[PATCH v3 2/2] rust: add flags for shadow call stack sanitizer

Conor Dooley conor at kernel.org
Thu Jul 4 10:16:58 PDT 2024 

On Thu, Jul 04, 2024 at 03:07:58PM +0000, Alice Ryhl wrote:
> As of rustc 1.80.0, the Rust compiler supports the -Zfixed-x18 flag, so
> we can now use Rust with the shadow call stack sanitizer.
> 
> On older versions of Rust, it is possible to use shadow call stack by
> passing -Ctarget-feature=+reserve-x18 instead of -Zfixed-x18. However,
> this flag emits a warning, so this patch does not add support for that.
> 
> Currently, the compiler thinks that the aarch64-unknown-none target
> doesn't support -Zsanitizer=shadow-call-stack, so the build will fail if
> you enable shadow call stack in non-dynamic mode. See [2] for the
> feature request to add this. Kconfig is not configured to reject this
> configuration because that leads to cyclic Kconfig rules.
> 
> Link: https://github.com/rust-lang/rust/issues/121972 [1]
> Signed-off-by: Alice Ryhl <aliceryhl at google.com>
> ---
>  Makefile            | 1 +
>  arch/Kconfig        | 2 +-
>  arch/arm64/Makefile | 3 +++
>  3 files changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/Makefile b/Makefile
> index c11a10c8e710..4ae741601a1c 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -945,6 +945,7 @@ ifdef CONFIG_SHADOW_CALL_STACK
>  ifndef CONFIG_DYNAMIC_SCS
>  CC_FLAGS_SCS	:= -fsanitize=shadow-call-stack
>  KBUILD_CFLAGS	+= $(CC_FLAGS_SCS)
> +KBUILD_RUSTFLAGS += -Zsanitizer=shadow-call-stack
>  endif
>  export CC_FLAGS_SCS
>  endif
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 238448a9cb71..5a6e296df5e6 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -690,7 +690,7 @@ config SHADOW_CALL_STACK
>  	bool "Shadow Call Stack"
>  	depends on ARCH_SUPPORTS_SHADOW_CALL_STACK
>  	depends on DYNAMIC_FTRACE_WITH_ARGS || DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER
> -	depends on !RUST
> +	depends on !RUST || RUSTC_VERSION >= 108000
>  	depends on MMU
>  	help
>  	  This option enables the compiler's Shadow Call Stack, which

For these security related options, like CFI_CLANG or RANDSTRUCT, I'm
inclined to say that RUST is actually what should grow the depends on.
That way it'll be RUST that gets silently disabled in configs when patch
1 gets backported (where it is mostly useless anyway) rather than SCS
nor will it disable SCS when someone enables RUST in their config,
instead it'd be a conscious choice.

Cheers,
Conor.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/linux-arm-kernel/attachments/20240704/40deddd3/attachment.sig>

More information about the linux-arm-kernel mailing list