# SPDX-License-Identifier: GPL-2.0-only
menu "Kernel hardening options"

config GCC_PLUGIN_STRUCTLEAK
	bool
	help
	  While the kernel is built with warni
	  stack variable initializations, this
	  anything passed by reference to anot
	  occasionally misguided assumption th
	  the initialization. As this regularl
	  flaws, this plugin is available to i
	  such variables, depending on the cho

	  This plugin was originally ported fr
	  information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

menu "Memory initialization"

config CC_HAS_AUTO_VAR_INIT_PATTERN
	def_bool $(cc-option,-ftrivial-auto-va

config CC_HAS_AUTO_VAR_INIT_ZERO_BARE
	def_bool $(cc-option,-ftrivial-auto-va

config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
	# Clang 16 and later warn about using
	# is required before then.
	def_bool $(cc-option,-ftrivial-auto-va
	depends on !CC_HAS_AUTO_VAR_INIT_ZERO_

config CC_HAS_AUTO_VAR_INIT_ZERO
	def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BAR

choice
	prompt "Initialize kernel stack variab
	default GCC_PLUGIN_STRUCTLEAK_BYREF_AL
	default INIT_STACK_ALL_PATTERN if COMP
	default INIT_STACK_ALL_ZERO if CC_HAS_
	default INIT_STACK_NONE
	help
	  This option enables initialization o
	  function entry time. This has the po
	  greatest coverage (since all functio
	  variables initialized), but the perf
	  on the function calling complexity o
	  syscalls.

	  This chooses the level of coverage o
	  uninitialized variables. The selecte
	  initialized before use in a function

	config INIT_STACK_NONE
		bool "no automatic stack varia
		help
		  Disable automatic stack vari
		  This leaves the kernel vulne
		  classes of uninitialized sta
		  and information exposures.

	config GCC_PLUGIN_STRUCTLEAK_USER
		bool "zero-init structs marked
		# Plugin can be removed once t
		depends on GCC_PLUGINS && !CC_
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any structur
		  a __user attribute. This can
		  uninitialized stack variable
		  exposures, like CVE-2013-214
		  https://git.kernel.org/linus

	config GCC_PLUGIN_STRUCTLEAK_BYREF
		bool "zero-init structs passed
		# Plugin can be removed once t
		depends on GCC_PLUGINS && !CC_
		depends on !(KASAN && KASAN_ST
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any structur
		  be passed by reference and h
		  explicitly initialized. This
		  of uninitialized stack varia
		  exposures, like CVE-2017-100
		  https://git.kernel.org/linus

		  As a side-effect, this keeps
		  stack that can otherwise be
		  this with CONFIG_KASAN_STACK
		  and is disallowed.

	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
		bool "zero-init everything pas
		# Plugin can be removed once t
		depends on GCC_PLUGINS && !CC_
		depends on !(KASAN && KASAN_ST
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any stack va
		  by reference and had not alr
		  initialized. This is intende
		  of uninitialized stack varia
		  exposures.

		  As a side-effect, this keeps
		  stack that can otherwise be
		  this with CONFIG_KASAN_STACK
		  and is disallowed.

	config INIT_STACK_ALL_PATTERN
		bool "pattern-init everything
		depends on CC_HAS_AUTO_VAR_INI
		depends on !KMSAN
		help
		  Initializes everything on th
		  with a specific debug value.
		  all classes of uninitialized
		  information exposures, even
		  having been left uninitializ

		  Pattern initialization is kn
		  related to uninitialized loc
		  non-NULL values, buffer size
		  pattern is situation-specifi
		  repeating for all types and
		  which use 0xFF repeating (-N
		  repeating for all types and

	config INIT_STACK_ALL_ZERO
		bool "zero-init everything (st
		depends on CC_HAS_AUTO_VAR_INI
		depends on !KMSAN
		help
		  Initializes everything on th
		  with a zero value. This is i
		  classes of uninitialized sta
		  information exposures, even
		  about having been left unini

		  Zero initialization provides
		  (immediately NUL-terminated)
		  (index 0), and sizes (0 leng
		  suitable as a production sec
		  initialization.

endchoice

config GCC_PLUGIN_STRUCTLEAK_VERBOSE
	bool "Report forcefully initialized va
	depends on GCC_PLUGIN_STRUCTLEAK
	depends on !COMPILE_TEST	# too
	help
	  This option will cause a warning to
	  structleak plugin finds a variable i
	  initialized. Since not all existing
	  by the plugin, this can produce fals

config GCC_PLUGIN_STACKLEAK
	bool "Poison kernel stack before retur
	depends on GCC_PLUGINS
	depends on HAVE_ARCH_STACKLEAK
	help
	  This option makes the kernel erase t
	  returning from system calls. This ha
	  the stack initialized to the poison
	  the lifetime of any sensitive stack
	  potential for uninitialized stack va
	  exposures (it does not cover functio
	  depth as prior functions during the
	  most uninitialized stack variable at
	  impact being driven by the depth of
	  the function calling complexity.

	  The performance impact on a single C
	  sees a 1% slowdown, other systems an
	  are advised to test this feature on
	  deploying it.

	  This plugin was ported from grsecuri
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config GCC_PLUGIN_STACKLEAK_VERBOSE
	bool "Report stack depth analysis inst
	depends on GCC_PLUGIN_STACKLEAK
	depends on !COMPILE_TEST	# too
	help
	  This option will cause a warning to
	  stackleak plugin finds a function it
	  instrumented. This is useful for com
	  builds.
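The stack-initialization choice above (INIT_STACK_NONE, the structleak plugins, INIT_STACK_ALL_PATTERN and INIT_STACK_ALL_ZERO) is about what a function's local objects contain before the code writes to them. The following is an added userspace C example, not kernel code and not part of this Kconfig file: a constructed struct with padding and a never-written field stands in for the kind of object that gets copied out to a less privileged reader, and explicit memset calls stand in for what the compiler or plugin inserts at function entry. The struct layout, the 0x5A "stale stack" marker and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example struct: a one-byte field, a few padding bytes on the
 * usual ABIs, a field the code sets, and a field the code never writes.
 * This is the shape of object that STRUCTLEAK and INIT_STACK_ALL_* exist
 * to cover when it is copied out to a less privileged reader.
 */
struct report {
	uint8_t  type;      /* written below */
	uint32_t value;     /* written below; padding sits before it */
	uint64_t reserved;  /* never written: whatever was on the stack */
};

/* The fields a hypothetical handler "knows about" and fills in. */
static void fill_fields(struct report *r, uint8_t type, uint32_t value)
{
	r->type = type;
	r->value = value;
}

/*
 * Count every byte that is not part of an explicitly written field and
 * does not hold the fill byte the init policy promised. A result of 0
 * means nothing unexpected would be copied out with the object.
 */
static size_t unexpected_bytes(const struct report *r, unsigned char fill)
{
	const unsigned char *p = (const unsigned char *)r;
	size_t off_type = offsetof(struct report, type);
	size_t off_value = offsetof(struct report, value);
	size_t bad = 0;

	for (size_t i = 0; i < sizeof *r; i++) {
		if (i >= off_type && i < off_type + sizeof r->type)
			continue;
		if (i >= off_value && i < off_value + sizeof r->value)
			continue;
		if (p[i] != fill)
			bad++;
	}
	return bad;
}

/*
 * INIT_STACK_NONE stand-in: the stack already holds stale data, simulated
 * here with a 0x5A fill because reading truly uninitialized bytes is not
 * something a test can assert on. Padding and `reserved` stay stale.
 */
size_t leak_bytes_no_init(void)
{
	struct report r;

	memset(&r, 0x5A, sizeof r);	/* constructed "stale stack" contents */
	fill_fields(&r, 1, 42);
	return unexpected_bytes(&r, 0x00);
}

/* INIT_STACK_ALL_ZERO / structleak stand-in: whole object zeroed on entry. */
size_t leak_bytes_zero_init(void)
{
	struct report r;

	memset(&r, 0x00, sizeof r);	/* what the compiler inserts for us */
	fill_fields(&r, 1, 42);
	return unexpected_bytes(&r, 0x00);
}

/*
 * INIT_STACK_ALL_PATTERN stand-in: object filled with a debug pattern, so
 * anything left unwritten is recognisable rather than a usable value.
 */
size_t leak_bytes_pattern_init(unsigned char pattern)
{
	struct report r;

	memset(&r, pattern, sizeof r);
	fill_fields(&r, 1, 42);
	return unexpected_bytes(&r, pattern);
}

int main(void)
{
	printf("no init      : %zu stale bytes\n", leak_bytes_no_init());
	printf("zero init    : %zu stale bytes\n", leak_bytes_zero_init());
	printf("pattern 0xAA : %zu stale bytes\n", leak_bytes_pattern_init(0xAA));
	return 0;
}
```

Build with a plain `cc` and run. The zero and pattern policies return 0 because every byte the handler did not write holds the promised fill; the no-init stand-in returns the number of padding plus `reserved` bytes, which is exactly the data that would leave with the object. Compiling with `-ftrivial-auto-var-init=zero` is how the kernel obtains this behaviour without a hand-written memset, but the example does not depend on that flag.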

config STACKLEAK_TRACK_MIN_SIZE
	int "Minimum stack frame size of funct
	default 100
	range 0 4096
	depends on GCC_PLUGIN_STACKLEAK
	help
	  The STACKLEAK gcc plugin instruments
	  the lowest border of the kernel stac
	  It inserts the stackleak_track_stack
	  a stack frame size greater than or e
	  If unsure, leave the default value 1

config STACKLEAK_METRICS
	bool "Show STACKLEAK metrics in the /p
	depends on GCC_PLUGIN_STACKLEAK
	depends on PROC_FS
	help
	  If this is set, STACKLEAK metrics fo
	  the /proc file system. In particular
	  shows the maximum kernel stack consu
	  previous syscalls. Although this inf
	  can be useful for estimating the STA
	  your workloads.

config STACKLEAK_RUNTIME_DISABLE
	bool "Allow runtime disabling of kerne
	depends on GCC_PLUGIN_STACKLEAK
	help
	  This option provides 'stack_erasing'
	  runtime to control kernel stack eras
	  CONFIG_GCC_PLUGIN_STACKLEAK.

config INIT_ON_ALLOC_DEFAULT_ON
	bool "Enable heap memory zeroing on al
	depends on !KMSAN
	help
	  This has the effect of setting "init
	  command line. This can be disabled w
	  When "init_on_alloc" is enabled, all
	  allocator memory will be zeroed when
	  many kinds of "uninitialized heap me
	  heap content exposures. The performa
	  workload, but most cases see <1% imp
	  workloads have measured as high as 7

config INIT_ON_FREE_DEFAULT_ON
	bool "Enable heap memory zeroing on fr
	depends on !KMSAN
	help
	  This has the effect of setting "init
	  command line. This can be disabled w
	  Similar to "init_on_alloc", when "in
	  all page allocator and slab allocato
	  when freed, eliminating many kinds o
	  flaws, especially heap content expos
	  with "init_on_free" is that data lif
	  as anything freed is wiped immediate
	  cold boot memory attacks unable to r
	  The performance impact varies by wor
	  than "init_on_alloc" due to the nega
	  touching "cold" memory areas. Most c
	  synthetic workloads have measured as

config CC_HAS_ZERO_CALL_USED_REGS
	def_bool $(cc-option,-fzero-call-used-
	# https://github.com/ClangBuiltLinux/l
	# https://github.com/llvm/llvm-project
	depends on !CC_IS_CLANG || CLANG_VERSI

config ZERO_CALL_USED_REGS
	bool "Enable register zeroing on funct
	depends on CC_HAS_ZERO_CALL_USED_REGS
	help
	  At the end of functions, always zero
	  contents. This helps ensure that tem
	  leaked beyond the function boundary.
	  contents are less likely to be avail
	  and information exposures. Additiona
	  number of useful ROP gadgets by abou
	  generated "write-what-where" gadgets
	  image. This has a less than 1% perfo
	  workloads. Image size growth depends
	  be evaluated for suitability. For ex
	  than 1%, and arm64 grows by about 5%

endmenu

menu "Hardening of kernel data structures"

config LIST_HARDENED
	bool "Check integrity of linked list m
	help
	  Minimal integrity checking in the li
	  to catch memory corruptions that are
	  immediate access fault.

	  If unsure, say N.

config BUG_ON_DATA_CORRUPTION
	bool "Trigger a BUG when data corrupti
	select LIST_HARDENED
	help
	  Select this option if the kernel sho
	  data corruption in kernel memory str
	  for validity.

	  If unsure, say N.
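To make concrete what init_on_alloc and init_on_free (the settings that INIT_ON_ALLOC_DEFAULT_ON and INIT_ON_FREE_DEFAULT_ON above turn on by default) change about data lifetime, here is an added userspace C example; it is not kernel code and not part of this file. A toy fixed-slot allocator, constructed for the example, carries the two flags; the secret string, the 0x5A marker for pre-existing contents and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy fixed-slot allocator (constructed for this example; not the kernel's
 * page or slab allocator). The two flags model the init_on_alloc=1 and
 * init_on_free=1 command-line settings.
 */
#define ARENA_SLOTS 8
#define SLOT_SIZE 32

struct arena {
	unsigned char store[ARENA_SLOTS * SLOT_SIZE];
	bool in_use[ARENA_SLOTS];
	bool init_on_alloc;
	bool init_on_free;
};

static void arena_init(struct arena *a, bool on_alloc, bool on_free)
{
	/* Marker fill so that pre-existing contents are visible. */
	memset(a->store, 0x5A, sizeof a->store);
	memset(a->in_use, 0, sizeof a->in_use);
	a->init_on_alloc = on_alloc;
	a->init_on_free = on_free;
}

static unsigned char *arena_alloc(struct arena *a)
{
	for (size_t i = 0; i < ARENA_SLOTS; i++) {
		if (a->in_use[i])
			continue;
		a->in_use[i] = true;
		unsigned char *p = a->store + i * SLOT_SIZE;
		if (a->init_on_alloc)
			memset(p, 0, SLOT_SIZE);	/* zeroed when handed out */
		return p;
	}
	return NULL;
}

static void arena_free(struct arena *a, unsigned char *p)
{
	size_t i = (size_t)(p - a->store) / SLOT_SIZE;

	if (a->init_on_free)
		memset(p, 0, SLOT_SIZE);	/* wiped the moment it is freed */
	a->in_use[i] = false;
}

static const char secret[] = "constructed-secret-key!";	/* 23 bytes */

/*
 * Bytes of the secret still present in the backing store after the object
 * that held it is freed. Inspected through the arena's own storage, never
 * through the freed pointer, so the observation itself is well defined.
 */
size_t secret_bytes_after_free(bool on_alloc, bool on_free)
{
	const size_t len = sizeof secret - 1;
	struct arena a;
	size_t survived = 0;

	arena_init(&a, on_alloc, on_free);
	unsigned char *p = arena_alloc(&a);
	memcpy(p, secret, len);
	size_t off = (size_t)(p - a.store);
	arena_free(&a, p);
	for (size_t i = 0; i < len; i++)
		survived += a.store[off + i] == (unsigned char)secret[i];
	return survived;
}

/*
 * Same question asked by the next owner of the slot: allocate again after
 * the free and count how much of the secret the new allocation contains.
 */
size_t secret_bytes_after_reuse(bool on_alloc, bool on_free)
{
	const size_t len = sizeof secret - 1;
	struct arena a;
	size_t survived = 0;

	arena_init(&a, on_alloc, on_free);
	unsigned char *p = arena_alloc(&a);
	memcpy(p, secret, len);
	arena_free(&a, p);
	unsigned char *q = arena_alloc(&a);	/* lowest free slot: the same one */
	for (size_t i = 0; i < len; i++)
		survived += q[i] == (unsigned char)secret[i];
	return survived;
}

int main(void)
{
	printf("neither       : %zu bytes left after free, %zu seen by next owner\n",
	       secret_bytes_after_free(false, false), secret_bytes_after_reuse(false, false));
	printf("init_on_alloc : %zu bytes left after free, %zu seen by next owner\n",
	       secret_bytes_after_free(true, false), secret_bytes_after_reuse(true, false));
	printf("init_on_free  : %zu bytes left after free, %zu seen by next owner\n",
	       secret_bytes_after_free(false, true), secret_bytes_after_reuse(false, true));
	return 0;
}
```

Without either setting the secret stays in the backing store after free and is handed intact to the next owner of the slot. init_on_alloc alone protects that next owner but leaves the bytes in place until the slot is reused; init_on_free wipes them at free time, which is the shorter data lifetime the help text above describes.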
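The LIST_HARDENED and BUG_ON_DATA_CORRUPTION options above refer to integrity checks on linked-list manipulation. The following added C example (constructed for this page; not the kernel's list_debug implementation) shows the shape of such a check in a small userspace doubly-linked list and how the bug-on-corruption policy changes the response. The list type, function names and the corruption scenario are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct list_head {
	struct list_head *next, *prev;
};

static void init_list_head(struct list_head *h)
{
	h->next = h;
	h->prev = h;
}

/*
 * Consistency checks in the spirit of LIST_HARDENED (constructed here; not
 * the kernel's own code): the two neighbours must still point at each
 * other, and the entry being inserted must not already be one of them.
 * The checks read only pointers the insert is about to use anyway.
 */
static bool list_add_valid(const struct list_head *entry,
			   const struct list_head *prev,
			   const struct list_head *next)
{
	if (next->prev != prev) {
		fprintf(stderr, "list_add corruption: next->prev != prev\n");
		return false;
	}
	if (prev->next != next) {
		fprintf(stderr, "list_add corruption: prev->next != next\n");
		return false;
	}
	if (entry == prev || entry == next) {
		fprintf(stderr, "list_add double add: entry already adjacent\n");
		return false;
	}
	return true;
}

/*
 * Insert at the head. With bug_on_corruption set this behaves like
 * BUG_ON_DATA_CORRUPTION (stop immediately); otherwise it only refuses
 * the operation and lets the caller continue.
 */
static bool list_add_checked(struct list_head *entry, struct list_head *head,
			     bool bug_on_corruption)
{
	struct list_head *prev = head, *next = head->next;

	if (!list_add_valid(entry, prev, next)) {
		if (bug_on_corruption)
			abort();
		return false;
	}
	next->prev = entry;
	entry->next = next;
	entry->prev = prev;
	prev->next = entry;
	return true;
}

static size_t list_length(const struct list_head *head)
{
	size_t n = 0;

	for (const struct list_head *p = head->next; p != head; p = p->next)
		n++;
	return n;
}

/* Two well-formed inserts: both accepted, length 2. */
size_t scenario_clean(void)
{
	struct list_head head, a, b;

	init_list_head(&head);
	list_add_checked(&a, &head, false);
	list_add_checked(&b, &head, false);
	return list_length(&head);
}

/*
 * A stray write clobbers a.prev (constructed corruption). The next insert
 * at the head sees head->next->prev != head and is refused, so the list
 * keeps its one valid element instead of being wired into the bogus node.
 */
bool scenario_corrupted_is_rejected(void)
{
	struct list_head head, a, b, bogus;

	init_list_head(&head);
	init_list_head(&bogus);
	list_add_checked(&a, &head, false);
	a.prev = &bogus;
	bool accepted = list_add_checked(&b, &head, false);
	return !accepted && list_length(&head) == 1;
}

/* Inserting an entry that is already the head's neighbour is refused. */
bool scenario_double_add_is_rejected(void)
{
	struct list_head head, a;

	init_list_head(&head);
	list_add_checked(&a, &head, false);
	return !list_add_checked(&a, &head, false) && list_length(&head) == 1;
}

int main(void)
{
	printf("clean inserts: length %zu\n", scenario_clean());
	printf("corrupted prev rejected: %d\n", scenario_corrupted_is_rejected());
	printf("double add rejected: %d\n", scenario_double_add_is_rejected());
	return 0;
}
```

The cost is a few pointer compares per insert and no extra memory; the pay-off is that a corrupted neighbour pointer is reported at the list operation itself rather than at some later, unrelated dereference, which is the "not an immediate access fault" case the help text has in mind.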

endmenu

config CC_HAS_RANDSTRUCT
	def_bool $(cc-option,-frandomize-layou
	# Randstruct was first added in Clang
	# Clang 16 due to https://github.com/l
	depends on !CC_IS_CLANG || CLANG_VERSI

choice
	prompt "Randomize layout of sensitive
	default RANDSTRUCT_FULL if COMPILE_TES
	default RANDSTRUCT_NONE
	help
	  If you enable this, the layouts of s
	  function pointers (and have not been
	  __no_randomize_layout), or structure
	  marked with __randomize_layout, will
	  This can introduce the requirement o
	  exposure vulnerability for exploits
	  types.

	  Enabling this feature will introduce
	  slightly increase memory usage, and
	  tools like Volatility against the sy
	  source tree isn't cleaned after kern

	  The seed used for compilation is in
	  It remains after a "make clean" to a
	  be compiled with the existing seed a
	  "make mrproper" or "make distclean".
	  public, or the structure layout can

	config RANDSTRUCT_NONE
		bool "Disable structure layout
		help
		  Build normally: no structure

	config RANDSTRUCT_FULL
		bool "Fully randomize structur
		depends on CC_HAS_RANDSTRUCT |
		select MODVERSIONS if MODULES
		help
		  Fully randomize the member l
		  structures as much as possib
		  memory size and performance

		  One difference between the C
		  implementations is the handl
		  plugin treats them as fully
		  introducing sometimes signif
		  to keep adjacent bitfields t
		  ordering randomized.

	config RANDSTRUCT_PERFORMANCE
		bool "Limit randomization of s
		depends on GCC_PLUGINS
		select MODVERSIONS if MODULES
		help
		  Randomization of sensitive k
		  best effort at restricting r
		  groups of members. It will f
		  in structures. This reduces
		  at the cost of weakened rand
endchoice

config RANDSTRUCT
	def_bool !RANDSTRUCT_NONE

config GCC_PLUGIN_RANDSTRUCT
	def_bool GCC_PLUGINS && RANDSTRUCT
	help
	  Use GCC plugin to randomize structur

	  This plugin was ported from grsecuri
	  information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

endmenu