~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/Kconfig.hardening

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/Kconfig.hardening (Version linux-6.12-rc7) and /security/Kconfig.hardening (Version linux-4.9.337)


  1 # SPDX-License-Identifier: GPL-2.0-only           
  2 menu "Kernel hardening options"                   
  3                                                   
  4 config GCC_PLUGIN_STRUCTLEAK                      
  5         bool                                      
  6         help                                      
  7           While the kernel is built with warni    
  8           stack variable initializations, this    
  9           anything passed by reference to anot    
 10           occasionally misguided assumption th    
 11           the initialization. As this regularl    
 12           flaws, this plugin is available to i    
 13           such variables, depending on the cho    
 14                                                   
 15           This plugin was originally ported fr    
 16           information at:                         
 17            * https://grsecurity.net/              
 18            * https://pax.grsecurity.net/          
 19                                                   
 20 menu "Memory initialization"                      
 21                                                   
 22 config CC_HAS_AUTO_VAR_INIT_PATTERN               
 23         def_bool $(cc-option,-ftrivial-auto-va    
 24                                                   
 25 config CC_HAS_AUTO_VAR_INIT_ZERO_BARE             
 26         def_bool $(cc-option,-ftrivial-auto-va    
 27                                                   
 28 config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER          
 29         # Clang 16 and later warn about using     
 30         # is required before then.                
 31         def_bool $(cc-option,-ftrivial-auto-va    
 32         depends on !CC_HAS_AUTO_VAR_INIT_ZERO_    
 33                                                   
 34 config CC_HAS_AUTO_VAR_INIT_ZERO                  
 35         def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BAR    
 36                                                   
 37 choice                                            
 38         prompt "Initialize kernel stack variab    
 39         default GCC_PLUGIN_STRUCTLEAK_BYREF_AL    
 40         default INIT_STACK_ALL_PATTERN if COMP    
 41         default INIT_STACK_ALL_ZERO if CC_HAS_    
 42         default INIT_STACK_NONE                   
 43         help                                      
 44           This option enables initialization o    
 45           function entry time. This has the po    
 46           greatest coverage (since all functio    
 47           variables initialized), but the perf    
 48           on the function calling complexity o    
 49           syscalls.                               
 50                                                   
 51           This chooses the level of coverage o    
 52           uninitialized variables. The selecte    
 53           initialized before use in a function    
 54                                                   
 55         config INIT_STACK_NONE                    
 56                 bool "no automatic stack varia    
 57                 help                              
 58                   Disable automatic stack vari    
 59                   This leaves the kernel vulne    
 60                   classes of uninitialized sta    
 61                   and information exposures.      
 62                                                   
 63         config GCC_PLUGIN_STRUCTLEAK_USER         
 64                 bool "zero-init structs marked    
 65                 # Plugin can be removed once t    
 66                 depends on GCC_PLUGINS && !CC_    
 67                 select GCC_PLUGIN_STRUCTLEAK      
 68                 help                              
 69                   Zero-initialize any structur    
 70                   a __user attribute. This can    
 71                   uninitialized stack variable    
 72                   exposures, like CVE-2013-214    
 73                   https://git.kernel.org/linus    
 74                                                   
 75         config GCC_PLUGIN_STRUCTLEAK_BYREF        
 76                 bool "zero-init structs passed    
 77                 # Plugin can be removed once t    
 78                 depends on GCC_PLUGINS && !CC_    
 79                 depends on !(KASAN && KASAN_ST    
 80                 select GCC_PLUGIN_STRUCTLEAK      
 81                 help                              
 82                   Zero-initialize any structur    
 83                   be passed by reference and h    
 84                   explicitly initialized. This    
 85                   of uninitialized stack varia    
 86                   exposures, like CVE-2017-100    
 87                   https://git.kernel.org/linus    
 88                                                   
 89                   As a side-effect, this keeps    
 90                   stack that can otherwise be     
 91                   this with CONFIG_KASAN_STACK    
 92                   and is disallowed.              
 93                                                   
 94         config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL    
 95                 bool "zero-init everything pas    
 96                 # Plugin can be removed once t    
 97                 depends on GCC_PLUGINS && !CC_    
 98                 depends on !(KASAN && KASAN_ST    
 99                 select GCC_PLUGIN_STRUCTLEAK      
100                 help                              
101                   Zero-initialize any stack va    
102                   by reference and had not alr    
103                   initialized. This is intende    
104                   of uninitialized stack varia    
105                   exposures.                      
106                                                   
107                   As a side-effect, this keeps    
108                   stack that can otherwise be     
109                   this with CONFIG_KASAN_STACK    
110                   and is disallowed.              
111                                                   
112         config INIT_STACK_ALL_PATTERN             
113                 bool "pattern-init everything     
114                 depends on CC_HAS_AUTO_VAR_INI    
115                 depends on !KMSAN                 
116                 help                              
117                   Initializes everything on th    
118                   with a specific debug value.    
