Thomas Gleixner | ec8f24b | 2019-05-19 13:07:45 +0100 | [diff] [blame] | 1 | # SPDX-License-Identifier: GPL-2.0-only |
Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 2 | menu "Kernel hardening options" |
| 3 | |
| 4 | config GCC_PLUGIN_STRUCTLEAK |
| 5 | bool |
| 6 | help |
| 7 | While the kernel is built with warnings enabled for any missed |
| 8 | stack variable initializations, this warning is silenced for |
| 9 | anything passed by reference to another function, under the |
| 10 | occasionally misguided assumption that the function will do |
| 11 | the initialization. As this regularly leads to exploitable |
| 12 | flaws, this plugin is available to identify and zero-initialize |
| 13 | such variables, depending on the chosen level of coverage. |
| 14 | |
| 15 | This plugin was originally ported from grsecurity/PaX. More |
| 16 | information at: |
| 17 | * https://grsecurity.net/ |
| 18 | * https://pax.grsecurity.net/ |
| 19 | |
| 20 | menu "Memory initialization" |
| 21 | |
glider@google.com | f0fe00d | 2020-06-16 10:34:35 +0200 | [diff] [blame] | 22 | config CC_HAS_AUTO_VAR_INIT_PATTERN |
Kees Cook | 709a972 | 2019-04-10 08:48:31 -0700 | [diff] [blame] | 23 | def_bool $(cc-option,-ftrivial-auto-var-init=pattern) |
| 24 | |
glider@google.com | f0fe00d | 2020-06-16 10:34:35 +0200 | [diff] [blame] | 25 | config CC_HAS_AUTO_VAR_INIT_ZERO |
| 26 | def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang) |
| 27 | |
Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 28 | choice |
| 29 | prompt "Initialize kernel stack variables at function entry" |
| 30 | default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS |
glider@google.com | f0fe00d | 2020-06-16 10:34:35 +0200 | [diff] [blame] | 31 | default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN |
Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 32 | default INIT_STACK_NONE |
| 33 | help |
| 34 | This option enables initialization of stack variables at |
| 35 | function entry time. This has the possibility to have the |
| 36 | greatest coverage (since all functions can have their |
| 37 | variables initialized), but the performance impact depends |
| 38 | on the function calling complexity of a given workload's |
| 39 | syscalls. |
| 40 | |
| 41 | This chooses the level of coverage over classes of potentially |
| 42 | uninitialized variables. The selected class will be |
| 43 | initialized before use in a function. |
| 44 | |
| 45 | config INIT_STACK_NONE |
| 46 | bool "no automatic initialization (weakest)" |
| 47 | help |
| 48 | Disable automatic stack variable initialization. |
| 49 | This leaves the kernel vulnerable to the standard |
| 50 | classes of uninitialized stack variable exploits |
| 51 | and information exposures. |
| 52 | |
| 53 | config GCC_PLUGIN_STRUCTLEAK_USER |
| 54 | bool "zero-init structs marked for userspace (weak)" |
| 55 | depends on GCC_PLUGINS |
| 56 | select GCC_PLUGIN_STRUCTLEAK |
| 57 | help |
| 58 | Zero-initialize any structures on the stack containing |
| 59 | a __user attribute. This can prevent some classes of |
| 60 | uninitialized stack variable exploits and information |
| 61 | exposures, like CVE-2013-2141: |
| 62 | https://git.kernel.org/linus/b9e146d8eb3b9eca |
| 63 | |
| 64 | config GCC_PLUGIN_STRUCTLEAK_BYREF |
| 65 | bool "zero-init structs passed by reference (strong)" |
| 66 | depends on GCC_PLUGINS |
Arnd Bergmann | 173e6ee | 2019-07-22 13:41:20 +0200 | [diff] [blame] | 67 | depends on !(KASAN && KASAN_STACK=1) |
Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 68 | select GCC_PLUGIN_STRUCTLEAK |
| 69 | help |
| 70 | Zero-initialize any structures on the stack that may |
| 71 | be passed by reference and had not already been |
| 72 | explicitly initialized. This can prevent most classes |
| 73 | of uninitialized stack variable exploits and information |
| 74 | exposures, like CVE-2017-1000410: |
| 75 | https://git.kernel.org/linus/06e7e776ca4d3654 |
| 76 | |
