UBUNTU: [Packaging] Remove all custom retpoline-extract code

BugLink: https://bugs.launchpad.net/bugs/2046440 Now that retpoline & SLS mitigration checks are enforced during build via objtool patch, drop all custom retpoline packaging, abi files, and checks. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
2023-12-14 12:14:32 +00:00
parent f921eba36b
commit bd433ee34b
17 changed files with 7 additions and 400 deletions
@@ -1 +0,0 @@
-# retpoline v1.0
@@ -1 +0,0 @@
-# RETPOLINE NOT ENABLED
@@ -1 +0,0 @@
-# RETPOLINE NOT ENABLED
@@ -1 +0,0 @@
-# RETPOLINE NOT ENABLED
@@ -1 +0,0 @@
-# RETPOLINE NOT ENABLED
@@ -1 +0,0 @@
-# RETPOLINE NOT ENABLED
@@ -142,9 +142,6 @@ clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs.
 	# Install the copyright information.
 	cp $(DEBIAN)/copyright debian/copyright

-	# Install the retpoline extractor.
-	cp $(DROOT)/scripts/retpoline-extract-one scripts/ubuntu-retpoline-extract-one
-
 	# If we have a reconstruct script use it.
 	[ -f $(DEBIAN)/reconstruct ] && bash $(DEBIAN)/reconstruct || true

@@ -155,8 +152,7 @@ clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs.
 .PHONY: distclean
 distclean: clean
 	rm -rf $(DROOT)/control debian/changelog \
-		debian/control debian/control.stub debian/copyright \
-		scripts/ubuntu-retpoline-extract-one
+		debian/control debian/control.stub debian/copyright

 # Builds the image, arch headers and debug packages
 include $(DROOT)/rules.d/2-binary-arch.mk
@@ -281,8 +281,6 @@ endif
 	grep '^HOSTCC	.*$(gcc)$$' $(hdrdir)/Makefile
 	grep '^CC	.*$(gcc)$$' $(hdrdir)/Makefile
 	rm -rf $(hdrdir)/include2 $(hdrdir)/source
-	# We do not need the retpoline information.
-	find $(hdrdir) -name \*.o.ur-\* -exec rm -f {} \;
 	# Copy over the compilation version.
 	cp "$(builddir)/build-$*/include/generated/compile.h" \
 		"$(hdrdir)/include/generated/compile.h"
@@ -301,8 +299,6 @@ ifeq ($(build_arch),s390)
 endif
 	# Copy over scripts/module.lds for building external modules
 	cp $(builddir)/build-$*/scripts/module.lds $(hdrdir)/scripts
-	# Copy over the new retpoline extractor.
-	cp scripts/ubuntu-retpoline-extract-one $(hdrdir)/scripts
 	# Script to symlink everything up
 	$(SHELL) $(DROOT)/scripts/link-headers "$(hdrdir)" "$(indeppkg)" "$*"
 	# The build symlink
@@ -461,15 +457,6 @@ endif
 			print "" \
 		}' | sort -u >$(abidir)/$*.compiler

-	# Build the final ABI retpoline information.
-	if grep -q CONFIG_RETPOLINE=y $(builddir)/build-$*/.config; then \
-		echo "# retpoline v1.0" >$(abidir)/$*.retpoline; \
-		$(SHELL) $(DROOT)/scripts/retpoline-extract $(builddir)/build-$* $(CURDIR) | \
-			sort >>$(abidir)/$*.retpoline; \
-	else \
-		echo "# RETPOLINE NOT ENABLED" >$(abidir)/$*.retpoline; \
-	fi
-
 	# Build the buildinfo package content.
 	install -d $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*
 	install -m644 $(builddir)/build-$*/.config \
@@ -480,8 +467,6 @@ endif
 		$(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/modules
 	install -m644 $(abidir)/$*.fwinfo \
 		$(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/fwinfo
-	install -m644 $(abidir)/$*.retpoline \
-		$(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/retpoline
 	install -m644 $(abidir)/$*.compiler \
 		$(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/compiler
 	if [ -f $(abidir)/$*.modules.builtin ] ; then \
@@ -18,13 +18,7 @@ module-signature-check-%: $(stampdir)/stamp-install-%
 		"$(DROOT)/$(mods_extra_pkg_name)-$*" \
 		$(do_skip_checks)

