security/Kconfig.hardening - kernel/msm-4.19 - Gitiles

 # SPDX-License-Identifier: GPL-2.0-only
 menu "Kernel hardening options"

 config GCC_PLUGIN_STRUCTLEAK
 	bool "Force initialization of variables containing userspace addresses"
 	help
 	  This plugin zero-initializes any structures containing a
 	  __user attribute. This can prevent some classes of information
 	  exposures.

 	  This plugin was ported from grsecurity/PaX. More information at:
 	   * https://grsecurity.net/
 	   * https://pax.grsecurity.net/

 menu "Memory initialization"

 config CC_HAS_AUTO_VAR_INIT
 	def_bool $(cc-option,-ftrivial-auto-var-init=pattern)

 choice
 	prompt "Initialize kernel stack variables at function entry"
 	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
 	default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT
 	default INIT_STACK_NONE
 	help
 	  This option enables initialization of stack variables at
 	  function entry time. This has the possibility to have the
 	  greatest coverage (since all functions can have their
 	  variables initialized), but the performance impact depends
 	  on the function calling complexity of a given workload's
 	  syscalls.

 	  This chooses the level of coverage over classes of potentially
 	  uninitialized variables. The selected class will be
 	  initialized before use in a function.

 	config INIT_STACK_NONE
 		bool "no automatic initialization (weakest)"
 		help
 		  Disable automatic stack variable initialization.
 		  This leaves the kernel vulnerable to the standard
 		  classes of uninitialized stack variable exploits
 		  and information exposures.

 	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
 		bool "Force initialize all struct type variables passed by reference"
 		depends on GCC_PLUGIN_STRUCTLEAK
 		depends on !COMPILE_TEST
 		help
 		  Zero initialize any struct type local variable that may
 		  be passed by reference without having been initialized.

 	config INIT_STACK_ALL
 		bool "0xAA-init everything on the stack (strongest)"
 		depends on CC_HAS_AUTO_VAR_INIT
 		help
 		  Initializes everything on the stack with a 0xAA
 		  pattern. This is intended to eliminate all classes
 		  of uninitialized stack variable exploits and information
 		  exposures, even variables that were warned to have been
 		  left uninitialized.

 endchoice

 config GCC_PLUGIN_STRUCTLEAK_VERBOSE
 	bool "Report forcefully initialized variables"
 	depends on GCC_PLUGIN_STRUCTLEAK
 	depends on !COMPILE_TEST	# too noisy
 	help
 	  This option will cause a warning to be printed each time the
 	  structleak plugin finds a variable it thinks needs to be
 	  initialized. Since not all existing initializers are detected
 	  by the plugin, this can produce false positive warnings.

 config INIT_ON_ALLOC_DEFAULT_ON
 	bool "Enable heap memory zeroing on allocation by default"
 	help
 	  This has the effect of setting "init_on_alloc=1" on the kernel
 	  command line. This can be disabled with "init_on_alloc=0".
 	  When "init_on_alloc" is enabled, all page allocator and slab
 	  allocator memory will be zeroed when allocated, eliminating
 	  many kinds of "uninitialized heap memory" flaws, especially
 	  heap content exposures. The performance impact varies by
 	  workload, but most cases see <1% impact. Some synthetic
 	  workloads have measured as high as 7%.

 config INIT_ON_FREE_DEFAULT_ON
 	bool "Enable heap memory zeroing on free by default"
 	help
 	  This has the effect of setting "init_on_free=1" on the kernel
 	  command line. This can be disabled with "init_on_free=0".
 	  Similar to "init_on_alloc", when "init_on_free" is enabled,
 	  all page allocator and slab allocator memory will be zeroed
 	  when freed, eliminating many kinds of "uninitialized heap memory"
 	  flaws, especially heap content exposures. The primary difference
 	  with "init_on_free" is that data lifetime in memory is reduced,
 	  as anything freed is wiped immediately, making live forensics or
 	  cold boot memory attacks unable to recover freed memory contents.
 	  The performance impact varies by workload, but is more expensive
 	  than "init_on_alloc" due to the negative cache effects of
 	  touching "cold" memory areas. Most cases see 3-5% impact. Some
 	  synthetic workloads have measured as high as 8%.

 endmenu

 endmenu
	# SPDX-License-Identifier: GPL-2.0-only
	menu "Kernel hardening options"

	config GCC_PLUGIN_STRUCTLEAK
	bool "Force initialization of variables containing userspace addresses"
	help
	This plugin zero-initializes any structures containing a
	__user attribute. This can prevent some classes of information
	exposures.

