projects / thirdparty / linux.git / blame
| Commit | Line | Data |
|---|---|---|
| 9f671e58 KC |
1 | menu "Kernel hardening options" |
| 2 | ||
| 3 | config GCC_PLUGIN_STRUCTLEAK | |
| 4 | bool | |
| 5 | help | |
| 6 | While the kernel is built with warnings enabled for any missed | |
| 7 | stack variable initializations, this warning is silenced for | |
| 8 | anything passed by reference to another function, under the | |
| 9 | occasionally misguided assumption that the function will do | |
| 10 | the initialization. As this regularly leads to exploitable | |
| 11 | flaws, this plugin is available to identify and zero-initialize | |
| 12 | such variables, depending on the chosen level of coverage. | |
| 13 | ||
| 14 | This plugin was originally ported from grsecurity/PaX. More | |
| 15 | information at: | |
| 16 | * https://grsecurity.net/ | |
| 17 | * https://pax.grsecurity.net/ | |
| 18 | ||
| 19 | menu "Memory initialization" | |
| 20 | ||
| 709a972e KC |
21 | config CC_HAS_AUTO_VAR_INIT |
| 22 | def_bool $(cc-option,-ftrivial-auto-var-init=pattern) | |
| 23 | ||
| 9f671e58 KC |
24 | choice |
| 25 | prompt "Initialize kernel stack variables at function entry" | |
| 26 | default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS | |
| 709a972e | 27 | default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT |
| 9f671e58 KC |
28 | default INIT_STACK_NONE |
| 29 | help | |
| 30 | This option enables initialization of stack variables at | |
| 31 | function entry time. This has the possibility to have the | |
| 32 | greatest coverage (since all functions can have their | |
| 33 | variables initialized), but the performance impact depends | |
| 34 | on the function calling complexity of a given workload's | |
| 35 | syscalls. | |
| 36 | ||
| 37 | This chooses the level of coverage over classes of potentially | |
| 38 | uninitialized variables. The selected class will be | |
| 39 | initialized before use in a function. | |
| 40 | ||
| 41 | config INIT_STACK_NONE | |
| 42 | bool "no automatic initialization (weakest)" | |
| 43 | help | |
| 44 | Disable automatic stack variable initialization. | |
| 45 | This leaves the kernel vulnerable to the standard | |
| 46 | classes of uninitialized stack variable exploits | |
| 47 | and information exposures. | |
| 48 | ||
| 49 | config GCC_PLUGIN_STRUCTLEAK_USER | |
| 50 | bool "zero-init structs marked for userspace (weak)" | |
| 51 | depends on GCC_PLUGINS | |
| 52 | select GCC_PLUGIN_STRUCTLEAK | |
| 53 | help | |
| 54 | Zero-initialize any structures on the stack containing | |
| 55 | a __user attribute. This can prevent some classes of | |
| 56 | uninitialized stack variable exploits and information | |
| 57 | exposures, like CVE-2013-2141: | |
| 58 | https://git.kernel.org/linus/b9e146d8eb3b9eca | |
| 59 | ||
| 60 | config GCC_PLUGIN_STRUCTLEAK_BYREF | |
| 61 | bool "zero-init structs passed by reference (strong)" | |
| 62 | depends on GCC_PLUGINS | |
| 63 | select GCC_PLUGIN_STRUCTLEAK | |
| 64 | help | |
| 65 | Zero-initialize any structures on the stack that may | |
| 66 | be passed by reference and had not already been | |
| 67 | explicitly initialized. This can prevent most classes | |
| 68 | of uninitialized stack variable exploits and information | |
| 69 | exposures, like CVE-2017-1000410: | |
| 70 | https://git.kernel.org/linus/06e7e776ca4d3654 | |
| 71 | ||
| 72 | config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | |
| 73 | bool "zero-init anything passed by reference (very strong)" | |
| 74 | depends on GCC_PLUGINS | |
| 75 | select GCC_PLUGIN_STRUCTLEAK | |
| 76 | help | |
| 77 | Zero-initialize any stack variables that may be passed | |
| 78 | by reference and had not already been explicitly | |
| 79 | initialized. This is intended to eliminate all classes | |
| 80 | of uninitialized stack variable exploits and information | |
| 81 | exposures. | |
| 82 | ||
| 709a972e KC |
83 | config INIT_STACK_ALL |
