On 12/12/2024 12:13 am, Volodymyr Babchuk wrote: > Hello Jan, > > Jan Beulich <jbeul...@suse.com> writes: > >> On 11.12.2024 03:04, Volodymyr Babchuk wrote: >>> Both GCC and Clang support -fstack-protector feature, which add stack >>> canaries to functions where stack corruption is possible. This series >>> makes possible to use this feature in Xen. I tested this on ARM64 and >>> it is working as intended. Tested both with GCC and Clang. >>> >>> It is hard to enable this feature on x86, as GCC stores stack canary >>> in %fs:40 by default, but Xen can't use %fs for various reasons. It is >>> possibly to change stack canary location new newer GCC versions, but >>> this will change minimal GCC requirement, which is also hard due to >>> various reasons. So, this series focus mostly on ARM and RISCV. >> Why exactly would it not be possible to offer the feature when new enough >> gcc is in use? > It is possible to use this feature with a modern enough GCC, yes. Are > you suggesting to make HAS_STACK_PROTECTOR dependent on GCC_VERSION for > x86 platform?
(With the knowledge that this is a disputed Kconfig pattern, and will need rebasing), the way I want this to work is simply: diff --git a/xen/Makefile b/xen/Makefile index 0de0101fd0bf..5d0a88fb3c3f 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -434,6 +434,9 @@ endif ifeq ($(CONFIG_STACK_PROTECTOR),y) CFLAGS += -fstack-protector +ifeq ($(CONFIG_X86),y) +CFLAGS += -mstack-protector-guard=global +endif else CFLAGS += -fno-stack-protector endif diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig index 9cdd04721afa..7951ca908b36 100644 --- a/xen/arch/x86/Kconfig +++ b/xen/arch/x86/Kconfig @@ -28,6 +28,7 @@ config X86 select HAS_PCI_MSI select HAS_PIRQ select HAS_SCHED_GRANULARITY + select HAS_STACK_PROTECTOR if $(cc-option,-mstack-protector-guard=global) select HAS_UBSAN select HAS_VMAP select HAS_VPCI if HVM Sadly, it doesn't build. I get a handful of: prelink.o: in function `cmdline_parse': /home/andrew/xen.git/xen/common/kernel.c:216:(.init.text+0x20f2): failed to convert GOTPCREL relocation against '__stack_chk_guard'; relink with --no-relax /home/andrew/xen.git/xen/common/kernel.c:230:(.init.text+0x246f): failed to convert GOTPCREL relocation against '__stack_chk_guard'; relink with --no-relax which is more toolchain-whispering than I feel like doing tonight. ~Andrew