	This plugin was ported from grsecurity/PaX. More information at:
	* https://grsecurity.net/
	* https://pax.grsecurity.net/

	menu "Memory initialization"

	config CC_HAS_AUTO_VAR_INIT
	def_bool $(cc-option,-ftrivial-auto-var-init=pattern)

	choice
	prompt "Initialize kernel stack variables at function entry"
	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
	default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT
	default INIT_STACK_NONE
	help
	This option enables initialization of stack variables at
	function entry time. This has the possibility to have the
	greatest coverage (since all functions can have their
	variables initialized), but the performance impact depends
	on the function calling complexity of a given workload's
	syscalls.

	This chooses the level of coverage over classes of potentially
	uninitialized variables. The selected class will be
	initialized before use in a function.

	config INIT_STACK_NONE
	bool "no automatic initialization (weakest)"
	help
	Disable automatic stack variable initialization.
	This leaves the kernel vulnerable to the standard
	classes of uninitialized stack variable exploits
	and information exposures.

	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
	bool "Force initialize all struct type variables passed by reference"
	depends on GCC_PLUGIN_STRUCTLEAK
	depends on !COMPILE_TEST
	help
	Zero initialize any struct type local variable that may
	be passed by reference without having been initialized.

	config INIT_STACK_ALL
	bool "0xAA-init everything on the stack (strongest)"
	depends on CC_HAS_AUTO_VAR_INIT
	help
	Initializes everything on the stack with a 0xAA
	pattern. This is intended to eliminate all classes
	of uninitialized stack variable exploits and information
	exposures, even variables that were warned to have been
	left uninitialized.

	endchoice

	config GCC_PLUGIN_STRUCTLEAK_VERBOSE
	bool "Report forcefully initialized variables"
	depends on GCC_PLUGIN_STRUCTLEAK
	depends on !COMPILE_TEST # too noisy
	help
	This option will cause a warning to be printed each time the
	structleak plugin finds a variable it thinks needs to be
	initialized. Since not all existing initializers are detected
	by the plugin, this can produce false positive warnings.

	config INIT_ON_ALLOC_DEFAULT_ON
	bool "Enable heap memory zeroing on allocation by default"
	help
	This has the effect of setting "init_on_alloc=1" on the kernel
	command line. This can be disabled with "init_on_alloc=0".
	When "init_on_alloc" is enabled, all page allocator and slab
	allocator memory will be zeroed when allocated, eliminating
	many kinds of "uninitialized heap memory" flaws, especially
	heap content exposures. The performance impact varies by
	workload, but most cases see <1% impact. Some synthetic
	workloads have measured as high as 7%.

	config INIT_ON_FREE_DEFAULT_ON
	bool "Enable heap memory zeroing on free by default"
	help
	This has the effect of setting "init_on_free=1" on the kernel
	command line. This can be disabled with "init_on_free=0".
	Similar to "init_on_alloc", when "init_on_free" is enabled,
	all page allocator and slab allocator memory will be zeroed
	when freed, eliminating many kinds of "uninitialized heap memory"
	flaws, especially heap content exposures. The primary difference
	with "init_on_free" is that data lifetime in memory is reduced,
	as anything freed is wiped immediately, making live forensics or
	cold boot memory attacks unable to recover freed memory contents.
	The performance impact varies by workload, but is more expensive
	than "init_on_alloc" due to the negative cache effects of
	touching "cold" memory areas. Most cases see 3-5% impact. Some
	synthetic workloads have measured as high as 8%.

	endmenu

	endmenu