```kconfig
# SPDX-License-Identifier: GPL-2.0-only
menu "Kernel hardening options"

config GCC_PLUGIN_STRUCTLEAK
	bool
	help
	  While the kernel is built with warnings enabled for any missed
	  stack variable initializations, this warning is silenced for
	  anything passed by reference to another function, under the
	  occasionally misguided assumption that the function will do
	  the initialization. As this regularly leads to exploitable
	  flaws, this plugin is available to identify and zero-initialize
	  such variables, depending on the chosen level of coverage.

	  This plugin was originally ported from grsecurity/PaX. More
	  information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

menu "Memory initialization"

config CC_HAS_AUTO_VAR_INIT_PATTERN
	def_bool $(cc-option,-ftrivial-auto-var-init=pattern)

config CC_HAS_AUTO_VAR_INIT_ZERO
	def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang)

choice
	prompt "Initialize kernel stack variables at function entry"
	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
	default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
	default INIT_STACK_NONE
	help
	  This option enables initialization of stack variables at
	  function entry time. This has the possibility to have the
	  greatest coverage (since all functions can have their
	  variables initialized), but the performance impact depends
	  on the function calling complexity of a given workload's
	  syscalls.

	  This chooses the level of coverage over classes of potentially
	  uninitialized variables. The selected class will be
	  initialized before use in a function.

	config INIT_STACK_NONE
		bool "no automatic initialization (weakest)"
		help
		  Disable automatic stack variable initialization.
		  This leaves the kernel vulnerable to the standard
		  classes of uninitialized stack variable exploits
		  and information exposures.

	config GCC_PLUGIN_STRUCTLEAK_USER
		bool "zero-init structs marked for userspace (weak)"
		depends on GCC_PLUGINS
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any structures on the stack containing
		  a __user attribute. This can prevent some classes of
		  uninitialized stack variable exploits and information
		  exposures, like CVE-2013-2141:
		  https://git.kernel.org/linus/b9e146d8eb3b9eca

	config GCC_PLUGIN_STRUCTLEAK_BYREF
		bool "zero-init structs passed by reference (strong)"
		depends on GCC_PLUGINS
		depends on !(KASAN && KASAN_STACK)
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any structures on the stack that may
		  be passed by reference and had not already been
		  explicitly initialized. This can prevent most classes
		  of uninitialized stack variable exploits and information
		  exposures, like CVE-2017-1000410:
		  https://git.kernel.org/linus/06e7e776ca4d3654

		  As a side-effect, this keeps a lot of variables on the
		  stack that can otherwise be optimized out, so combining
		  this with CONFIG_KASAN_STACK can lead to a stack overflow
		  and is disallowed.

	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
		bool "zero-init anything passed by reference (very strong)"
		depends on GCC_PLUGINS
		depends on !(KASAN && KASAN_STACK)
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any stack variables that may be passed
		  by reference and had not already been explicitly
		  initialized. This is intended to eliminate all classes
		  of uninitialized stack variable exploits and information
		  exposures.

	config INIT_STACK_ALL_PATTERN
		bool "0xAA-init everything on the stack (strongest)"
		depends on CC_HAS_AUTO_VAR_INIT_PATTERN
		help
		  Initializes everything on the stack with a 0xAA
		  pattern. This is intended to eliminate all classes
		  of uninitialized stack variable exploits and information
		  exposures, even variables that were warned to have been
		  left uninitialized.

		  Pattern initialization is known to provoke many existing bugs
		  related to uninitialized locals, e.g. pointers receive
		  non-NULL values, buffer sizes and indices are very big.

	config INIT_STACK_ALL_ZERO
		bool "zero-init everything on the stack (strongest and safest)"
		depends on CC_HAS_AUTO_VAR_INIT_ZERO
		help
		  Initializes everything on the stack with a zero
		  value. This is intended to eliminate all classes
		  of uninitialized stack variable exploits and information
		  exposures, even variables that were warned to have been
		  left uninitialized.

		  Zero initialization provides safe defaults for strings,
		  pointers, indices and sizes, and is therefore
		  more suitable as a security mitigation measure.

endchoice

config GCC_PLUGIN_STRUCTLEAK_VERBOSE
	bool "Report forcefully initialized variables"
	depends on GCC_PLUGIN_STRUCTLEAK
	depends on !COMPILE_TEST	# too noisy
	help
	  This option will cause a warning to be printed each time the
	  structleak plugin finds a variable it thinks needs to be
	  initialized. Since not all existing initializers are detected
	  by the plugin, this can produce false positive warnings.

config GCC_PLUGIN_STACKLEAK
	bool "Poison kernel stack before returning from syscalls"
	depends on GCC_PLUGINS
	depends on HAVE_ARCH_STACKLEAK
	help
	  This option makes the kernel erase the kernel stack before
	  returning from system calls. This has the effect of leaving
	  the stack initialized to the poison value, which both reduces
	  the lifetime of any sensitive stack contents and reduces
	  potential for uninitialized stack variable exploits or information
	  exposures (it does not cover functions reaching the same stack
	  depth as prior functions during the same syscall). This blocks
	  most uninitialized stack variable attacks, with the performance
	  impact being driven by the depth of the stack usage, rather than
	  the function calling complexity.

	  The performance impact on a single CPU system kernel compilation
	  sees a 1% slowdown, other systems and workloads may vary and you
	  are advised to test this feature on your expected workload before
	  deploying it.

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config STACKLEAK_TRACK_MIN_SIZE
	int "Minimum stack frame size of functions tracked by STACKLEAK"
	default 100
	range 0 4096
	depends on GCC_PLUGIN_STACKLEAK
	help
	  The STACKLEAK gcc plugin instruments the kernel code for tracking
	  the lowest border of the kernel stack (and for some other purposes).
	  It inserts the stackleak_track_stack() call for the functions with
	  a stack frame size greater than or equal to this parameter.
	  If unsure, leave the default value 100.

config STACKLEAK_METRICS
	bool "Show STACKLEAK metrics in the /proc file system"
	depends on GCC_PLUGIN_STACKLEAK
	depends on PROC_FS
	help
	  If this is set, STACKLEAK metrics for every task are available in
	  the /proc file system. In particular, /proc/<pid>/stack_depth
	  shows the maximum kernel stack consumption for the current and
	  previous syscalls. Although this information is not precise, it
	  can be useful for estimating the STACKLEAK performance impact for
	  your workloads.

config STACKLEAK_RUNTIME_DISABLE
	bool "Allow runtime disabling of kernel stack erasing"
	depends on GCC_PLUGIN_STACKLEAK
	help
	  This option provides 'stack_erasing' sysctl, which can be used in
	  runtime to control kernel stack erasing for kernels built with
	  CONFIG_GCC_PLUGIN_STACKLEAK.

config INIT_ON_ALLOC_DEFAULT_ON
	bool "Enable heap memory zeroing on allocation by default"
	help
	  This has the effect of setting "init_on_alloc=1" on the kernel
	  command line. This can be disabled with "init_on_alloc=0".
	  When "init_on_alloc" is enabled, all page allocator and slab
	  allocator memory will be zeroed when allocated, eliminating
	  many kinds of "uninitialized heap memory" flaws, especially
	  heap content exposures. The performance impact varies by
	  workload, but most cases see <1% impact. Some synthetic
	  workloads have measured as high as 7%.

config INIT_ON_FREE_DEFAULT_ON
	bool "Enable heap memory zeroing on free by default"
	help
	  This has the effect of setting "init_on_free=1" on the kernel
	  command line. This can be disabled with "init_on_free=0".
	  Similar to "init_on_alloc", when "init_on_free" is enabled,
	  all page allocator and slab allocator memory will be zeroed
	  when freed, eliminating many kinds of "uninitialized heap memory"
	  flaws, especially heap content exposures. The primary difference
	  with "init_on_free" is that data lifetime in memory is reduced,
	  as anything freed is wiped immediately, making live forensics or
	  cold boot memory attacks unable to recover freed memory contents.
	  The performance impact varies by workload, but is more expensive
	  than "init_on_alloc" due to the negative cache effects of
	  touching "cold" memory areas. Most cases see 3-5% impact. Some
	  synthetic workloads have measured as high as 8%.

endmenu

endmenu
```
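An added example, not code from the kernel tree: a POSIX shell audit that reads a kernel `.config` and a kernel command line and reports which of the options above are actually in effect. It ranks the stack-initialization choice in the order the `choice` block lists it and applies the override rule from the `INIT_ON_*_DEFAULT_ON` help text (a command-line `init_on_alloc=`/`init_on_free=` beats the build default). The `.config` fragment and command line are constructed for the demo; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not kernel code: audit the memory-initialization hardening
# described above from a .config file and a kernel command line string.

# Effective init_on_alloc / init_on_free: CONFIG_INIT_ON_<X>_DEFAULT_ON sets the
# default and any "init_on_<x>=<n>" on the command line overrides it (last wins).
# Usage: effective_init_on <alloc|free> <config-file> <cmdline-string>
effective_init_on() {
    what=$1; cfg=$2; cmdline=$3
    upper=$(echo "$what" | tr a-z A-Z)
    if grep -q "^CONFIG_INIT_ON_${upper}_DEFAULT_ON=y$" "$cfg"; then
        val=1
    else
        val=0
    fi
    for tok in $cmdline; do
        case $tok in
            "init_on_$what="*) val=${tok#*=} ;;
        esac
    done
    echo "$val"
}

# Strongest stack-initialization choice enabled in the .config, ranked in the
# order the Kconfig choice above lists them (strongest first).
stack_init_level() {
    cfg=$1
    for opt in INIT_STACK_ALL_ZERO INIT_STACK_ALL_PATTERN \
               GCC_PLUGIN_STRUCTLEAK_BYREF_ALL GCC_PLUGIN_STRUCTLEAK_BYREF \
               GCC_PLUGIN_STRUCTLEAK_USER; do
        if grep -q "^CONFIG_${opt}=y$" "$cfg"; then
            echo "$opt"
            return 0
        fi
    done
    echo INIT_STACK_NONE
}

# Constructed sample inputs for the demo (not taken from a real system).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_INIT_STACK_ALL_ZERO=y
CONFIG_GCC_PLUGIN_STACKLEAK=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
EOF
SAMPLE_CMDLINE="root=/dev/vda1 ro init_on_alloc=0 init_on_free=1 quiet"
echo "stack init: $(stack_init_level "$SAMPLE_CFG")"
echo "init_on_alloc=$(effective_init_on alloc "$SAMPLE_CFG" "$SAMPLE_CMDLINE") init_on_free=$(effective_init_on free "$SAMPLE_CFG" "$SAMPLE_CMDLINE")"
```

On a live machine the same functions can be pointed at `/boot/config-$(uname -r)` and `$(cat /proc/cmdline)`; note that `init_on_free` only helps the data-lifetime goal described above when it is `1` in the effective state, not merely in the build default.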