Arnd Bergmann | 173e6ee | 2019-07-22 13:41:20 +0200 | [diff] [blame] | 77 | As a side-effect, this keeps a lot of variables on the |
| 78 | stack that can otherwise be optimized out, so combining |
| 79 | this with CONFIG_KASAN_STACK can lead to a stack overflow |
| 80 | and is disallowed. |
| 81 | |
Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 82 | config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL |
| 83 | bool "zero-init anything passed by reference (very strong)" |
| 84 | depends on GCC_PLUGINS |
Arnd Bergmann | 173e6ee | 2019-07-22 13:41:20 +0200 | [diff] [blame] | 85 | depends on !(KASAN && KASAN_STACK=1) |
Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 86 | select GCC_PLUGIN_STRUCTLEAK |
| 87 | help |
| 88 | Zero-initialize any stack variables that may be passed |
| 89 | by reference and had not already been explicitly |
| 90 | initialized. This is intended to eliminate all classes |
| 91 | of uninitialized stack variable exploits and information |
| 92 | exposures. |
| 93 | |
glider@google.com | f0fe00d | 2020-06-16 10:34:35 +0200 | [diff] [blame] | 94 | config INIT_STACK_ALL_PATTERN |
Kees Cook | 709a972 | 2019-04-10 08:48:31 -0700 | [diff] [blame] | 95 | bool "0xAA-init everything on the stack (strongest)" |
glider@google.com | f0fe00d | 2020-06-16 10:34:35 +0200 | [diff] [blame] | 96 | depends on CC_HAS_AUTO_VAR_INIT_PATTERN |
Kees Cook | 709a972 | 2019-04-10 08:48:31 -0700 | [diff] [blame] | 97 | help |
| 98 | Initializes everything on the stack with a 0xAA |
| 99 | pattern. This is intended to eliminate all classes |
| 100 | of uninitialized stack variable exploits and information |
| 101 | exposures, even variables that were warned to have been |
| 102 | left uninitialized. |
| 103 | |
glider@google.com | f0fe00d | 2020-06-16 10:34:35 +0200 | [diff] [blame] | 104 | Pattern initialization is known to provoke many existing bugs |
| 105 | related to uninitialized locals, e.g. pointers receive |
| 106 | non-NULL values, buffer sizes and indices are very big. |
| 107 | |
| 108 | config INIT_STACK_ALL_ZERO |
| 109 | bool "zero-init everything on the stack (strongest and safest)" |
| 110 | depends on CC_HAS_AUTO_VAR_INIT_ZERO |
| 111 | help |
| 112 | Initializes everything on the stack with a zero |
| 113 | value. This is intended to eliminate all classes |
| 114 | of uninitialized stack variable exploits and information |
| 115 | exposures, even variables that were warned to have been |
| 116 | left uninitialized. |
| 117 | |
| 118 | Zero initialization provides safe defaults for strings, |
| 119 | pointers, indices and sizes, and is therefore |
| 120 | more suitable as a security mitigation measure. |
| 121 | |
Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 122 | endchoice |
| 123 | |
| 124 | config GCC_PLUGIN_STRUCTLEAK_VERBOSE |
| 125 | bool "Report forcefully initialized variables" |
| 126 | depends on GCC_PLUGIN_STRUCTLEAK |
| 127 | depends on !COMPILE_TEST # too noisy |
| 128 | help |
| 129 | This option will cause a warning to be printed each time the |
| 130 | structleak plugin finds a variable it thinks needs to be |
| 131 | initialized. Since not all existing initializers are detected |
| 132 | by the plugin, this can produce false positive warnings. |
| 133 | |
Kees Cook | b6a6a37 | 2019-04-10 09:04:40 -0700 | [diff] [blame] | 134 | config GCC_PLUGIN_STACKLEAK |
| 135 | bool "Poison kernel stack before returning from syscalls" |
| 136 | depends on GCC_PLUGINS |
| 137 | depends on HAVE_ARCH_STACKLEAK |
| 138 | help |
| 139 | This option makes the kernel erase the kernel stack before |
| 140 | returning from system calls. This has the effect of leaving |
| 141 | the stack initialized to the poison value, which both reduces |
| 142 | the lifetime of any sensitive stack contents and reduces |
| 143 | potential for uninitialized stack variable exploits or information |
| 144 | exposures (it does not cover functions reaching the same stack |
| 145 | depth as prior functions during the same syscall). This blocks |
| 146 | most uninitialized stack variable attacks, with the performance |
