[linux-2.6-block.git] / scripts / gcc-plugins / Kconfig

preferred-plugin-hostcc := $(if-success,[ $(gcc-version) -ge 40800 ],$(HOSTCXX),$(HOSTCC))

config PLUGIN_HOSTCC
	string
	default "$(shell,$(srctree)/scripts/gcc-plugin.sh "$(preferred-plugin-hostcc)" "$(HOSTCXX)" "$(CC)")" if CC_IS_GCC
	help
	  Host compiler used to build GCC plugins.  This can be $(HOSTCXX),
	  $(HOSTCC), or a null string if GCC plugin is unsupported.

config HAVE_GCC_PLUGINS
	bool
	help
	  An arch should select this symbol if it supports building with
	  GCC plugins.

menuconfig GCC_PLUGINS
	bool "GCC plugins"
	depends on HAVE_GCC_PLUGINS
	depends on PLUGIN_HOSTCC != ""
	help
	  GCC plugins are loadable modules that provide extra features to the
	  compiler. They are useful for runtime instrumentation and static analysis.

	  See Documentation/gcc-plugins.txt for details.

if GCC_PLUGINS

config GCC_PLUGIN_CYC_COMPLEXITY
	bool "Compute the cyclomatic complexity of a function" if EXPERT
	depends on !COMPILE_TEST	# too noisy
	help
	  The complexity M of a function's control flow graph is defined as:
	   M = E - N + 2P
	  where

	  E = the number of edges
	  N = the number of nodes
	  P = the number of connected components (exit nodes).

	  Enabling this plugin reports the complexity to stderr during the
	  build. It mainly serves as a simple example of how to create a
	  gcc plugin for the kernel.

config GCC_PLUGIN_SANCOV
	bool
	help
	  This plugin inserts a __sanitizer_cov_trace_pc() call at the start of
	  basic blocks. It supports all gcc versions with plugin support (from
	  gcc-4.5 on). It is based on the commit "Add fuzzing coverage support"
	  by Dmitry Vyukov <dvyukov@google.com>.

config GCC_PLUGIN_LATENT_ENTROPY
	bool "Generate some entropy during boot and runtime"
	help
	  By saying Y here the kernel will instrument some kernel code to
	  extract some entropy from both original and artificially created
	  program state.  This will help especially embedded systems where
	  there is little 'natural' source of entropy normally.  The cost
	  is some slowdown of the boot process (about 0.5%) and fork and
	  irq processing.

	  Note that entropy extracted this way is not cryptographically
	  secure!

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config GCC_PLUGIN_STRUCTLEAK
	bool "Zero initialize stack variables"
	help
	  While the kernel is built with warnings enabled for any missed
	  stack variable initializations, this warning is silenced for
	  anything passed by reference to another function, under the
	  occasionally misguided assumption that the function will do
	  the initialization. As this regularly leads to exploitable
	  flaws, this plugin is available to identify and zero-initialize
	  such variables, depending on the chosen level of coverage.

	  This plugin was originally ported from grsecurity/PaX. More
	  information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

choice
	prompt "Coverage"
	depends on GCC_PLUGIN_STRUCTLEAK
	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
	help
	  This chooses the level of coverage over classes of potentially
	  uninitialized variables. The selected class will be
	  zero-initialized before use.

	config GCC_PLUGIN_STRUCTLEAK_USER
		bool "structs marked for userspace"
		help
		  Zero-initialize any structures on the stack containing
		  a __user attribute. This can prevent some classes of
		  uninitialized stack variable exploits and information
		  exposures, like CVE-2013-2141:
		  https://git.kernel.org/linus/b9e146d8eb3b9eca

	config GCC_PLUGIN_STRUCTLEAK_BYREF
		bool "structs passed by reference"
		help
		  Zero-initialize any structures on the stack that may
		  be passed by reference and had not already been
		  explicitly initialized. This can prevent most classes
		  of uninitialized stack variable exploits and information
		  exposures, like CVE-2017-1000410:
		  https://git.kernel.org/linus/06e7e776ca4d3654

	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
		bool "anything passed by reference"
		help
		  Zero-initialize any stack variables that may be passed
		  by reference and had not already been explicitly
		  initialized. This is intended to eliminate all classes
		  of uninitialized stack variable exploits and information
		  exposures.

endchoice

config GCC_PLUGIN_STRUCTLEAK_VERBOSE
	bool "Report forcefully initialized variables"
	depends on GCC_PLUGIN_STRUCTLEAK
	depends on !COMPILE_TEST	# too noisy
	help
	  This option will cause a warning to be printed each time the
	  structleak plugin finds a variable it thinks needs to be
	  initialized. Since not all existing initializers are detected
	  by the plugin, this can produce false positive warnings.

config GCC_PLUGIN_RANDSTRUCT
	bool "Randomize layout of sensitive kernel structures"
	select MODVERSIONS if MODULES
	help
	  If you say Y here, the layouts of structures that are entirely
	  function pointers (and have not been manually annotated with
	  __no_randomize_layout), or structures that have been explicitly
	  marked with __randomize_layout, will be randomized at compile-time.
	  This can introduce the requirement of an additional information
	  exposure vulnerability for exploits targeting these structure
	  types.