119                   all classes of uninitialized    
120                   information exposures, even     
121                   having been left uninitializ    
122                                                   
123                   Pattern initialization is kn    
124                   related to uninitialized loc    
125                   non-NULL values, buffer size    
126                   pattern is situation-specifi    
127                   repeating for all types and     
128                   which use 0xFF repeating (-N    
129                   repeating for all types and     
130                                                   
131         config INIT_STACK_ALL_ZERO                
132                 bool "zero-init everything (st    
133                 depends on CC_HAS_AUTO_VAR_INI    
134                 depends on !KMSAN                 
135                 help                              
136                   Initializes everything on th    
137                   with a zero value. This is i    
138                   classes of uninitialized sta    
139                   information exposures, even     
140                   about having been left unini    
141                                                   
142                   Zero initialization provides    
143                   (immediately NUL-terminated)    
144                   (index 0), and sizes (0 leng    
145                   suitable as a production sec    
146                   initialization.                 
147                                                   
148 endchoice                                         
149                                                   
150 config GCC_PLUGIN_STRUCTLEAK_VERBOSE              
151         bool "Report forcefully initialized va    
152         depends on GCC_PLUGIN_STRUCTLEAK          
153         depends on !COMPILE_TEST        # too     
154         help                                      
155           This option will cause a warning to     
156           structleak plugin finds a variable i    
157           initialized. Since not all existing     
158           by the plugin, this can produce fals    
159                                                   
160 config GCC_PLUGIN_STACKLEAK                       
161         bool "Poison kernel stack before retur    
162         depends on GCC_PLUGINS                    
163         depends on HAVE_ARCH_STACKLEAK            
164         help                                      
165           This option makes the kernel erase t    
166           returning from system calls. This ha    
167           the stack initialized to the poison     
168           the lifetime of any sensitive stack     
169           potential for uninitialized stack va    
170           exposures (it does not cover functio    
171           depth as prior functions during the     
172           most uninitialized stack variable at    
173           impact being driven by the depth of     
174           the function calling complexity.        
175                                                   
176           The performance impact on a single C    
177           sees a 1% slowdown, other systems an    
178           are advised to test this feature on     
179           deploying it.                           
180                                                   
181           This plugin was ported from grsecuri    
182            * https://grsecurity.net/              
183            * https://pax.grsecurity.net/          
184                                                   
185 config GCC_PLUGIN_STACKLEAK_VERBOSE               
186         bool "Report stack depth analysis inst    
187         depends on GCC_PLUGIN_STACKLEAK           
188         depends on !COMPILE_TEST        # too     
189         help                                      
190           This option will cause a warning to     
191           stackleak plugin finds a function it    
192           instrumented. This is useful for com    
193           builds.                                 
194                                                   
195 config STACKLEAK_TRACK_MIN_SIZE                   
196         int "Minimum stack frame size of funct    
197         default 100                               
198         range 0 4096                              
199         depends on GCC_PLUGIN_STACKLEAK           
200         help                                      
201           The STACKLEAK gcc plugin instruments    
202           the lowest border of the kernel stac    
203           It inserts the stackleak_track_stack    
204           a stack frame size greater than or e    
205           If unsure, leave the default value 1    
206                                                   
207 config STACKLEAK_METRICS                          
208         bool "Show STACKLEAK metrics in the /p    
209         depends on GCC_PLUGIN_STACKLEAK           
210         depends on PROC_FS                        
211         help                                      
212           If this is set, STACKLEAK metrics fo    
213           the /proc file system. In particular    
214           shows the maximum kernel stack consu    
215           previous syscalls. Although this inf    
216           can be useful for estimating the STA    
217           your workloads.                         
