1# SPDX-License-Identifier: GPL-2.0-only 2menu "Kernel hardening options" 3 4menu "Memory initialization" 5 6config CC_HAS_AUTO_VAR_INIT_PATTERN 7 def_bool $(cc-option,-ftrivial-auto-var-init=pattern) 8 9config CC_HAS_AUTO_VAR_INIT_ZERO_BARE 10 def_bool $(cc-option,-ftrivial-auto-var-init=zero) 11 12config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER 13 # Clang 16 and later warn about using the -enable flag, but it 14 # is required before then. 15 def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang) 16 depends on !CC_HAS_AUTO_VAR_INIT_ZERO_BARE 17 18config CC_HAS_AUTO_VAR_INIT_ZERO 19 def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BARE || CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER 20 21choice 22 prompt "Initialize kernel stack variables at function entry" 23 default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN 24 default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO 25 default INIT_STACK_NONE 26 help 27 This option enables initialization of stack variables at 28 function entry time. This has the possibility to have the 29 greatest coverage (since all functions can have their 30 variables initialized), but the performance impact depends 31 on the function calling complexity of a given workload's 32 syscalls. 33 34 This chooses the level of coverage over classes of potentially 35 uninitialized variables. The selected class of variable will be 36 initialized before use in a function. 37 38 config INIT_STACK_NONE 39 bool "no automatic stack variable initialization (weakest)" 40 help 41 Disable automatic stack variable initialization. 42 This leaves the kernel vulnerable to the standard 43 classes of uninitialized stack variable exploits 44 and information exposures. 45 46 config INIT_STACK_ALL_PATTERN 47 bool "pattern-init everything (strongest)" 48 depends on CC_HAS_AUTO_VAR_INIT_PATTERN 49 depends on !KMSAN 50 help 51 Initializes everything on the stack (including padding) 52 with a specific debug value. This is intended to eliminate 53 all classes of uninitialized stack variable exploits and 54 information exposures, even variables that were warned about 55 having been left uninitialized. 56 57 Pattern initialization is known to provoke many existing bugs 58 related to uninitialized locals, e.g. pointers receive 59 non-NULL values, buffer sizes and indices are very big. The 60 pattern is situation-specific; Clang on 64-bit uses 0xAA 61 repeating for all types and padding except float and double 62 which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF 63 repeating for all types and padding. 64 GCC uses 0xFE repeating for all types, and zero for padding. 65 66 config INIT_STACK_ALL_ZERO 67 bool "zero-init everything (strongest and safest)" 68 depends on CC_HAS_AUTO_VAR_INIT_ZERO 69 depends on !KMSAN 70 help 71 Initializes everything on the stack (including padding) 72 with a zero value. This is intended to eliminate all 73 classes of uninitialized stack variable exploits and 74 information exposures, even variables that were warned 75 about having been left uninitialized. 76 77 Zero initialization provides safe defaults for strings 78 (immediately NUL-terminated), pointers (NULL), indices 79 (index 0), and sizes (0 length), so it is therefore more 80 suitable as a production security mitigation than pattern 81 initialization. 82 83endchoice 84 85config CC_HAS_SANCOV_STACK_DEPTH_CALLBACK 86 def_bool $(cc-option,-fsanitize-coverage-stack-depth-callback-min=1) 87 88config KSTACK_ERASE 89 bool "Poison kernel stack before returning from syscalls" 90 depends on HAVE_ARCH_KSTACK_ERASE 91 depends on GCC_PLUGINS || CC_HAS_SANCOV_STACK_DEPTH_CALLBACK 92 help 93 This option makes the kernel erase the kernel stack before 94 returning from system calls. This has the effect of leaving 95 the stack initialized to the poison value, which both reduces 96 the lifetime of any sensitive stack contents and reduces 97 potential for uninitialized stack variable exploits or information 98 exposures (it does not cover functions reaching the same stack 99 depth as prior functions during the same syscall). This blocks 100 most uninitialized stack variable attacks, with the performance 101 impact being driven by the depth of the stack usage, rather than 102 the function calling complexity. 103 104 The performance impact on a single CPU system kernel compilation 105 sees a 1% slowdown, other systems and workloads may vary and you 106 are advised to test this feature on your expected workload before 107 deploying it. 108 109config GCC_PLUGIN_STACKLEAK 110 def_bool KSTACK_ERASE 111 depends on GCC_PLUGINS 112 help 113 This plugin was ported from grsecurity/PaX. More information at: 114 * https://grsecurity.net/ 115 * https://pax.grsecurity.net/ 116 117config GCC_PLUGIN_STACKLEAK_VERBOSE 118 bool "Report stack depth analysis instrumentation" if EXPERT 119 depends on GCC_PLUGIN_STACKLEAK 120 depends on !COMPILE_TEST # too noisy 121 help 122 This option will cause a warning to be printed each time the 123 stackleak plugin finds a function it thinks needs to be 124 instrumented. This is useful for comparing coverage between 125 builds. 