From debb07bf107a9feb3cbf03db6b10abae466e4d41 Mon Sep 17 00:00:00 2001 From: Andre Przywara Date: Mon, 12 Apr 2021 01:04:52 +0100 Subject: net: calxedagmac: Convert to DM_ETH To squash that nasty warning message and make better use of the newly gained OF_CONTROL feature, let's convert the calxedagmac driver to the "new" driver model. The conversion is pretty straight forward, mostly just adjusting the use of the involved data structures. The only actual change is the required split of the receive routine into a receive and free_pkt part. Also this allows us to get rid of the hardcoded platform information and explicit init calls. This also uses the opportunity to wrap the code decoding the MMIO register base address, to make it safe for using PHYS_64BIT later. Signed-off-by: Andre Przywara Reviewed-by: Ramon Fried --- scripts/config_whitelist.txt | 1 - 1 file changed, 1 deletion(-) (limited to 'scripts') diff --git a/scripts/config_whitelist.txt b/scripts/config_whitelist.txt index b24fa36da0f..a2fcafd2e6c 100644 --- a/scripts/config_whitelist.txt +++ b/scripts/config_whitelist.txt @@ -149,7 +149,6 @@ CONFIG_BTB CONFIG_BUFNO_AUTO_INCR_BIT CONFIG_BUILD_ENVCRC CONFIG_BUS_WIDTH -CONFIG_CALXEDA_XGMAC CONFIG_CDP_APPLIANCE_VLAN_TYPE CONFIG_CDP_CAPABILITIES CONFIG_CDP_DEVICE_ID -- cgit v1.3.1 From 4e9bce12432492aa7a7c2121d9fae1640606ace5 Mon Sep 17 00:00:00 2001 From: Joel Peshkin Date: Sun, 11 Apr 2021 11:21:58 +0200 Subject: Add support for stack-protector Add support for stack protector for UBOOT, SPL, and TPL as well as new pytest for stackprotector Signed-off-by: Joel Peshkin Adjust UEFI build flags. Signed-off-by: Heinrich Schuchardt --- MAINTAINERS | 7 +++++++ Makefile | 5 +++++ arch/arm/config.mk | 3 ++- arch/riscv/lib/Makefile | 1 + arch/x86/config.mk | 2 +- cmd/Kconfig | 9 +++++++++ cmd/Makefile | 1 + cmd/stackprot_test.c | 19 +++++++++++++++++++ common/Kconfig | 17 +++++++++++++++++ common/Makefile | 1 + common/stackprot.c | 20 ++++++++++++++++++++ configs/sandbox_defconfig | 2 ++ scripts/Makefile.spl | 6 ++++++ test/py/tests/test_stackprotector.py | 14 ++++++++++++++ 14 files changed, 105 insertions(+), 2 deletions(-) create mode 100644 cmd/stackprot_test.c create mode 100644 common/stackprot.c create mode 100644 test/py/tests/test_stackprotector.py (limited to 'scripts') diff --git a/MAINTAINERS b/MAINTAINERS index c6dd9bf838d..2d267aeff24 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1062,6 +1062,13 @@ F: include/sqfs.h F: cmd/sqfs.c F: test/py/tests/test_fs/test_squashfs/ +STACKPROTECTOR +M: Joel Peshkin +S: Maintained +F: common/stackprot.c +F: cmd/stackprot_test.c +F: test/py/tests/test_stackprotector.py + TARGET_BCMNS3 M: Bharat Gooty M: Rayagonda Kokatanur diff --git a/Makefile b/Makefile index e423f6de746..3fc9777b0b2 100644 --- a/Makefile +++ b/Makefile @@ -676,7 +676,12 @@ else KBUILD_CFLAGS += -O2 endif +ifeq ($(CONFIG_STACKPROTECTOR),y) +KBUILD_CFLAGS += $(call cc-option,-fstack-protector-strong) +CFLAGS_EFI += $(call cc-option,-fno-stack-protector) +else KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector) +endif KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks) # disable stringop warnings in gcc 8+ diff --git a/arch/arm/config.mk b/arch/arm/config.mk index 4153f7e3713..e79f0104b92 100644 --- a/arch/arm/config.mk +++ b/arch/arm/config.mk @@ -11,7 +11,8 @@ CONFIG_STANDALONE_LOAD_ADDR = 0xc100000 endif endif -CFLAGS_NON_EFI := -fno-pic -ffixed-r9 -ffunction-sections -fdata-sections +CFLAGS_NON_EFI := -fno-pic -ffixed-r9 -ffunction-sections -fdata-sections \ + -fstack-protector-strong CFLAGS_EFI := -fpic -fshort-wchar LDFLAGS_FINAL += --gc-sections diff --git a/arch/riscv/lib/Makefile b/arch/riscv/lib/Makefile index ff0677aa966..d08cbe9b79d 100644 --- a/arch/riscv/lib/Makefile +++ b/arch/riscv/lib/Makefile @@ -27,6 +27,7 @@ obj-$(CONFIG_SPL_BUILD) += spl.o obj-y += fdt_fixup.o # For building EFI apps +CFLAGS_NON_EFI := -fstack-protector-strong CFLAGS_$(EFI_CRT0) := $(CFLAGS_EFI) CFLAGS_REMOVE_$(EFI_CRT0) := $(CFLAGS_NON_EFI) diff --git a/arch/x86/config.mk b/arch/x86/config.mk index 3067702858a..7a8242562db 100644 --- a/arch/x86/config.mk +++ b/arch/x86/config.mk @@ -42,7 +42,7 @@ OBJCOPYFLAGS_EFI := -j .text -j .sdata -j .data -j .dynamic -j .dynsym \ # Compiler flags to be added when building UEFI applications CFLAGS_EFI := -fpic -fshort-wchar # Compiler flags to be removed when building UEFI applications -CFLAGS_NON_EFI := -mregparm=3 +CFLAGS_NON_EFI := -mregparm=3 -fstack-protector-strong ifeq ($(CONFIG_EFI_STUB_64BIT),) CFLAGS_EFI += $(call cc-option, -mno-red-zone) diff --git a/cmd/Kconfig b/cmd/Kconfig index 2b66285e0d4..9e8b69258ff 100644 --- a/cmd/Kconfig +++ b/cmd/Kconfig @@ -2325,6 +2325,15 @@ config CMD_AVB avb read_part_hex - read data from partition and output to stdout avb write_part - write data to partition avb verify - run full verification chain + +config CMD_STACKPROTECTOR_TEST + bool "Test command for stack protector" + depends on STACKPROTECTOR + help + Enable stackprot_test command + The stackprot_test command will force a stack overrun to test + the stack smashing detection mechanisms. + endmenu config CMD_UBI diff --git a/cmd/Makefile b/cmd/Makefile index e606ac4e8c0..4977fa15f43 100644 --- a/cmd/Makefile +++ b/cmd/Makefile @@ -144,6 +144,7 @@ obj-$(CONFIG_CMD_SPI) += spi.o obj-$(CONFIG_CMD_STRINGS) += strings.o obj-$(CONFIG_CMD_SMC) += smccc.o obj-$(CONFIG_CMD_SYSBOOT) += sysboot.o pxe_utils.o +obj-$(CONFIG_CMD_STACKPROTECTOR_TEST) += stackprot_test.o obj-$(CONFIG_CMD_TERMINAL) += terminal.o obj-$(CONFIG_CMD_TIME) += time.o obj-$(CONFIG_CMD_TIMER) += timer.o diff --git a/cmd/stackprot_test.c b/cmd/stackprot_test.c new file mode 100644 index 00000000000..36f5bac8d23 --- /dev/null +++ b/cmd/stackprot_test.c @@ -0,0 +1,19 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright 2021 Broadcom + */ + +#include +#include + +static int do_test_stackprot_fail(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) +{ + char a[128]; + + memset(a, 0xa5, 512); + return 0; +} + +U_BOOT_CMD(stackprot_test, 1, 1, do_test_stackprot_fail, + "test stack protector fail", ""); diff --git a/common/Kconfig b/common/Kconfig index 0e36dfd2368..26496f9a2e7 100644 --- a/common/Kconfig +++ b/common/Kconfig @@ -618,6 +618,23 @@ config TPL_HASH and the algorithms it supports are defined in common/hash.c. See also CMD_HASH for command-line access. +config