# SPDX-License-Identifier: GPL-2.0-only
preferred-plugin-hostcc := $(if-success,[ $(gcc-version) -ge 40800 ],$(HOSTCXX),$(HOSTCC))

config PLUGIN_HOSTCC
	string
	default "$(shell,$(srctree)/scripts/gcc-plugin.sh "$(preferred-plugin-hostcc)" "$(HOSTCXX)" "$(CC)")" if CC_IS_GCC
	help
	  Host compiler used to build GCC plugins. This can be $(HOSTCXX),
	  $(HOSTCC), or a null string if GCC plugin is unsupported.

config HAVE_GCC_PLUGINS
	bool
	help
	  An arch should select this symbol if it supports building with
	  GCC plugins.

config GCC_PLUGINS
	bool
	depends on HAVE_GCC_PLUGINS
	depends on PLUGIN_HOSTCC != ""
	default y
	help
	  GCC plugins are loadable modules that provide extra features to the
	  compiler. They are useful for runtime instrumentation and static analysis.

	  See Documentation/gcc-plugins.txt for details.

menu "GCC plugins"
	depends on GCC_PLUGINS

config GCC_PLUGIN_CYC_COMPLEXITY
	bool "Compute the cyclomatic complexity of a function" if EXPERT
	depends on !COMPILE_TEST	# too noisy
	help
	  The complexity M of a function's control flow graph is defined as:
	   M = E - N + 2P
	  where

	  E = the number of edges
	  N = the number of nodes
	  P = the number of connected components (exit nodes).

	  Enabling this plugin reports the complexity to stderr during the
	  build. It mainly serves as a simple example of how to create a
	  gcc plugin for the kernel.

config GCC_PLUGIN_SANCOV
	bool
	help
	  This plugin inserts a __sanitizer_cov_trace_pc() call at the start of
	  basic blocks. It supports all gcc versions with plugin support (from
	  gcc-4.5 on). It is based on the commit "Add fuzzing coverage support"
	  by Dmitry Vyukov <dvyukov@google.com>.

config GCC_PLUGIN_LATENT_ENTROPY
	bool "Generate some entropy during boot and runtime"
	help
	  By saying Y here the kernel will instrument some kernel code to
	  extract some entropy from both original and artificially created
	  program state. This will help especially embedded systems where
	  there is little 'natural' source of entropy normally. The cost
	  is some slowdown of the boot process (about 0.5%) and fork and
	  irq processing.

	  Note that entropy extracted this way is not cryptographically
	  secure!

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config GCC_PLUGIN_RANDSTRUCT
	bool "Randomize layout of sensitive kernel structures"
	select MODVERSIONS if MODULES
	help
	  If you say Y here, the layouts of structures that are entirely
	  function pointers (and have not been manually annotated with
	  __no_randomize_layout), or structures that have been explicitly
	  marked with __randomize_layout, will be randomized at compile-time.
	  This can introduce the requirement of an additional information
	  exposure vulnerability for exploits targeting these structure
	  types.

	  Enabling this feature will introduce some performance impact,
	  slightly increase memory usage, and prevent the use of forensic
	  tools like Volatility against the system (unless the kernel
	  source tree isn't cleaned after kernel installation).

	  The seed used for compilation is located at
	  scripts/gcc-plugins/randomize_layout_seed.h. It remains after
	  a make clean to allow for external modules to be compiled with
	  the existing seed and will be removed by a make mrproper or
	  make distclean.

	  Note that the implementation requires gcc 4.7 or newer.

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
	bool "Use cacheline-aware structure randomization"
	depends on GCC_PLUGIN_RANDSTRUCT
	depends on !COMPILE_TEST	# do not reduce test coverage
	help
	  If you say Y here, the RANDSTRUCT randomization will make a
	  best effort at restricting randomization to cacheline-sized
	  groups of elements. It will further not randomize bitfields
	  in structures. This reduces the performance hit of RANDSTRUCT
	  at the cost of weakened randomization.

config GCC_PLUGIN_ARM_SSP_PER_TASK
	bool
	depends on GCC_PLUGINS && ARM

endmenu
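
A simplified model of the GCC_PLUGIN_RANDSTRUCT and GCC_PLUGIN_RANDSTRUCT_PERFORMANCE help texts above, added here as an illustration and not taken from the kernel or the plugin. It shows that the seed alone fixes the member order, which is why the seed header is kept for external modules and why a retained source tree lets tools recover the layout, and that the cacheline-aware mode keeps every member inside its own group. The xorshift generator, the 16-member structure and the grouping of 8 members per cacheline are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define NFIELDS  16	/* constructed: struct of 16 pointer-sized members */
#define PER_LINE 8	/* assumption: 64-byte cacheline, 8-byte members */
/* xorshift64: stand-in for the plugin's seeded generator (assumption). */
static uint64_t next_rand(uint64_t *s)
{
	*s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17;
	return *s;
}
/* Fisher-Yates shuffle of the slots order[lo..hi). */
static void shuffle_range(int *order, int lo, int hi, uint64_t *s)
{
	for (int i = hi - 1; i > lo; i--) {
		int j = lo + (int)(next_rand(s) % (uint64_t)(i - lo + 1));
		int t = order[i]; order[i] = order[j]; order[j] = t;
	}
}
/* order[slot] = member placed there. grouped == 0 shuffles across the whole
 * struct; otherwise members move only inside their cacheline-sized group. */
void layout(int *order, uint64_t seed, int grouped)
{
	uint64_t s = seed ? seed : 1;	/* xorshift state must be non-zero */
	int step = grouped ? PER_LINE : NFIELDS;
	for (int i = 0; i < NFIELDS; i++) order[i] = i;
	for (int lo = 0; lo < NFIELDS; lo += step) shuffle_range(order, lo, lo + step, &s);
}
/* Number of slots on which two layouts disagree (0 = identical). */
int layout_diff(const int *a, const int *b)
{
	int d = 0;
	for (int i = 0; i < NFIELDS; i++) d += (a[i] != b[i]);
	return d;
}
/* 1 if every member is still inside its original cacheline group. */
int stays_in_group(const int *order)
{
	for (int i = 0; i < NFIELDS; i++)
		if (order[i] / PER_LINE != i / PER_LINE) return 0;
	return 1;
}
int main(void)
{
	int a[NFIELDS], b[NFIELDS];
	layout(a, 0x1234, 0); layout(b, 0x1234, 0);
	printf("same seed, differing slots: %d\n", layout_diff(a, b));
	layout(b, 0x1234, 1);
	printf("grouped stays in cacheline: %d\n", stays_in_group(b));
}
```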