From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Alexander Leidinger
Cc: Freebsd Arch <freebsd-arch@freebsd.org>
Date: Sat, 11 Jan 2025 20:44:47 +0000
Subject: Re: Setting a default value for OPT_INIT_ALL (stable=zero, current=pattern)
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

On Sat, Jan 11, 2025 at 08:18:27PM +0000, Shawn Webb wrote:
> On Sat, Jan 11, 2025 at 08:43:13PM +0100, Alexander Leidinger wrote:
> > Hi,
> >
> > we have support to set a default initialization value for uninitialized
> > variables (OPT_INIT_ALL in src.conf). Possible values are (copy&paste from
> > https://gcc.gnu.org/pipermail/gcc-patches/2021-February/565514.html):
> >
> > '-ftrivial-auto-var-init=CHOICE'
> >      Initialize automatic variables with either a pattern or with zeroes
> >      to increase program security by preventing uninitialized memory
> >      disclosure and use.
> >
> >      The three values of CHOICE are:
> >
> >      * 'uninitialized' doesn't initialize any automatic variables.
> >        This is C and C++'s default.
> >
> >      * 'pattern' Initialize automatic variables with values which
> >        will likely transform logic bugs into crashes down the line,
> >        are easily recognized in a crash dump and without being values
> >        that programmers can rely on for useful program semantics.
> >        The values used for pattern initialization might be changed in
> >        the future.
> >
> >      * 'zero' Initialize automatic variables with zeroes.
> >
> >      The default is 'uninitialized'.
> >
> > The main point of this option is to prevent leaking random data by accident.
> >
> > What I propose is to have OPT_INIT_ALL set to "zero" in stable branches. We
> > could maybe also set it to "pattern" in -current. In my opinion this is a
> > similar thing like the malloc production setting, or witness, and so on.
> >
> > Any thoughts about this?
> >
> > In case of a generic consensus of this, I would expect the release
> > engineering team to take this into their procedure for branching a new
> > stable branch. The locations where a OPT_INIT_ALL?=zero would need to be
> > added are share/mk/bsd.lib.mk, share/mk/bsd.prog.mk and sys/conf/kern.mk.
>
> Hey Alex,
>
> To give some additional data points coming from the HardenedBSD side:
>
> 1. In 2019, we added support for this feature on an opt-in basis.
>    * Commit 6b573e328baa44bf8b47d40ff72fc1cc8a86fb00
> 2. In 2021, we enabled -ftrivial-auto-var-init=zero by default.
>    * Commit e4494782e5015da340106ca81445c65121c55ae3
> 3. In 2022, we modified clang itself to enable it by default.
>    * Commit 7557c8fd656c83a21e4d43071ea502445efb1ef3
> 4. In 2023, we added support for kernel modules to opt-in.
>    * Commit dd21b931eca8e5370a6d0341908316538b52de71
>
> The following kernel modules have opted in:
>
> 1. netlink (commit 10aa23df4d0ef6a527b1f2d2092126175f64899f)
> 2. virtio-net (commit c9a07fd0d828e4a8d0ee32f2143cca8e3eb55e8c)
> 3. zfs (commit fdabd703d9870b00c34837299253423ab4fa8ad6)
> 4. iwlwifi (commit 96d935f2f7328b3e2be0ceb557f09e7d2f9a9ea9)
> 5. linuxkpi (commit 803b838923ff76660ae9f5e25696725e77deb274)
> 6. tmpfs (commit 2e5d303a25c030664a6cbf2efd10de29de0da600)
> 7. tarfs (commit c08174516b33c58a771c46a17d94c2ba9ed4f1a0)
> 8. geli (commit 94ee2b3faa4712bd57f3cd82fe442b883a79b68a)
> 9. pf (commit bd836619adb5b502c594dfab0df98e40f8adefe2)
> 10. pfsync (commit a69ea2297d85a9537d2a08d4e4011d3e834b2cba)
> 11. pflog (commit 0ec32fb1fd6062ca9e185e73316ff06a26a1d7af)
> 12. vmm (commit 50d5dbec1c82cc568e0a621e4e405de7ec73b921)
> 13. fusefs (commit 3e58a69c9b83380d77ea432e58868a0b0f3c8374)

I forgot to mention the ports tree. We ported src commit
7557c8fd656c83a21e4d43071ea502445efb1ef3 to:

1. devel/llvm17 (commit 9127ee56f7ab79886b41733673550e38ca4aa96f)
2. devel/llvm18 (commit 9f203a68036261ed856182d15c0998c24d866066)
3. devel/llvm19 (commit 491ae9b6db623db60f3a8dd2e68a9ddbca7c14d7)

So ports built either with llvm-from-base or llvm{17,18,19}-from-ports
are automatically built with -ftrivial-auto-var-init=zero. This
provides rather significant coverage between src and ports.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
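The following C program is an added illustration of the bug class the thread is about; it is not code from this thread, from FreeBSD or from HardenedBSD. It models a record built field by field inside an uninitialized local and copied out whole, the shape of an "uninitialized memory disclosure" that -ftrivial-auto-var-init addresses. Because reading a truly uninitialized local is undefined behaviour, the stack slot is instead pre-filled with a constructed stale byte (0xCC), and `compiler_auto_var_init()` stands in for the initialization the compiler inserts under the zero and pattern modes. The 0xAA byte used for pattern mode is an assumed illustrative value; the real pattern is compiler-defined and, as the quoted GCC text notes, may change. `struct reply`, `STALE_BYTE` and all function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLY_NAME_LEN 8

/* Reply record with an interior padding hole (between 'flag' and 'value' on
 * the usual ABIs) and a fixed-size name field. Constructed for this example. */
struct reply {
    uint8_t  flag;
    uint32_t value;
    char     name[REPLY_NAME_LEN];
};

/* Byte standing in for whatever a previous callee left on the stack.
 * Constructed so the demonstration is deterministic instead of UB. */
#define STALE_BYTE 0xCC

enum init_mode { INIT_NONE, INIT_ZERO, INIT_PATTERN };

/* The bug shape: field-by-field assignment into storage that was never
 * cleared. The padding bytes and the part of 'name' after the terminator are
 * left untouched, so copying the record out leaks whatever was there before. */
void fill_reply(struct reply *r, uint32_t v, const char *n)
{
    r->flag = 1;
    r->value = v;
    snprintf(r->name, sizeof(r->name), "%s", n); /* bytes after NUL untouched */
}

/* Model of what the compiler emits at function entry for each automatic
 * variable under -ftrivial-auto-var-init. 0x00 for 'zero' is exact; 0xAA for
 * 'pattern' is an assumed illustrative byte (the real pattern is
 * compiler-defined and may change). INIT_NONE is the C default: the slot
 * keeps its previous contents. */
void compiler_auto_var_init(void *slot, size_t len, enum init_mode mode)
{
    if (mode == INIT_ZERO)
        memset(slot, 0x00, len);
    else if (mode == INIT_PATTERN)
        memset(slot, 0xAA, len);
}

/* Count bytes in an object image equal to 'value'. */
size_t count_bytes_equal(const void *p, size_t len, uint8_t value)
{
    const uint8_t *b = p;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (b[i] == value);
    return n;
}

/* Run fill_reply() on a slot pre-filled with STALE_BYTE under the given init
 * mode and return how many stale bytes survive in the finished record, i.e.
 * how many bytes a wholesale copy of it would disclose. */
size_t stale_bytes_after_fill(enum init_mode mode)
{
    union {
        struct reply  r;
        unsigned char raw[sizeof(struct reply)];
    } slot;

    memset(&slot, STALE_BYTE, sizeof(slot));      /* "previous stack content" */
    compiler_auto_var_init(&slot.r, sizeof(slot.r), mode);
    fill_reply(&slot.r, 7, "abc");
    return count_bytes_equal(slot.raw, sizeof(slot.raw), STALE_BYTE);
}

/* Bytes fill_reply() never writes for the input "abc": the padding before
 * 'value' plus the tail of 'name' after "abc\0". With no compiler init, the
 * leak is exactly these bytes. */
size_t bytes_never_written(void)
{
    size_t padding = offsetof(struct reply, value) - sizeof(uint8_t);
    size_t name_tail = REPLY_NAME_LEN - (strlen("abc") + 1);
    return padding + name_tail;
}

int main(void)
{
    printf("uninitialized: %zu stale bytes leaked (of %zu never written)\n",
           stale_bytes_after_fill(INIT_NONE), bytes_never_written());
    printf("zero:          %zu stale bytes leaked\n", stale_bytes_after_fill(INIT_ZERO));
    printf("pattern:       %zu stale bytes leaked\n", stale_bytes_after_fill(INIT_PATTERN));
    return 0;
}
```

Two practitioner notes follow from this. First, the leak is not only the fields the author forgot: it includes struct padding, which an `= {0}` initializer is not guaranteed to clear in C (memset, or the compiler flag, is), which is why the thread treats a build-wide default as a stronger baseline than per-site fixes. Second, zero and pattern mode both close the disclosure; the difference is what a later logic bug sees, a quiet zero versus a conspicuous pattern that tends to fault, which is the trade-off behind proposing zero for stable branches and pattern for -current.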