-# Check the reptoline jmp/call functions against the last release.
-retpoline-check-%: $(stampdir)/stamp-install-%
-	@echo Debug: $@
-	$(DROOT)/scripts/checks/retpoline-check "$*" \
-		"$(prev_abidir)" "$(abidir)" $(do_skip_checks)
-
-checks-%: module-check-% module-signature-check-% abi-check-% retpoline-check-%
+checks-%: module-check-% module-signature-check-% abi-check-%
 	@echo Debug: $@

 # Check the config against the known options list.
@@ -40,13 +40,6 @@ abi_check()
 	then
 		failure "$arch/$flavour ABI modules file missing"
 	fi
-
-	if [ ! -f "$abidir/$flavour.retpoline" ] && \
-	   [ ! -f "$abidir/$flavour.ignore.retpoline" ] && \
-	   [ ! -f "$abidir/ignore.retpoline" ]
-	then
-		failure "$arch/$flavour ABI retpoline file missing"
-	fi
 }

 abi_version="$debian/abi/version"
@@ -1,52 +0,0 @@
-#!/bin/bash
-
-flavour="$1"
-prev_abidir="$2"
-curr_abidir="$3"
-
-skipretpoline=${4:-}
-case "${skipretpoline,,}" in
-	1|true|yes) skipretpoline=true ;;
-	*) skipretpoline=false ;;
-esac
-
-echo "II: Checking retpoline indirections for $flavour...";
-
-if [ "$skipretpoline" = 'true' ]; then
-	echo "manual request ignoring retpoline delta"
-fi
-
-if [ -f "$prev_abidir/ignore.retpoline" -o \
-     -f "$prev_abidir/$flavour.ignore.retpoline" ]; then
-	echo "explicitly ignoring retpoline delta"
-	skipretpoline='true'
-fi
-
-prev="$prev_abidir/$flavour.retpoline"
-curr="$curr_abidir/$flavour.retpoline"
-if [ ! -f "$prev" ]; then
-	echo "previous retpoline file missing!"
-	echo "   $prev"
-	prev="/dev/null"
-fi
-if [ ! -f "$curr" ]; then
-	echo "current retpoline file missing!"
-	echo "   $curr"
-	curr="/dev/null"
-fi
-
-echo "II: retpoline delta in this package..."
-rc=0
-diff -u "$prev" "$curr" || true
-count=$( diff -u "$prev" "$curr" | grep '^+[^+]' | wc -l )
-if [ "$count" != 0 ]; then
-	rc=1
-	echo "WW: $count new retpoline sequences detected"
-fi
-
-echo "II: Done";
-if [ "$skipretpoline" = 'true' -a "$rc" -ne 0 ]; then
-	echo "II: ignoring errors"
-	exit 0
-fi
-exit "$rc"
@@ -144,7 +144,7 @@ shift 2
 # Copy the objects.
 echo "II: copying objects to '$to'"
 mkdir -p "$to"
-(cd "$from" && find -name \*.o -o -name \*.o.ur-\* -o -name \*.mod | cpio -Lpd "$to")
+(cd "$from" && find -name \*.o -o -name \*.mod | cpio -Lpd "$to")

 # Call the original post_install script if there is one.
 [ "$script" = '' ] && exit 0
@@ -17,10 +17,9 @@ shift 7

 build="$( dirname "$objects" )/build"

