1# SPDX-License-Identifier: GPL-2.0-only 2 3# This config refers to the generic KASAN mode. 4config HAVE_ARCH_KASAN 5 bool 6 7config HAVE_ARCH_KASAN_SW_TAGS 8 bool 9 10config HAVE_ARCH_KASAN_HW_TAGS 11 bool 12 13config HAVE_ARCH_KASAN_VMALLOC 14 bool 15 16config ARCH_DISABLE_KASAN_INLINE 17 bool 18 help 19 Disables both inline and stack instrumentation. Selected by 20 architectures that do not support these instrumentation types. 21 22config CC_HAS_KASAN_GENERIC 23 def_bool $(cc-option, -fsanitize=kernel-address) 24 25config CC_HAS_KASAN_SW_TAGS 26 def_bool $(cc-option, -fsanitize=kernel-hwaddress) 27 28# This option is only required for software KASAN modes. 29# Old GCC versions do not have proper support for no_sanitize_address. 30# See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89124 for details. 31config CC_HAS_WORKING_NOSANITIZE_ADDRESS 32 def_bool !CC_IS_GCC || GCC_VERSION >= 80300 33 34menuconfig KASAN 35 bool "KASAN: dynamic memory safety error detector" 36 depends on (((HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC) || \ 37 (HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS)) && \ 38 CC_HAS_WORKING_NOSANITIZE_ADDRESS) || \ 39 HAVE_ARCH_KASAN_HW_TAGS 40 depends on (SLUB && SYSFS) || (SLAB && !DEBUG_SLAB) 41 select STACKDEPOT_ALWAYS_INIT 42 help 43 Enables KASAN (Kernel Address Sanitizer) - a dynamic memory safety 44 error detector designed to find out-of-bounds and use-after-free bugs. 45 46 See Documentation/dev-tools/kasan.rst for details. 47 48 For better error reports, also enable CONFIG_STACKTRACE. 49 50if KASAN 51 52choice 53 prompt "KASAN mode" 54 default KASAN_GENERIC 55 help 56 KASAN has three modes: 57 58 1. Generic KASAN (supported by many architectures, enabled with 59 CONFIG_KASAN_GENERIC, similar to userspace ASan), 60 2. Software Tag-Based KASAN (arm64 only, based on software memory 61 tagging, enabled with CONFIG_KASAN_SW_TAGS, similar to userspace 62 HWASan), and 63 3. Hardware Tag-Based KASAN (arm64 only, based on hardware memory 64 tagging, enabled with CONFIG_KASAN_HW_TAGS). 65 66 See Documentation/dev-tools/kasan.rst for details about each mode. 67 68config KASAN_GENERIC 69 bool "Generic KASAN" 70 depends on HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC 71 depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS 72 select SLUB_DEBUG if SLUB 73 select CONSTRUCTORS 74 help 75 Enables Generic KASAN. 76 77 Requires GCC 8.3.0+ or Clang. 78 79 Consumes about 1/8th of available memory at kernel start and adds an 80 overhead of ~50% for dynamic allocations. 81 The performance slowdown is ~x3. 82 83 (Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.) 84 85config KASAN_SW_TAGS 86 bool "Software Tag-Based KASAN" 87 depends on HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS 88 depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS 89 select SLUB_DEBUG if SLUB 90 select CONSTRUCTORS 91 help 92 Enables Software Tag-Based KASAN. 93 94 Requires GCC 11+ or Clang. 95 96 Supported only on arm64 CPUs and relies on Top Byte Ignore. 97 98 Consumes about 1/16th of available memory at kernel start and 99 add an overhead of ~20% for dynamic allocations. 100 101 May potentially introduce problems related to pointer casting and 102 comparison, as it embeds a tag into the top byte of each pointer. 103 104 (Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.) 105 106config KASAN_HW_TAGS 107 bool "Hardware Tag-Based KASAN" 108 depends on HAVE_ARCH_KASAN_HW_TAGS 109 depends on SLUB 110 help 111 Enables Hardware Tag-Based KASAN. 112 113 Requires GCC 10+ or Clang 12+. 