| Alexander Potapenko | e0c6791 | 2019-05-29 16:55:48 +0200 | [diff] [blame] | 1 | # SPDX-License-Identifier: GPL-2.0-only |
| 2 | menu "Kernel hardening options" |
| 3 | |
| 4 | config GCC_PLUGIN_STRUCTLEAK |
| 5 | bool "Force initialization of variables containing userspace addresses" |
| Alexander Potapenko | e0c6791 | 2019-05-29 16:55:48 +0200 | [diff] [blame] | 6 | help |
| 7 | This plugin zero-initializes any structures containing a |
| 8 | __user attribute. This can prevent some classes of information |
| 9 | exposures. |
| 10 | |
| 11 | This plugin was ported from grsecurity/PaX. More information at: |
| 12 | * https://grsecurity.net/ |
| 13 | * https://pax.grsecurity.net/ |
| 14 | |
| 15 | menu "Memory initialization" |
| 16 | |
| Kees Cook | 90169c0 | 2019-04-10 08:48:31 -0700 | [diff] [blame] | 17 | config CC_HAS_AUTO_VAR_INIT |
| 18 | def_bool $(cc-option,-ftrivial-auto-var-init=pattern) |
| 19 | |
| Alexander Potapenko | e0c6791 | 2019-05-29 16:55:48 +0200 | [diff] [blame] | 20 | choice |
| 21 | prompt "Initialize kernel stack variables at function entry" |
| 22 | default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS |
| Kees Cook | 90169c0 | 2019-04-10 08:48:31 -0700 | [diff] [blame] | 23 | default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT |
| Alexander Potapenko | e0c6791 | 2019-05-29 16:55:48 +0200 | [diff] [blame] | 24 | default INIT_STACK_NONE |
| 25 | help |
| 26 | This option enables initialization of stack variables at |
| 27 | function entry time. This has the possibility to have the |
| 28 | greatest coverage (since all functions can have their |
| 29 | variables initialized), but the performance impact depends |
| 30 | on the function calling complexity of a given workload's |
| 31 | syscalls. |
| 32 | |
| 33 | This chooses the level of coverage over classes of potentially |
| 34 | uninitialized variables. The selected class will be |
| 35 | initialized before use in a function. |
| 36 | |
| 37 | config INIT_STACK_NONE |
| 38 | bool "no automatic initialization (weakest)" |
| 39 | help |
| 40 | Disable automatic stack variable initialization. |
| 41 | This leaves the kernel vulnerable to the standard |
| 42 | classes of uninitialized stack variable exploits |
| 43 | and information exposures. |
| 44 | |
| 45 | config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL |
| 46 | bool "Force initialize all struct type variables passed by reference" |
| 47 | depends on GCC_PLUGIN_STRUCTLEAK |
| 48 | depends on !COMPILE_TEST |
| 49 | help |
| 50 | Zero initialize any struct type local variable that may |
| 51 | be passed by reference without having been initialized. |
| 52 | |
| Kees Cook | 90169c0 | 2019-04-10 08:48:31 -0700 | [diff] [blame] | 53 | config INIT_STACK_ALL |
| 54 | bool "0xAA-init everything on the stack (strongest)" |
| 55 | depends on CC_HAS_AUTO_VAR_INIT |
| 56 | help |
| 57 | Initializes everything on the stack with a 0xAA |
| 58 | pattern. This is intended to eliminate all classes |
| 59 | of uninitialized stack variable exploits and information |
| 60 | exposures, even variables that were warned to have been |
| 61 | left uninitialized. |
| 62 | |
| Alexander Potapenko | e0c6791 | 2019-05-29 16:55:48 +0200 | [diff] [blame] | 63 | endchoice |
| 64 | |
| 65 | config GCC_PLUGIN_STRUCTLEAK_VERBOSE |
| 66 | bool "Report forcefully initialized variables" |
| 67 | depends on GCC_PLUGIN_STRUCTLEAK |
| 68 | depends on !COMPILE_TEST # too noisy |
| 69 | help |
| 70 | This option will cause a warning to be printed each time the |
| 71 | structleak plugin finds a variable it thinks needs to be |
| 72 | initialized. Since not all existing initializers are detected |
| 73 | by the plugin, this can produce false positive warnings. |
| 74 | |
| Alexander Potapenko | a5587d8 | 2019-07-11 20:59:19 -0700 | [diff] [blame] | 75 | config INIT_ON_ALLOC_DEFAULT_ON |
| 76 | bool "Enable heap memory zeroing on allocation by default" |
| 77 | help |
| 78 | This has the effect of setting "init_on_alloc=1" on the kernel |
| 79 | command line. This can be disabled with "init_on_alloc=0". |
| 80 | When "init_on_alloc" is enabled, all page allocator and slab |
| 81 | allocator memory will be zeroed when allocated, eliminating |
| 82 | many kinds of "uninitialized heap memory" flaws, especially |
| 83 | heap content exposures. The performance impact varies by |
| 84 | workload, but most cases see <1% impact. Some synthetic |
| 85 | workloads have measured as high as 7%. |
| 86 | |
| 87 | config INIT_ON_FREE_DEFAULT_ON |
| 88 | bool "Enable heap memory zeroing on free by default" |
| 89 | help |
| 90 | This has the effect of setting "init_on_free=1" on the kernel |
| 91 | command line. This can be disabled with "init_on_free=0". |
| 92 | Similar to "init_on_alloc", when "init_on_free" is enabled, |
| 93 | all page allocator and slab allocator memory will be zeroed |
| 94 | when freed, eliminating many kinds of "uninitialized heap memory" |
| 95 | flaws, especially heap content exposures. The primary difference |
| 96 | with "init_on_free" is that data lifetime in memory is reduced, |
| 97 | as anything freed is wiped immediately, making live forensics or |
| 98 | cold boot memory attacks unable to recover freed memory contents. |
| 99 | The performance impact varies by workload, but is more expensive |
| 100 | than "init_on_alloc" due to the negative cache effects of |
| 101 | touching "cold" memory areas. Most cases see 3-5% impact. Some |
| 102 | synthetic workloads have measured as high as 8%. |
| 103 | |
| Alexander Potapenko | e0c6791 | 2019-05-29 16:55:48 +0200 | [diff] [blame] | 104 | endmenu |
| 105 | |
| 106 | endmenu |