From 76b60ec6b3642f93b3879419d232002f5d9285f9 Mon Sep 17 00:00:00 2001 From: Zhiqiang Liu Date: Mon, 13 Sep 2021 21:40:45 +0800 Subject: [PATCH 1/4] spdk: use -fstack-protector-strong instead of -fstack-protector for stronger security. Signed-off-by: Zhiqiang Liu --- ...protector-strong-instead-of-fstack-p.patch | 30 +++++++++++++++++++ spdk.spec | 7 ++++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 0029-spdk-use-fstack-protector-strong-instead-of-fstack-p.patch diff --git a/0029-spdk-use-fstack-protector-strong-instead-of-fstack-p.patch b/0029-spdk-use-fstack-protector-strong-instead-of-fstack-p.patch new file mode 100644 index 0000000..d00dff6 --- /dev/null +++ b/0029-spdk-use-fstack-protector-strong-instead-of-fstack-p.patch @@ -0,0 +1,30 @@ +From b1959244d8178975119606e9fc1323dbee06c18f Mon Sep 17 00:00:00 2001 +From: Zhiqiang Liu +Date: Mon, 13 Sep 2021 21:36:51 +0800 +Subject: [PATCH] spdk: use -fstack-protector-strong instead of + -fstack-protector + +use -fstack-protector-strong instead of -fstack-protector for +stronger security. + +Signed-off-by: Zhiqiang Liu +--- + mk/spdk.common.mk | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mk/spdk.common.mk b/mk/spdk.common.mk +index f3fe5c2..dc8ed69 100644 +--- a/mk/spdk.common.mk ++++ b/mk/spdk.common.mk +@@ -120,7 +120,7 @@ COMMON_CFLAGS += -D_GNU_SOURCE + COMMON_CFLAGS += -fPIC + + # Enable stack buffer overflow checking +-COMMON_CFLAGS += -fstack-protector ++COMMON_CFLAGS += -fstack-protector-strong + + # Prevent accidental multiple definitions of global variables + COMMON_CFLAGS += -fno-common +-- +1.8.3.1 + diff --git a/spdk.spec b/spdk.spec index 98fcbd4..5add438 100644 --- a/spdk.spec +++ b/spdk.spec @@ -3,7 +3,7 @@ Name: spdk Version: 21.01 -Release: 4 +Release: 5 Summary: Set of libraries and utilities for high performance user-mode storage License: BSD and MIT URL: http://spdk.io 
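Review bot: The comment kept above the changed flag in mk/spdk.common.mk, `# Enable stack buffer overflow checking`, records neither what the -strong variant adds nor which compiler it needs. I would reword it to `# Enable stack buffer overflow checking; -strong also instruments functions with any local array or address-taken local (GCC >= 4.9)`. The flag is appended to COMMON_CFLAGS and later additions to that file are outside this hunk, so it is worth confirming on a built library that `__stack_chk_fail` is actually referenced and that no later override drops the protection.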
@@ -36,6 +36,7 @@ Patch25: 0025-nvmf-fix-fd-leakage-problem-in-nvmf_vfio_user_listen.patch Patch26: 0026-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch Patch27: 0027-spdk_top-check-return-value-of-strdup-in-store_last_.patch Patch28: 0028-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch +Patch29: 0029-spdk-use-fstack-protector-strong-instead-of-fstack-p.patch %define package_version %{version}-%{release} @@ -196,6 +197,10 @@ mv doc/output/html/ %{install_docdir} %changelog +* Mon Sep 13 2021 Zhiqiang Liu - 21.01-5 +- use -fstack-protector-strong instead of -fstack-protector for +stronger security. + * Sat Jul 24 2021 Zhiqiang Liu - 21.01-4 - backport 13 bugfix from upstream -- Gitee From e9ca0568af7f5f978f364412470406fad91e22a2 Mon Sep 17 00:00:00 2001 From: Weifeng Su Date: Mon, 10 Jan 2022 20:19:55 +0800 Subject: [PATCH 2/4] Adapt for dpdk 21.11 Signed-off-by: Weifeng Su --- ...host-Fix-compilation-with-dpdk-21.11.patch | 80 +++++++++++++++++++ spdk.spec | 16 ++-- 2 files changed, 87 insertions(+), 9 deletions(-) create mode 100644 0013-lib-vhost-Fix-compilation-with-dpdk-21.11.patch diff --git a/0013-lib-vhost-Fix-compilation-with-dpdk-21.11.patch b/0013-lib-vhost-Fix-compilation-with-dpdk-21.11.patch new file mode 100644 index 0000000..a775823 --- /dev/null +++ b/0013-lib-vhost-Fix-compilation-with-dpdk-21.11.patch 
@@ -0,0 +1,80 @@ +From f72cab94dd35d7b45ec5a4f35967adf3184ca616 Mon Sep 17 00:00:00 2001 +From: Alexey Marchuk +Date: Mon, 15 Nov 2021 11:01:14 +0300 +Subject: [PATCH] lib/vhost: Fix compilation with dpdk 21.11 + +Structure vhost_device_ops was renamed to +rte_vhost_device_ops + +Signed-off-by: Alexey Marchuk +Change-Id: Ie9601099d47465536500aa37fc113aeae03a8254 +Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/10223 +Tested-by: SPDK CI Jenkins +Community-CI: Mellanox Build Bot +Community-CI: Broadcom CI +Reviewed-by: John Kariuki +Reviewed-by: Changpeng Liu +Reviewed-by: Tomasz Zawadzki +--- + lib/vhost/rte_vhost_compat.c | 5 +++++ + test/unit/lib/vhost/vhost.c/vhost_ut.c | 7 +++++++ + 2 files changed, 12 insertions(+) + +diff --git a/lib/vhost/rte_vhost_compat.c b/lib/vhost/rte_vhost_compat.c +index 3c9f691883a..08574cfad07 100644 +--- a/lib/vhost/rte_vhost_compat.c ++++ b/lib/vhost/rte_vhost_compat.c +@@ -3,6 +3,7 @@ + * + * Copyright (c) Intel Corporation. + * All rights reserved. ++ * Copyright (c) 2021 Mellanox Technologies LTD. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -134,7 +135,11 @@ destroy_connection(int vid) + vhost_destroy_connection_cb(vid); + } + ++#if RTE_VERSION >= RTE_VERSION_NUM(21, 11, 0, 0) ++static const struct rte_vhost_device_ops g_spdk_vhost_ops = { ++#else + static const struct vhost_device_ops g_spdk_vhost_ops = { ++#endif + .new_device = start_device, + .destroy_device = stop_device, + .new_connection = new_connection, +diff --git a/test/unit/lib/vhost/vhost.c/vhost_ut.c b/test/unit/lib/vhost/vhost.c/vhost_ut.c +index df1c32d28e6..e62da334688 100644 +--- a/test/unit/lib/vhost/vhost.c/vhost_ut.c ++++ b/test/unit/lib/vhost/vhost.c/vhost_ut.c +@@ -3,6 +3,7 @@ + * + * Copyright (c) Intel Corporation. + * All rights reserved. ++ * Copyright (c) 2021 Mellanox Technologies LTD. All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -41,6 +42,7 @@ + #include "unit/lib/json_mock.c" + + #include "vhost/vhost.c" ++#include + + DEFINE_STUB(rte_vhost_set_vring_base, int, (int vid, uint16_t queue_id, + uint16_t last_avail_idx, uint16_t last_used_idx), 0); +@@ -65,8 +67,13 @@ DEFINE_STUB(rte_vhost_enable_guest_notification, int, + (int vid, uint16_t queue_id, int enable), 0); + DEFINE_STUB(rte_vhost_get_ifname, int, (int vid, char *buf, size_t len), 0); + DEFINE_STUB(rte_vhost_driver_start, int, (const char *name), 0); ++#if RTE_VERSION >= RTE_VERSION_NUM(21, 11, 0, 0) ++DEFINE_STUB(rte_vhost_driver_callback_register, int, ++ (const char *path, struct rte_vhost_device_ops const *const ops), 0); ++#else + DEFINE_STUB(rte_vhost_driver_callback_register, int, + (const char *path, struct vhost_device_ops const *const ops), 0); ++#endif + DEFINE_STUB(rte_vhost_driver_disable_features, int, (const char *path, uint64_t features), 0); + DEFINE_STUB(rte_vhost_driver_set_features, int, (const char *path, uint64_t features), 0); + DEFINE_STUB(rte_vhost_driver_register, int, (const char *path, uint64_t flags), 0); diff --git a/spdk.spec b/spdk.spec index 33d2c2c..5f6d798 100644 --- a/spdk.spec +++ b/spdk.spec @@ -3,7 +3,7 @@ Name: spdk Version: 21.01.1 -Release: 1 +Release: 2 Summary: Set of libraries and utilities for high performance user-mode storage License: BSD and MIT URL: http://spdk.io @@ -20,6 +20,7 @@ Patch9: 0009-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch Patch10: 0010-spdk_top-check-return-value-of-strdup-in-store_last_.patch Patch11: 0011-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch Patch12: 0012-spdk-use-fstack-protector-strong-instead-of-fstack-p.patch +Patch13: 0013-lib-vhost-Fix-compilation-with-dpdk-21.11.patch %define package_version %{version}-%{release} 
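Review bot: The `#if RTE_VERSION >= RTE_VERSION_NUM(21, 11, 0, 0)` switch is written twice, once around the opening line of `g_spdk_vhost_ops` in lib/vhost/rte_vhost_compat.c and once around the `rte_vhost_driver_callback_register` stub in vhost_ut.c, duplicating a declaration line in each place. A single compat definition kept in one shared header would cover both: `#if RTE_VERSION < RTE_VERSION_NUM(21, 11, 0, 0)`, `#define rte_vhost_device_ops vhost_device_ops`, `#endif`. vhost_ut.c gains an `#include` (the header name is not legible on this page, presumably the DPDK version header), but no matching include is visible in the rte_vhost_compat.c hunk; it probably arrives through an existing header, which should be confirmed. The initializer of `g_spdk_vhost_ops` continues outside the hunk.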
@@ -44,14 +45,8 @@ BuildRequires: libibverbs-devel, librdmacm-devel BuildRequires: doxygen mscgen graphviz %endif -%ifarch aarch64 -%global config arm64-armv8a-linux-gcc -%else -%global config x86_64-native-linux-gcc -%endif - # Install dependencies -Requires: dpdk >= 19.11, numactl-libs, openssl-libs +Requires: dpdk >= 21.11, numactl-libs, openssl-libs Requires: libiscsi, libaio, libuuid # NVMe over Fabrics Requires: librdmacm, librdmacm @@ -107,7 +102,7 @@ BuildArch: noarch --disable-unit-tests \ --without-crypto \ --without-isal \ - --with-dpdk=/usr/share/dpdk/%{config} \ + --with-dpdk=/usr/lib64/dpdk/pmds-22.0 \ --without-fio \ --with-vhost \ --without-pmdk \ @@ -179,6 +174,9 @@ mv doc/output/html/ %{install_docdir} %changelog +* Mon Jan 10 2022 Weifeng Su - 21.01.1-2 +- Adapt for dpdk 21.11 + * Tue Nov 23 2021 Weifeng Su - 21.01.1-1 - rebase to v21.01.1 Maintenance LTS Version -- Gitee From ab73e4e18aeb2d4c58ab531225216245498716fb Mon Sep 17 00:00:00 2001 From: Hongtao Zhang Date: Fri, 25 Feb 2022 10:03:21 +0800 Subject: [PATCH 3/4] Fix build error on ARM ThunderX2 and neoverse N1 platform Signed-off-by: Hongtao Zhang (cherry picked from commit c3a727d7b66ed6491d48adb53c8c2b87ef2f019e) --- ...M-ThunderX2-and-neoverse_N1_platform.patch | 47 ++++++++++++++++ ...n-check-for-ARM-Neoverse-N1_platform.patch | 53 +++++++++++++++++++ spdk.spec | 7 ++- 3 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 0014-mk-Fix-debug-build-error-on-ARM-ThunderX2-and-neoverse_N1_platform.patch create mode 100644 0015-configure-add-gcc-version-check-for-ARM-Neoverse-N1_platform.patch diff --git a/0014-mk-Fix-debug-build-error-on-ARM-ThunderX2-and-neoverse_N1_platform.patch b/0014-mk-Fix-debug-build-error-on-ARM-ThunderX2-and-neoverse_N1_platform.patch new file mode 100644 index 0000000..ca6534d --- /dev/null +++ b/0014-mk-Fix-debug-build-error-on-ARM-ThunderX2-and-neoverse_N1_platform.patch 
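Review bot: The new `--with-dpdk=/usr/lib64/dpdk/pmds-22.0` in the configure hunk (-107,7) of spdk.spec pins both `lib64` and one DPDK ABI directory, while the `Requires:` line changed in the -44,14 hunk accepts any `dpdk >= 21.11`. A later DPDK package that satisfies that requirement but ships a different `pmds-*` directory would break the build or leave it pointing at a stale tree. I would use `%{_libdir}` in place of `/usr/lib64` and pin the build-time DPDK version so the two stay in step; the BuildRequires lines are outside these hunks, so check whether that is already done. The -44,14 hunk also drops the `%ifarch` selection, so aarch64 and x86_64 now share this one path, which should be confirmed on both.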
@@ -0,0 +1,47 @@ +From de8f3a50ee33c8218ba59bc16297e953121206d7 Mon Sep 17 00:00:00 2001 +From: root +Date: Fri, 19 Mar 2021 15:38:55 +0800 +Subject: [PATCH] mk: Fix debug build error on ARM ThunderX2 and neoverse N1 + platform + +When building spdk on ARM platform like thunderx2 with --enable-debug, +there are following error: + +/tmp/ccOBb4AF.s: Assembler messages: +/tmp/ccOBb4AF.s:45: Error: selected processor does not support `casp x0,x1,x2,x3,[x4]' +/tmp/ccOBb4AF.s:77: Error: selected processor does not support `caspa x0,x1,x2,x3,[x4]' +/tmp/ccOBb4AF.s:109: Error: selected processor does not support `caspl x0,x1,x2,x3,[x4]' +/tmp/ccOBb4AF.s:141: Error: selected processor does not support `caspal x0,x1,x2,x3,[x4]' + +The reason is that DPDK is built with -march=armv8.1-a or -march=armv8.2-a+lse which +have these instructions while SPDK is built with -march=armv8-a+crc which does not support +them. Change spdk build machine to native can fix this. + +Signed-off-by: Rui Chang +Change-Id: I759d4ce2c557ce5ff73a802d7a4b6579c4ba64f7 +Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/7025 +Community-CI: Mellanox Build Bot +Reviewed-by: Ziye Yang +Reviewed-by: Changpeng Liu +Reviewed-by: Aleksey Marchuk +Tested-by: SPDK CI Jenkins +--- + mk/spdk.common.mk | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/mk/spdk.common.mk b/mk/spdk.common.mk +index 633a05bda79..897be4d2150 100644 +--- a/mk/spdk.common.mk ++++ b/mk/spdk.common.mk +@@ -77,11 +77,7 @@ + ifneq ($(filter powerpc%,$(TARGET_MACHINE)),) + COMMON_CFLAGS += -mcpu=$(TARGET_ARCHITECTURE) + else ifeq ($(TARGET_MACHINE),aarch64) +-ifeq ($(TARGET_ARCHITECTURE),native) +-COMMON_CFLAGS += -march=armv8-a+crc +-else + COMMON_CFLAGS += -march=$(TARGET_ARCHITECTURE) +-endif + COMMON_CFLAGS += -DPAGE_SIZE=$(shell getconf PAGESIZE) + else + COMMON_CFLAGS += -march=$(TARGET_ARCHITECTURE) 
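Review bot: With the `ifeq ($(TARGET_ARCHITECTURE),native)` special case removed, the aarch64 branch of mk/spdk.common.mk passes `-march=$(TARGET_ARCHITECTURE)` unconditionally, so a `native` build is tuned to whatever CPU the build host has. For a distributed package this means the binaries may contain instructions, such as the `casp` family quoted in the commit message, that fault on aarch64 machines without them. No `--target-arch=` argument appears in the spec hunks of this series (the full configure invocation is outside the visible hunks), so I would set an explicit baseline there that matches how the dpdk package is built. A short comment on the remaining line, e.g. `# -march must match the DPDK build; do not leave this as native for packaged builds`, would record the constraint.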
diff --git a/0015-configure-add-gcc-version-check-for-ARM-Neoverse-N1_platform.patch b/0015-configure-add-gcc-version-check-for-ARM-Neoverse-N1_platform.patch new file mode 100644 index 0000000..7b4d6ef --- /dev/null +++ b/0015-configure-add-gcc-version-check-for-ARM-Neoverse-N1_platform.patch 
@@ -0,0 +1,53 @@ +From fcc389490a4abe26c1efe6cc624dc2925ed6b670 Mon Sep 17 00:00:00 2001 +From: Rui Chang +Date: Tue, 18 May 2021 15:32:56 +0800 +Subject: [PATCH] configure: add gcc version check for ARM Neoverse-N1 platform + +When doing debug build on ARM Neoverse-N1 platform, if gcc version is +lower than 8.4.0, we may met following errors: + +/tmp/cc24qua1.s: Assembler messages: +/tmp/cc24qua1.s:53: Error: selected processor does not support `casp x0,x1,x2,x3,[x4]' +/tmp/cc24qua1.s:85: Error: selected processor does not support `caspa x0,x1,x2,x3,[x4]' +/tmp/cc24qua1.s:117: Error: selected processor does not support `caspl x0,x1,x2,x3,[x4]' +/tmp/cc24qua1.s:149: Error: selected processor does not support `caspal x0,x1,x2,x3,[x4]' + +The change also fix the problem by pass armv8.2-a+crypto as target architecture. + +Signed-off-by: Rui Chang +Change-Id: I2053b9440e06873066480d63e471802df2e69d4e +Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/7949 +Reviewed-by: Changpeng Liu +Reviewed-by: Aleksey Marchuk +Reviewed-by: Ziye Yang +Tested-by: SPDK CI Jenkins +Community-CI: Mellanox Build Bot +--- + configure | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/configure b/configure +index 7d063f4ef3b..a2d0c5a62fb 100755 +--- a/configure ++++ b/configure +@@ -786,6 +786,20 @@ exit 1 + fi + fi + ++# For ARM Neoverse-N1 platform, debug build needs gcc version newer than 8.4 ++if [[ "${CONFIG[DEBUG]}" = "y" && $arch = aarch64* && "$CC_TYPE" = "gcc" ]]; then ++ GCC_VERSION=$($CC -dumpfullversion) ++ PART_NUM=$(grep -i -m 1 "CPU part" /proc/cpuinfo | awk '{print $4}') ++ ++ if [[ "$(printf '%s\n' "8.4.0" "$GCC_VERSION" | sort -V | head -n1)" != "8.4.0" ]]; then ++ if [[ $PART_NUM = 0xd0c ]]; then ++ echo "WARNING: For ARM Neoverse-N1 platform, debug build needs GCC version newer than 8.4." ++ echo " Will work around this by using armv8.2-a+crypto as target architecture for now." 
++ CONFIG[ARCH]=armv8.2-a+crypto ++ fi ++ fi ++fi ++ + # We are now ready to generate final configuration. But first do sanity + # check to see if all keys in CONFIG array have its reflection in CONFIG file. + if [ $(egrep -c "^\s*CONFIG_[[:alnum:]_]+=" $rootdir/CONFIG) -ne ${#CONFIG[@]} ]; then diff --git a/spdk.spec b/spdk.spec index 5f6d798..bb17a36 100644 --- a/spdk.spec +++ b/spdk.spec @@ -3,7 +3,7 @@ Name: spdk Version: 21.01.1 -Release: 2 +Release: 3 Summary: Set of libraries and utilities for high performance user-mode storage License: BSD and MIT URL: http://spdk.io @@ -21,6 +21,8 @@ Patch10: 0010-spdk_top-check-return-value-of-strdup-in-store_last_.patch Patch11: 0011-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch Patch12: 0012-spdk-use-fstack-protector-strong-instead-of-fstack-p.patch Patch13: 0013-lib-vhost-Fix-compilation-with-dpdk-21.11.patch +Patch14: 0014-mk-Fix-debug-build-error-on-ARM-ThunderX2-and-neoverse_N1_platform.patch +Patch15: 0015-configure-add-gcc-version-check-for-ARM-Neoverse-N1_platform.patch %define package_version %{version}-%{release} @@ -174,6 +176,9 @@ mv doc/output/html/ %{install_docdir} %changelog +* Fri Feb 25 2022 Hongtao Zhang - 21.01.1-3 +- Fix build error on ARM ThunderX2 and neoverse N1 platform + * Mon Jan 10 2022 Weifeng Su - 21.01.1-2 - Adapt for dpdk 21.11 -- Gitee From 7ce6099e09277a2414eb726bac16d947174af593 Mon Sep 17 00:00:00 2001 From: Weifeng Su Date: Tue, 15 Mar 2022 11:43:25 +0000 Subject: [PATCH 4/4] Enhance security for share library Remove rpath link option, Due to it's easy for attacher to construct 'rpath' attacks. Signed-off-by: Weifeng Su --- 0016-Enhance-security-for-share-library.patch | 28 +++++++++++++++++++ spdk.spec | 6 +++- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 0016-Enhance-security-for-share-library.patch diff --git a/0016-Enhance-security-for-share-library.patch b/0016-Enhance-security-for-share-library.patch new file mode 100644 index 0000000..8fa21d4 
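Review bot: The block added to configure chooses CONFIG[ARCH] from the build host's CPU, via `PART_NUM=$(grep -i -m 1 "CPU part" /proc/cpuinfo | awk '{print $4}')`, so the result describes the machine running configure rather than the machine the package will run on, and `-m 1` looks at the first core only. The comment and the warning both say "newer than 8.4", but the `sort -V` test accepts 8.4.0 itself; the comment should read `# For ARM Neoverse-N1 platform, debug build needs GCC 8.4.0 or newer`. The result of `$CC -dumpfullversion` is not checked: if it comes back empty, the empty string sorts first and the code takes the workaround branch without saying why. A guard such as `[[ -n "$GCC_VERSION" ]] || { echo "ERROR: cannot determine GCC version"; exit 1; }` would make that case explicit.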
--- /dev/null +++ b/0016-Enhance-security-for-share-library.patch @@ -0,0 +1,28 @@ +From 56b3831310673beeb0b7d5121cf36b1993ebe322 Mon Sep 17 00:00:00 2001 +From: Weifeng Su +Date: Tue, 15 Mar 2022 11:25:02 +0000 +Subject: [PATCH] Enhance security for share library + +Remove rpath link option, Due to it's easy for attacher to +construct 'rpath' attacks. + +Signed-off-by: Weifeng Su +--- + mk/spdk.common.mk | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/mk/spdk.common.mk b/mk/spdk.common.mk +index f9409c4..8569687 100644 +--- a/mk/spdk.common.mk ++++ b/mk/spdk.common.mk +@@ -293,7 +293,6 @@ LINK_CXX=\ + # Provide function to ease build of a shared lib + define spdk_build_realname_shared_lib + $(CC) -o $@ -shared $(CPPFLAGS) $(LDFLAGS) \ +- -Wl,-rpath=$(DESTDIR)/$(libdir) \ + -Wl,--soname,$(notdir $@) \ + -Wl,--whole-archive $(1) -Wl,--no-whole-archive \ + -Wl,--version-script=$(2) \ +-- +2.27.0 + diff --git a/spdk.spec b/spdk.spec index bb17a36..dfba624 100644 --- a/spdk.spec +++ b/spdk.spec @@ -3,7 +3,7 @@ Name: spdk Version: 21.01.1 -Release: 3 +Release: 4 Summary: Set of libraries and utilities for high performance user-mode storage License: BSD and MIT URL: http://spdk.io @@ -23,6 +23,7 @@ Patch12: 0012-spdk-use-fstack-protector-strong-instead-of-fstack-p.patch Patch13: 0013-lib-vhost-Fix-compilation-with-dpdk-21.11.patch Patch14: 0014-mk-Fix-debug-build-error-on-ARM-ThunderX2-and-neoverse_N1_platform.patch Patch15: 0015-configure-add-gcc-version-check-for-ARM-Neoverse-N1_platform.patch +Patch16: 0016-Enhance-security-for-share-library.patch %define package_version %{version}-%{release} @@ -176,6 +177,9 @@ mv doc/output/html/ %{install_docdir} %changelog +* Tue Mar 15 2022 Weifeng Su - 21.01.1-4 +- Enhance security for share library + * Fri Feb 25 2022 Hongtao Zhang - 21.01.1-3 - Fix build error on ARM ThunderX2 and neoverse N1 platform -- Gitee
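Review bot: Only the `-Wl,-rpath=$(DESTDIR)/$(libdir)` line in `spdk_build_realname_shared_lib` is removed; the define continues outside the hunk and the executable link rules (`LINK_CXX` is named in the hunk header) are not shown, so an rpath may still be emitted elsewhere. The commit message should also state the actual risk: an rpath built from DESTDIR bakes a build-root path into the library, and if that directory is absent or writable on the installed system the loader can resolve a dependency from it. I would add a packaging check that fails the build when any shipped ELF file carries a DT_RPATH or DT_RUNPATH entry, for example by inspecting `readelf -d` output in `%check`, so the property is enforced rather than assumed.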