diff --git a/debian.master/abi/amd64/generic.retpoline b/debian.master/abi/amd64/generic.retpoline
deleted file mode 100644
index 945dc3fef780..000000000000
--- a/debian.master/abi/amd64/generic.retpoline
+++ /dev/null
@@ -1 +0,0 @@
-# retpoline v1.0
diff --git a/debian.master/abi/arm64/generic-64k.retpoline b/debian.master/abi/arm64/generic-64k.retpoline
deleted file mode 100644
index 7f959eb917cd..000000000000
--- a/debian.master/abi/arm64/generic-64k.retpoline
+++ /dev/null
@@ -1 +0,0 @@
-# RETPOLINE NOT ENABLED
diff --git a/debian.master/abi/arm64/generic.retpoline b/debian.master/abi/arm64/generic.retpoline
deleted file mode 100644
index 7f959eb917cd..000000000000
--- a/debian.master/abi/arm64/generic.retpoline
+++ /dev/null
@@ -1 +0,0 @@
-# RETPOLINE NOT ENABLED
diff --git a/debian.master/abi/armhf/generic.retpoline b/debian.master/abi/armhf/generic.retpoline
deleted file mode 100644
index 7f959eb917cd..000000000000
--- a/debian.master/abi/armhf/generic.retpoline
+++ /dev/null
@@ -1 +0,0 @@
-# RETPOLINE NOT ENABLED
diff --git a/debian.master/abi/ppc64el/generic.retpoline b/debian.master/abi/ppc64el/generic.retpoline
deleted file mode 100644
index 7f959eb917cd..000000000000
--- a/debian.master/abi/ppc64el/generic.retpoline
+++ /dev/null
@@ -1 +0,0 @@
-# RETPOLINE NOT ENABLED
diff --git a/debian.master/abi/s390x/generic.retpoline b/debian.master/abi/s390x/generic.retpoline
deleted file mode 100644
index 7f959eb917cd..000000000000
--- a/debian.master/abi/s390x/generic.retpoline
+++ /dev/null
@@ -1 +0,0 @@
-# RETPOLINE NOT ENABLED
diff --git a/debian/rules b/debian/rules
index 10b59f2a3e16..1319a5f5d86a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -142,9 +142,6 @@ clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs. # Install the copyright information. cp $(DEBIAN)/copyright debian/copyright - # Install the retpoline extractor. - cp $(DROOT)/scripts/retpoline-extract-one scripts/ubuntu-retpoline-extract-one - # If we have a reconstruct script use it. [ -f $(DEBIAN)/reconstruct ] && bash $(DEBIAN)/reconstruct || true @@ -155,8 +152,7 @@ clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs. .PHONY: distclean distclean: clean rm -rf $(DROOT)/control debian/changelog \ - debian/control debian/control.stub debian/copyright \ - scripts/ubuntu-retpoline-extract-one + debian/control debian/control.stub debian/copyright # Builds the image, arch headers and debug packages include $(DROOT)/rules.d/2-binary-arch.mk diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk index f0478c91983b..510103d1b5b0 100644 --- a/debian/rules.d/2-binary-arch.mk +++ b/debian/rules.d/2-binary-arch.mk @@ -281,8 +281,6 @@ endif grep '^HOSTCC .*$(gcc)$$' $(hdrdir)/Makefile grep '^CC .*$(gcc)$$' $(hdrdir)/Makefile rm -rf $(hdrdir)/include2 $(hdrdir)/source - # We do not need the retpoline information. - find $(hdrdir) -name \*.o.ur-\* -exec rm -f {} \; # Copy over the compilation version. cp "$(builddir)/build-$*/include/generated/compile.h" \ "$(hdrdir)/include/generated/compile.h" @@ -301,8 +299,6 @@ ifeq ($(build_arch),s390) endif # Copy over scripts/module.lds for building external modules cp $(builddir)/build-$*/scripts/module.lds $(hdrdir)/scripts - # Copy over the new retpoline extractor. - cp scripts/ubuntu-retpoline-extract-one $(hdrdir)/scripts # Script to symlink everything up $(SHELL) $(DROOT)/scripts/link-headers "$(hdrdir)" "$(indeppkg)" "$*" # The build symlink 
@@ -461,15 +457,6 @@ endif print "" \ }' | sort -u >$(abidir)/$*.compiler - # Build the final ABI retpoline information. - if grep -q CONFIG_RETPOLINE=y $(builddir)/build-$*/.config; then \ - echo "# retpoline v1.0" >$(abidir)/$*.retpoline; \ - $(SHELL) $(DROOT)/scripts/retpoline-extract $(builddir)/build-$* $(CURDIR) | \ - sort >>$(abidir)/$*.retpoline; \ - else \ - echo "# RETPOLINE NOT ENABLED" >$(abidir)/$*.retpoline; \ - fi - # Build the buildinfo package content. install -d $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$* install -m644 $(builddir)/build-$*/.config \ @@ -480,8 +467,6 @@ endif $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/modules install -m644 $(abidir)/$*.fwinfo \ $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/fwinfo - install -m644 $(abidir)/$*.retpoline \ - $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/retpoline install -m644 $(abidir)/$*.compiler \ $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/compiler if [ -f $(abidir)/$*.modules.builtin ] ; then \ diff --git a/debian/rules.d/4-checks.mk b/debian/rules.d/4-checks.mk index 34b343189de5..6e2d4f8524cf 100644 --- a/debian/rules.d/4-checks.mk +++ b/debian/rules.d/4-checks.mk @@ -18,13 +18,7 @@ module-signature-check-%: $(stampdir)/stamp-install-% "$(DROOT)/$(mods_extra_pkg_name)-$*" \ $(do_skip_checks) -# Check the reptoline jmp/call functions against the last release. -retpoline-check-%: $(stampdir)/stamp-install-% - @echo Debug: $@ - $(DROOT)/scripts/checks/retpoline-check "$*" \ - "$(prev_abidir)" "$(abidir)" $(do_skip_checks) - -checks-%: module-check-% module-signature-check-% abi-check-% retpoline-check-% +checks-%: module-check-% module-signature-check-% abi-check-% @echo Debug: $@ # Check the config against the known options list. diff --git a/debian/scripts/checks/final-checks b/debian/scripts/checks/final-checks index 37067f90be3a..4602cb5c34bd 100755 --- a/debian/scripts/checks/final-checks +++ b/debian/scripts/checks/final-checks 
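Review bot: With `retpoline-check-%` dropped from the `checks-%` prerequisites in debian/rules.d/4-checks.mk, nothing visible in this series still fails or warns when a build gains new unannotated indirect `call`/`jmp` sequences, which is what the deleted script reported as "new retpoline sequences detected". If another mechanism now covers this (objtool's retpoline validation during the kernel build would be the likely candidate, but that is not shown here), it would help to record it next to the rule, for example `# Retpoline regressions are no longer diffed against the previous ABI; coverage now comes from <mechanism> (confirm).` The same applies to the `abi_check()` hunk in debian/scripts/checks/final-checks, which stops requiring a `.retpoline` file without stating what replaced it.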
@@ -40,13 +40,6 @@ abi_check() then failure "$arch/$flavour ABI modules file missing" fi - - if [ ! -f "$abidir/$flavour.retpoline" ] && \ - [ ! -f "$abidir/$flavour.ignore.retpoline" ] && \ - [ ! -f "$abidir/ignore.retpoline" ] - then - failure "$arch/$flavour ABI retpoline file missing" - fi } abi_version="$debian/abi/version" diff --git a/debian/scripts/checks/retpoline-check b/debian/scripts/checks/retpoline-check deleted file mode 100755 index 5a0f870a741b..000000000000 --- a/debian/scripts/checks/retpoline-check +++ /dev/null @@ -1,52 +0,0 @@ -#!/bin/bash - -flavour="$1" -prev_abidir="$2" -curr_abidir="$3" - -skipretpoline=${4:-} -case "${skipretpoline,,}" in - 1|true|yes) skipretpoline=true ;; - *) skipretpoline=false ;; -esac - -echo "II: Checking retpoline indirections for $flavour..."; - -if [ "$skipretpoline" = 'true' ]; then - echo "manual request ignoring retpoline delta" -fi - -if [ -f "$prev_abidir/ignore.retpoline" -o \ - -f "$prev_abidir/$flavour.ignore.retpoline" ]; then - echo "explicitly ignoring retpoline delta" - skipretpoline='true' -fi - -prev="$prev_abidir/$flavour.retpoline" -curr="$curr_abidir/$flavour.retpoline" -if [ ! -f "$prev" ]; then - echo "previous retpoline file missing!" - echo " $prev" - prev="/dev/null" -fi -if [ ! -f "$curr" ]; then - echo "current retpoline file missing!" - echo " $curr" - curr="/dev/null" -fi - -echo "II: retpoline delta in this package..." -rc=0 -diff -u "$prev" "$curr" || true -count=$( diff -u "$prev" "$curr" | grep '^+[^+]' | wc -l ) -if [ "$count" != 0 ]; then - rc=1 - echo "WW: $count new retpoline sequences detected" -fi - -echo "II: Done"; -if [ "$skipretpoline" = 'true' -a "$rc" -ne 0 ]; then - echo "II: ignoring errors" - exit 0 -fi -exit "$rc" diff --git a/debian/scripts/dkms-build b/debian/scripts/dkms-build index f85a6557a8e0..de97466d587a 100755 --- a/debian/scripts/dkms-build +++ b/debian/scripts/dkms-build 
@@ -144,7 +144,7 @@ shift 2 # Copy the objects. echo "II: copying objects to '$to'" mkdir -p "$to" -(cd "$from" && find -name \*.o -o -name \*.o.ur-\* -o -name \*.mod | cpio -Lpd "$to") +(cd "$from" && find -name \*.o -o -name \*.mod | cpio -Lpd "$to") # Call the original post_install script if there is one. [ "$script" = '' ] && exit 0 diff --git a/debian/scripts/dkms-build--nvidia-N b/debian/scripts/dkms-build--nvidia-N index 383af5932720..22e60cafa087 100755 --- a/debian/scripts/dkms-build--nvidia-N +++ b/debian/scripts/dkms-build--nvidia-N @@ -17,10 +17,9 @@ shift 7 build="$( dirname "$objects" )/build" -# Copy over the objects ready for reconstruction. The objects copy contains -# the *.o files and the *.o-ur* retpoline files to allow the kernel to track -# any retpoline sequences therein. For our purposes we only want the *.o -# files, elide the rest. And .mod files for ld linking in recentish kernels. +# Copy over the objects ready for reconstruction. The objects copy +# contains the *.o files. For our purposes we only want the *.o files, +# elide the rest. And .mod files for ld linking in recentish kernels. mkdir -p "$pkgdir/bits/scripts" ( gcc_variant1=$(gcc --version | head -1 | sed -e 's/^gcc/GCC:/') diff --git a/debian/scripts/misc/getabis b/debian/scripts/misc/getabis index 819824f6162c..1f2851c59fd3 100755 --- a/debian/scripts/misc/getabis +++ b/debian/scripts/misc/getabis @@ -126,11 +126,6 @@ getall_set() else echo " NO ABI FILE" fi - if [ -f tmp/boot/retpoline-* ]; then - mv tmp/boot/retpoline-* $abidir/$arch/$sub.retpoline - else - echo " NO RETPOLINE FILE" - fi (cd tmp; find lib/modules/$verabi-$sub/kernel -name '*.ko') | \ sed -e 's/.*\/\([^\/]*\)\.ko/\1/' | sort > \ $abidir/$arch/$sub.modules 
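Review bot: The rewritten `find … | cpio -Lpd "$to"` line in debian/scripts/dkms-build still hands cpio a newline-delimited name list, so an object path containing a newline would be split or misread, and it relies on GNU find's implicit start directory. Since the line is being touched anyway, consider `(cd "$from" && find . \( -name '*.o' -o -name '*.mod' \) -print0 | cpio -0 -Lpd "$to")`; the parentheses are needed once an explicit action follows the `-o` expression. Note also that `-L` makes cpio copy the target of any symlink matching these names, which is worth keeping in mind because the tree comes from a DKMS module build.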
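Review bot: The reworded header comment in debian/scripts/dkms-build--nvidia-N now says the objects copy "contains the *.o files" and then "we only want the *.o files, elide the rest", which no longer tells the reader what "the rest" is now that the retpoline files are gone. Suggest stating what is actually kept, e.g. `# Copy over the objects ready for reconstruction: the *.o files, plus the` / `# *.mod files needed for ld linking in recentish kernels.` The code that performs the copy is outside this hunk, so confirm nothing else is still filtered before dropping the "elide" wording.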
@@ -157,7 +152,7 @@ getall_set() echo " buildinfo..." base="tmp/usr/lib/linux/${verabi}-${sub}" mv "$base/abi" "$abidir/$arch/$sub" - for comp in 'modules' 'retpoline' 'compiler' + for comp in 'modules' 'compiler' do mv "$base/$comp" "$abidir/$arch/$sub.$comp" done diff --git a/debian/scripts/retpoline-extract b/debian/scripts/retpoline-extract deleted file mode 100755 index cf13a30b1c62..000000000000 --- a/debian/scripts/retpoline-extract +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash - -cd "$1" || exit 1 - -# Find all valid retpoline information, collate the detected and -# safe information together. Join the result to find the detected -# but non-safe elements. These are our concern. -ur_detected=$(mktemp --tmpdir "retpoline-check-XXXXXX.ur-detected") -ur_safe=$(mktemp --tmpdir "retpoline-check-XXXXXX.ur-safe") - -find "." -path './drivers/firmware/efi/libstub' -prune -o \ - -path './arch/x86/boot' -prune -o \ - -path './arch/x86/purgatory' -prune -o \ - -name \*.ur-detected -print0 | xargs -0 cat | \ - sed -e "s@^$1@@" -e "s@ $2/@ @" -e "s@^/@@" | \ - sort -k 1b,1 >"$ur_detected" -find "." -name \*.ur-safe -print0 | xargs -0 cat | \ - sed -e "s@^$1@@" -e "s@^/@@" | \ - sort -k 1b,1 >"$ur_safe" - -join -v 1 -j 1 "$ur_detected" "$ur_safe" | sed -s 's/[^ ]* *//' - -rm -f "$ur_detected" "$ur_safe" diff --git a/debian/scripts/retpoline-extract-one b/debian/scripts/retpoline-extract-one deleted file mode 100755 index b203bfbf8df5..000000000000 --- a/debian/scripts/retpoline-extract-one +++ /dev/null 
@@ -1,270 +0,0 @@ -#!/bin/bash - -exec &2 - exit 1 - fi -} - -# Form an associative lookup for the section numbers in the ELF symbol table. -# Uses 8 character 0 expanded hexadecimal key for ease of consumption. -__sectionmap_init() -{ - readelf -W --headers "$1" | \ - awk ' - { sub("\\[", ""); sub("\\]", ""); } - ($1 ~ /^[0-9][0-9]*/) { printf("%08x %s %s %s\n", int($1), $2, $3, $4); } - ' | \ - { - while read section_num section_name section_type section_vma - do - echo "sectionmap_$section_num='$section_name'" - echo "sectionvma_$section_num='$section_vma'" - case "$section_type" in - REL|RELA) section_relocation="$section_type" ;; - esac - done - echo "section_relocation='$section_relocation'" - } -} -sectionmap_init() -{ - eval $(__sectionmap_init "$1") -} -sectionmap() -{ - eval RET="\$sectionmap_$1" - if [ "$RET" = '' ]; then - echo "sectionmap: $1: invalid section" 1>&2 - exit 1 - fi -} -sectionvma() -{ - eval RET="\$sectionvma_$1" - if [ "$RET" = '' ]; then - echo "sectionvma: $1: invalid section" 1>&2 - exit 1 - fi -} - -# Read and parse the hex-dump output. -hex="[0-9a-f]" -hex_8="$hex$hex$hex$hex$hex$hex$hex$hex" -hexspc="[0-9a-f ]" -hexspc_8="$hexspc$hexspc$hexspc$hexspc$hexspc$hexspc$hexspc$hexspc" - -raw32() -{ - readelf --hex-dump "$2" "$1" 2>/dev/null | - sed \ - -e '/^Hex/d' -e '/^$/d' -e '/^ *NOTE/d' \ - -e 's/ *[^ ][^ ]* *\('"$hex_8"'\) \('"$hexspc_8"'\) \('"$hexspc_8"'\) \('"$hexspc_8"'\) .*/\1 \2 \3 \4 /' \ - -e 's/\('"$hex$hex"'\)\('"$hex$hex"'\)\('"$hex$hex"'\)\('"$hex$hex"'\) /\4\3\2\1 /g' \ - -e 's/ $//g' -e 's/ /\n/g' -} -#-e 's/\([^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ]\) \([^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ]\) /\2\1 /g' \ - -rela() -{ - #file="$(basename "$1")" - file="$1" - - # Read relocation information for a 64bit binary. Each relocation entry - # is 3 long longs so we collect 6 quads here. Note that the dump is in - # listed in increasing byte order not withstanding the quad split. 
- # - # The record says to take the value of add and - # shove that into in the segment of the . - # - # Format: - # 64 bits - # 32 bits - # 32 bits - # 64 bits - raw32 "$1" ".rela$SECTION" | \ - { - a1=''; a2=''; a3=''; a4=''; a5='' - while read a6 - do - [ "$a1" = '' ] && { a1="$a6"; continue; } - [ "$a2" = '' ] && { a2="$a6"; continue; } - [ "$a3" = '' ] && { a3="$a6"; continue; } - [ "$a4" = '' ] && { a4="$a6"; continue; } - [ "$a5" = '' ] && { a5="$a6"; continue; } - - #echo ">$a1< >$a2< >$a3< >$a4< >$a5< >$a6<" 1>&2 - #echo "type<$a3> symbol<$a4> offset<$a2$a1> addr<$a6a5>" 1>&2 - - symbolmap "$a4"; section_num="$RET" - #echo "section_num<$section_num>" 1>&2 - - sectionmap "$section_num"; section="$RET" - sectionvma "$section_num"; vma="$RET" - #echo "section<$section> vma<$vma>" 1>&2 - - # Adjust the segment addressing by the segment offset. - printf -v addr "%u" "0x$a6$a5" - printf -v vma "%u" "0x$vma" - let offset="$addr + $vma" - printf -v offset "%x" "$offset" - - echo "$file-$section-$offset" - - a1=''; a2=''; a3=''; a4=''; a5='' - done - } | sed -e 's/-00*\([0-9a-f]\)/-\1/' -} - -# Form an associative lookup for the raw contents for an ELF section. -# Uses 8 character 0 expanded hexadecimal key for ease of consumption. -contentmap_init() -{ - raw32 "$1" "$2" >"$tmp" - let offset=0 - while read value - do - printf -v offset_hex "%08x" $offset - eval contentmap_$offset_hex=\'$value\' - - let offset="$offset + 4" - done <"$tmp" - rm -f "$tmp" -} -contentmap() -{ - eval RET="\$contentmap_$1" - if [ "$RET" = '' ]; then - echo "contentmap: $1: invalid offset" 1>&2 - exit 1 - fi -} - -rel() -{ - # Load up the current contents of the $SECTION segment - # as the offsets (see below) are recorded there and we will need - # those to calculate the actuall address. - contentmap_init "$1" "$SECTION" - - #file="$(basename "$1")" - file="$1" - - # Read relocation information for a 32bit binary. Each relocation entry - # is 3 longs so we collect 3 quads here. 
Note that the dump is in - # listed in increasing byte order not withstanding the quad split. - # - # The record says to take the value of and add that to the - # existing contents of in the segment of the . - # - # Format: - # 32 bits - # 24 bits - # 8 bits - raw32 "$1" ".rel$SECTION" | \ - { - a1='' - while read a2 - do - [ "$a1" = '' ] && { a1="$a2"; continue; } - - #echo ">$a1< >$a2<" - contentmap "$a1"; offset="$RET" - symbolmap "00${a2%??}"; section_num="$RET" - - sectionmap "$section_num"; section="$RET" - sectionvma "$section_num"; vma="$RET" - #echo ">$a1< >$a2< >$offset< >$section<" - - echo "$file-$section-$offset" - - a1='' - done - } | sed -e 's/-00*\([0-9a-f]\)/-\1/' -} - -tmp=$(mktemp --tmpdir "retpoline-extract-XXXXXX") - -disassemble() -{ - local object="$1" - local src="$2" - local options="$3" - local selector="$4" - - objdump $options --disassemble --no-show-raw-insn "$object" | \ - awk -F' ' ' - BEGIN { file="'"$object"'"; src="'"$src"'"; } - /Disassembly of section/ { segment=$4; sub(":", "", segment); } - /^[0-9a-f][0-9a-f]* <.*>:/ { tag=$0; sub(".*<", "", tag); sub(">.*", "", tag); } - $0 ~ /(call|jmp)q? *\*0x[0-9a-f]*\(%rip\)/ { - next - } - $0 ~ /(call|jmp)q? *\*.*%/ { - sub(":", "", $1); - if ('"$selector"') { - offset=$1 - $1=tag - print(file "-" segment "-" offset " " src " " segment " " $0); - } - } - ' -} - -# Accumulate potentially vunerable indirect call/jmp sequences. We do this -# by examining the raw disassembly for affected forms, recording the location -# of each. -case "$bit16" in -'') disassemble "$object" "$src" '' 'segment != ".init.text"' ;; -*) disassemble "$object" "$src" '--disassembler-options=i8086' 'segment != ".init.text" && segment != ".text32" && segment != ".text64"' - disassemble "$object" "$src" '--disassembler-options=i386' 'segment == ".text32"' - disassemble "$object" "$src" '--disassembler-options=x86-64' 'segment == ".text64"' - ;; -esac | sort -k 1b,1 >"$object.ur-detected" -[ ! 
-s "$object.ur-detected" ] && rm -f "$object.ur-detected" - -# Load up the symbol table and section mappings. -symbolmap_init "$object" -sectionmap_init "$object" - -# Accumulate annotated safe indirect call/jmp sequences. We do this by examining -# the $SECTION sections (and their associated relocation information), -# each entry represents the address of an instruction which has been marked -# as ok. -case "$section_relocation" in -REL) rel "$object" ;; -RELA) rela "$object" ;; -esac | sort -k 1b,1 >"$object.ur-safe" -[ ! -s "$object.ur-safe" ] && rm -f "$object.ur-safe" - -# We will perform the below join on the summarised and sorted fragments -# formed above. This is performed in retpoline-check. -#join -v 1 -j 1 "$tmp.extracted" "$tmp.safe" | sed -s 's/[^ ]* *//' - -rm -f "$tmp" diff --git a/snapcraft.yaml b/snapcraft.yaml index 2452c4031066..2530be0a9d71 100644 --- a/snapcraft.yaml +++ b/snapcraft.yaml @@ -17,10 +17,6 @@ parts: kconfigflavour: generic kconfigs: - CONFIG_DEBUG_INFO=n - override-build: | - cp debian/scripts/retpoline-extract-one \ - $SNAPCRAFT_PART_BUILD/scripts/ubuntu-retpoline-extract-one - snapcraftctl build kernel-with-firmware: false firmware: plugin: nil