126 127config KSTACK_ERASE_TRACK_MIN_SIZE 128 int "Minimum stack frame size of functions tracked by KSTACK_ERASE" 129 default 100 130 range 0 4096 131 depends on KSTACK_ERASE 132 help 133 The KSTACK_ERASE option instruments the kernel code for tracking 134 the lowest border of the kernel stack (and for some other purposes). 135 It inserts the __sanitizer_cov_stack_depth() call for the functions 136 with a stack frame size greater than or equal to this parameter. 137 If unsure, leave the default value 100. 138 139config KSTACK_ERASE_METRICS 140 bool "Show KSTACK_ERASE metrics in the /proc file system" 141 depends on KSTACK_ERASE 142 depends on PROC_FS 143 help 144 If this is set, KSTACK_ERASE metrics for every task are available 145 in the /proc file system. In particular, /proc/<pid>/stack_depth 146 shows the maximum kernel stack consumption for the current and 147 previous syscalls. Although this information is not precise, it 148 can be useful for estimating the KSTACK_ERASE performance impact 149 for your workloads. 150 151config KSTACK_ERASE_RUNTIME_DISABLE 152 bool "Allow runtime disabling of kernel stack erasing" 153 depends on KSTACK_ERASE 154 help 155 This option provides 'stack_erasing' sysctl, which can be used in 156 runtime to control kernel stack erasing for kernels built with 157 CONFIG_KSTACK_ERASE. 158 159config INIT_ON_ALLOC_DEFAULT_ON 160 bool "Enable heap memory zeroing on allocation by default" 161 depends on !KMSAN 162 help 163 This has the effect of setting "init_on_alloc=1" on the kernel 164 command line. This can be disabled with "init_on_alloc=0". 165 When "init_on_alloc" is enabled, all page allocator and slab 166 allocator memory will be zeroed when allocated, eliminating 167 many kinds of "uninitialized heap memory" flaws, especially 168 heap content exposures. The performance impact varies by 169 workload, but most cases see <1% impact. Some synthetic 170 workloads have measured as high as 7%. 171 172config INIT_ON_FREE_DEFAULT_ON 173 bool "Enable heap memory zeroing on free by default" 174 depends on !KMSAN 175 help 176 This has the effect of setting "init_on_free=1" on the kernel 177 command line. This can be disabled with "init_on_free=0". 178 Similar to "init_on_alloc", when "init_on_free" is enabled, 179 all page allocator and slab allocator memory will be zeroed 180 when freed, eliminating many kinds of "uninitialized heap memory" 181 flaws, especially heap content exposures. The primary difference 182 with "init_on_free" is that data lifetime in memory is reduced, 183 as anything freed is wiped immediately, making live forensics or 184 cold boot memory attacks unable to recover freed memory contents. 185 The performance impact varies by workload, but is more expensive 186 than "init_on_alloc" due to the negative cache effects of 187 touching "cold" memory areas. Most cases see 3-5% impact. Some 188 synthetic workloads have measured as high as 8%. 189 190config CC_HAS_ZERO_CALL_USED_REGS 191 def_bool $(cc-option,-fzero-call-used-regs=used-gpr) 192 # https://github.com/ClangBuiltLinux/linux/issues/1766 193 # https://github.com/llvm/llvm-project/issues/59242 194 depends on !CC_IS_CLANG || CLANG_VERSION > 150006 195 196config ZERO_CALL_USED_REGS 197 bool "Enable register zeroing on function exit" 198 depends on CC_HAS_ZERO_CALL_USED_REGS 199 help 200 At the end of functions, always zero any caller-used register 201 contents. This helps ensure that temporary values are not 202 leaked beyond the function boundary. This means that register 203 contents are less likely to be available for side channels 204 and information exposures. Additionally, this helps reduce the 205 number of useful ROP gadgets by about 20% (and removes compiler 206 generated "write-what-where" gadgets) in the resulting kernel 207 image. This has a less than 1% performance impact on most 208 workloads. Image size growth depends on architecture, and should 209 be evaluated for suitability. For example, x86_64 grows by less 210 than 1%, and arm64 grows by about 5%. 211 212endmenu 213 214menu "Bounds checking" 215 216config FORTIFY_SOURCE 217 bool "Harden common str/mem functions against buffer overflows" 218 depends on ARCH_HAS_FORTIFY_SOURCE 219 # https://github.com/llvm/llvm-project/issues/53645 220 depends on !X86_32 || !CC_IS_CLANG || CLANG_VERSION >= 160000 221 help 222 Detect overflows of buffers in common string and memory functions 223 where the compiler can determine and validate the buffer sizes. 