] for the
> > feature request to add this. Kconfig is not configured to reject this
> > configuration because that leads to cyclic Kconfig rules.
> >
> > Link: https://github.com/rust-lang/rust/issues/121972 [1]
> > Signed-off-by: Alice Ryhl <aliceryhl at google.com>
> > ---
> >  Makefile            | 1 +
> >  arch/Kconfig        | 2 +-
> >  arch/arm64/Makefile | 3 +++
> >  3 files changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/Makefile b/Makefile
> > index c11a10c8e710..4ae741601a1c 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -945,6 +945,7 @@ ifdef CONFIG_SHADOW_CALL_STACK
> >  ifndef CONFIG_DYNAMIC_SCS
> >  CC_FLAGS_SCS := -fsanitize=shadow-call-stack
> >  KBUILD_CFLAGS        += $(CC_FLAGS_SCS)
> > +KBUILD_RUSTFLAGS += -Zsanitizer=shadow-call-stack
> >  endif
> >  export CC_FLAGS_SCS
> >  endif
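Review bot: The added KBUILD_RUSTFLAGS line in the ifndef CONFIG_DYNAMIC_SCS branch has no guard and no comment, yet the commit message says rustc currently rejects -Zsanitizer=shadow-call-stack on aarch64-unknown-none, so a config with RUST and non-dynamic SCS fails at build time instead of being caught earlier. A short comment above the line naming that limitation would help whoever hits the error. The C flag goes through CC_FLAGS_SCS, which is exported, while the Rust flag is appended directly to KBUILD_RUSTFLAGS; if the export exists so the flag can be reused elsewhere, the Rust side has no equivalent variable. Minor: the += is not aligned with the KBUILD_CFLAGS line above it.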
> > diff --git a/arch/Kconfig b/arch/Kconfig
> > index 238448a9cb71..5a6e296df5e6 100644
> > --- a/arch/Kconfig
> > +++ b/arch/Kconfig
> > @@ -690,7 +690,7 @@ config SHADOW_CALL_STACK
> >       bool "Shadow Call Stack"
> >       depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
> >       depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
> > -     depends on !RUST
> > +     depends on !RUST || RUSTC_VERSION >= 108000
> >       depends on MMU
> >       help
> >         This option enables the compiler's Shadow Call Stack, which
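Review bot: The new line "depends on !RUST || RUSTC_VERSION >= 108000" carries no comment saying what 108000 stands for; going by the commit message it is rustc 1.80.0, the first release with -Zfixed-x18, and a one-line comment saying so would help. The gate checks only the compiler version, so it still allows RUST together with non-dynamic SCS, which the commit message says fails to build. Because the dependency is placed on SHADOW_CALL_STACK, enabling RUST with an older rustc removes SCS from the config without any prompt.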
>
> For these security-related options, like CFI_CLANG or RANDSTRUCT, I'm
> inclined to say that RUST is actually what should grow the depends on.
> That way it'll be RUST that gets silently disabled in configs when patch
> 1 gets backported (where it is mostly useless anyway) rather than SCS,
> nor will it disable SCS when someone enables RUST in their config;
> instead it'd be a conscious choice.

Okay, I'll make that change. I suspect this will also break the
Kconfig cycle mentioned in the commit message. Thanks for the
suggestion!

Alice