-# Copy over the objects ready for reconstruction.  The objects copy contains
-# the *.o files and the *.o-ur* retpoline files to allow the kernel to track
-# any retpoline sequences therein.  For our purposes we only want the *.o
-# files, elide the rest. And .mod files for ld linking in recentish kernels.
+# Copy over the objects ready for reconstruction.  The objects copy
+# contains the *.o files. For our purposes we only want the *.o files,
+# elide the rest. And .mod files for ld linking in recentish kernels.
 mkdir -p "$pkgdir/bits/scripts"
 (
 	gcc_variant1=$(gcc --version | head -1 | sed -e 's/^gcc/GCC:/')
@@ -126,11 +126,6 @@ getall_set()
 			else
 				echo "    NO ABI FILE"
 			fi
-			if [ -f tmp/boot/retpoline-* ]; then
-				mv tmp/boot/retpoline-* $abidir/$arch/$sub.retpoline
-			else
-				echo "    NO RETPOLINE FILE"
-			fi
 			(cd tmp; find lib/modules/$verabi-$sub/kernel -name '*.ko') | \
 				sed -e 's/.*\/\([^\/]*\)\.ko/\1/' | sort > \
 				$abidir/$arch/$sub.modules
@@ -157,7 +152,7 @@ getall_set()
 			echo "  buildinfo..."
 			base="tmp/usr/lib/linux/${verabi}-${sub}"
 			mv "$base/abi" "$abidir/$arch/$sub"
-			for comp in 'modules' 'retpoline' 'compiler'
+			for comp in 'modules' 'compiler'
 			do
 				mv "$base/$comp" "$abidir/$arch/$sub.$comp"
 			done
@@ -1,23 +0,0 @@
-#!/bin/bash
-
-cd "$1" || exit 1
-
-# Find all valid retpoline information, collate the detected and
-# safe information together.  Join the result to find the detected
-# but non-safe elements.  These are our concern.
-ur_detected=$(mktemp --tmpdir "retpoline-check-XXXXXX.ur-detected")
-ur_safe=$(mktemp --tmpdir "retpoline-check-XXXXXX.ur-safe")
-
-find "." -path './drivers/firmware/efi/libstub' -prune -o \
-	 -path './arch/x86/boot' -prune -o \
-	 -path './arch/x86/purgatory' -prune -o \
-	 -name \*.ur-detected -print0 | xargs -0 cat | \
-	sed -e "s@^$1@@" -e "s@ $2/@ @" -e "s@^/@@" | \
-	sort -k 1b,1 >"$ur_detected"
-find "." -name \*.ur-safe -print0 | xargs -0 cat | \
-	sed -e "s@^$1@@" -e "s@^/@@" | \
-	sort -k 1b,1 >"$ur_safe"
-
-join -v 1 -j 1 "$ur_detected" "$ur_safe" | sed -s 's/[^ ]*  *//'
-
-rm -f "$ur_detected" "$ur_safe"
@@ -1,270 +0,0 @@
-#!/bin/bash
-
-exec </dev/null
-
-object="$1"
-src="$2"
-bit16="$3"
-
-SECTION=".discard.retpoline_safe"
-
-# Form an associative lookup for the symbol numbers in the ELF symbol table.
-# Uses 8 character 0 expanded hexadecimal key for ease of consumption.
-__symbolmap_init()
-{
-	readelf -W --syms "$1" |
-		awk '($4 == "SECTION" && $1 ~ /^[0-9]*:/) { printf("%08x %08x\n", int($1), int($7)); }' | \
-	while read symbol_num section_num
-	do
-		echo "symbolmap_$symbol_num='$section_num'"
-	done
-}
-symbolmap_init()
-{
-	eval $(__symbolmap_init "$1")
-}
-symbolmap()
-{
-	eval RET="\$symbolmap_$1"
-	if [ "$RET" = '' ]; then
-		echo "symbolmap: $1: invalid section" 1>&2
-		exit 1
-	fi
-}
-
-# Form an associative lookup for the section numbers in the ELF symbol table.
-# Uses 8 character 0 expanded hexadecimal key for ease of consumption.
-__sectionmap_init()
-{
-	readelf -W --headers "$1" | \
-		awk '
-						{ sub("\\[", ""); sub("\\]", ""); }
-                        ($1 ~ /^[0-9][0-9]*/)   { printf("%08x %s %s %s\n", int($1), $2, $3, $4); }
-		' | \
-	{
-		while read section_num section_name section_type section_vma
-		do
-			echo "sectionmap_$section_num='$section_name'"
-			echo "sectionvma_$section_num='$section_vma'"