	  Enabling this feature will introduce some performance impact,
	  slightly increase memory usage, and prevent the use of forensic
	  tools like Volatility against the system (unless the kernel
	  source tree isn't cleaned after kernel installation).

	  The seed used for compilation is located at
	  scripts/gcc-plgins/randomize_layout_seed.h.  It remains after
	  a make clean to allow for external modules to be compiled with
	  the existing seed and will be removed by a make mrproper or
	  make distclean.

	  Note that the implementation requires gcc 4.7 or newer.

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
	bool "Use cacheline-aware structure randomization"
	depends on GCC_PLUGIN_RANDSTRUCT
	depends on !COMPILE_TEST	# do not reduce test coverage
	help
	  If you say Y here, the RANDSTRUCT randomization will make a
	  best effort at restricting randomization to cacheline-sized
	  groups of elements.  It will further not randomize bitfields
	  in structures.  This reduces the performance hit of RANDSTRUCT
	  at the cost of weakened randomization.

config GCC_PLUGIN_STACKLEAK
	bool "Erase the kernel stack before returning from syscalls"
	depends on GCC_PLUGINS
	depends on HAVE_ARCH_STACKLEAK
	help
	  This option makes the kernel erase the kernel stack before
	  returning from system calls. That reduces the information which
	  kernel stack leak bugs can reveal and blocks some uninitialized
	  stack variable attacks.

	  The tradeoff is the performance impact: on a single CPU system kernel
	  compilation sees a 1% slowdown, other systems and workloads may vary
	  and you are advised to test this feature on your expected workload
	  before deploying it.

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config STACKLEAK_TRACK_MIN_SIZE
	int "Minimum stack frame size of functions tracked by STACKLEAK"
	default 100
	range 0 4096
	depends on GCC_PLUGIN_STACKLEAK
	help
	  The STACKLEAK gcc plugin instruments the kernel code for tracking
	  the lowest border of the kernel stack (and for some other purposes).
	  It inserts the stackleak_track_stack() call for the functions with
	  a stack frame size greater than or equal to this parameter.
	  If unsure, leave the default value 100.

config STACKLEAK_METRICS
	bool "Show STACKLEAK metrics in the /proc file system"
	depends on GCC_PLUGIN_STACKLEAK
	depends on PROC_FS
	help
	  If this is set, STACKLEAK metrics for every task are available in
	  the /proc file system. In particular, /proc/<pid>/stack_depth
	  shows the maximum kernel stack consumption for the current and
	  previous syscalls. Although this information is not precise, it
	  can be useful for estimating the STACKLEAK performance impact for
	  your workloads.

config STACKLEAK_RUNTIME_DISABLE
	bool "Allow runtime disabling of kernel stack erasing"
	depends on GCC_PLUGIN_STACKLEAK
	help
	  This option provides 'stack_erasing' sysctl, which can be used in
	  runtime to control kernel stack erasing for kernels built with
	  CONFIG_GCC_PLUGIN_STACKLEAK.