| 84 | bool "0xAA-init everything on the stack (strongest)" | |
| 85 | depends on CC_HAS_AUTO_VAR_INIT | |
| 86 | help | |
| 87 | Initializes everything on the stack with a 0xAA | |
| 88 | pattern. This is intended to eliminate all classes | |
| 89 | of uninitialized stack variable exploits and information | |
| 90 | exposures, even variables that were warned to have been | |
| 91 | left uninitialized. | |
| 92 | ||
| 9f671e58 KC |
93 | endchoice |
| 94 | ||
| 95 | config GCC_PLUGIN_STRUCTLEAK_VERBOSE | |
| 96 | bool "Report forcefully initialized variables" | |
| 97 | depends on GCC_PLUGIN_STRUCTLEAK | |
| 98 | depends on !COMPILE_TEST # too noisy | |
| 99 | help | |
| 100 | This option will cause a warning to be printed each time the | |
| 101 | structleak plugin finds a variable it thinks needs to be | |
| 102 | initialized. Since not all existing initializers are detected | |
| 103 | by the plugin, this can produce false positive warnings. | |
| 104 | ||
| b6a6a377 KC |
105 | config GCC_PLUGIN_STACKLEAK |
| 106 | bool "Poison kernel stack before returning from syscalls" | |
| 107 | depends on GCC_PLUGINS | |
| 108 | depends on HAVE_ARCH_STACKLEAK | |
| 109 | help | |
| 110 | This option makes the kernel erase the kernel stack before | |
| 111 | returning from system calls. This has the effect of leaving | |
| 112 | the stack initialized to the poison value, which both reduces | |
| 113 | the lifetime of any sensitive stack contents and reduces | |
| 114 | potential for uninitialized stack variable exploits or information | |
| 115 | exposures (it does not cover functions reaching the same stack | |
| 116 | depth as prior functions during the same syscall). This blocks | |
| 117 | most uninitialized stack variable attacks, with the performance | |
| 118 | impact being driven by the depth of the stack usage, rather than | |
| 119 | the function calling complexity. | |
| 120 | ||
| 121 | The performance impact on a single CPU system kernel compilation | |
| 122 | sees a 1% slowdown, other systems and workloads may vary and you | |
| 123 | are advised to test this feature on your expected workload before | |
| 124 | deploying it. | |
| 125 | ||
| 126 | This plugin was ported from grsecurity/PaX. More information at: | |
| 127 | * https://grsecurity.net/ | |
| 128 | * https://pax.grsecurity.net/ | |
| 129 | ||
| 130 | config STACKLEAK_TRACK_MIN_SIZE | |
| 131 | int "Minimum stack frame size of functions tracked by STACKLEAK" | |
| 132 | default 100 | |
| 133 | range 0 4096 | |
| 134 | depends on GCC_PLUGIN_STACKLEAK | |
| 135 | help | |
| 136 | The STACKLEAK gcc plugin instruments the kernel code for tracking | |
| 137 | the lowest border of the kernel stack (and for some other purposes). | |
| 138 | It inserts the stackleak_track_stack() call for the functions with | |
| 139 | a stack frame size greater than or equal to this parameter. | |
| 140 | If unsure, leave the default value 100. | |
| 141 | ||
| 142 | config STACKLEAK_METRICS | |
| 143 | bool "Show STACKLEAK metrics in the /proc file system" | |
| 144 | depends on GCC_PLUGIN_STACKLEAK | |
| 145 | depends on PROC_FS | |
| 146 | help | |
| 147 | If this is set, STACKLEAK metrics for every task are available in | |
| 148 | the /proc file system. In particular, /proc/<pid>/stack_depth | |
| 149 | shows the maximum kernel stack consumption for the current and | |
| 150 | previous syscalls. Although this information is not precise, it | |
| 151 | can be useful for estimating the STACKLEAK performance impact for | |
| 152 | your workloads. | |
| 153 | ||
| 154 | config STACKLEAK_RUNTIME_DISABLE | |
| 155 | bool "Allow runtime disabling of kernel stack erasing" | |
| 156 | depends on GCC_PLUGIN_STACKLEAK | |
| 157 | help | |
| 158 | This option provides 'stack_erasing' sysctl, which can be used in | |
| 159 | runtime to control kernel stack erasing for kernels built with | |
| 160 | CONFIG_GCC_PLUGIN_STACKLEAK. | |
| 161 | ||
| 9f671e58 KC |
162 | endmenu |
| 163 | ||
| 164 | endmenu |