linux: Randomize layout of sensitive kernel structures

Message ID: 6f293556-db9a-086e-1b2d-5e7d10eee48b@ipfire.org
State: Rejected
Series: linux: Randomize layout of sensitive kernel structures

Commit Message

Peter Müller Aug. 1, 2022, 5:18 p.m. UTC
  To quote from the kernel documentation:

> If you say Y here, the layouts of structures that are entirely
> function pointers (and have not been manually annotated with
> __no_randomize_layout), or structures that have been explicitly
> marked with __randomize_layout, will be randomized at compile-time.
> This can introduce the requirement of an additional information
> exposure vulnerability for exploits targeting these structure
> types.
>
> Enabling this feature will introduce some performance impact,
> slightly increase memory usage, and prevent the use of forensic
> tools like Volatility against the system (unless the kernel
> source tree isn't cleaned after kernel installation).
>
> The seed used for compilation is located at
> scripts/gcc-plugins/randomize_layout_seed.h. It remains after
> a make clean to allow for external modules to be compiled with
> the existing seed and will be removed by a make mrproper or
> make distclean.
>
> Note that the implementation requires gcc 4.7 or newer.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/kernel/kernel.config.x86_64-ipfire | 3 ++-
 config/rootfiles/common/aarch64/linux     | 5 +++++
 config/rootfiles/common/armv6l/linux      | 5 +++++
 config/rootfiles/common/x86_64/linux      | 5 +++++
 4 files changed, 17 insertions(+), 1 deletion(-)
  
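The mechanism the quoted help text describes, as an added example that is not part of this patch or of the kernel's randomize_layout plugin: a small C model in which a struct's member order is a deterministic function of the build seed and the struct name. The hash (FNV-1a), the PRNG (xorshift64), the 64-byte cache line, the ten 8-byte members of the file_operations-like sample and the absence of padding are all assumptions chosen for the demo; the model shows the two properties the Kconfig text relies on, namely that builds sharing randomize_layout_seed.h agree on the layout (which is why the seed survives a make clean for external modules) and that a build with another seed does not, and it contrasts full randomization with a cache-line-grouped variant standing in for the _PERFORMANCE option.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHELINE 64            /* assumed cache-line size for the grouped model */
#define MAX_MEMBERS 32

struct member { const char *name; unsigned size; };

/* Constructed sample: a file_operations-like table of ten 8-byte function
 * pointers. Names and sizes are assumptions for the demo, not the real struct. */
static const struct member fops[] = {
    {"owner", 8}, {"llseek", 8}, {"read", 8}, {"write", 8}, {"poll", 8},
    {"unlocked_ioctl", 8}, {"mmap", 8}, {"open", 8}, {"release", 8}, {"fsync", 8},
};
#define FOPS_N ((unsigned)(sizeof(fops) / sizeof(fops[0])))

/* Per-struct seed: FNV-1a over the build seed and the struct name.
 * A stand-in (assumption), not the plugin's own derivation. */
static uint64_t derive_seed(const char *seed, const char *sname)
{
    uint64_t h = 1469598103934665603ULL;
    for (const char *p = seed; *p; p++)  { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (const char *p = sname; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    return h ? h : 1;           /* xorshift state must never be zero */
}

static uint64_t xorshift64(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* Fisher-Yates shuffle of order[lo..hi). */
static void shuffle(unsigned *order, unsigned lo, unsigned hi, uint64_t *rng)
{
    if (hi - lo < 2) return;
    for (unsigned i = hi - 1; i > lo; i--) {
        unsigned j = lo + (unsigned)(xorshift64(rng) % (i - lo + 1));
        unsigned t = order[i]; order[i] = order[j]; order[j] = t;
    }
}

/* Fill order[] with the randomized member order for (seed, struct name).
 * performance == 0: any member may move anywhere.
 * performance != 0: members move only inside runs of consecutive members
 * that fit in one CACHELINE (the model of the _PERFORMANCE variant). */
void randomize_layout(const struct member *m, unsigned n, const char *seed,
                      const char *sname, int performance, unsigned *order)
{
    uint64_t rng = derive_seed(seed, sname);
    for (unsigned i = 0; i < n; i++) order[i] = i;
    if (!performance) { shuffle(order, 0, n, &rng); return; }
    unsigned lo = 0, bytes = 0;
    for (unsigned i = 0; i < n; i++) {
        if (bytes + m[i].size > CACHELINE) { shuffle(order, lo, i, &rng); lo = i; bytes = 0; }
        bytes += m[i].size;
    }
    shuffle(order, lo, n, &rng);
}

/* Byte offset of `name` in the randomized layout (no padding modelled); -1 if absent. */
int member_offset(const struct member *m, unsigned n, const unsigned *order, const char *name)
{
    unsigned off = 0;
    for (unsigned i = 0; i < n; i++) {
        if (strcmp(m[order[i]].name, name) == 0) return (int)off;
        off += m[order[i]].size;
    }
    return -1;
}

int layouts_match(const unsigned *a, const unsigned *b, unsigned n)
{
    return memcmp(a, b, n * sizeof *a) == 0;
}

/* 1 if order[] is a permutation of 0..n-1, else 0. */
int is_permutation(const unsigned *order, unsigned n)
{
    unsigned char seen[MAX_MEMBERS] = {0};
    if (n > MAX_MEMBERS) return 0;
    for (unsigned i = 0; i < n; i++) {
        if (order[i] >= n || seen[order[i]]) return 0;
        seen[order[i]] = 1;
    }
    return 1;
}

int main(void)
{
    unsigned a[MAX_MEMBERS], b[MAX_MEMBERS], p[MAX_MEMBERS];
    /* Two builds sharing the seed agree; a build with another seed need not. */
    randomize_layout(fops, FOPS_N, "seed-from-build-1", "file_operations", 0, a);
    randomize_layout(fops, FOPS_N, "seed-from-build-1", "file_operations", 0, b);
    randomize_layout(fops, FOPS_N, "seed-from-build-2", "file_operations", 0, p);
    printf("same seed agree: %d\n", layouts_match(a, b, FOPS_N));
    printf("unlocked_ioctl: unrandomized 40, seed 1 -> %d, seed 2 -> %d\n",
           member_offset(fops, FOPS_N, a, "unlocked_ioctl"),
           member_offset(fops, FOPS_N, p, "unlocked_ioctl"));
    randomize_layout(fops, FOPS_N, "seed-from-build-1", "file_operations", 1, p);
    printf("grouped (performance-style) order:");
    for (unsigned i = 0; i < FOPS_N; i++) printf(" %s", fops[p[i]].name);
    printf("\n");
    return 0;
}
```

The practical reading: an exploit that hard-codes the unrandomized offset 40 for unlocked_ioctl only works on a build whose seed happens to put it there, which is the "additional information exposure" the help text refers to; and in the grouped mode the first eight members stay within the first cache line, so a leak narrows the search far more than in the fully shuffled mode. Real randstruct also decides which structs to shuffle (all-function-pointer structs and those marked __randomize_layout), which this model leaves to the caller.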

Comments

Michael Tremer Aug. 1, 2022, 8:18 p.m. UTC | #1
Do we finally know how much the impact is at compile time?

-Michael

> On 1 Aug 2022, at 18:18, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> To quote from the kernel documentation:
> 
>> If you say Y here, the layouts of structures that are entirely
>> function pointers (and have not been manually annotated with
>> __no_randomize_layout), or structures that have been explicitly
>> marked with __randomize_layout, will be randomized at compile-time.
>> This can introduce the requirement of an additional information
>> exposure vulnerability for exploits targeting these structure
>> types.
>> 
>> Enabling this feature will introduce some performance impact,
>> slightly increase memory usage, and prevent the use of forensic
>> tools like Volatility against the system (unless the kernel
>> source tree isn't cleaned after kernel installation).
>> 
>> The seed used for compilation is located at
>> scripts/gcc-plugins/randomize_layout_seed.h. It remains after
>> a make clean to allow for external modules to be compiled with
>> the existing seed and will be removed by a make mrproper or
>> make distclean.
>> 
>> Note that the implementation requires gcc 4.7 or newer.
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
> config/rootfiles/common/aarch64/linux     | 5 +++++
> config/rootfiles/common/armv6l/linux      | 5 +++++
> config/rootfiles/common/x86_64/linux      | 5 +++++
> 4 files changed, 17 insertions(+), 1 deletion(-)
> 
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 40975b5fc..c8e7ada01 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -793,7 +793,8 @@ CONFIG_HAVE_GCC_PLUGINS=y
> CONFIG_GCC_PLUGINS=y
> # CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
> CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
> -# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
> +CONFIG_GCC_PLUGIN_RANDSTRUCT=y
> +CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
> # end of General architecture-dependent options
> 
> CONFIG_RT_MUTEXES=y
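Review bot: the hunk enables CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y, yet the commit message only quotes the generic RANDSTRUCT help text and says nothing about what the _PERFORMANCE variant does differently or why it was preferred over the full-randomization variant; please add that rationale, since the trade-off is the whole point of choosing the weaker option.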
> diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux
> index dbd6e8f2f..b3a642e56 100644
> --- a/config/rootfiles/common/aarch64/linux
> +++ b/config/rootfiles/common/aarch64/linux
> @@ -7646,6 +7646,8 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/GARP
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY
> +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT
> +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
> #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION
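Review bot: this adds include/config/GCC_PLUGIN_RANDSTRUCT entries to the aarch64 rootfile, but the diffstat shows kernel.config.x86_64-ipfire as the only kernel config touched; unless the aarch64 config already sets RANDSTRUCT, these files will not be produced by the aarch64 build and the rootfile will no longer match. Either add the matching config change or drop the aarch64 hunks. The same applies to the armv6l rootfile hunks below.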
> @@ -11684,6 +11686,7 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/generated/autoconf.h
> #lib/modules/KVER-ipfire/build/include/generated/bounds.h
> #lib/modules/KVER-ipfire/build/include/generated/compile.h
> +#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h
> #lib/modules/KVER-ipfire/build/include/generated/timeconst.h
> #lib/modules/KVER-ipfire/build/include/generated/uapi
> #lib/modules/KVER-ipfire/build/include/generated/uapi/linux
> @@ -17129,6 +17132,8 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c
> +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so
> +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c
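Review bot: randomize_layout_seed.h is added with the leading '#', i.e. excluded from the shipped build tree like the plugin sources and .so beside it. The help text quoted in the commit message says the seed is kept precisely so that external modules can be compiled with the existing layout, so nothing built out of tree against an installed IPFire kernel will match the randomized layout. If every module IPFire ships is built inside this tree that is acceptable, but the commit message should state it; otherwise ship the seed (and the generated randomize_layout_hash.h from the hunk above) in the build directory.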
> diff --git a/config/rootfiles/common/armv6l/linux b/config/rootfiles/common/armv6l/linux
> index 79e4facfe..c3411fe8d 100644
> --- a/config/rootfiles/common/armv6l/linux
> +++ b/config/rootfiles/common/armv6l/linux
> @@ -8071,6 +8071,8 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_ARM_SSP_PER_TASK
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY
> +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT
> +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
> #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION
> @@ -12134,6 +12136,7 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/generated/autoconf.h
> #lib/modules/KVER-ipfire/build/include/generated/bounds.h
> #lib/modules/KVER-ipfire/build/include/generated/compile.h
> +#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h
> #lib/modules/KVER-ipfire/build/include/generated/timeconst.h
> #lib/modules/KVER-ipfire/build/include/generated/uapi
> #lib/modules/KVER-ipfire/build/include/generated/uapi/linux
> @@ -17579,6 +17582,8 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c
> +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so
> +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c
> diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
> index b25f85a3a..1b78fe8c5 100644
> --- a/config/rootfiles/common/x86_64/linux
> +++ b/config/rootfiles/common/x86_64/linux
> @@ -7624,6 +7624,8 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/config/GARP
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY
> +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT
> +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK
> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
> #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION
> @@ -12128,6 +12130,7 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/include/generated/autoconf.h
> #lib/modules/KVER-ipfire/build/include/generated/bounds.h
> #lib/modules/KVER-ipfire/build/include/generated/compile.h
> +#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h
> #lib/modules/KVER-ipfire/build/include/generated/timeconst.h
> #lib/modules/KVER-ipfire/build/include/generated/uapi
> #lib/modules/KVER-ipfire/build/include/generated/uapi/linux
> @@ -17567,6 +17570,8 @@ etc/modprobe.d/ipv6.conf
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c
> +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so
> +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c
> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c
> -- 
> 2.35.3
  
Peter Müller Aug. 2, 2022, 3:13 p.m. UTC | #2
Hello Michael,

on my local workstation (featuring an Intel i5-6500), the kernel takes ~ 48
minutes to compile with randstruct enabled, which is around the same time I have
experienced before.

Thanks, and best regards,
Peter Müller


> Do we finally know how much the impact is at compile time?
> 
> -Michael
> 
>> On 1 Aug 2022, at 18:18, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> To quote from the kernel documentation:
>>
>>> If you say Y here, the layouts of structures that are entirely
>>> function pointers (and have not been manually annotated with
>>> __no_randomize_layout), or structures that have been explicitly
>>> marked with __randomize_layout, will be randomized at compile-time.
>>> This can introduce the requirement of an additional information
>>> exposure vulnerability for exploits targeting these structure
>>> types.
>>>
>>> Enabling this feature will introduce some performance impact,
>>> slightly increase memory usage, and prevent the use of forensic
>>> tools like Volatility against the system (unless the kernel
>>> source tree isn't cleaned after kernel installation).
>>>
>>> The seed used for compilation is located at
>>> scripts/gcc-plugins/randomize_layout_seed.h. It remains after
>>> a make clean to allow for external modules to be compiled with
>>> the existing seed and will be removed by a make mrproper or
>>> make distclean.
>>>
>>> Note that the implementation requires gcc 4.7 or newer.
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
>> config/rootfiles/common/aarch64/linux     | 5 +++++
>> config/rootfiles/common/armv6l/linux      | 5 +++++
>> config/rootfiles/common/x86_64/linux      | 5 +++++
>> 4 files changed, 17 insertions(+), 1 deletion(-)
>>
  
Michael Tremer Aug. 3, 2022, 8:30 a.m. UTC | #3
Hello,

I assume that is without any ccache whatsoever?

Why is this so slow?

From cache, the kernel should build in about 5-ish minutes.

-Michael

> On 2 Aug 2022, at 16:13, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Michael,
> 
> on my local workstation (featuring an Intel i5-6500), the kernel takes ~ 48
> minutes to compile with randstruct enabled, which is around the same time I have
> experienced before.
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Do we finally know how much the impact is at compile time?
>> 
>> -Michael
>> 
>>> On 1 Aug 2022, at 18:18, Peter Müller <peter.mueller@ipfire.org> wrote:
>>> 
>>> To quote from the kernel documentation:
>>> 
>>>> If you say Y here, the layouts of structures that are entirely
>>>> function pointers (and have not been manually annotated with
>>>> __no_randomize_layout), or structures that have been explicitly
>>>> marked with __randomize_layout, will be randomized at compile-time.
>>>> This can introduce the requirement of an additional information
>>>> exposure vulnerability for exploits targeting these structure
>>>> types.
>>>> 
>>>> Enabling this feature will introduce some performance impact,
>>>> slightly increase memory usage, and prevent the use of forensic
>>>> tools like Volatility against the system (unless the kernel
>>>> source tree isn't cleaned after kernel installation).
>>>> 
>>>> The seed used for compilation is located at
>>>> scripts/gcc-plugins/randomize_layout_seed.h. It remains after
>>>> a make clean to allow for external modules to be compiled with
>>>> the existing seed and will be removed by a make mrproper or
>>>> make distclean.
>>>> 
>>>> Note that the implementation requires gcc 4.7 or newer.
>>> 
>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>> ---
>>> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
>>> config/rootfiles/common/aarch64/linux     | 5 +++++
>>> config/rootfiles/common/armv6l/linux      | 5 +++++
>>> config/rootfiles/common/x86_64/linux      | 5 +++++
>>> 4 files changed, 17 insertions(+), 1 deletion(-)
>>> 
  
Peter Müller Aug. 3, 2022, 9:59 a.m. UTC | #4
Hello Michael,

thanks for your reply.

> Hello,
> 
> I assume that is without any ccache whatsoever?

Yes, this is without ccache, since I wanted the results to be (somewhat) reproducible.

> 
> Why is this so slow?
> 
> From cache, the kernel should build in about 5-ish minutes.

Indeed. With ccache, the kernel takes about 7 minutes on my workstation.

Thanks, and best regards,
Peter Müller

> 
> -Michael
> 
>> On 2 Aug 2022, at 16:13, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Hello Michael,
>>
>> on my local workstation (featuring an Intel i5-6500), the kernel takes ~ 48
>> minutes to compile with randstruct enabled, which is around the same time I have
>> experienced before.
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> Do we finally know how much the impact is at compile time?
>>>
>>> -Michael
>>>
>>>> On 1 Aug 2022, at 18:18, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>>
>>>> To quote from the kernel documentation:
>>>>
>>>>> If you say Y here, the layouts of structures that are entirely
>>>>> function pointers (and have not been manually annotated with
>>>>> __no_randomize_layout), or structures that have been explicitly
>>>>> marked with __randomize_layout, will be randomized at compile-time.
>>>>> This can introduce the requirement of an additional information
>>>>> exposure vulnerability for exploits targeting these structure
>>>>> types.
>>>>>
>>>>> Enabling this feature will introduce some performance impact,
>>>>> slightly increase memory usage, and prevent the use of forensic
>>>>> tools like Volatility against the system (unless the kernel
>>>>> source tree isn't cleaned after kernel installation).
>>>>>
>>>>> The seed used for compilation is located at
>>>>> scripts/gcc-plugins/randomize_layout_seed.h. It remains after
>>>>> a make clean to allow for external modules to be compiled with
>>>>> the existing seed and will be removed by a make mrproper or
>>>>> make distclean.
>>>>>
>>>>> Note that the implementation requires gcc 4.7 or newer.
>>>>
>>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>>> ---
>>>> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
>>>> config/rootfiles/common/aarch64/linux     | 5 +++++
>>>> config/rootfiles/common/armv6l/linux      | 5 +++++
>>>> config/rootfiles/common/x86_64/linux      | 5 +++++
>>>> 4 files changed, 17 insertions(+), 1 deletion(-)
>>>>
>>>> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c
>>>> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c
>>>> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c
>>>> diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
>>>> index b25f85a3a..1b78fe8c5 100644
>>>> --- a/config/rootfiles/common/x86_64/linux
>>>> +++ b/config/rootfiles/common/x86_64/linux
>>>> @@ -7624,6 +7624,8 @@ etc/modprobe.d/ipv6.conf
>>>> #lib/modules/KVER-ipfire/build/include/config/GARP
>>>> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS
>>>> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY
>>>> +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT
>>>> +#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
>>>> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK
>>>> #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
>>>> #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION
>>>> @@ -12128,6 +12130,7 @@ etc/modprobe.d/ipv6.conf
>>>> #lib/modules/KVER-ipfire/build/include/generated/autoconf.h
>>>> #lib/modules/KVER-ipfire/build/include/generated/bounds.h
>>>> #lib/modules/KVER-ipfire/build/include/generated/compile.h
>>>> +#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h
>>>> #lib/modules/KVER-ipfire/build/include/generated/timeconst.h
>>>> #lib/modules/KVER-ipfire/build/include/generated/uapi
>>>> #lib/modules/KVER-ipfire/build/include/generated/uapi/linux
>>>> @@ -17567,6 +17570,8 @@ etc/modprobe.d/ipv6.conf
>>>> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c
>>>> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so
>>>> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c
>>>> +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so
>>>> +#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h
>>>> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c
>>>> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c
>>>> #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c
>>>> -- 
>>>> 2.35.3
>>>
>
  
Michael Tremer Aug. 3, 2022, 10:28 a.m. UTC | #5
> On 3 Aug 2022, at 10:59, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for your reply.
> 
>> Hello,
>> 
>> I assume that is without any ccache whatsoever?
> 
> Yes, this is without ccache, since I wanted the results to be (somewhat) reproducible.
> 
>> 
>> Why is this so slow?
>> 
>> From cache, the kernel should build in about 5-ish minutes.
> 
> Indeed. With ccache, the kernel takes about 7 minutes on my workstation.

And that is repeatable with the plugin enabled?

If so, how is this random?

-Michael

> Thanks, and best regards,
> Peter Müller
> 
>> 
>> -Michael
>> 
>>> On 2 Aug 2022, at 16:13, Peter Müller <peter.mueller@ipfire.org> wrote:
>>> 
>>> Hello Michael,
>>> 
>>> on my local workstation (featuring an Intel i5-6500), the kernel takes ~ 48
>>> minutes to compile with randstruct enabled, which is around the same time I have
>>> experienced before.
>>> 
>>> Thanks, and best regards,
>>> Peter Müller
>>> 
>>> 
>>>> Do we finally know how much the impact is at compile time?
>>>> 
>>>> -Michael
>>>> 
>>>>> On 1 Aug 2022, at 18:18, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>>> 
>>>>> To quote from the kernel documentation:
>>>>> 
>>>>>> If you say Y here, the layouts of structures that are entirely
>>>>>> function pointers (and have not been manually annotated with
>>>>>> __no_randomize_layout), or structures that have been explicitly
>>>>>> marked with __randomize_layout, will be randomized at compile-time.
>>>>>> This can introduce the requirement of an additional information
>>>>>> exposure vulnerability for exploits targeting these structure
>>>>>> types.
>>>>>> 
>>>>>> Enabling this feature will introduce some performance impact,
>>>>>> slightly increase memory usage, and prevent the use of forensic
>>>>>> tools like Volatility against the system (unless the kernel
>>>>>> source tree isn't cleaned after kernel installation).
>>>>>> 
>>>>>> The seed used for compilation is located at
>>>>>> scripts/gcc-plgins/randomize_layout_seed.h. It remains after
>>>>>> a make clean to allow for external modules to be compiled with
>>>>>> the existing seed and will be removed by a make mrproper or
>>>>>> make distclean.
>>>>>> 
>>>>>> Note that the implementation requires gcc 4.7 or newer.
>>>>> 
>>>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>>>> ---
>>>>> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
>>>>> config/rootfiles/common/aarch64/linux     | 5 +++++
>>>>> config/rootfiles/common/armv6l/linux      | 5 +++++
>>>>> config/rootfiles/common/x86_64/linux      | 5 +++++
>>>>> 4 files changed, 17 insertions(+), 1 deletion(-)
>>>>> 
>>>> 
>>
  
Michael Tremer Aug. 3, 2022, 10:51 a.m. UTC | #6
Acked-by: Michael Tremer <michael.tremer@ipfire.org>

> On 1 Aug 2022, at 18:18, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> To quote from the kernel documentation:
> 
>> If you say Y here, the layouts of structures that are entirely
>> function pointers (and have not been manually annotated with
>> __no_randomize_layout), or structures that have been explicitly
>> marked with __randomize_layout, will be randomized at compile-time.
>> This can introduce the requirement of an additional information
>> exposure vulnerability for exploits targeting these structure
>> types.
>> 
>> Enabling this feature will introduce some performance impact,
>> slightly increase memory usage, and prevent the use of forensic
>> tools like Volatility against the system (unless the kernel
>> source tree isn't cleaned after kernel installation).
>> 
>> The seed used for compilation is located at
>> scripts/gcc-plgins/randomize_layout_seed.h. It remains after
>> a make clean to allow for external modules to be compiled with
>> the existing seed and will be removed by a make mrproper or
>> make distclean.
>> 
>> Note that the implementation requires gcc 4.7 or newer.
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
> config/rootfiles/common/aarch64/linux     | 5 +++++
> config/rootfiles/common/armv6l/linux      | 5 +++++
> config/rootfiles/common/x86_64/linux      | 5 +++++
> 4 files changed, 17 insertions(+), 1 deletion(-)
> 
  

Patch

diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 40975b5fc..c8e7ada01 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -793,7 +793,8 @@  CONFIG_HAVE_GCC_PLUGINS=y
 CONFIG_GCC_PLUGINS=y
 # CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 # end of General architecture-dependent options
 
 CONFIG_RT_MUTEXES=y
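Review bot: The commit message quotes the help text for CONFIG_GCC_PLUGIN_RANDSTRUCT but gives no reason for also setting CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y; as its Kconfig help text explains, the performance variant limits the shuffling so that members stay within cache-line boundaries, which is a weaker randomization than the plain option, so the trade-off (and the roughly 48 minute uncached build time reported in this thread) should be stated in the message. On the reproducibility question raised in the thread: the quoted help text says the seed in scripts/gcc-plugins/randomize_layout_seed.h survives `make clean` and is only removed by `make mrproper` or `make distclean`, so a build tree that is not cleaned that far between releases silently reuses the previous seed. The build should guarantee a fresh seed per release build and that the kernel and every module shipped with it are compiled with that same seed.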
diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux
index dbd6e8f2f..b3a642e56 100644
--- a/config/rootfiles/common/aarch64/linux
+++ b/config/rootfiles/common/aarch64/linux
@@ -7646,6 +7646,8 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/GARP
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY
+#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT
+#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
 #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION
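Review bot: No aarch64 kernel configuration is changed in this series (the diffstat lists only config/kernel/kernel.config.x86_64-ipfire), so unless the aarch64 config already enables CONFIG_GCC_PLUGIN_RANDSTRUCT, Kconfig will not generate include/config/GCC_PLUGIN_RANDSTRUCT or include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE on that architecture and the two entries added here will not correspond to any file in the build tree. Either add the same two options to the aarch64 kernel config as part of this series, or hold back the aarch64 rootfile changes until that config is updated.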
@@ -11684,6 +11686,7 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/generated/autoconf.h
 #lib/modules/KVER-ipfire/build/include/generated/bounds.h
 #lib/modules/KVER-ipfire/build/include/generated/compile.h
+#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h
 #lib/modules/KVER-ipfire/build/include/generated/timeconst.h
 #lib/modules/KVER-ipfire/build/include/generated/uapi
 #lib/modules/KVER-ipfire/build/include/generated/uapi/linux
@@ -17129,6 +17132,8 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c
+#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so
+#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c
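Review bot: scripts/gcc-plugins/randomize_layout_seed.h is listed with a leading `#`, which, like the neighbouring plugin entries, keeps it out of the shipped package. That is the right default, because the seed determines the structure layout and publishing it with the kernel would defeat the randomization the help text describes (the help text itself notes that forensic tooling only works if the source tree is not cleaned). The consequence is that out-of-tree modules cannot be built against the installed kernel headers with a matching layout, since the help text says external modules must be compiled with the existing seed; the commit message should say so explicitly, so that anyone building third-party modules for this kernel knows they need the original build tree with its seed.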
diff --git a/config/rootfiles/common/armv6l/linux b/config/rootfiles/common/armv6l/linux
index 79e4facfe..c3411fe8d 100644
--- a/config/rootfiles/common/armv6l/linux
+++ b/config/rootfiles/common/armv6l/linux
@@ -8071,6 +8071,8 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_ARM_SSP_PER_TASK
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY
+#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT
+#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
 #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION
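Review bot: As with aarch64, no armv6l kernel configuration is part of this series (the diffstat lists only config/kernel/kernel.config.x86_64-ipfire), so the two include/config/GCC_PLUGIN_RANDSTRUCT* entries added here only make sense if the armv6l config already sets CONFIG_GCC_PLUGIN_RANDSTRUCT=y; please either include that config change in the series or confirm it is already enabled there.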
@@ -12134,6 +12136,7 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/generated/autoconf.h
 #lib/modules/KVER-ipfire/build/include/generated/bounds.h
 #lib/modules/KVER-ipfire/build/include/generated/compile.h
+#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h
 #lib/modules/KVER-ipfire/build/include/generated/timeconst.h
 #lib/modules/KVER-ipfire/build/include/generated/uapi
 #lib/modules/KVER-ipfire/build/include/generated/uapi/linux
@@ -17579,6 +17582,8 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c
+#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so
+#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c
diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
index b25f85a3a..1b78fe8c5 100644
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -7624,6 +7624,8 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/GARP
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGINS
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_LATENT_ENTROPY
+#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT
+#lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK
 #lib/modules/KVER-ipfire/build/include/config/GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
 #lib/modules/KVER-ipfire/build/include/config/GCC_VERSION
@@ -12128,6 +12130,7 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/generated/autoconf.h
 #lib/modules/KVER-ipfire/build/include/generated/bounds.h
 #lib/modules/KVER-ipfire/build/include/generated/compile.h
+#lib/modules/KVER-ipfire/build/include/generated/randomize_layout_hash.h
 #lib/modules/KVER-ipfire/build/include/generated/timeconst.h
 #lib/modules/KVER-ipfire/build/include/generated/uapi
 #lib/modules/KVER-ipfire/build/include/generated/uapi/linux
@@ -17567,6 +17570,8 @@  etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/latent_entropy_plugin.so
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.c
+#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_plugin.so
+#lib/modules/KVER-ipfire/build/scripts/gcc-plugins/randomize_layout_seed.h
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/sancov_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/stackleak_plugin.c
 #lib/modules/KVER-ipfire/build/scripts/gcc-plugins/structleak_plugin.c