Commit | Line | Data |
---|---|---|
9f671e58 KC |
1 | menu "Kernel hardening options" |
2 | ||
3 | config GCC_PLUGIN_STRUCTLEAK | |
4 | bool | |
5 | help | |
6 | While the kernel is built with warnings enabled for any missed | |
7 | stack variable initializations, this warning is silenced for | |
8 | anything passed by reference to another function, under the | |
9 | occasionally misguided assumption that the function will do | |
10 | the initialization. As this regularly leads to exploitable | |
11 | flaws, this plugin is available to identify and zero-initialize | |
12 | such variables, depending on the chosen level of coverage. | |
13 | ||
14 | This plugin was originally ported from grsecurity/PaX. More | |
15 | information at: | |
16 | * https://grsecurity.net/ | |
17 | * https://pax.grsecurity.net/ | |
18 | ||
19 | menu "Memory initialization" | |
20 | ||
21 | choice | |
22 | prompt "Initialize kernel stack variables at function entry" | |
23 | default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS | |
24 | default INIT_STACK_NONE | |
25 | help | |
26 | This option enables initialization of stack variables at | |
27 | function entry time. This has the possibility to have the | |
28 | greatest coverage (since all functions can have their | |
29 | variables initialized), but the performance impact depends | |
30 | on the function calling complexity of a given workload's | |
31 | syscalls. | |
32 | ||
33 | This chooses the level of coverage over classes of potentially | |
34 | uninitialized variables. The selected class will be | |
35 | initialized before use in a function. | |
36 | ||
37 | config INIT_STACK_NONE | |
38 | bool "no automatic initialization (weakest)" | |
39 | help | |
40 | Disable automatic stack variable initialization. | |
41 | This leaves the kernel vulnerable to the standard | |
42 | classes of uninitialized stack variable exploits | |
43 | and information exposures. | |
44 | ||
45 | config GCC_PLUGIN_STRUCTLEAK_USER | |
46 | bool "zero-init structs marked for userspace (weak)" | |
47 | depends on GCC_PLUGINS | |
48 | select GCC_PLUGIN_STRUCTLEAK | |
49 | help | |
50 | Zero-initialize any structures on the stack containing | |
51 | a __user attribute. This can prevent some classes of | |
52 | uninitialized stack variable exploits and information | |
53 | exposures, like CVE-2013-2141: | |
54 | https://git.kernel.org/linus/b9e146d8eb3b9eca | |
55 | ||
56 | config GCC_PLUGIN_STRUCTLEAK_BYREF | |
57 | bool "zero-init structs passed by reference (strong)" | |
58 | depends on GCC_PLUGINS | |
59 | select GCC_PLUGIN_STRUCTLEAK | |
60 | help | |
61 | Zero-initialize any structures on the stack that may | |
62 | be passed by reference and had not already been | |
63 | explicitly initialized. This can prevent most classes | |
64 | of uninitialized stack variable exploits and information | |
65 | exposures, like CVE-2017-1000410: | |
66 | https://git.kernel.org/linus/06e7e776ca4d3654 | |
67 | ||
68 | config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | |
69 | bool "zero-init anything passed by reference (very strong)" | |
70 | depends on GCC_PLUGINS | |
71 | select GCC_PLUGIN_STRUCTLEAK | |
72 | help | |
73 | Zero-initialize any stack variables that may be passed | |
74 | by reference and had not already been explicitly | |
75 | initialized. This is intended to eliminate all classes | |
76 | of uninitialized stack variable exploits and information | |
77 | exposures. | |
78 | ||
79 | endchoice | |
80 | ||
81 | config GCC_PLUGIN_STRUCTLEAK_VERBOSE | |
82 | bool "Report forcefully initialized variables" | |
83 | depends on GCC_PLUGIN_STRUCTLEAK | |
84 | depends on !COMPILE_TEST # too noisy | |
85 | help | |
86 | This option will cause a warning to be printed each time the | |
87 | structleak plugin finds a variable it thinks needs to be | |
88 | initialized. Since not all existing initializers are detected | |
89 | by the plugin, this can produce false positive warnings. | |
90 | ||
b6a6a377 KC |
91 | config GCC_PLUGIN_STACKLEAK |
92 | bool "Poison kernel stack before returning from syscalls" | |
93 | depends on GCC_PLUGINS | |
94 | depends on HAVE_ARCH_STACKLEAK | |
95 | help | |
96 | This option makes the kernel erase the kernel stack before | |
97 | returning from system calls. This has the effect of leaving | |
98 | the stack initialized to the poison value, which both reduces | |
99 | the lifetime of any sensitive stack contents and reduces | |
100 | potential for uninitialized stack variable exploits or information | |
101 | exposures (it does not cover functions reaching the same stack | |
102 | depth as prior functions during the same syscall). This blocks | |
103 | most uninitialized stack variable attacks, with the performance | |
104 | impact being driven by the depth of the stack usage, rather than | |
105 | the function calling complexity. | |
106 | ||
107 | The performance impact on a single CPU system kernel compilation | |
108 | sees a 1% slowdown, other systems and workloads may vary and you | |
109 | are advised to test this feature on your expected workload before | |
110 | deploying it. | |
111 | ||
112 | This plugin was ported from grsecurity/PaX. More information at: | |
113 | * https://grsecurity.net/ | |
114 | * https://pax.grsecurity.net/ | |
115 | ||
116 | config STACKLEAK_TRACK_MIN_SIZE | |
117 | int "Minimum stack frame size of functions tracked by STACKLEAK" | |
118 | default 100 | |
119 | range 0 4096 | |
120 | depends on GCC_PLUGIN_STACKLEAK | |
121 | help | |
122 | The STACKLEAK gcc plugin instruments the kernel code for tracking | |
123 | the lowest border of the kernel stack (and for some other purposes). | |
124 | It inserts the stackleak_track_stack() call for the functions with | |
125 | a stack frame size greater than or equal to this parameter. | |
126 | If unsure, leave the default value 100. | |
127 | ||
128 | config STACKLEAK_METRICS | |
129 | bool "Show STACKLEAK metrics in the /proc file system" | |
130 | depends on GCC_PLUGIN_STACKLEAK | |
131 | depends on PROC_FS | |
132 | help | |
133 | If this is set, STACKLEAK metrics for every task are available in | |
134 | the /proc file system. In particular, /proc/<pid>/stack_depth | |
135 | shows the maximum kernel stack consumption for the current and | |
136 | previous syscalls. Although this information is not precise, it | |
137 | can be useful for estimating the STACKLEAK performance impact for | |
138 | your workloads. | |
139 | ||
140 | config STACKLEAK_RUNTIME_DISABLE | |
141 | bool "Allow runtime disabling of kernel stack erasing" | |
142 | depends on GCC_PLUGIN_STACKLEAK | |
143 | help | |
144 | This option provides 'stack_erasing' sysctl, which can be used in | |
145 | runtime to control kernel stack erasing for kernels built with | |
146 | CONFIG_GCC_PLUGIN_STACKLEAK. | |
147 | ||
9f671e58 KC |
148 | endmenu |
149 | ||
150 | endmenu |