[ubuntu-hardened] [16.04 LTS] Why Linux kernel is compiled using "-fstack-protector-all" option, instead of previously used "strong" variant?
Steve Beattie
sbeattie at ubuntu.com
Wed Oct 11 19:05:46 UTC 2017
Hi Daniel,
Sorry for the delay, I overlooked your followup query while traveling.
On Wed, Sep 27, 2017 at 05:07:09PM +0200, daniel curtis wrote:
> >> (...) I hope this clarifies things.
>
> Wow, this is an amazing answer! Thank you very much. So can I say that
> everything is OK and each mentioned kernel was built, compiled with
> '-fstack-protector-strong' option
Correct as far as the kernel and its modules go.
> and that you're "not quite sure why it's
> not affecting the entire kernel build"?
I am unsure why the change to the build environment to export V=1
(i.e. verbose build output) is not resulting in detailed output for
the entire kernel compilation, rather than for just the user space
perf tools.
> One more time, to be 100% sure:
> '-strong' variant was used, even if the build logs show '-all'?
>
> I mean the whole thing, mentioned by you in your answer and: "that appears
> to be the source of the new '-fstack-protector-all' messages in the build
> log" etc. Or maybe I'm wrong and I didn't understand it well? If so -
> I'm sorry.
>
> Indeed, in a kernel config file, there are options related to the
> 'fstack-protector' (CONFIG_CC_STACKPROTECTOR_STRONG - just as an example.)
> However, this time it's the latest proposed (for now) kernel v4.4.0-97.120
> (which is quite a big update, by the way) and - as before - build logs for
> i386 and amd64 architectures contain the '-fstack-protector-all' option.
The TL;DR explanation:
- The Ubuntu kernels are built with the CONFIG_CC_STACKPROTECTOR_STRONG
setting, resulting in the compiler flag -fstack-protector-strong being
applied to the kernel and its modules.
- The Ubuntu (and upstream) user space perf tools are built with
-fstack-protector-all (and have been for several years now).
- A recent change in the Launchpad build environment causes verbose
build output for the user space perf tools, resulting in the
-fstack-protector-all flag showing up in the logs.
- My remaining confusion is why the build changes don't cause the
entire kernel build to generate detailed compilation output,
where we would see -fstack-protector-strong.
Does that clarify things?
Thanks again for prompting the investigation!
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
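The two checks the thread keeps coming back to, as an added example that is not part of the list message: which -fstack-protector variant actually takes effect on each compile line of a build log, and which CONFIG_CC_STACKPROTECTOR_* option a kernel config enables. The log and config text inside the script are constructed samples, and the one-compiler-call-per-line layout of V=1 output is an assumption.

```shell
# Added example (not from the thread): which -fstack-protector variant each
# compile line in a build log ends up with, and which CONFIG_CC_STACKPROTECTOR_*
# a kernel config enables. Assumes V=1 prints one compiler call per line; the
# sample log and config below are constructed, not copied from Launchpad.

# Count compile lines (compiler in $1, "-c" present) by the stack-protector
# flag that takes effect: GCC lets the last such flag on the line win, so
# "-fstack-protector-strong ... -fno-stack-protector" counts as "none".
stack_protector_counts() {
    awk '
        $1 ~ /(^|\/|-)(gcc|cc)$/ {
            compile = 0; last = "none"
            for (i = 2; i <= NF; i++) {
                if ($i == "-c")                                  compile = 1
                else if ($i == "-fstack-protector-all")          last = "all"
                else if ($i == "-fstack-protector-strong")       last = "strong"
                else if ($i ~ /^-fstack-protector(-explicit)?$/) last = "basic"
                else if ($i == "-fno-stack-protector")           last = "none"
            }
            if (compile) n[last]++
        }
        END { printf "all=%d strong=%d basic=%d none=%d\n",
                     n["all"], n["strong"], n["basic"], n["none"] }
    '
}

# Report which CONFIG_CC_STACKPROTECTOR_{NONE,REGULAR,STRONG} is =y in a
# kernel config read from stdin ("unset" if none of them is).
config_stackprotector() {
    awk -F= '
        /^CONFIG_CC_STACKPROTECTOR_[A-Z]+=y$/ { sub(/^CONFIG_CC_STACKPROTECTOR_/, "", $1); found = tolower($1) }
        END { print (found == "" ? "unset" : found) }
    '
}

# Constructed sample: two perf objects built with -all, one kernel object with
# -strong, one boot-time object where -fno-stack-protector wins, one link step.
SAMPLE_LOG='gcc -Wp,-MD,./.builtin-annotate.o.d -fstack-protector-all -O6 -c -o builtin-annotate.o builtin-annotate.c
gcc -Wp,-MD,util/.evsel.o.d -fstack-protector-all -O6 -c -o util/evsel.o util/evsel.c
x86_64-linux-gnu-gcc -nostdinc -fstack-protector-strong -O2 -c -o kernel/fork.o kernel/fork.c
x86_64-linux-gnu-gcc -fstack-protector-strong -fno-stack-protector -O2 -c -o arch/x86/boot/compressed/misc.o arch/x86/boot/compressed/misc.c
ld -m elf_x86_64 -o vmlinux.o arch/x86/kernel/head_64.o'
SAMPLE_CONFIG='# CONFIG_CC_STACKPROTECTOR_NONE is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_CC_STACKPROTECTOR=y'
demo_log_summary()  { printf '%s\n' "$SAMPLE_LOG"    | stack_protector_counts; }
demo_config_check() { printf '%s\n' "$SAMPLE_CONFIG" | config_stackprotector; }
demo_log_summary     # all=2 strong=1 basic=0 none=1
demo_config_check    # strong
```

Against a real machine, feed the functions the actual files, e.g. `config_stackprotector < /boot/config-$(uname -r)` and `stack_protector_counts < buildlog.txt`; any "none" count in a kernel-only log is worth reading line by line.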