Trim unused exported kernel symbols (CONFIG_TRIM_UNUSED_KSYMS) #423
Comments
|
the risk is that out-of-tree kernel modules, like wireguard and (formerly?)
zfs won't be able to stop stripping of the symbols they need.
also any kernel modules you install as precompiled binaries are at risk of
missing symbols, unless you have other modules that need the same symbols.
for most users I betthe main risk would be nvidia drivers. it would be
interesting to see if they still work, and if not whether there are other
drivers that could be built to preserve the right dependencies (nouveau?).
alternatively there may be a list used for stripping we could add needed
symbols to.
…On Fri, Oct 11, 2019, 05:43 Ellison Patterson ***@***.***> wrote:
I'm tweaking my kernel config, when I ran across this option
CONFIG_TRIM_UNUSED_KSYMS.
The title is Trim unused exported kernel symbols with a snippit of the
description being:
This option allows for unused exported symbols to be dropped from the build. In turn, this provides the compiler more opportunities (especially when using LTO) for optimizing the code and reducing binary size. This might have some security advantages as well.
Anyone have any knowledge about the implications of this option?
Thanks!
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#423?email_source=notifications&email_token=AAAHXYSO4W547YLURRLNRVLQOBYGVA5CNFSM4I7ZJIP2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HRGLILA>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAHXYQBYZ4UKPBNXVI7XQTQOBYGVANCNFSM4I7ZJIPQ>
.
|
|
That was sudden closure. Why close it all of a sudden @ellisonpatterson? Also, I wonder if the option would affect VirtualBox's modules... |
It seems to affect various modules (ZFS for my build) and I'm not sure if it's worth pursuing since the feature itself could lead to issues. |
|
You can patch in the module like this for example. The reason ZFS isn't an in-kernel option is due to GPL licensing. For something as small as ZFS it should be simple, I'm not sure not sure how difficult it would be for NVIDIA. Ofc you shouldn't redistribute it if you do decide to do it for yourself. |
|
Hmm... I wonder if VirtualBox modules are affected. Those are the only modules I have, period. Yeah, I build everything in (instead of "M", I select "Y" in menuconfig). EditI just realized that I already said that (regarding VB modules). |
|
The mainline kernel (5.4-rc7) currently has It seems as if this option would you allow you to load external modules that are invalid due to their signatures/required symbols being stripped. Edit: didn't work..for now |
|
@ellisonpatterson Given that the discussion has sparked yet again, maybe you consider reopening the ticket? |
Sorry about that, I have reopened it for further discussion (thank you!) |
That's an unrelated option. The kernel is cleaning up the module source interface and this option will break ones that haven't been updated. It won't help with external modules that depend on some symbol that got dropped from the kernel though. Note that the LTO advantage isn't relevant unless you've got a patched kernel that you're compiling with LTO turned on. |
|
I'm staring at initial changes for CONFIG_TRIM_UNUSED_KSYMS support, and from what I understand we just need to add required symbols into support-trim-unused-ksyms-for-external-modules.patch--- a/scripts/adjust_autoksyms.sh
+++ b/scripts/adjust_autoksyms.sh
@@ -19,6 +19,7 @@
cur_ksyms_file="include/generated/autoksyms.h"
new_ksyms_file="include/generated/autoksyms.h.tmpnew"
+ext_ksyms_file="include/generated/autoksyms.h.extern"
info() {
if [ "$quiet" != "silent_" ]; then
@@ -49,7 +50,11 @@
sed 's/ko$/mod/' modules.order |
xargs -n1 sed -n -e '2{s/ /\n/g;/^$/!p;}' -- |
sort -u |
-sed -e 's/\(.*\)/#define __KSYM_\1 1/' >> "$new_ksyms_file"
+sed -e 's/\(.*\)/#define __KSYM_\1 1/' >> "$new_ksyms_file".tmp
+
+# Merge external and new ksym files
+sort -u "$new_ksyms_file".tmp "$ext_ksyms_file" >> "$new_ksyms_file"
+rm -f "$new_ksyms_file".tmp
# Special case for modversions (see modpost.c)
if [ -n "$CONFIG_MODVERSIONS" ]; then
@@ -82,7 +87,8 @@
# Replace the old list with tne new one
old=$(grep -c "^#define __KSYM_" "$cur_ksyms_file" || true)
new=$(grep -c "^#define __KSYM_" "$new_ksyms_file" || true)
- info "KSYMS" "symbols: before=$old, after=$new, changed=$changed"
+ ext=$(grep -c "^#define __KSYM_" "$ext_ksyms_file" || true)
+ info "KSYMS" "symbols: before=$old, after=$new, external=$ext, changed=$changed"
info "UPD" "$cur_ksyms_file"
mv -f "$new_ksyms_file" "$cur_ksyms_file"
# Then trigger a rebuild of affected source filesextern-ksym.sh#!/bin/sh
#CUR_KERNEL_VER=5.4.8-gentoo
CUR_KERNEL_VER=$(uname -r)
. /usr/src/linux-${CUR_KERNEL_VER}/include/config/auto.conf
list_required_ksyms() {
nm $1 |
sed -n 's/^ \+U //p' |
sed -ns -e '{s/ /\n/g;/^$/!p;}' |
sort -u |
while read sym; do
if [ -n "$CONFIG_HAVE_UNDERSCORE_SYMBOL_PREFIX" ]; then
sym="${sym#_}"
fi
echo "#define __KSYM_${sym} 1"
done
}
# Find all external modules
mod_dir_list=$(find /lib/modules/${CUR_KERNEL_VER} -mindepth 1 -maxdepth 1 -type d \! -name 'kernel' | xargs)
for mod_dir in $mod_dir_list; do
for ko in ${mod_dir}/*.ko; do
list_required_ksyms ${ko}
done
done | sort -uHere should be a clean-up, because some symbols are defined in neighbour *.ko modules, but no big deal for now. This will propose kernel to include unknown symbols, like Testcd /usr/src/linux
sh /path/to/extern-ksym.sh > include/generated/autoksyms.h.extern
patch -p1 < /path/to/support-trim-unused-ksyms-for-external-modules.patch
make nconfig # enable CONFIG_TRIM_UNUSED_KSYMS
make
# check output:
# CHK include/generated/autoksyms.h
# KSYMS symbols: before=0, after=2965, external=563, changed=2965
# UPD include/generated/autoksyms.hResult
Note
Status
|
|
So, it's hard to fully automate process, but I already built several kernel versions with this, and in general I just copy generated Some stats:
Probably placebo effect: very fast content (re)draw in Firefox. |
|
In what unit is the size? |
|
hi i compiled the new kernel 5.5 today and i was not able to compile VirtualBox Modules and get here and i dont know why ???? is this zcat /proc/config.gz | grep CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS enabled by default ..... im recompiling now Thanks for the info. |
|
nope i still cannot compile the modules even with CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS disabled |
|
Thks, |
|
Calling script updated, cf above link. |
|
Calling script updated, cf above link. |
|
Single script version, cf above link. |
Is there any reason I'm missing? Big up for your work, by the way ;) |
|
|
|
Indeed CONFIG_UNUSED_KSYMS_WHITELIST allows single pass kernel build once WHITELIST has been elaborated |
@Sherulez What symbols does nvidia-dkms use? |
|
@makierika For example (I don't do this now, so not sure):
|
I'm tweaking my kernel config, when I ran across this option
CONFIG_TRIM_UNUSED_KSYMS.The title is
Trim unused exported kernel symbolswith a snippit of the description being:Anyone have any knowledge about the implications of this option?
Thanks!
The text was updated successfully, but these errors were encountered: