[linux-block.git] / lib / Kconfig.kasan

# SPDX-License-Identifier: GPL-2.0-only

# This config refers to the generic KASAN mode.
config HAVE_ARCH_KASAN
	bool

config HAVE_ARCH_KASAN_SW_TAGS
	bool

config HAVE_ARCH_KASAN_HW_TAGS
	bool

config HAVE_ARCH_KASAN_VMALLOC
	bool

config ARCH_DISABLE_KASAN_INLINE
	bool
	help
	  Disables both inline and stack instrumentation. Selected by
	  architectures that do not support these instrumentation types.

config CC_HAS_KASAN_GENERIC
	def_bool $(cc-option, -fsanitize=kernel-address)

config CC_HAS_KASAN_SW_TAGS
	def_bool $(cc-option, -fsanitize=kernel-hwaddress)

# This option is only required for software KASAN modes.
# Old GCC versions do not have proper support for no_sanitize_address.
# See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89124 for details.
config CC_HAS_WORKING_NOSANITIZE_ADDRESS
	def_bool !CC_IS_GCC || GCC_VERSION >= 80300

menuconfig KASAN
	bool "KASAN: dynamic memory safety error detector"
	depends on (((HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC) || \
		     (HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS)) && \
		    CC_HAS_WORKING_NOSANITIZE_ADDRESS) || \
		   HAVE_ARCH_KASAN_HW_TAGS
	depends on (SLUB && SYSFS && !SLUB_TINY) || (SLAB && !DEBUG_SLAB)
	select STACKDEPOT_ALWAYS_INIT
	help
	  Enables KASAN (Kernel Address Sanitizer) - a dynamic memory safety
	  error detector designed to find out-of-bounds and use-after-free bugs.

	  See Documentation/dev-tools/kasan.rst for details.

	  For better error reports, also enable CONFIG_STACKTRACE.

if KASAN

config CC_HAS_KASAN_MEMINTRINSIC_PREFIX
	def_bool (CC_IS_CLANG && $(cc-option,-fsanitize=kernel-address -mllvm -asan-kernel-mem-intrinsic-prefix=1)) || \
		 (CC_IS_GCC && $(cc-option,-fsanitize=kernel-address --param asan-kernel-mem-intrinsic-prefix=1))
	# Don't define it if we don't need it: compilation of the test uses
	# this variable to decide how the compiler should treat builtins.
	depends on !KASAN_HW_TAGS
	help
	  The compiler is able to prefix memintrinsics with __asan or __hwasan.

choice
	prompt "KASAN mode"
	default KASAN_GENERIC
	help
	  KASAN has three modes:

	  1. Generic KASAN (supported by many architectures, enabled with
	     CONFIG_KASAN_GENERIC, similar to userspace ASan),
	  2. Software Tag-Based KASAN (arm64 only, based on software memory
	     tagging, enabled with CONFIG_KASAN_SW_TAGS, similar to userspace
	     HWASan), and
	  3. Hardware Tag-Based KASAN (arm64 only, based on hardware memory
	     tagging, enabled with CONFIG_KASAN_HW_TAGS).

	  See Documentation/dev-tools/kasan.rst for details about each mode.

config KASAN_GENERIC
	bool "Generic KASAN"
	depends on HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC
	depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS
	select SLUB_DEBUG if SLUB
	select CONSTRUCTORS
	help
	  Enables Generic KASAN.

	  Requires GCC 8.3.0+ or Clang.

	  Consumes about 1/8th of available memory at kernel start and adds an
	  overhead of ~50% for dynamic allocations.
	  The performance slowdown is ~x3.

	  (Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.)

config KASAN_SW_TAGS
	bool "Software Tag-Based KASAN"
	depends on HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS
	depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS
	select SLUB_DEBUG if SLUB
	select CONSTRUCTORS
	help
	  Enables Software Tag-Based KASAN.

	  Requires GCC 11+ or Clang.

	  Supported only on arm64 CPUs and relies on Top Byte Ignore.

	  Consumes about 1/16th of available memory at kernel start and
	  add an overhead of ~20% for dynamic allocations.

	  May potentially introduce problems related to pointer casting and
	  comparison, as it embeds a tag into the top byte of each pointer.

	  (Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.)

config KASAN_HW_TAGS
	bool "Hardware Tag-Based KASAN"
	depends on HAVE_ARCH_KASAN_HW_TAGS
	depends on SLUB
	help
	  Enables Hardware Tag-Based KASAN.

	  Requires GCC 10+ or Clang 12+.

	  Supported only on arm64 CPUs starting from ARMv8.5 and relies on
	  Memory Tagging Extension and Top Byte Ignore.

	  Consumes about 1/32nd of available memory.

	  May potentially introduce problems related to pointer casting and
	  comparison, as it embeds a tag into the top byte of each pointer.

endchoice

choice
	prompt "Instrumentation type"
	depends on KASAN_GENERIC || KASAN_SW_TAGS
	default KASAN_OUTLINE

config KASAN_OUTLINE
	bool "Outline instrumentation"
	help
	  Makes the compiler insert function calls that check whether the memory
	  is accessible before each memory access. Slower than KASAN_INLINE, but
	  does not bloat the size of the kernel's .text section so much.

config KASAN_INLINE
	bool "Inline instrumentation"
	depends on !ARCH_DISABLE_KASAN_INLINE
	help
	  Makes the compiler directly insert memory accessibility checks before
	  each memory access. Faster than KASAN_OUTLINE (gives ~x2 boost for
	  some workloads), but makes the kernel's .text size much bigger.

endchoice

config KASAN_STACK
	bool "Stack instrumentation (unsafe)" if CC_IS_CLANG && !COMPILE_TEST
	depends on KASAN_GENERIC || KASAN_SW_TAGS
	depends on !ARCH_DISABLE_KASAN_INLINE
	default y if CC_IS_GCC
	help
	  Disables stack instrumentation and thus KASAN's ability to detect
	  out-of-bounds bugs in stack variables.

	  With Clang, stack instrumentation has a problem that causes excessive
	  stack usage, see https://bugs.llvm.org/show_bug.cgi?id=38809. Thus,
	  with Clang, this option is deemed unsafe.

	  This option is always disabled when compile-testing with Clang to
	  avoid cluttering the log with stack overflow warnings.

	  With GCC, enabling stack instrumentation is assumed to be safe.

	  If the architecture disables inline instrumentation via
	  ARCH_DISABLE_KASAN_INLINE, stack instrumentation gets disabled
	  as well, as it adds inline-style instrumentation that is run
	  unconditionally.

config KASAN_VMALLOC
	bool "Check accesses to vmalloc allocations"
	depends on HAVE_ARCH_KASAN_VMALLOC
	help
	  Makes KASAN check the validity of accesses to vmalloc allocations.

	  With software KASAN modes, all types vmalloc allocations are
	  checked. Enabling this option leads to higher memory usage.

	  With Hardware Tag-Based KASAN, only non-executable VM_ALLOC mappings
	  are checked. There is no additional memory usage.

config KASAN_KUNIT_TEST
	tristate "KUnit-compatible tests of KASAN bug detection capabilities" if !KUNIT_ALL_TESTS
	depends on KASAN && KUNIT && TRACEPOINTS
	default KUNIT_ALL_TESTS
	help
	  A KUnit-based KASAN test suite. Triggers different kinds of
	  out-of-bounds and use-after-free accesses. Useful for testing whether
	  KASAN can detect certain bug types.

	  For more information on KUnit and unit tests in general, please refer
	  to the KUnit documentation in Documentation/dev-tools/kunit/.

config KASAN_MODULE_TEST
	tristate "KUnit-incompatible tests of KASAN bug detection capabilities"
	depends on m && KASAN && !KASAN_HW_TAGS
	help
	  A part of the KASAN test suite that is not integrated with KUnit.
	  Incompatible with Hardware Tag-Based KASAN.

endif # KASAN
Commit	Line	Data
ec8f24b7	1	# SPDX-License-Identifier: GPL-2.0-only
fe30ddca	2
2bd926b4	3	# This config refers to the generic KASAN mode.
0b24becc AR	4	config HAVE_ARCH_KASAN
	5	bool
	6
2bd926b4 AK	7	config HAVE_ARCH_KASAN_SW_TAGS
	8	bool
	9
6a63a63f AK	10	config HAVE_ARCH_KASAN_HW_TAGS
	11	bool
	12
	13	config HAVE_ARCH_KASAN_VMALLOC
3c5c3cfb DA	14	bool
3c5c3cfb DA	15
158f2552 DA	16	config ARCH_DISABLE_KASAN_INLINE
	17	bool
	18	help
fe30ddca AK	19	Disables both inline and stack instrumentation. Selected by
fe30ddca AK	20	architectures that do not support these instrumentation types.
158f2552	21
2bd926b4 AK	22	config CC_HAS_KASAN_GENERIC
	23	def_bool $(cc-option, -fsanitize=kernel-address)
	24
	25	config CC_HAS_KASAN_SW_TAGS
	26	def_bool $(cc-option, -fsanitize=kernel-hwaddress)
0b24becc	27
6a63a63f	28	# This option is only required for software KASAN modes.
fe30ddca	29	# Old GCC versions do not have proper support for no_sanitize_address.
6a63a63f	30	# See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89124 for details.
7b861a53	31	config CC_HAS_WORKING_NOSANITIZE_ADDRESS
acf7b0bf	32	def_bool !CC_IS_GCC \|\| GCC_VERSION >= 80300
7b861a53	33
7a3767f8	34	menuconfig KASAN
fe30ddca	35	bool "KASAN: dynamic memory safety error detector"
6a63a63f AK	36	depends on (((HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC) \|\| \
	37	(HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS)) && \
	38	CC_HAS_WORKING_NOSANITIZE_ADDRESS) \|\| \
	39	HAVE_ARCH_KASAN_HW_TAGS
e240e53a	40	depends on (SLUB && SYSFS && !SLUB_TINY) \|\| (SLAB && !DEBUG_SLAB)
2dba5eb1	41	select STACKDEPOT_ALWAYS_INIT
2bd926b4	42	help
fe30ddca AK	43	Enables KASAN (Kernel Address Sanitizer) - a dynamic memory safety
	44	error detector designed to find out-of-bounds and use-after-free bugs.
	45
2bd926b4 AK	46	See Documentation/dev-tools/kasan.rst for details.
2bd926b4 AK	47
fe30ddca AK	48	For better error reports, also enable CONFIG_STACKTRACE.
fe30ddca AK	49
7a3767f8 ME	50	if KASAN
7a3767f8 ME	51
36be5cba ME	52	config CC_HAS_KASAN_MEMINTRINSIC_PREFIX
	53	def_bool (CC_IS_CLANG && $(cc-option,-fsanitize=kernel-address -mllvm -asan-kernel-mem-intrinsic-prefix=1)) \|\| \
	54	(CC_IS_GCC && $(cc-option,-fsanitize=kernel-address --param asan-kernel-mem-intrinsic-prefix=1))
	55	# Don't define it if we don't need it: compilation of the test uses
	56	# this variable to decide how the compiler should treat builtins.
	57	depends on !KASAN_HW_TAGS
	58	help
	59	The compiler is able to prefix memintrinsics with __asan or __hwasan.
	60
2bd926b4 AK	61	choice
2bd926b4 AK	62	prompt "KASAN mode"
2bd926b4 AK	63	default KASAN_GENERIC
2bd926b4 AK	64	help
6a63a63f	65	KASAN has three modes:
6a63a63f	66
fe30ddca AK	67	1. Generic KASAN (supported by many architectures, enabled with
	68	CONFIG_KASAN_GENERIC, similar to userspace ASan),
	69	2. Software Tag-Based KASAN (arm64 only, based on software memory
	70	tagging, enabled with CONFIG_KASAN_SW_TAGS, similar to userspace
	71	HWASan), and
	72	3. Hardware Tag-Based KASAN (arm64 only, based on hardware memory
	73	tagging, enabled with CONFIG_KASAN_HW_TAGS).
ac4766be	74
fe30ddca	75	See Documentation/dev-tools/kasan.rst for details about each mode.
2bd926b4 AK	76
2bd926b4 AK	77	config KASAN_GENERIC
fe30ddca	78	bool "Generic KASAN"
2bd926b4	79	depends on HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC
fa360bea	80	depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS
dd275caf	81	select SLUB_DEBUG if SLUB
6a63a63f	82	select CONSTRUCTORS
0b24becc	83	help
fe30ddca	84	Enables Generic KASAN.
ac4766be	85
fe30ddca	86	Requires GCC 8.3.0+ or Clang.
ac4766be	87
fe30ddca AK	88	Consumes about 1/8th of available memory at kernel start and adds an
fe30ddca AK	89	overhead of ~50% for dynamic allocations.
2bd926b4	90	The performance slowdown is ~x3.
ac4766be	91
fe30ddca	92	(Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.)
0b24becc	93
2bd926b4	94	config KASAN_SW_TAGS
fe30ddca	95	bool "Software Tag-Based KASAN"
2bd926b4	96	depends on HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS
fa360bea	97	depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS
2bd926b4	98	select SLUB_DEBUG if SLUB
6a63a63f	99	select CONSTRUCTORS
2bd926b4	100	help
fe30ddca	101	Enables Software Tag-Based KASAN.
ac4766be	102
fe30ddca	103	Requires GCC 11+ or Clang.
6a63a63f	104
fe30ddca	105	Supported only on arm64 CPUs and relies on Top Byte Ignore.
ac4766be	106
fe30ddca AK	107	Consumes about 1/16th of available memory at kernel start and
fe30ddca AK	108	add an overhead of ~20% for dynamic allocations.
ac4766be	109
fe30ddca AK	110	May potentially introduce problems related to pointer casting and
	111	comparison, as it embeds a tag into the top byte of each pointer.
	112
	113	(Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.)
2bd926b4	114
6a63a63f	115	config KASAN_HW_TAGS
fe30ddca	116	bool "Hardware Tag-Based KASAN"
6a63a63f AK	117	depends on HAVE_ARCH_KASAN_HW_TAGS
	118	depends on SLUB
	119	help
fe30ddca AK	120	Enables Hardware Tag-Based KASAN.
	121
	122	Requires GCC 10+ or Clang 12+.
6a63a63f	123
fe30ddca AK	124	Supported only on arm64 CPUs starting from ARMv8.5 and relies on
fe30ddca AK	125	Memory Tagging Extension and Top Byte Ignore.
6a63a63f	126
fe30ddca AK	127	Consumes about 1/32nd of available memory.
	128
	129	May potentially introduce problems related to pointer casting and
	130	comparison, as it embeds a tag into the top byte of each pointer.
6a63a63f	131
2bd926b4 AK	132	endchoice
2bd926b4 AK	133
0b24becc AR	134	choice
0b24becc AR	135	prompt "Instrumentation type"
6a63a63f	136	depends on KASAN_GENERIC \|\| KASAN_SW_TAGS
0b24becc AR	137	default KASAN_OUTLINE
	138
	139	config KASAN_OUTLINE
	140	bool "Outline instrumentation"
	141	help
fe30ddca AK	142	Makes the compiler insert function calls that check whether the memory
	143	is accessible before each memory access. Slower than KASAN_INLINE, but