config GCC_PLUGIN_ARM_SSP_PER_TASK
	bool
	depends on GCC_PLUGINS && ARM

endif
Commit	Line	Data
45332b1b MY	1	preferred-plugin-hostcc := $(if-success,[ $(gcc-version) -ge 40800 ],$(HOSTCXX),$(HOSTCC))
	2
	3	config PLUGIN_HOSTCC
	4	string
b0441333	5	default "$(shell,$(srctree)/scripts/gcc-plugin.sh "$(preferred-plugin-hostcc)" "$(HOSTCXX)" "$(CC)")" if CC_IS_GCC
45332b1b MY	6	help
	7	Host compiler used to build GCC plugins. This can be $(HOSTCXX),
	8	$(HOSTCC), or a null string if GCC plugin is unsupported.
	9
	10	config HAVE_GCC_PLUGINS
	11	bool
	12	help
	13	An arch should select this symbol if it supports building with
	14	GCC plugins.
	15
	16	menuconfig GCC_PLUGINS
	17	bool "GCC plugins"
	18	depends on HAVE_GCC_PLUGINS
	19	depends on PLUGIN_HOSTCC != ""
	20	help
	21	GCC plugins are loadable modules that provide extra features to the
	22	compiler. They are useful for runtime instrumentation and static analysis.
	23
	24	See Documentation/gcc-plugins.txt for details.
	25
	26	if GCC_PLUGINS
	27
	28	config GCC_PLUGIN_CYC_COMPLEXITY
	29	bool "Compute the cyclomatic complexity of a function" if EXPERT
	30	depends on !COMPILE_TEST # too noisy
	31	help
	32	The complexity M of a function's control flow graph is defined as:
	33	M = E - N + 2P
	34	where
	35
	36	E = the number of edges
	37	N = the number of nodes
	38	P = the number of connected components (exit nodes).
	39
	40	Enabling this plugin reports the complexity to stderr during the
	41	build. It mainly serves as a simple example of how to create a
	42	gcc plugin for the kernel.
	43
	44	config GCC_PLUGIN_SANCOV
	45	bool
	46	help
	47	This plugin inserts a __sanitizer_cov_trace_pc() call at the start of
	48	basic blocks. It supports all gcc versions with plugin support (from
	49	gcc-4.5 on). It is based on the commit "Add fuzzing coverage support"
	50	by Dmitry Vyukov <dvyukov@google.com>.
	51
	52	config GCC_PLUGIN_LATENT_ENTROPY
	53	bool "Generate some entropy during boot and runtime"
	54	help
	55	By saying Y here the kernel will instrument some kernel code to
	56	extract some entropy from both original and artificially created
	57	program state. This will help especially embedded systems where
	58	there is little 'natural' source of entropy normally. The cost
	59	is some slowdown of the boot process (about 0.5%) and fork and
	60	irq processing.
	61
	62	Note that entropy extracted this way is not cryptographically
	63	secure!
	64
	65	This plugin was ported from grsecurity/PaX. More information at:
	66	* https://grsecurity.net/
	67	* https://pax.grsecurity.net/
	68
	69	config GCC_PLUGIN_STRUCTLEAK
81a56f6d	70	bool "Zero initialize stack variables"
45332b1b	71	help
81a56f6d KC	72	While the kernel is built with warnings enabled for any missed
	73	stack variable initializations, this warning is silenced for
	74	anything passed by reference to another function, under the
	75	occasionally misguided assumption that the function will do
	76	the initialization. As this regularly leads to exploitable
	77	flaws, this plugin is available to identify and zero-initialize
	78	such variables, depending on the chosen level of coverage.
	79
	80	This plugin was originally ported from grsecurity/PaX. More
	81	information at:
45332b1b MY	82	* https://grsecurity.net/
	83	* https://pax.grsecurity.net/
	84
81a56f6d KC	85	choice
81a56f6d KC	86	prompt "Coverage"
45332b1b	87	depends on GCC_PLUGIN_STRUCTLEAK
81a56f6d	88	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
45332b1b	89	help
81a56f6d KC	90	This chooses the level of coverage over classes of potentially
	91	uninitialized variables. The selected class will be
	92	zero-initialized before use.
	93
	94	config GCC_PLUGIN_STRUCTLEAK_USER
	95	bool "structs marked for userspace"
	96	help
	97	Zero-initialize any structures on the stack containing
	98	a __user attribute. This can prevent some classes of
	99	uninitialized stack variable exploits and information
	100	exposures, like CVE-2013-2141:
	101	https://git.kernel.org/linus/b9e146d8eb3b9eca
	102
	103	config GCC_PLUGIN_STRUCTLEAK_BYREF
	104	bool "structs passed by reference"
	105	help
	106	Zero-initialize any structures on the stack that may
	107	be passed by reference and had not already been
	108	explicitly initialized. This can prevent most classes
	109	of uninitialized stack variable exploits and information
	110	exposures, like CVE-2017-1000410:
	111	https://git.kernel.org/linus/06e7e776ca4d3654
	112
	113	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
	114	bool "anything passed by reference"
	115	help
	116	Zero-initialize any stack variables that may be passed
	117	by reference and had not already been explicitly
	118	initialized. This is intended to eliminate all classes
