libnvdimm/altmap: Track namespace boundaries in altmap

[linux-2.6-block.git] / security / Kconfig.hardening

diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index c6cb2d9b29059ff004391f7d43e155b0c91b03df..af4c979b38eedb80411654f140a11f6312861dc2 100644 (file)
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -61,6 +61,7 @@ choice
        config GCC_PLUGIN_STRUCTLEAK_BYREF
                bool "zero-init structs passed by reference (strong)"
                depends on GCC_PLUGINS
+               depends on !(KASAN && KASAN_STACK=1)
                select GCC_PLUGIN_STRUCTLEAK
                help
                  Zero-initialize any structures on the stack that may
@@ -70,9 +71,15 @@ choice
                  exposures, like CVE-2017-1000410:
                  https://git.kernel.org/linus/06e7e776ca4d3654
 
+                 As a side-effect, this keeps a lot of variables on the
+                 stack that can otherwise be optimized out, so combining
+                 this with CONFIG_KASAN_STACK can lead to a stack overflow
+                 and is disallowed.
+
        config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
                bool "zero-init anything passed by reference (very strong)"
                depends on GCC_PLUGINS
+               depends on !(KASAN && KASAN_STACK=1)
                select GCC_PLUGIN_STRUCTLEAK
                help
                  Zero-initialize any stack variables that may be passed
@@ -160,6 +167,35 @@ config STACKLEAK_RUNTIME_DISABLE
          runtime to control kernel stack erasing for kernels built with
          CONFIG_GCC_PLUGIN_STACKLEAK.
 
+config INIT_ON_ALLOC_DEFAULT_ON
+       bool "Enable heap memory zeroing on allocation by default"
+       help
+         This has the effect of setting "init_on_alloc=1" on the kernel
+         command line. This can be disabled with "init_on_alloc=0".
+         When "init_on_alloc" is enabled, all page allocator and slab
+         allocator memory will be zeroed when allocated, eliminating
+         many kinds of "uninitialized heap memory" flaws, especially
+         heap content exposures. The performance impact varies by
+         workload, but most cases see <1% impact. Some synthetic
+         workloads have measured as high as 7%.
+
+config INIT_ON_FREE_DEFAULT_ON
+       bool "Enable heap memory zeroing on free by default"
+       help
+         This has the effect of setting "init_on_free=1" on the kernel
+         command line. This can be disabled with "init_on_free=0".
+         Similar to "init_on_alloc", when "init_on_free" is enabled,
+         all page allocator and slab allocator memory will be zeroed
+         when freed, eliminating many kinds of "uninitialized heap memory"
+         flaws, especially heap content exposures. The primary difference
+         with "init_on_free" is that data lifetime in memory is reduced,
+         as anything freed is wiped immediately, making live forensics or
+         cold boot memory attacks unable to recover freed memory contents.
+         The performance impact varies by workload, but is more expensive
+         than "init_on_alloc" due to the negative cache effects of
+         touching "cold" memory areas. Most cases see 3-5% impact. Some
+         synthetic workloads have measured as high as 8%.
+
 endmenu
 
 endmenu