218                                                   
219 config STACKLEAK_RUNTIME_DISABLE                  
220         bool "Allow runtime disabling of kerne    
221         depends on GCC_PLUGIN_STACKLEAK           
222         help                                      
223           This option provides 'stack_erasing'    
224           runtime to control kernel stack eras    
225           CONFIG_GCC_PLUGIN_STACKLEAK.            
226                                                   
227 config INIT_ON_ALLOC_DEFAULT_ON                   
228         bool "Enable heap memory zeroing on al    
229         depends on !KMSAN                         
230         help                                      
231           This has the effect of setting "init    
232           command line. This can be disabled w    
233           When "init_on_alloc" is enabled, all    
234           allocator memory will be zeroed when    
235           many kinds of "uninitialized heap me    
236           heap content exposures. The performa    
237           workload, but most cases see <1% imp    
238           workloads have measured as high as 7    
239                                                   
240 config INIT_ON_FREE_DEFAULT_ON                    
241         bool "Enable heap memory zeroing on fr    
242         depends on !KMSAN                         
243         help                                      
244           This has the effect of setting "init    
245           command line. This can be disabled w    
246           Similar to "init_on_alloc", when "in    
247           all page allocator and slab allocato    
248           when freed, eliminating many kinds o    
249           flaws, especially heap content expos    
250           with "init_on_free" is that data lif    
251           as anything freed is wiped immediate    
252           cold boot memory attacks unable to r    
253           The performance impact varies by wor    
254           than "init_on_alloc" due to the nega    
255           touching "cold" memory areas. Most c    
256           synthetic workloads have measured as    
257                                                   
258 config CC_HAS_ZERO_CALL_USED_REGS                 
259         def_bool $(cc-option,-fzero-call-used-    
260         # https://github.com/ClangBuiltLinux/l    
261         # https://github.com/llvm/llvm-project    
262         depends on !CC_IS_CLANG || CLANG_VERSI    
263                                                   
264 config ZERO_CALL_USED_REGS                        
265         bool "Enable register zeroing on funct    
266         depends on CC_HAS_ZERO_CALL_USED_REGS     
267         help                                      
268           At the end of functions, always zero    
269           contents. This helps ensure that tem    
270           leaked beyond the function boundary.    
271           contents are less likely to be avail    
272           and information exposures. Additiona    
273           number of useful ROP gadgets by abou    
274           generated "write-what-where" gadgets    
275           image. This has a less than 1% perfo    
276           workloads. Image size growth depends    
277           be evaluated for suitability. For ex    
278           than 1%, and arm64 grows by about 5%    
279                                                   
280 endmenu                                           
281                                                   
282 menu "Hardening of kernel data structures"        
283                                                   
284 config LIST_HARDENED                              
285         bool "Check integrity of linked list m    
286         help                                      
287           Minimal integrity checking in the li    
288           to catch memory corruptions that are    
289           immediate access fault.                 
290                                                   
291           If unsure, say N.                       
292                                                   
293 config BUG_ON_DATA_CORRUPTION                     
294         bool "Trigger a BUG when data corrupti    
295         select LIST_HARDENED                      
296         help                                      
297           Select this option if the kernel sho    
298           data corruption in kernel memory str    
299           for validity.                           
300                                                   
301           If unsure, say N.                       
302                                                   
303 endmenu                                           
304                                                   
305 config CC_HAS_RANDSTRUCT                          
306         def_bool $(cc-option,-frandomize-layou    
307         # Randstruct was first added in Clang     
308         # Clang 16 due to https://github.com/l    
309         depends on !CC_IS_CLANG || CLANG_VERSI    
310                                                   
311 choice                                            
312         prompt "Randomize layout of sensitive     
313         default RANDSTRUCT_FULL if COMPILE_TES    
314         default RANDSTRUCT_NONE                   
315         help                                      
316           If you enable this, the layouts of s    
317           function pointers (and have not been    
318           __no_randomize_layout), or structure    
319           marked with __randomize_layout, will    
320           This can introduce the requirement o    
321           exposure vulnerability for exploits     
322           types.                                  
323                                                   
324           Enabling this feature will introduce    
325           slightly increase memory usage, and     
326           tools like Volatility against the sy    
327           source tree isn't cleaned after kern    
328                                                   
329           The seed used for compilation is in     
330           It remains after a "make clean" to a    
331           be compiled with the existing seed a    
332           "make mrproper" or "make distclean".    
333           public, or the structure layout can     
334                                                   
335         config RANDSTRUCT_NONE                    
336                 bool "Disable structure layout    
337                 help                              
338                   Build normally: no structure    
339                                                   
340         config RANDSTRUCT_FULL                    
341                 bool "Fully randomize structur    
342                 depends on CC_HAS_RANDSTRUCT |    
343                 select MODVERSIONS if MODULES     
344                 help                              
345                   Fully randomize the member l    
346                   structures as much as possib    
347                   memory size and performance     
348                                                   
349                   One difference between the C    
350                   implementations is the handl    
351                   plugin treats them as fully     
352                   introducing sometimes signif    
353                   to keep adjacent bitfields t    
354                   ordering randomized.            
355                                                   
356         config RANDSTRUCT_PERFORMANCE             
357                 bool "Limit randomization of s    
358                 depends on GCC_PLUGINS            
359                 select MODVERSIONS if MODULES     
360                 help                              
361                   Randomization of sensitive k    
362                   best effort at restricting r    
363                   groups of members. It will f    
364                   in structures. This reduces     
365                   at the cost of weakened rand    
366 endchoice                                         
367                                                   
368 config RANDSTRUCT                                 
369         def_bool !RANDSTRUCT_NONE                 
370                                                   
371 config GCC_PLUGIN_RANDSTRUCT                      
372         def_bool GCC_PLUGINS && RANDSTRUCT        
373         help                                      
374           Use GCC plugin to randomize structur    
375                                                   
376           This plugin was ported from grsecuri    
377           information at:                         
378            * https://grsecurity.net/              
379            * https://pax.grsecurity.net/          
380                                                   
381 endmenu                                           
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php