ACK: [UNSTABLE][PATCH 0/5] Enforce RETPOLINE and SLS mitigrations

Tim Gardner tim.gardner at canonical.com
Wed Jan 3 16:12:45 UTC 2024 

On 12/14/23 5:49 AM, Dimitri John Ledkov wrote:
> [ Impact ]
> 
> Enforce RETPOLINE and SLS mitigrations
> 
> Currently retpoline ABI checks in the kernel build do nothing. They
> produce no output, as if everything is fine. And if one manually hacks
> makefile to "forget" retpoline & SLS mitigration flags, objtool prints
> lots of warnings, retpoline ABI check passes and the build is
> succesful. Yet totally vulnerable.
> 
> Proposal is to enforce objtool warnings as fatal errors for RETPOLINE
> and SLS, as tested to be passed on mantic for both kernel and all
> available dkms. And otherwise rip out custom Ubuntu retpoline abi
> checks.
> 
> I have prepared this for noble v6.7 kernel, once this lands, I will
> make appropriate backports for earlier series as we likely want usable
> retpoline build time enforcement in earlier series too where possible.
> 
> [ Test Plan ]
> 
> Hack arch/x86/Makefile and comment out KBUILD_CFLAGS += $(RETPOLINE_CFLAGS)
> 
> This simulate a build infrastructure, or toolchain regression, or
> hand-written assembly code that is susceptible to speculative attacks.
> 
> Attempt to build the kernel.
> 
> The kernel build must fail. Currently it doesn't, and retpoline ABI
> checks do not catch it.
> 
> Another approach is to build a known buggy dkms modules on x86 - for
> example zfs-dkms with ret -> RET changes reverted in assembly
> accelerated code.
> 
> [ Where problems could occur ]
> 
> This change will make our kernel build more strict, especially for
> dkms packages. dkms packages that ship in Ubuntu archive have been
> build tested to pass with these more strict requirements in
> place. Other external modules that fail with such strict configuration
> should either fix their code to be retpoline/redbleed safe - or use a
> config override CONFIG_RETPOLINE=n to disable retpoline during their
> build, or otherwise use one of the OBJTOOL_ settings in their dkms
> Makefiles to skip objtool on given portions of code, or otherwise mark
> things as retpoline_safe / noreturn / etc. See examples in the linux
> upstream source code.
> 
> [ Other Info ]
> 
> This work was done as part of hackathon questioning abi checks
> usefulness, given I have never experienced retpoline check
> failure. And they have always been empty since early v4.15 days
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/tree/debian.master/abi/4.15.0-13.14/amd64/generic.retpoline?h=Ubuntu-4.15.0-14.15
> 
> Gitea review URL:
> https://kernel.ubuntu.com/gitea/kernel/noble-linux-unstable/pulls/15
> 
> 
> Dimitri John Ledkov (5):
>    UBUNTU: SAUCE: objtool: Make objtool check actually fatal upon fatal
>      errors
>    UBUNTU: SAUCE: objtool: make objtool SLS validation fatal when
>      building with CONFIG_SLS=y
>    UBUNTU: SAUCE: objtool: make objtool RETPOLINE validation fatal when
>      building with CONFIG_RETPOLINE=y
>    UBUNTU: SAUCE: scripts: remove generating .o-ur objects
>    UBUNTU: [Packaging] Remove all custom retpoline-extract code
> 
>   debian.master/abi/amd64/generic.retpoline     |   1 -
>   debian.master/abi/arm64/generic-64k.retpoline |   1 -
>   debian.master/abi/arm64/generic.retpoline     |   1 -
>   debian.master/abi/armhf/generic.retpoline     |   1 -
>   debian.master/abi/ppc64el/generic.retpoline   |   1 -
>   debian.master/abi/riscv64/generic.retpoline   |   0
>   debian.master/abi/riscv64/ignore.retpoline    |   1 -
>   debian.master/abi/s390x/generic.retpoline     |   1 -
>   debian/rules                                  |   6 +-
>   debian/rules.d/2-binary-arch.mk               |  15 -
>   debian/rules.d/4-checks.mk                    |   8 +-
>   debian/scripts/checks/final-checks            |   7 -
>   debian/scripts/checks/retpoline-check         |  52 ----
>   debian/scripts/dkms-build                     |   2 +-
>   debian/scripts/dkms-build--nvidia-N           |   7 +-
>   debian/scripts/helpers/open                   |   3 +-
>   debian/scripts/misc/getabis                   |   7 +-
>   debian/scripts/retpoline-extract              |  23 --
>   debian/scripts/retpoline-extract-one          | 270 ------------------
>   scripts/Makefile.build                        |   8 -
>   snapcraft.yaml                                |   4 -
>   tools/objtool/check.c                         |  26 +-
>   22 files changed, 22 insertions(+), 423 deletions(-)
>   delete mode 100644 debian.master/abi/amd64/generic.retpoline
>   delete mode 100644 debian.master/abi/arm64/generic-64k.retpoline
>   delete mode 100644 debian.master/abi/arm64/generic.retpoline
>   delete mode 100644 debian.master/abi/armhf/generic.retpoline
>   delete mode 100644 debian.master/abi/ppc64el/generic.retpoline
>   delete mode 100644 debian.master/abi/riscv64/generic.retpoline
>   delete mode 100644 debian.master/abi/riscv64/ignore.retpoline
>   delete mode 100644 debian.master/abi/s390x/generic.retpoline
>   delete mode 100755 debian/scripts/checks/retpoline-check
>   delete mode 100755 debian/scripts/retpoline-extract
>   delete mode 100755 debian/scripts/retpoline-extract-one
> 
Acked-by: Tim Gardner <tim.gardner at canonical.com>
-- 
-----------
Tim Gardner
Canonical, Inc

More information about the kernel-team mailing list