	119	of uninitialized stack variable exploits and information
	120	exposures.
	121
	122	endchoice
45332b1b MY	123
	124	config GCC_PLUGIN_STRUCTLEAK_VERBOSE
	125	bool "Report forcefully initialized variables"
	126	depends on GCC_PLUGIN_STRUCTLEAK
	127	depends on !COMPILE_TEST # too noisy
	128	help
	129	This option will cause a warning to be printed each time the
	130	structleak plugin finds a variable it thinks needs to be
	131	initialized. Since not all existing initializers are detected
	132	by the plugin, this can produce false positive warnings.
	133
	134	config GCC_PLUGIN_RANDSTRUCT
	135	bool "Randomize layout of sensitive kernel structures"
	136	select MODVERSIONS if MODULES
	137	help
	138	If you say Y here, the layouts of structures that are entirely
	139	function pointers (and have not been manually annotated with
	140	__no_randomize_layout), or structures that have been explicitly
	141	marked with __randomize_layout, will be randomized at compile-time.
	142	This can introduce the requirement of an additional information
	143	exposure vulnerability for exploits targeting these structure
	144	types.
	145
	146	Enabling this feature will introduce some performance impact,
	147	slightly increase memory usage, and prevent the use of forensic
	148	tools like Volatility against the system (unless the kernel
	149	source tree isn't cleaned after kernel installation).
	150
	151	The seed used for compilation is located at
	152	scripts/gcc-plgins/randomize_layout_seed.h. It remains after
	153	a make clean to allow for external modules to be compiled with
	154	the existing seed and will be removed by a make mrproper or
	155	make distclean.
	156
	157	Note that the implementation requires gcc 4.7 or newer.
	158
	159	This plugin was ported from grsecurity/PaX. More information at:
	160	* https://grsecurity.net/
	161	* https://pax.grsecurity.net/
	162
	163	config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
	164	bool "Use cacheline-aware structure randomization"
	165	depends on GCC_PLUGIN_RANDSTRUCT
	166	depends on !COMPILE_TEST # do not reduce test coverage
	167	help
	168	If you say Y here, the RANDSTRUCT randomization will make a
	169	best effort at restricting randomization to cacheline-sized
	170	groups of elements. It will further not randomize bitfields
	171	in structures. This reduces the performance hit of RANDSTRUCT
	172	at the cost of weakened randomization.
	173
afaef01c AP	174	config GCC_PLUGIN_STACKLEAK
	175	bool "Erase the kernel stack before returning from syscalls"
	176	depends on GCC_PLUGINS
	177	depends on HAVE_ARCH_STACKLEAK
	178	help
	179	This option makes the kernel erase the kernel stack before
	180	returning from system calls. That reduces the information which
	181	kernel stack leak bugs can reveal and blocks some uninitialized
	182	stack variable attacks.
	183
	184	The tradeoff is the performance impact: on a single CPU system kernel
	185	compilation sees a 1% slowdown, other systems and workloads may vary
	186	and you are advised to test this feature on your expected workload
	187	before deploying it.
	188
	189	This plugin was ported from grsecurity/PaX. More information at:
	190	* https://grsecurity.net/
	191	* https://pax.grsecurity.net/
	192
10e9ae9f AP	193	config STACKLEAK_TRACK_MIN_SIZE
	194	int "Minimum stack frame size of functions tracked by STACKLEAK"
	195	default 100
	196	range 0 4096
	197	depends on GCC_PLUGIN_STACKLEAK
	198	help
	199	The STACKLEAK gcc plugin instruments the kernel code for tracking
	200	the lowest border of the kernel stack (and for some other purposes).
	201	It inserts the stackleak_track_stack() call for the functions with
	202	a stack frame size greater than or equal to this parameter.
	203	If unsure, leave the default value 100.
	204
c8d12627 AP	205	config STACKLEAK_METRICS
	206	bool "Show STACKLEAK metrics in the /proc file system"
	207	depends on GCC_PLUGIN_STACKLEAK
	208	depends on PROC_FS
	209	help
	210	If this is set, STACKLEAK metrics for every task are available in
	211	the /proc file system. In particular, /proc/<pid>/stack_depth
	212	shows the maximum kernel stack consumption for the current and
	213	previous syscalls. Although this information is not precise, it
	214	can be useful for estimating the STACKLEAK performance impact for
	215	your workloads.
	216
964c9dff AP	217	config STACKLEAK_RUNTIME_DISABLE
	218	bool "Allow runtime disabling of kernel stack erasing"
	219	depends on GCC_PLUGIN_STACKLEAK
	220	help
	221	This option provides 'stack_erasing' sysctl, which can be used in
	222	runtime to control kernel stack erasing for kernels built with
	223	CONFIG_GCC_PLUGIN_STACKLEAK.
	224
189af465 AB	225	config GCC_PLUGIN_ARM_SSP_PER_TASK
	226	bool
	227	depends on GCC_PLUGINS && ARM
	228
45332b1b	229	endif