	144	does not bloat the size of the kernel's .text section so much.
0b24becc AR	145
	146	config KASAN_INLINE
	147	bool "Inline instrumentation"
158f2552	148	depends on !ARCH_DISABLE_KASAN_INLINE
0b24becc	149	help
fe30ddca AK	150	Makes the compiler directly insert memory accessibility checks before
	151	each memory access. Faster than KASAN_OUTLINE (gives ~x2 boost for
	152	some workloads), but makes the kernel's .text size much bigger.
0b24becc AR	153
	154	endchoice
	155
02c58773	156	config KASAN_STACK
fe30ddca	157	bool "Stack instrumentation (unsafe)" if CC_IS_CLANG && !COMPILE_TEST
6a63a63f	158	depends on KASAN_GENERIC \|\| KASAN_SW_TAGS
158f2552	159	depends on !ARCH_DISABLE_KASAN_INLINE
02c58773	160	default y if CC_IS_GCC
6baec880	161	help
fe30ddca AK	162	Disables stack instrumentation and thus KASAN's ability to detect
	163	out-of-bounds bugs in stack variables.
	164
	165	With Clang, stack instrumentation has a problem that causes excessive
	166	stack usage, see https://bugs.llvm.org/show_bug.cgi?id=38809. Thus,
	167	with Clang, this option is deemed unsafe.
	168
	169	This option is always disabled when compile-testing with Clang to
	170	avoid cluttering the log with stack overflow warnings.
	171
	172	With GCC, enabling stack instrumentation is assumed to be safe.
	173
	174	If the architecture disables inline instrumentation via
	175	ARCH_DISABLE_KASAN_INLINE, stack instrumentation gets disabled
	176	as well, as it adds inline-style instrumentation that is run
	177	unconditionally.
6baec880	178
3c5c3cfb	179	config KASAN_VMALLOC
fbefb423 AK	180	bool "Check accesses to vmalloc allocations"
fbefb423 AK	181	depends on HAVE_ARCH_KASAN_VMALLOC
3c5c3cfb	182	help
fe30ddca	183	Makes KASAN check the validity of accesses to vmalloc allocations.
fbefb423	184
fe30ddca AK	185	With software KASAN modes, all types vmalloc allocations are
fe30ddca AK	186	checked. Enabling this option leads to higher memory usage.
fbefb423	187
fe30ddca AK	188	With Hardware Tag-Based KASAN, only non-executable VM_ALLOC mappings
fe30ddca AK	189	are checked. There is no additional memory usage.
3c5c3cfb	190
73228c7e PA	191	config KASAN_KUNIT_TEST
73228c7e PA	192	tristate "KUnit-compatible tests of KASAN bug detection capabilities" if !KUNIT_ALL_TESTS
7ce0ea19	193	depends on KASAN && KUNIT && TRACEPOINTS
73228c7e	194	default KUNIT_ALL_TESTS
3f15801c	195	help
fe30ddca AK	196	A KUnit-based KASAN test suite. Triggers different kinds of
	197	out-of-bounds and use-after-free accesses. Useful for testing whether
	198	KASAN can detect certain bug types.
7a3767f8	199
73228c7e	200	For more information on KUnit and unit tests in general, please refer
fe30ddca	201	to the KUnit documentation in Documentation/dev-tools/kunit/.
73228c7e	202
5d92bdff	203	config KASAN_MODULE_TEST
73228c7e	204	tristate "KUnit-incompatible tests of KASAN bug detection capabilities"
f05842cf	205	depends on m && KASAN && !KASAN_HW_TAGS
73228c7e	206	help
fe30ddca AK	207	A part of the KASAN test suite that is not integrated with KUnit.
fe30ddca AK	208	Incompatible with Hardware Tag-Based KASAN.
73228c7e	209
7a3767f8	210	endif # KASAN