| 147 | impact being driven by the depth of the stack usage, rather than |
| 148 | the function calling complexity. |
| 149 | |
| 150 | The performance impact on a single CPU system kernel compilation |
| 151 | sees a 1% slowdown, other systems and workloads may vary and you |
| 152 | are advised to test this feature on your expected workload before |
| 153 | deploying it. |
| 154 | |
| 155 | This plugin was ported from grsecurity/PaX. More information at: |
| 156 | * https://grsecurity.net/ |
| 157 | * https://pax.grsecurity.net/ |
| 158 | |
| 159 | config STACKLEAK_TRACK_MIN_SIZE |
| 160 | int "Minimum stack frame size of functions tracked by STACKLEAK" |
| 161 | default 100 |
| 162 | range 0 4096 |
| 163 | depends on GCC_PLUGIN_STACKLEAK |
| 164 | help |
| 165 | The STACKLEAK gcc plugin instruments the kernel code for tracking |
| 166 | the lowest border of the kernel stack (and for some other purposes). |
| 167 | It inserts the stackleak_track_stack() call for the functions with |
| 168 | a stack frame size greater than or equal to this parameter. |
| 169 | If unsure, leave the default value 100. |
| 170 | |
| 171 | config STACKLEAK_METRICS |
| 172 | bool "Show STACKLEAK metrics in the /proc file system" |
| 173 | depends on GCC_PLUGIN_STACKLEAK |
| 174 | depends on PROC_FS |
| 175 | help |
| 176 | If this is set, STACKLEAK metrics for every task are available in |
| 177 | the /proc file system. In particular, /proc/<pid>/stack_depth |
| 178 | shows the maximum kernel stack consumption for the current and |
| 179 | previous syscalls. Although this information is not precise, it |
| 180 | can be useful for estimating the STACKLEAK performance impact for |
| 181 | your workloads. |
| 182 | |
| 183 | config STACKLEAK_RUNTIME_DISABLE |
| 184 | bool "Allow runtime disabling of kernel stack erasing" |
| 185 | depends on GCC_PLUGIN_STACKLEAK |
| 186 | help |
| 187 | This option provides 'stack_erasing' sysctl, which can be used in |
| 188 | runtime to control kernel stack erasing for kernels built with |
| 189 | CONFIG_GCC_PLUGIN_STACKLEAK. |
| 190 | |
Alexander Potapenko | 6471384 | 2019-07-11 20:59:19 -0700 | [diff] [blame] | 191 | config INIT_ON_ALLOC_DEFAULT_ON |
| 192 | bool "Enable heap memory zeroing on allocation by default" |
| 193 | help |
| 194 | This has the effect of setting "init_on_alloc=1" on the kernel |
| 195 | command line. This can be disabled with "init_on_alloc=0". |
| 196 | When "init_on_alloc" is enabled, all page allocator and slab |
| 197 | allocator memory will be zeroed when allocated, eliminating |
| 198 | many kinds of "uninitialized heap memory" flaws, especially |
| 199 | heap content exposures. The performance impact varies by |
| 200 | workload, but most cases see <1% impact. Some synthetic |
| 201 | workloads have measured as high as 7%. |
| 202 | |
| 203 | config INIT_ON_FREE_DEFAULT_ON |
| 204 | bool "Enable heap memory zeroing on free by default" |
| 205 | help |
| 206 | This has the effect of setting "init_on_free=1" on the kernel |
| 207 | command line. This can be disabled with "init_on_free=0". |
| 208 | Similar to "init_on_alloc", when "init_on_free" is enabled, |
| 209 | all page allocator and slab allocator memory will be zeroed |
| 210 | when freed, eliminating many kinds of "uninitialized heap memory" |
| 211 | flaws, especially heap content exposures. The primary difference |
| 212 | with "init_on_free" is that data lifetime in memory is reduced, |
| 213 | as anything freed is wiped immediately, making live forensics or |
| 214 | cold boot memory attacks unable to recover freed memory contents. |
| 215 | The performance impact varies by workload, but is more expensive |
| 216 | than "init_on_alloc" due to the negative cache effects of |
| 217 | touching "cold" memory areas. Most cases see 3-5% impact. Some |
| 218 | synthetic workloads have measured as high as 8%. |
| 219 | |
Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 220 | endmenu |
| 221 | |
| 222 | endmenu |