1- Compile-time stack metadata validation
2- ======================================
1+ Objtool
2+ =======
33
4+ The kernel CONFIG_OBJTOOL option enables a host tool named 'objtool'
5+ which runs at compile time. It can do various validations and
6+ transformations on .o files.
47
5- Overview
8+ Objtool has become an integral part of the x86-64 kernel toolchain. The
9+ kernel depends on it for a variety of security and performance features
10+ (and other types of features as well).
11+
12+
13+ Features
614--------
715
8- The kernel CONFIG_STACK_VALIDATION option enables a host tool named
9- objtool which runs at compile time. It has a "check" subcommand which
10- analyzes every .o file and ensures the validity of its stack metadata.
11- It enforces a set of rules on asm code and C inline assembly code so
12- that stack traces can be reliable.
16+ Objtool has the following features:
17+
18+ - Stack unwinding metadata validation -- useful for helping to ensure
19+ stack traces are reliable for live patching
20+
21+ - ORC unwinder metadata generation -- a faster and more precise
22+ alternative to frame pointer based unwinding
23+
24+ - Retpoline validation -- ensures that all indirect calls go through
25+ retpoline thunks, for Spectre v2 mitigations
26+
27+ - Retpoline call site annotation -- annotates all retpoline thunk call
28+ sites, enabling the kernel to patch them inline, to prevent "thunk
29+ funneling" for both security and performance reasons
30+
31+ - Non-instrumentation validation -- validates non-instrumentable
32+ ("noinstr") code rules, preventing instrumentation in low-level C
33+ entry code
34+
35+ - Static call annotation -- annotates static call sites, enabling the
36+ kernel to implement inline static calls, a faster alternative to some
37+ indirect branches
38+
39+ - Uaccess validation -- validates uaccess rules for a proper
40+ implementation of Supervisor Mode Access Protection (SMAP)
41+
42+ - Straight Line Speculation validation -- validates certain SLS
43+ mitigations
44+
45+ - Indirect Branch Tracking validation -- validates Intel CET IBT rules
46+ to ensure that all functions referenced by function pointers have
47+ corresponding ENDBR instructions
48+
49+ - Indirect Branch Tracking annotation -- annotates unused ENDBR
50+ instruction sites, enabling the kernel to "seal" them (replace them
51+ with NOPs) to further harden IBT
52+
53+ - Function entry annotation -- annotates function entries, enabling
54+ kernel function tracing
55+
56+ - Other toolchain hacks which will go unmentioned at this time...
57+
58+ Each feature can be enabled individually or in combination using the
59+ objtool cmdline.
60+
61+
62+ Objects
63+ -------
64+
65+ Typically, objtool runs on every translation unit (TU, aka ".o file") in
66+ the kernel. If a TU is part of a kernel module, the '--module' option
67+ is added.
68+
69+ However:
70+
71+ - If noinstr validation is enabled, it also runs on vmlinux.o, with all
72+ options removed and '--noinstr' added.
73+
74+ - If IBT or LTO is enabled, it doesn't run on TUs at all. Instead it
75+ runs on vmlinux.o and linked modules, with all options.
76+
77+ In summary:
78+
79+ A) Legacy mode:
80+ TU: objtool [--module] <options>
81+ vmlinux: N/A
82+ module: N/A
83+
84+ B) CONFIG_NOINSTR_VALIDATION=y && !(CONFIG_X86_KERNEL_IBT=y || CONFIG_LTO=y):
85+ TU: objtool [--module] <options> // no --noinstr
86+ vmlinux: objtool --noinstr // other options removed
87+ module: N/A
88+
89+ C) CONFIG_X86_KERNEL_IBT=y || CONFIG_LTO=y:
90+ TU: N/A
91+ vmlinux: objtool --noinstr <options>
92+ module: objtool --module --noinstr <options>
93+
94+
95+ Stack validation
96+ ----------------
97+
98+ Objtool's stack validation feature analyzes every .o file and ensures
99+ the validity of its stack metadata. It enforces a set of rules on asm
100+ code and C inline assembly code so that stack traces can be reliable.
13101
14102For each function, it recursively follows all possible code paths and
15103validates the correct frame pointer state at each instruction.
@@ -20,14 +108,6 @@ alternative execution paths to a given instruction (or set of
20108instructions). Similarly, it knows how to follow switch statements, for
21109which gcc sometimes uses jump tables.
22110
23- (Objtool also has an 'orc generate' subcommand which generates debuginfo
24- for the ORC unwinder. See Documentation/x86/orc-unwinder.rst in the
25- kernel tree for more details.)
26-
27-
28- Why do we need stack metadata validation?
29- -----------------------------------------
30-
31111Here are some of the benefits of validating stack metadata:
32112
33113a) More reliable stack traces for frame pointer enabled kernels
@@ -113,9 +193,6 @@ c) Higher live patching compatibility rate
113193 For more details, see the livepatch documentation in the Linux kernel
114194 source tree at Documentation/livepatch/livepatch.rst.
115195
116- Rules
117- -----
118-
119196To achieve the validation, objtool enforces the following rules:
120197
1211981. Each callable function must be annotated as such with the ELF
@@ -177,7 +254,8 @@ Another possible cause for errors in C code is if the Makefile removes
177254-fno-omit-frame-pointer or adds -fomit-frame-pointer to the gcc options.
178255
179256Here are some examples of common warnings reported by objtool, what
180- they mean, and suggestions for how to fix them.
257+ they mean, and suggestions for how to fix them. When in doubt, ping
258+ the objtool maintainers.
181259
182260
1832611. file.o: warning: objtool: func()+0x128: call without frame pointer save/setup
@@ -358,3 +436,7 @@ ignore it:
358436 OBJECT_FILES_NON_STANDARD := y
359437
360438 to the Makefile.
439+
440+ NOTE: OBJECT_FILES_NON_STANDARD doesn't work for link time validation of
441+ vmlinux.o or a linked module. So it should only be used for files which
442+ aren't linked into vmlinux or a module.
0 commit comments