| Thomas Gleixner | ec8f24b | 2019-05-19 13:07:45 +0100 | [diff] [blame] | 1 | # SPDX-License-Identifier: GPL-2.0-only |
| Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 2 | menu "Kernel hardening options" |
| 3 | |
| 4 | config GCC_PLUGIN_STRUCTLEAK |
| 5 | bool |
| 6 | help |
| 7 | While the kernel is built with warnings enabled for any missed |
| 8 | stack variable initializations, this warning is silenced for |
| 9 | anything passed by reference to another function, under the |
| 10 | occasionally misguided assumption that the function will do |
| 11 | the initialization. As this regularly leads to exploitable |
| 12 | flaws, this plugin is available to identify and zero-initialize |
| 13 | such variables, depending on the chosen level of coverage. |
| 14 | |
| 15 | This plugin was originally ported from grsecurity/PaX. More |
| 16 | information at: |
| 17 | * https://grsecurity.net/ |
| 18 | * https://pax.grsecurity.net/ |
| 19 | |
| 20 | menu "Memory initialization" |
| 21 | |
| Kees Cook | 709a972 | 2019-04-10 08:48:31 -0700 | [diff] [blame] | 22 | config CC_HAS_AUTO_VAR_INIT |
| 23 | def_bool $(cc-option,-ftrivial-auto-var-init=pattern) |
| 24 | |
| Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 25 | choice |
| 26 | prompt "Initialize kernel stack variables at function entry" |
| 27 | default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS |
| Kees Cook | 709a972 | 2019-04-10 08:48:31 -0700 | [diff] [blame] | 28 | default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT |
| Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 29 | default INIT_STACK_NONE |
| 30 | help |
| 31 | This option enables initialization of stack variables at |
| 32 | function entry time. This has the possibility to have the |
| 33 | greatest coverage (since all functions can have their |
| 34 | variables initialized), but the performance impact depends |
| 35 | on the function calling complexity of a given workload's |
| 36 | syscalls. |
| 37 | |
| 38 | This chooses the level of coverage over classes of potentially |
| 39 | uninitialized variables. The selected class will be |
| 40 | initialized before use in a function. |
| 41 | |
| 42 | config INIT_STACK_NONE |
| 43 | bool "no automatic initialization (weakest)" |
| 44 | help |
| 45 | Disable automatic stack variable initialization. |
| 46 | This leaves the kernel vulnerable to the standard |
| 47 | classes of uninitialized stack variable exploits |
| 48 | and information exposures. |
| 49 | |
| 50 | config GCC_PLUGIN_STRUCTLEAK_USER |
| 51 | bool "zero-init structs marked for userspace (weak)" |
| 52 | depends on GCC_PLUGINS |
| 53 | select GCC_PLUGIN_STRUCTLEAK |
| 54 | help |
| 55 | Zero-initialize any structures on the stack containing |
| 56 | a __user attribute. This can prevent some classes of |
| 57 | uninitialized stack variable exploits and information |
| 58 | exposures, like CVE-2013-2141: |
| 59 | https://git.kernel.org/linus/b9e146d8eb3b9eca |
| 60 | |
| 61 | config GCC_PLUGIN_STRUCTLEAK_BYREF |
| 62 | bool "zero-init structs passed by reference (strong)" |
| 63 | depends on GCC_PLUGINS |
| 64 | select GCC_PLUGIN_STRUCTLEAK |
| 65 | help |
| 66 | Zero-initialize any structures on the stack that may |
| 67 | be passed by reference and had not already been |
| 68 | explicitly initialized. This can prevent most classes |
| 69 | of uninitialized stack variable exploits and information |
| 70 | exposures, like CVE-2017-1000410: |
| 71 | https://git.kernel.org/linus/06e7e776ca4d3654 |
| 72 | |
| 73 | config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL |
| 74 | bool "zero-init anything passed by reference (very strong)" |
| 75 | depends on GCC_PLUGINS |
| 76 | select GCC_PLUGIN_STRUCTLEAK |
| 77 | help |
| 78 | Zero-initialize any stack variables that may be passed |
| 79 | by reference and had not already been explicitly |
| 80 | initialized. This is intended to eliminate all classes |
| 81 | of uninitialized stack variable exploits and information |
| 82 | exposures. |
| 83 | |
