Kconfig.hardening (9a87ffc99ec8eb8d35eed7c4f816d75f5cc9662e) | Kconfig.hardening (aebc7b0d8d91bbc69e976909963046bc48bca4fd) |
---|---|
1# SPDX-License-Identifier: GPL-2.0-only 2menu "Kernel hardening options" 3 4config GCC_PLUGIN_STRUCTLEAK 5 bool 6 help 7 While the kernel is built with warnings enabled for any missed 8 stack variable initializations, this warning is silenced for --- 265 unchanged lines hidden (view full) --- 274 generated "write-what-where" gadgets) in the resulting kernel 275 image. This has a less than 1% performance impact on most 276 workloads. Image size growth depends on architecture, and should 277 be evaluated for suitability. For example, x86_64 grows by less 278 than 1%, and arm64 grows by about 5%. 279 280endmenu 281 | 1# SPDX-License-Identifier: GPL-2.0-only 2menu "Kernel hardening options" 3 4config GCC_PLUGIN_STRUCTLEAK 5 bool 6 help 7 While the kernel is built with warnings enabled for any missed 8 stack variable initializations, this warning is silenced for --- 265 unchanged lines hidden (view full) --- 274 generated "write-what-where" gadgets) in the resulting kernel 275 image. This has a less than 1% performance impact on most 276 workloads. Image size growth depends on architecture, and should 277 be evaluated for suitability. For example, x86_64 grows by less 278 than 1%, and arm64 grows by about 5%. 279 280endmenu 281 |
282menu "Hardening of kernel data structures" 283 284config LIST_HARDENED 285 bool "Check integrity of linked list manipulation" 286 help 287 Minimal integrity checking in the linked-list manipulation routines 288 to catch memory corruptions that are not guaranteed to result in an 289 immediate access fault. 290 291 If unsure, say N. 292 293endmenu 294 |
|
282config CC_HAS_RANDSTRUCT 283 def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null) 284 # Randstruct was first added in Clang 15, but it isn't safe to use until 285 # Clang 16 due to https://github.com/llvm/llvm-project/issues/60349 286 depends on !CC_IS_CLANG || CLANG_VERSION >= 160000 287 288choice 289 prompt "Randomize layout of sensitive kernel structures" --- 69 unchanged lines hidden --- | 295config CC_HAS_RANDSTRUCT 296 def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null) 297 # Randstruct was first added in Clang 15, but it isn't safe to use until 298 # Clang 16 due to https://github.com/llvm/llvm-project/issues/60349 299 depends on !CC_IS_CLANG || CLANG_VERSION >= 160000 300 301choice 302 prompt "Randomize layout of sensitive kernel structures" --- 69 unchanged lines hidden --- |
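
Review bot: the help text for the new LIST_HARDENED option (new lines 286-291) gives no indication of runtime cost or of what happens when a check fails, so "If unsure, say N" leaves the reader with nothing to weigh. The neighbouring entry ending at line 278 quantifies its overhead ("less than 1% performance impact on most workloads"), and the same treatment would fit here. Suggest adding one sentence on the expected overhead of the "minimal" checks and one on the failure behaviour when corruption is detected. The new "Hardening of kernel data structures" menu also holds a single option, so it would help to state whether further options are expected to land in it.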