Enforce RETPOLINE and SLS mitigrations
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[ Impact ]
Enforce RETPOLINE and SLS mitigrations
Currently retpoline ABI checks in the kernel build do nothing. They produce no output, as if everything is fine. And if one manually hacks makefile to "forget" retpoline & SLS mitigration flags, objtool prints lots of warnings, retpoline ABI check passes and the build is succesful. Yet totally vulnerable.
Proposal is to enforce objtool warnings as fatal errors for RETPOLINE and SLS, as tested to be passed on mantic for both kernel and all available dkms. And otherwise rip out custom Ubuntu retpoline abi checks.
I have prepared this for noble v6.7 kernel, once this lands, I will make appropriate backports for earlier series as we likely want usable retpoline build time enforcement in earlier series too where possible.
[ Test Plan ]
Hack arch/x86/Makefile and comment out KBUILD_CFLAGS += $(RETPOLINE_CFLAGS)
This simulate a build infrastructure, or toolchain regression, or hand-written assembly code that is susceptible to speculative attacks.
Attempt to build the kernel.
The kernel build must fail. Currently it doesn't, and retpoline ABI checks do not catch it.
Another approach is to build a known buggy dkms modules on x86 - for example zfs-dkms with ret -> RET changes reverted in assembly accelerated code.
[ Where problems could occur ]
This change will make our kernel build more strict, especially for dkms packages. dkms packages that ship in Ubuntu archive have been build tested to pass with these more strict requirements in place. Other external modules that fail with such strict configuration should either fix their code to be retpoline/redbleed safe - or use a config override CONFIG_RETPOLINE=n to disable retpoline during their build, or otherwise use one of the OBJTOOL_ settings in their dkms Makefiles to skip objtool on given portions of code, or otherwise mark things as retpoline_safe / noreturn / etc. See examples in the linux upstream source code.
[ Other Info ]
This work was done as part of hackathon questioning abi checks usefulness, given I have never experienced retpoline check failure. And they have always been empty since early v4.15 days https:/
description: | updated |
description: | updated |
This bug was fixed in the package linux - 6.8.0-11.11
---------------
linux (6.8.0-11.11) noble; urgency=medium
* noble/linux: 6.8.0-11.11 -proposed tracker (LP: #2053094)
* Miscellaneous Ubuntu changes
- [Packaging] riscv64: disable building unnecessary binary debs
-- Paolo Pisati <email address hidden> Wed, 14 Feb 2024 00:04:31 +0100