-			case "$section_type" in
-			REL|RELA) section_relocation="$section_type" ;;
-			esac
-		done
-		echo "section_relocation='$section_relocation'"
-	}
-}
-sectionmap_init()
-{
-	eval $(__sectionmap_init "$1")
-}
-sectionmap()
-{
-	eval RET="\$sectionmap_$1"
-	if [ "$RET" = '' ]; then
-		echo "sectionmap: $1: invalid section" 1>&2
-		exit 1
-	fi
-}
-sectionvma()
-{
-	eval RET="\$sectionvma_$1"
-	if [ "$RET" = '' ]; then
-		echo "sectionvma: $1: invalid section" 1>&2
-		exit 1
-	fi
-}
-
-# Read and parse the hex-dump output.
-hex="[0-9a-f]"
-hex_8="$hex$hex$hex$hex$hex$hex$hex$hex"
-hexspc="[0-9a-f ]"
-hexspc_8="$hexspc$hexspc$hexspc$hexspc$hexspc$hexspc$hexspc$hexspc"
-
-raw32()
-{
-	readelf --hex-dump "$2" "$1" 2>/dev/null |
-	sed \
-		-e '/^Hex/d' -e '/^$/d' -e '/^ *NOTE/d' \
-		-e 's/  *[^ ][^ ]*  *\('"$hex_8"'\) \('"$hexspc_8"'\) \('"$hexspc_8"'\) \('"$hexspc_8"'\) .*/\1 \2 \3 \4 /' \
-		-e 's/\('"$hex$hex"'\)\('"$hex$hex"'\)\('"$hex$hex"'\)\('"$hex$hex"'\) /\4\3\2\1 /g' \
-		-e 's/ $//g' -e 's/ /\n/g'
-}
-#-e 's/\([^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ]\) \([^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ]\) /\2\1 /g' \
-
-rela()
-{
-	#file="$(basename "$1")"
-	file="$1"
-
-	# Read relocation information for a 64bit binary.  Each relocation entry
-	# is 3 long longs so we collect 6 quads here.  Note that the dump is in
-	# listed in increasing byte order not withstanding the quad split.
-	#
-	# The record says to take the value of <symbol> add <symbol offset> and
-	# shove that into <write offset> in the segment of the <symbol>.
-	#
-	# Format:
-	#  <write offset>	64 bits
-	#  <symbol number>	32 bits
-	#  <relocation type>	32 bits
-	#  <symbol offset>	64 bits
-	raw32 "$1" ".rela$SECTION" | \
-	{
-		a1=''; a2=''; a3=''; a4=''; a5=''
-		while read a6
-		do
-			[ "$a1" = '' ] && { a1="$a6"; continue; }
-			[ "$a2" = '' ] && { a2="$a6"; continue; }
-			[ "$a3" = '' ] && { a3="$a6"; continue; }
-			[ "$a4" = '' ] && { a4="$a6"; continue; }
-			[ "$a5" = '' ] && { a5="$a6"; continue; }
-
-			#echo ">$a1< >$a2< >$a3< >$a4< >$a5< >$a6<" 1>&2
-			#echo "type<$a3> symbol<$a4> offset<$a2$a1> addr<$a6a5>" 1>&2
-
-			symbolmap "$a4"; section_num="$RET"
-			#echo "section_num<$section_num>" 1>&2
-
-			sectionmap "$section_num"; section="$RET"
-			sectionvma "$section_num"; vma="$RET"
-			#echo "section<$section> vma<$vma>" 1>&2
-
-			# Adjust the segment addressing by the segment offset.
-			printf -v addr "%u" "0x$a6$a5"
-			printf -v vma "%u" "0x$vma"
-			let offset="$addr + $vma"
-			printf -v offset "%x" "$offset"
-
-			echo "$file-$section-$offset"
-
-			a1=''; a2=''; a3=''; a4=''; a5=''
-		done
-	} | sed -e 's/-00*\([0-9a-f]\)/-\1/'
-}
-
-# Form an associative lookup for the raw contents for an ELF section.
-# Uses 8 character 0 expanded hexadecimal key for ease of consumption.
-contentmap_init()
-{
-	raw32 "$1" "$2" >"$tmp"
-	let offset=0
-	while read value
-	do
-		printf -v offset_hex "%08x" $offset
-		eval contentmap_$offset_hex=\'$value\'
-
-		let offset="$offset + 4"
-	done <"$tmp"
-	rm -f "$tmp"
-}
-contentmap()
-{
-	eval RET="\$contentmap_$1"
-	if [ "$RET" = '' ]; then
-		echo "contentmap: $1: invalid offset" 1>&2
-		exit 1
-	fi
-}
-
-rel()
-{
-	# Load up the current contents of the $SECTION segment
-	# as the offsets (see below) are recorded there and we will need
-	# those to calculate the actuall address.
-	contentmap_init "$1" "$SECTION"