STACKPROTECTOR + bool "Stack Protector buffer overflow detection" + default n + help + Enable stack smash detection through compiler's stack-protector + canary logic + +config SPL_STACKPROTECTOR + bool "Stack Protector buffer overflow detection for SPL" + depends on STACKPROTECTOR && SPL + default n + +config TPL_STACKPROTECTOR + bool "Stack Protector buffer overflow detection for TPL" + depends on STACKPROTECTOR && TPL + default n + endmenu menu "Update support" diff --git a/common/Makefile b/common/Makefile index 0952ae23f8c..829ea5fb426 100644 --- a/common/Makefile +++ b/common/Makefile @@ -137,6 +137,7 @@ obj-$(CONFIG_CMD_LOADB) += xyzModem.o obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o obj-$(CONFIG_AVB_VERIFY) += avb_verify.o +obj-$(CONFIG_$(SPL_TPL_)STACKPROTECTOR) += stackprot.o obj-$(CONFIG_SCP03) += scp03.o obj-$(CONFIG_QFW) += qfw.o diff --git a/common/stackprot.c b/common/stackprot.c new file mode 100644 index 00000000000..d5b70616655 --- /dev/null +++ b/common/stackprot.c @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright 2021 Broadcom + */ + +#include +#include + +DECLARE_GLOBAL_DATA_PTR; + +unsigned long __stack_chk_guard = (unsigned long)(0xfeedf00ddeadbeef & ~0UL); + +void __stack_chk_fail(void) +{ + void *ra; + + ra = __builtin_extract_return_addr(__builtin_return_address(0)); + panic("Stack smashing detected in function:\n%p relocated from %p", + ra, ra - gd->reloc_off); +} diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig index 12af9be3603..d3de9c31554 100644 --- a/configs/sandbox_defconfig +++ b/configs/sandbox_defconfig @@ -25,6 +25,7 @@ CONFIG_LOG_SYSLOG=y CONFIG_LOG_ERROR_RETURN=y CONFIG_DISPLAY_BOARDINFO_LATE=y CONFIG_MISC_INIT_F=y +CONFIG_STACKPROTECTOR=y CONFIG_ANDROID_AB=y CONFIG_CMD_CPU=y CONFIG_CMD_LICENSE=y @@ -97,6 +98,7 @@ CONFIG_CMD_CRAMFS=y CONFIG_CMD_EXT4_WRITE=y CONFIG_CMD_SQUASHFS=y CONFIG_CMD_MTDPARTS=y +CONFIG_CMD_STACKPROTECTOR_TEST=y CONFIG_MAC_PARTITION=y CONFIG_AMIGA_PARTITION=y CONFIG_OF_CONTROL=y diff --git a/scripts/Makefile.spl b/scripts/Makefile.spl index ca988224dad..c69525fa748 100644 --- a/scripts/Makefile.spl +++ b/scripts/Makefile.spl @@ -67,6 +67,12 @@ include $(srctree)/scripts/Makefile.lib KBUILD_CFLAGS += -ffunction-sections -fdata-sections LDFLAGS_FINAL += --gc-sections +ifeq ($(CONFIG_$(SPL_TPL_)STACKPROTECTOR),y) +KBUILD_CFLAGS += -fstack-protector-strong +else +KBUILD_CFLAGS += -fno-stack-protector +endif + # FIX ME cpp_flags := $(KBUILD_CPPFLAGS) $(PLATFORM_CPPFLAGS) $(UBOOTINCLUDE) \ $(NOSTDINC_FLAGS) diff --git a/test/py/tests/test_stackprotector.py b/test/py/tests/test_stackprotector.py new file mode 100644 index 00000000000..b009437e5e0 --- /dev/null +++ b/test/py/tests/test_stackprotector.py @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2021 Broadcom + +import pytest +import signal + +@pytest.mark.buildconfigspec('cmd_stackprotector_test') +def test_stackprotector(u_boot_console): + """Test that the stackprotector function works.""" + + u_boot_console.run_command('stackprot_test',wait_for_prompt=False) + expected_response = 'Stack smashing detected' + u_boot_console.wait_for(expected_response) + u_boot_console.restart_uboot() -- cgit v1.3.1