Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7175b118 authored by Josh Poimboeuf's avatar Josh Poimboeuf Committed by Greg Kroah-Hartman
Browse files

x86/build: Disable CET instrumentation in the kernel 



commit 20bf2b378729c4a0366a53e2018a0b70ace94bcd upstream.

With retpolines disabled, some configurations of GCC, and specifically
the GCC versions 9 and 10 in Ubuntu will add Intel CET instrumentation
to the kernel by default. That breaks certain tracing scenarios by
adding a superfluous ENDBR64 instruction before the fentry call, for
functions which can be called indirectly.

CET instrumentation isn't currently necessary in the kernel, as CET is
only supported in user space. Disable it unconditionally and move it
into the x86's Makefile as CET/CFI... enablement should be a per-arch
decision anyway.

 [ bp: Massage and extend commit message. ]

Fixes: 29be86d7f9cb ("kbuild: add -fcf-protection=none when using retpoline flags")
Reported-by: default avatarNikolay Borisov <nborisov@suse.com>
Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
Tested-by: default avatarNikolay Borisov <nborisov@suse.com>
Cc: <stable@vger.kernel.org>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Link: https://lkml.kernel.org/r/20210128215219.6kct3h2eiustncws@treble


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 332293a2

Makefile

+0 −6
Original line number Diff line number Diff line
@@ -841,12 +841,6 @@ KBUILD_CFLAGS += $(call cc-option,-Werror=designated-init) 
# change __FILE__ to the relative path from the srctree

KBUILD_CFLAGS	+= $(call cc-option,-fmacro-prefix-map=$(srctree)/=)



# ensure -fcf-protection is disabled when using retpoline as it is

# incompatible with -mindirect-branch=thunk-extern

ifdef CONFIG_RETPOLINE

KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none)

endif



# use the deterministic mode of AR if available

KBUILD_ARFLAGS := $(call ar-option,D)

arch/x86/Makefile

+3 −0
Original line number Diff line number Diff line
@@ -137,6 +137,9 @@ else 
        KBUILD_CFLAGS += -mno-red-zone

        KBUILD_CFLAGS += -mcmodel=kernel



	# Intel CET isn't enabled in the kernel

	KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none)



        # -funit-at-a-time shrinks the kernel .text considerably

        # unfortunately it makes reading oopses harder.

        KBUILD_CFLAGS += $(call cc-option,-funit-at-a-time)