224 225config HARDENED_USERCOPY 226 bool "Harden memory copies between kernel and userspace" 227 imply STRICT_DEVMEM 228 help 229 This option checks for obviously wrong memory regions when 230 copying memory to/from the kernel (via copy_to_user() and 231 copy_from_user() functions) by rejecting memory ranges that 232 are larger than the specified heap object, span multiple 233 separately allocated pages, are not on the process stack, 234 or are part of the kernel text. This prevents entire classes 235 of heap overflow exploits and similar kernel memory exposures. 236 237config HARDENED_USERCOPY_DEFAULT_ON 238 bool "Harden memory copies by default" 239 depends on HARDENED_USERCOPY 240 default HARDENED_USERCOPY 241 help 242 This has the effect of setting "hardened_usercopy=on" on the kernel 243 command line. This can be disabled with "hardened_usercopy=off". 244 245endmenu 246 247menu "Hardening of kernel data structures" 248 249config LIST_HARDENED 250 bool "Check integrity of linked list manipulation" 251 help 252 Minimal integrity checking in the linked-list manipulation routines 253 to catch memory corruptions that are not guaranteed to result in an 254 immediate access fault. 255 256 If unsure, say N. 257 258config BUG_ON_DATA_CORRUPTION 259 bool "Trigger a BUG when data corruption is detected" 260 select LIST_HARDENED 261 help 262 Select this option if the kernel should BUG when it encounters 263 data corruption in kernel memory structures when they get checked 264 for validity. 265 266 If unsure, say N. 267 268endmenu 269 270config CC_HAS_RANDSTRUCT 271 def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null) 272 # Randstruct was first added in Clang 15, but it isn't safe to use until 273 # Clang 16 due to https://github.com/llvm/llvm-project/issues/60349 274 depends on !CC_IS_CLANG || CLANG_VERSION >= 160000 275 276choice 277 prompt "Randomize layout of sensitive kernel structures" 278 default RANDSTRUCT_FULL if COMPILE_TEST && (GCC_PLUGINS || CC_HAS_RANDSTRUCT) 279 default RANDSTRUCT_NONE 280 help 281 If you enable this, the layouts of structures that are entirely 282 function pointers (and have not been manually annotated with 283 __no_randomize_layout), or structures that have been explicitly 284 marked with __randomize_layout, will be randomized at compile-time. 285 This can introduce the requirement of an additional information 286 exposure vulnerability for exploits targeting these structure 287 types. 288 289 Enabling this feature will introduce some performance impact, 290 slightly increase memory usage, and prevent the use of forensic 291 tools like Volatility against the system (unless the kernel 292 source tree isn't cleaned after kernel installation). 293 294 The seed used for compilation is in scripts/basic/randomize.seed. 295 It remains after a "make clean" to allow for external modules to 296 be compiled with the existing seed and will be removed by a 297 "make mrproper" or "make distclean". This file should not be made 298 public, or the structure layout can be determined. 299 300 config RANDSTRUCT_NONE 301 bool "Disable structure layout randomization" 302 help 303 Build normally: no structure layout randomization. 304 305 config RANDSTRUCT_FULL 306 bool "Fully randomize structure layout" 307 depends on CC_HAS_RANDSTRUCT || GCC_PLUGINS 308 select MODVERSIONS if MODULES && !COMPILE_TEST 309 help 310 Fully randomize the member layout of sensitive 311 structures as much as possible, which may have both a 312 memory size and performance impact. 313 314 One difference between the Clang and GCC plugin 315 implementations is the handling of bitfields. The GCC 316 plugin treats them as fully separate variables, 317 introducing sometimes significant padding. Clang tries 318 to keep adjacent bitfields together, but with their bit 319 ordering randomized. 320 321 config RANDSTRUCT_PERFORMANCE 322 bool "Limit randomization of structure layout to cache-lines" 323 depends on GCC_PLUGINS 324 select MODVERSIONS if MODULES && !COMPILE_TEST 325 help 326 Randomization of sensitive kernel structures will make a 327 best effort at restricting randomization to cacheline-sized 328 groups of members. It will further not randomize bitfields 329 in structures. This reduces the performance hit of RANDSTRUCT 330 at the cost of weakened randomization. 331endchoice 332 333config RANDSTRUCT 334 def_bool !RANDSTRUCT_NONE 335 336config GCC_PLUGIN_RANDSTRUCT 337 def_bool GCC_PLUGINS && RANDSTRUCT 338 help 339 Use GCC plugin to randomize structure layout. 340 341 This plugin was ported from grsecurity/PaX. More 342 information at: 343 * https://grsecurity.net/ 344 * https://pax.grsecurity.net/ 345 346endmenu 347