| Kees Cook | 709a972 | 2019-04-10 08:48:31 -0700 | [diff] [blame] | 84 | config INIT_STACK_ALL |
| 85 | bool "0xAA-init everything on the stack (strongest)" |
| 86 | depends on CC_HAS_AUTO_VAR_INIT |
| 87 | help |
| 88 | Initializes everything on the stack with a 0xAA |
| 89 | pattern. This is intended to eliminate all classes |
| 90 | of uninitialized stack variable exploits and information |
| 91 | exposures, even variables that were warned to have been |
| 92 | left uninitialized. |
| 93 | |
| Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 94 | endchoice |
| 95 | |
| 96 | config GCC_PLUGIN_STRUCTLEAK_VERBOSE |
| 97 | bool "Report forcefully initialized variables" |
| 98 | depends on GCC_PLUGIN_STRUCTLEAK |
| 99 | depends on !COMPILE_TEST # too noisy |
| 100 | help |
| 101 | This option will cause a warning to be printed each time the |
| 102 | structleak plugin finds a variable it thinks needs to be |
| 103 | initialized. Since not all existing initializers are detected |
| 104 | by the plugin, this can produce false positive warnings. |
| 105 | |
| Kees Cook | b6a6a37 | 2019-04-10 09:04:40 -0700 | [diff] [blame] | 106 | config GCC_PLUGIN_STACKLEAK |
| 107 | bool "Poison kernel stack before returning from syscalls" |
| 108 | depends on GCC_PLUGINS |
| 109 | depends on HAVE_ARCH_STACKLEAK |
| 110 | help |
| 111 | This option makes the kernel erase the kernel stack before |
| 112 | returning from system calls. This has the effect of leaving |
| 113 | the stack initialized to the poison value, which both reduces |
| 114 | the lifetime of any sensitive stack contents and reduces |
| 115 | potential for uninitialized stack variable exploits or information |
| 116 | exposures (it does not cover functions reaching the same stack |
| 117 | depth as prior functions during the same syscall). This blocks |
| 118 | most uninitialized stack variable attacks, with the performance |
| 119 | impact being driven by the depth of the stack usage, rather than |
| 120 | the function calling complexity. |
| 121 | |
| 122 | The performance impact on a single CPU system kernel compilation |
| 123 | sees a 1% slowdown, other systems and workloads may vary and you |
| 124 | are advised to test this feature on your expected workload before |
| 125 | deploying it. |
| 126 | |
| 127 | This plugin was ported from grsecurity/PaX. More information at: |
| 128 | * https://grsecurity.net/ |
| 129 | * https://pax.grsecurity.net/ |
| 130 | |
| 131 | config STACKLEAK_TRACK_MIN_SIZE |
| 132 | int "Minimum stack frame size of functions tracked by STACKLEAK" |
| 133 | default 100 |
| 134 | range 0 4096 |
| 135 | depends on GCC_PLUGIN_STACKLEAK |
| 136 | help |
| 137 | The STACKLEAK gcc plugin instruments the kernel code for tracking |
| 138 | the lowest border of the kernel stack (and for some other purposes). |
| 139 | It inserts the stackleak_track_stack() call for the functions with |
| 140 | a stack frame size greater than or equal to this parameter. |
| 141 | If unsure, leave the default value 100. |
| 142 | |
| 143 | config STACKLEAK_METRICS |
| 144 | bool "Show STACKLEAK metrics in the /proc file system" |
| 145 | depends on GCC_PLUGIN_STACKLEAK |
| 146 | depends on PROC_FS |
| 147 | help |
| 148 | If this is set, STACKLEAK metrics for every task are available in |
| 149 | the /proc file system. In particular, /proc/<pid>/stack_depth |
| 150 | shows the maximum kernel stack consumption for the current and |
| 151 | previous syscalls. Although this information is not precise, it |
| 152 | can be useful for estimating the STACKLEAK performance impact for |
| 153 | your workloads. |
| 154 | |
| 155 | config STACKLEAK_RUNTIME_DISABLE |
| 156 | bool "Allow runtime disabling of kernel stack erasing" |
| 157 | depends on GCC_PLUGIN_STACKLEAK |
| 158 | help |
| 159 | This option provides 'stack_erasing' sysctl, which can be used in |
| 160 | runtime to control kernel stack erasing for kernels built with |
| 161 | CONFIG_GCC_PLUGIN_STACKLEAK. |
| 162 | |
| Kees Cook | 9f671e5 | 2019-04-10 08:23:44 -0700 | [diff] [blame] | 163 | endmenu |
| 164 | |
| 165 | endmenu |