114 115 Supported only on arm64 CPUs starting from ARMv8.5 and relies on 116 Memory Tagging Extension and Top Byte Ignore. 117 118 Consumes about 1/32nd of available memory. 119 120 May potentially introduce problems related to pointer casting and 121 comparison, as it embeds a tag into the top byte of each pointer. 122 123endchoice 124 125choice 126 prompt "Instrumentation type" 127 depends on KASAN_GENERIC || KASAN_SW_TAGS 128 default KASAN_OUTLINE 129 130config KASAN_OUTLINE 131 bool "Outline instrumentation" 132 help 133 Makes the compiler insert function calls that check whether the memory 134 is accessible before each memory access. Slower than KASAN_INLINE, but 135 does not bloat the size of the kernel's .text section so much. 136 137config KASAN_INLINE 138 bool "Inline instrumentation" 139 depends on !ARCH_DISABLE_KASAN_INLINE 140 help 141 Makes the compiler directly insert memory accessibility checks before 142 each memory access. Faster than KASAN_OUTLINE (gives ~x2 boost for 143 some workloads), but makes the kernel's .text size much bigger. 144 145endchoice 146 147config KASAN_STACK 148 bool "Stack instrumentation (unsafe)" if CC_IS_CLANG && !COMPILE_TEST 149 depends on KASAN_GENERIC || KASAN_SW_TAGS 150 depends on !ARCH_DISABLE_KASAN_INLINE 151 default y if CC_IS_GCC 152 help 153 Disables stack instrumentation and thus KASAN's ability to detect 154 out-of-bounds bugs in stack variables. 155 156 With Clang, stack instrumentation has a problem that causes excessive 157 stack usage, see https://bugs.llvm.org/show_bug.cgi?id=38809. Thus, 158 with Clang, this option is deemed unsafe. 159 160 This option is always disabled when compile-testing with Clang to 161 avoid cluttering the log with stack overflow warnings. 162 163 With GCC, enabling stack instrumentation is assumed to be safe. 164 165 If the architecture disables inline instrumentation via 166 ARCH_DISABLE_KASAN_INLINE, stack instrumentation gets disabled 167 as well, as it adds inline-style instrumentation that is run 168 unconditionally. 169 170config KASAN_TAGS_IDENTIFY 171 bool "Memory corruption type identification" 172 depends on KASAN_SW_TAGS || KASAN_HW_TAGS 173 help 174 Enables best-effort identification of the bug types (use-after-free 175 or out-of-bounds) at the cost of increased memory consumption. 176 Only applicable for the tag-based KASAN modes. 177 178config KASAN_VMALLOC 179 bool "Check accesses to vmalloc allocations" 180 depends on HAVE_ARCH_KASAN_VMALLOC 181 help 182 Makes KASAN check the validity of accesses to vmalloc allocations. 183 184 With software KASAN modes, all types vmalloc allocations are 185 checked. Enabling this option leads to higher memory usage. 186 187 With Hardware Tag-Based KASAN, only non-executable VM_ALLOC mappings 188 are checked. There is no additional memory usage. 189 190config KASAN_KUNIT_TEST 191 tristate "KUnit-compatible tests of KASAN bug detection capabilities" if !KUNIT_ALL_TESTS 192 depends on KASAN && KUNIT 193 default KUNIT_ALL_TESTS 194 help 195 A KUnit-based KASAN test suite. Triggers different kinds of 196 out-of-bounds and use-after-free accesses. Useful for testing whether 197 KASAN can detect certain bug types. 198 199 For more information on KUnit and unit tests in general, please refer 200 to the KUnit documentation in Documentation/dev-tools/kunit/. 201 202config KASAN_MODULE_TEST 203 tristate "KUnit-incompatible tests of KASAN bug detection capabilities" 204 depends on m && KASAN && !KASAN_HW_TAGS 205 help 206 A part of the KASAN test suite that is not integrated with KUnit. 207 Incompatible with Hardware Tag-Based KASAN. 208 209endif # KASAN 210