Commit 5671a10f authored by Andy Whitcroft's avatar Andy Whitcroft Committed by Kleber Sacilotto de Souza

UBUNTU: [Packaging] retpoline -- add call site validation

CVE-2017-5715 (Spectre v2 retpoline)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 5aabe750
...@@ -65,6 +65,9 @@ ifeq ($(do_mainline_build),true) ...@@ -65,6 +65,9 @@ ifeq ($(do_mainline_build),true)
do_tools=false do_tools=false
no_dumpfile=1 no_dumpfile=1
do_zfs=false do_zfs=false
skipabi=true
skipmodule=true
skipretpoline=true
endif endif
# Disable tools build and packaging if do_tools != true # Disable tools build and packaging if do_tools != true
......
...@@ -30,6 +30,7 @@ AUTOBUILD= ...@@ -30,6 +30,7 @@ AUTOBUILD=
ifneq ($(AUTOBUILD),) ifneq ($(AUTOBUILD),)
skipabi = true skipabi = true
skipmodule = true skipmodule = true
skipretpoline = true
skipdbg = true skipdbg = true
gitver=$(shell if test -f .git/HEAD; then cat .git/HEAD; else uuidgen; fi) gitver=$(shell if test -f .git/HEAD; then cat .git/HEAD; else uuidgen; fi)
gitverpre=$(shell echo $(gitver) | cut -b -3) gitverpre=$(shell echo $(gitver) | cut -b -3)
......
...@@ -143,6 +143,8 @@ endif ...@@ -143,6 +143,8 @@ endif
$(pkgdir)/boot/config-$(abi_release)-$* $(pkgdir)/boot/config-$(abi_release)-$*
install -m644 $(abidir)/$* \ install -m644 $(abidir)/$* \
$(pkgdir)/boot/abi-$(abi_release)-$* $(pkgdir)/boot/abi-$(abi_release)-$*
install -m644 $(abidir)/$*.retpoline \
$(pkgdir)/boot/retpoline-$(abi_release)-$*
install -m600 $(builddir)/build-$*/System.map \ install -m600 $(builddir)/build-$*/System.map \
$(pkgdir)/boot/System.map-$(abi_release)-$* $(pkgdir)/boot/System.map-$(abi_release)-$*
if [ "$(filter true,$(do_dtbs))" ]; then \ if [ "$(filter true,$(do_dtbs))" ]; then \
......
...@@ -16,7 +16,20 @@ module-check-%: $(stampdir)/stamp-build-% ...@@ -16,7 +16,20 @@ module-check-%: $(stampdir)/stamp-build-%
@perl -f $(DROOT)/scripts/module-check "$*" \ @perl -f $(DROOT)/scripts/module-check "$*" \
"$(prev_abidir)" "$(abidir)" $(skipmodule) "$(prev_abidir)" "$(abidir)" $(skipmodule)
checks-%: module-check-% abi-check-% # Check the reptoline jmp/call functions against the last release.
retpoline-check-%: $(stampdir)/stamp-build-%
@echo Debug: $@
install -d $(abidir)
if grep -q CONFIG_RETPOLINE=y $(builddir)/build-$*/.config; then \
$(SHELL) $(DROOT)/scripts/retpoline-extract $(builddir)/build-$* \
>$(abidir)/$*.retpoline; \
else \
echo "# RETPOLINE NOT ENABLED" >$(abidir)/$*.retpoline; \
fi
$(SHELL) $(DROOT)/scripts/retpoline-check "$*" \
"$(prev_abidir)" "$(abidir)" "$(skipretpoline)"
checks-%: module-check-% abi-check-% retpoline-check-%
@echo Debug: $@ @echo Debug: $@
# Check the config against the known options list. # Check the config against the known options list.
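Review bot: The new comment above the `retpoline-check-%` rule misspells the feature; `# Check the reptoline jmp/call functions against the last release.` should read `# Check the retpoline jmp/call functions against the last release.`. The recipe also redirects retpoline-extract straight into `$(abidir)/$*.retpoline`; the `if` compound's status is that of the extract command, so a failure does stop make, but a truncated file is left behind in `$(abidir)`, and if the install rule from the other hunk (`install -m644 $(abidir)/$*.retpoline`) can run without this check having succeeded it would ship that partial listing — writing to `$(abidir)/$*.retpoline.tmp` and renaming on success avoids that. Minor: `"$(skipretpoline)"` is quoted here while the existing module-check line passes `$(skipmodule)` bare; the quoted form is the safer one, since the check script compares the argument with `[ "$skipretpoline" = 'true' ]`.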
......
#!/bin/bash
flavour="$1"
prev_abidir="$2"
curr_abidir="$3"
skipretpoline="$4"
echo "II: Checking retpoline indirections for $flavour...";
if [ "$skipretpoline" = 'true' ]; then
echo "manual request ignoring retpoline delta"
fi
if [ -f "$prev_abidir/ignore.retpoline" -o \
-f "$prev_abidir/$flavour.ignore.retpoline" ]; then
echo "explicitly ignoring retpoline delta"
skipretpoline='true'
fi
prev="$prev_abidir/$flavour.retpoline"
curr="$curr_abidir/$flavour.retpoline"
if [ ! -f "$prev" ]; then
echo "previous retpoline file missing!"
echo " $prev"
prev="/dev/null"
fi
if [ ! -f "$curr" ]; then
echo "current retpoline file missing!"
echo " $curr"
curr="/dev/null"
fi
echo "II: retpoline delta in this package..."
rc=0
diff -u "$prev" "$curr" || rc=1
echo "II: Done";
if [ "$skipretpoline" = 'true' -a "$rc" -ne 0 ]; then
echo "II: ignoring errors"
exit 0
fi
exit "$rc"
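Review bot: A missing current file (`if [ ! -f "$curr" ]`) is handled like a missing previous one, by diffing against `/dev/null`, but `$curr` is produced by this same build, so its absence means extraction did not run, and with skipretpoline=true (set for mainline and AUTOBUILD builds elsewhere in this commit) the script still exits 0. Treating that branch as a hard error, `echo "current retpoline file missing!"; echo " $curr"; exit 1`, keeps a broken extract step from being reported as a clean check. The `-o` and `-a` operators inside `[ ]` are obsolescent in POSIX test; since the script is bash, `[[ … || … ]]` or two separate `-f` tests would be clearer.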
#!/bin/bash
cd "$1" || exit 1
{
echo "./vmlinux"
find . -name \*.ko
} | xargs objdump --disassemble | \
awk -F' ' '
/^.\// { file=$1; sub(":.*", "", file); sub("^.*/", "", file); }
/^[0-9a-f][0-9a-f]* <.*>:/ { tag=$1; sub(".*<", "", tag); sub(">.*", "", tag); tag=file " " tag; }
$3 ~ /(callq|jmpq) *\*%/ { print(tag " " $3); }
'
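Review bot: The script's exit status is awk's, so a failure of objdump or xargs earlier in the pipeline is not reported and an empty or partial listing is returned to the caller, which redirects it into the per-flavour `.retpoline` file as if extraction had succeeded; adding `set -o pipefail` after the shebang makes such failures fail the build. The separator `-F' '` as rendered here is awk's default whitespace splitting, under which `$3` is the second opcode byte of a multi-byte instruction rather than the instruction text, so `/(callq|jmpq) *\*%/` would never match; if the intent is objdump's tab-separated layout (address, bytes, instruction) this should be `-F'\t'` — worth confirming against the committed file, since the page may have rendered a tab as a space. The pattern also only lists register-indirect forms (`*%reg`); memory-indirect branches such as `jmpq *0x..(%reg)` or `*0x..(%rip)`, which can remain in hand-written assembly, are not extracted, so the delta check cannot see them.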