linux-stable/scripts/Makefile.gcc-plugins
Linus Torvalds f594e28d80 compiler hardening updates for v5.16-rc1
This collects various compiler hardening feature related updates:
 
 - gcc-plugins:
   - remove support for GCC 4.9 and older (Ard Biesheuvel)
   - remove duplicate include in gcc-common.h (Ye Guojin)
   - Explicitly document purpose and deprecation schedule (Kees Cook)
   - Remove cyc_complexity (Kees Cook)
 
 - instrumentation:
   - Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO (Kees Cook)
 
 - Clang LTO:
   - kallsyms: strip LTO suffixes from static functions (Nick Desaulniers)
 -----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmGAEyEWHGtlZXNjb29r
 QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJg82D/90Cnh7yCtuWJUlFDjlYsKhZbGR
 GxAfn+r92dS024G6aNgQjgmsJreZeY4HIkX4UJP6Xw8CakptjxpSJMrA19VeAVja
 B4hMph6dJ5XIJQEGKff1QFgyxSviW/FG8BmoMn/eCo9PYSPLmam44FOUERanMr/S
 aqARSxafmxX/wHT9fbegvbHmr7hBUStvFP7TYDoSVuSLfuuT4hYnqePy02t5jC9k
 RBVUQxEUuYaDIpMga5n/auLaodFcNkVTA0Kznoj5D8pgciKJU/qcoErB/49x1eQZ
 UNgDdEDa87emHNSj7WEheuEWOqIwEttXHnJhItbARew074lIAvfOWQZuS6ApmStw
 CsB5GH6gLu1qYHqQYyu03ZQrTjOES5OBRZ+bRSsC7rJhbES8m/Rp/cE59yNihall
 bWRPnQGxcgmxZh7lu6AOpJ6p31Wfn3WMG9fyjhseENCYlEawFm5LDN6UI+2ubULb
 nu41llRlgrBB8tEnDh67t6Pvyquz71zqWrX+rZMZLhjxZE3Trpuq7u35Rdrc8BSM
 m4w+bwWDbOt/LKF79c5iXURZdqDEwkjkh8sJA2e5bZCQU3nLgHXobC+NjTS044+f
 /MFXV4OFquFRzB5P7kfP2USM+ghxZvPRqAmUoNEPcBopzZdcdnx1dNkMfI52c8Jc
 GClPQHThoM+Ht5t9yQ==
 =u7XU
 -----END PGP SIGNATURE-----

Merge tag 'hardening-v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull compiler hardening updates from Kees Cook:
 "These are various compiler-related hardening feature updates. Notable
  is the addition of an explicit limited rationale for, and deprecation
  schedule of, gcc-plugins.

  gcc-plugins:
   - remove support for GCC 4.9 and older (Ard Biesheuvel)
   - remove duplicate include in gcc-common.h (Ye Guojin)
   - Explicitly document purpose and deprecation schedule (Kees Cook)
   - Remove cyc_complexity (Kees Cook)

  instrumentation:
   - Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO (Kees Cook)

  Clang LTO:
   - kallsyms: strip LTO suffixes from static functions (Nick Desaulniers)"

* tag 'hardening-v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  gcc-plugins: remove duplicate include in gcc-common.h
  gcc-plugins: Remove cyc_complexity
  gcc-plugins: Explicitly document purpose and deprecation schedule
  kallsyms: strip LTO suffixes from static functions
  gcc-plugins: remove support for GCC 4.9 and older
  hardening: Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO
2021-11-01 17:09:03 -07:00

63 lines
2.6 KiB
Text

# SPDX-License-Identifier: GPL-2.0
gcc-plugin-$(CONFIG_GCC_PLUGIN_LATENT_ENTROPY) += latent_entropy_plugin.so
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_LATENT_ENTROPY) \
+= -DLATENT_ENTROPY_PLUGIN
ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
DISABLE_LATENT_ENTROPY_PLUGIN += -fplugin-arg-latent_entropy_plugin-disable
endif
export DISABLE_LATENT_ENTROPY_PLUGIN
gcc-plugin-$(CONFIG_GCC_PLUGIN_SANCOV) += sancov_plugin.so
gcc-plugin-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) += structleak_plugin.so
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE) \
+= -fplugin-arg-structleak_plugin-verbose
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF) \
+= -fplugin-arg-structleak_plugin-byref
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL) \
+= -fplugin-arg-structleak_plugin-byref-all
ifdef CONFIG_GCC_PLUGIN_STRUCTLEAK
DISABLE_STRUCTLEAK_PLUGIN += -fplugin-arg-structleak_plugin-disable
endif
export DISABLE_STRUCTLEAK_PLUGIN
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) \
+= -DSTRUCTLEAK_PLUGIN
gcc-plugin-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) += randomize_layout_plugin.so
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \
+= -DRANDSTRUCT_PLUGIN
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE) \
+= -fplugin-arg-randomize_layout_plugin-performance-mode
gcc-plugin-$(CONFIG_GCC_PLUGIN_STACKLEAK) += stackleak_plugin.so
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \
+= -DSTACKLEAK_PLUGIN
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \
+= -fplugin-arg-stackleak_plugin-track-min-size=$(CONFIG_STACKLEAK_TRACK_MIN_SIZE)
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STACKLEAK) \
+= -fplugin-arg-stackleak_plugin-arch=$(SRCARCH)
ifdef CONFIG_GCC_PLUGIN_STACKLEAK
DISABLE_STACKLEAK_PLUGIN += -fplugin-arg-stackleak_plugin-disable
endif
export DISABLE_STACKLEAK_PLUGIN
gcc-plugin-$(CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK) += arm_ssp_per_task_plugin.so
ifdef CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK
DISABLE_ARM_SSP_PER_TASK_PLUGIN += -fplugin-arg-arm_ssp_per_task_plugin-disable
endif
export DISABLE_ARM_SSP_PER_TASK_PLUGIN
# All the plugin CFLAGS are collected here in case a build target needs to
# filter them out of the KBUILD_CFLAGS.
GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y))
# The sancov_plugin.so is included via CFLAGS_KCOV, so it is removed here.
GCC_PLUGINS_CFLAGS := $(filter-out %/sancov_plugin.so, $(GCC_PLUGINS_CFLAGS))
export GCC_PLUGINS_CFLAGS
# Add the flags to the build!
KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
# All enabled GCC plugins are collected here for building below.
GCC_PLUGIN := $(gcc-plugin-y)
export GCC_PLUGIN