-
-	#file="$(basename "$1")"
-	file="$1"
-
-	# Read relocation information for a 32bit binary.  Each relocation entry
-	# is 3 longs so we collect 3 quads here.  Note that the dump is in
-	# listed in increasing byte order not withstanding the quad split.
-	#
-	# The record says to take the value of <symbol> and add that to the
-	# existing contents of <write offset> in the segment of the <symbol>.
-	#
-	# Format:
-	#  <write offset>	32 bits
-	#  <symbol number>	24 bits
-	#  <relocation type>	 8 bits
-	raw32 "$1" ".rel$SECTION" | \
-	{
-		a1=''
-		while read a2
-		do
-			[ "$a1" = '' ] && { a1="$a2"; continue; }
-
-			#echo ">$a1< >$a2<"
-			contentmap "$a1"; offset="$RET"
-			symbolmap "00${a2%??}"; section_num="$RET"
-
-			sectionmap "$section_num"; section="$RET"
-			sectionvma "$section_num"; vma="$RET"
-			#echo ">$a1< >$a2< >$offset< >$section<"
-
-			echo "$file-$section-$offset"
-
-			a1=''
-		done
-	} | sed -e 's/-00*\([0-9a-f]\)/-\1/'
-}
-
-tmp=$(mktemp --tmpdir "retpoline-extract-XXXXXX")
-
-disassemble()
-{
-	local object="$1"
-	local src="$2"
-	local options="$3"
-	local selector="$4"
-
-	objdump $options --disassemble --no-show-raw-insn "$object" | \
-	awk -F' ' '
-		BEGIN				{ file="'"$object"'"; src="'"$src"'"; }
-		/Disassembly of section/        { segment=$4; sub(":", "", segment); }
-		/^[0-9a-f][0-9a-f]* <.*>:/      { tag=$0; sub(".*<", "", tag); sub(">.*", "", tag); }
-		$0 ~ /(call|jmp)q?  *\*0x[0-9a-f]*\(%rip\)/ {
-			next
-		}
-		$0 ~ /(call|jmp)q?  *\*.*%/ {
-			sub(":", "", $1);
-			if ('"$selector"') {
-				offset=$1
-				$1=tag
-				print(file "-" segment "-" offset " " src " " segment " " $0);
-			}
-		}
-	'
-}
-
-# Accumulate potentially vunerable indirect call/jmp sequences.  We do this
-# by examining the raw disassembly for affected forms, recording the location
-# of each.
-case "$bit16" in
-'')	disassemble "$object" "$src" '' 'segment != ".init.text"' ;;
-*)	disassemble "$object" "$src" '--disassembler-options=i8086' 'segment != ".init.text" && segment != ".text32" && segment != ".text64"'
-	disassemble "$object" "$src" '--disassembler-options=i386' 'segment == ".text32"'
-	disassemble "$object" "$src" '--disassembler-options=x86-64' 'segment == ".text64"'
-	;;
-esac | sort -k 1b,1 >"$object.ur-detected"
-[ ! -s "$object.ur-detected" ] && rm -f "$object.ur-detected"
-
-# Load up the symbol table and section mappings.
-symbolmap_init "$object"
-sectionmap_init "$object"
-
-# Accumulate annotated safe indirect call/jmp sequences.  We do this by examining
-# the $SECTION sections (and their associated relocation information),
-# each entry represents the address of an instruction which has been marked
-# as ok.
-case "$section_relocation" in
-REL)	rel "$object" ;;
-RELA)	rela "$object" ;;
-esac | sort -k 1b,1 >"$object.ur-safe"
-[ ! -s "$object.ur-safe" ] && rm -f "$object.ur-safe"
-
-# We will perform the below join on the summarised and sorted fragments
-# formed above.  This is performed in retpoline-check.
-#join -v 1 -j 1 "$tmp.extracted" "$tmp.safe" | sed -s 's/[^ ]*  *//'
-
-rm -f "$tmp"
@@ -17,10 +17,6 @@ parts:
    kconfigflavour: generic
    kconfigs:
      - CONFIG_DEBUG_INFO=n
-    override-build: |
-      cp debian/scripts/retpoline-extract-one \
-        $SNAPCRAFT_PART_BUILD/scripts/ubuntu-retpoline-extract-one
-      snapcraftctl build
    kernel-with-firmware: false
  firmware:
    plugin: nil