From ce0d73ef8dea52d7253bdc2fd3cc3e89d7089ded Mon Sep 17 00:00:00 2001 From: Stephen Boyd Date: Tue, 14 May 2024 15:48:38 -0700 Subject: [PATCH 1/3] loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression If modules are built compressed, and LoadPin is enforcing by default, we must have in-kernel module decompression enabled (MODULE_DECOMPRESS). Modules will fail to load without decompression built into the kernel because they'll be blocked by LoadPin. Add a depends on clause to prevent this combination. Cc: Dmitry Torokhov Cc: Douglas Anderson Signed-off-by: Stephen Boyd Link: https://lore.kernel.org/r/20240514224839.2526112-1-swboyd@chromium.org Signed-off-by: Kees Cook
---
 security/loadpin/Kconfig | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
index 6724eaba3d36..848f8b4a6019 100644
--- a/security/loadpin/Kconfig
+++ b/security/loadpin/Kconfig
@@ -14,6 +14,9 @@ config SECURITY_LOADPIN
 config SECURITY_LOADPIN_ENFORCE
 bool "Enforce LoadPin at boot"
 depends on SECURITY_LOADPIN
+ # Module compression breaks LoadPin unless modules are decompressed in
+ # the kernel.
+ depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)
 help
 If selected, LoadPin will enforce pinning at boot. If not selected, it can be enabled at boot with the kernel parameter
From 890a64810d59b1a58ed26efc28cfd821fc068e84 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Tue, 14 May 2024 16:37:48 -0700 Subject: [PATCH 2/3] ubsan: Restore dependency on ARCH_HAS_UBSAN While removing CONFIG_UBSAN_SANITIZE_ALL, ARCH_HAS_UBSAN wasn't correctly depended on. Restore this, as we do not want to attempt UBSAN builds unless it's actually been tested on a given architecture. Reported-by: Masahiro Yamada Closes: https://lore.kernel.org/all/20240514095427.541201-1-masahiroy@kernel.org Fixes: 918327e9b7ff ("ubsan: Remove CONFIG_UBSAN_SANITIZE_ALL") Link: https://lore.kernel.org/r/20240514233747.work.441-kees@kernel.org
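Review bot: The new `depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)` in security/loadpin/Kconfig only guards the build-time default, and the help text of SECURITY_LOADPIN_ENFORCE does not mention the requirement. The same help text says enforcement can also be enabled at boot with a kernel parameter, and a kernel with compressed modules and no MODULE_DECOMPRESS would presumably hit the same module-load failures on that path. An existing hardened config that combines compressed modules with no in-kernel decompression will also lose SECURITY_LOADPIN_ENFORCE when it is regenerated, as far as I can tell without any warning, so enforcement can go from on to off unnoticed. I would add a help sentence such as `Requires MODULE_DECOMPRESS when modules are built compressed; otherwise this option is unavailable and LoadPin is not enforced by default.` The help text continues outside the hunk.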
Signed-off-by: Kees Cook
---
 lib/Kconfig.ubsan | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
index e81e1ac4a919..bdda600f8dfb 100644
--- a/lib/Kconfig.ubsan
+++ b/lib/Kconfig.ubsan
@@ -4,6 +4,7 @@ config ARCH_HAS_UBSAN
 menuconfig UBSAN
 bool "Undefined behaviour sanity checker"
+ depends on ARCH_HAS_UBSAN
 help
 This option enables the Undefined Behaviour sanity checker. Compile-time instrumentation is used to detect various undefined
From ae1a863bcdbd6ea2abc93519a82ab5d715d5dcbc Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sat, 18 May 2024 11:40:23 -0700 Subject: [PATCH 3/3] kunit/fortify: Fix memcmp() test to be amplitude agnostic When memcmp() returns a non-zero value, only the signed bit has any meaning. The actual value may differ between implementations. Reported-by: Nathan Chancellor Closes: https://github.com/ClangBuiltLinux/linux/issues/2025 Tested-by: Nathan Chancellor Link: https://lore.kernel.org/r/20240518184020.work.604-kees@kernel.org Signed-off-by: Kees Cook
---
 lib/fortify_kunit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/fortify_kunit.c b/lib/fortify_kunit.c
index d2377e00caab..39da5b3bc649 100644
--- a/lib/fortify_kunit.c
+++ b/lib/fortify_kunit.c
@@ -990,7 +990,7 @@ static void fortify_test_memcmp(struct kunit *test)
 KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0);
 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
 /* Still in bounds, but no longer matching. */
- KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 1), -32);
+ KUNIT_ASSERT_LT(test, memcmp(one, two, one_len + 1), 0);
 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
 /* Catch too-large ranges. */
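Review bot: The comment above the changed assertion in fortify_test_memcmp(), `/* Still in bounds, but no longer matching. */`, does not say why the result is now only compared against zero, so a later reader may be tempted to pin an exact value again. I would extend it to `/* Still in bounds, but no longer matching: only the sign of memcmp() is meaningful. */`. The expected negative sign depends on the contents of `one` and `two`, which are set up outside the hunk, so the direction is presumably fixed by those buffers. The function body starts and ends outside the hunk.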