# SPDX-License-Identifier: GPL-2.0-only
menu "Kernel hardening options"

config GCC_PLUGIN_STRUCTLEAK
	bool
	help
	  While the kernel is built with warnings enabled for any missed
	  stack variable initializations, this warning is silenced for
	  anything passed by reference to another function, under the
	  occasionally misguided assumption that the function will do
	  the initialization. As this regularly leads to exploitable
	  flaws, this plugin is available to identify and zero-initialize
	  such variables, depending on the chosen level of coverage.

	  This plugin was originally ported from grsecurity/PaX. More
	  information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

menu "Memory initialization"

config CC_HAS_AUTO_VAR_INIT
	def_bool $(cc-option,-ftrivial-auto-var-init=pattern)

choice
	prompt "Initialize kernel stack variables at function entry"
	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
	default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT
	default INIT_STACK_NONE
	help
	  This option enables initialization of stack variables at
	  function entry time. This has the possibility to have the
	  greatest coverage (since all functions can have their
	  variables initialized), but the performance impact depends
	  on the function calling complexity of a given workload's
	  syscalls.

	  This chooses the level of coverage over classes of potentially
	  uninitialized variables. The selected class will be
	  initialized before use in a function.

	config INIT_STACK_NONE
		bool "no automatic initialization (weakest)"
		help
		  Disable automatic stack variable initialization.
		  This leaves the kernel vulnerable to the standard
		  classes of uninitialized stack variable exploits
		  and information exposures.

	config GCC_PLUGIN_STRUCTLEAK_USER
		bool "zero-init structs marked for userspace (weak)"
		depends on GCC_PLUGINS
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any structures on the stack containing
		  a __user attribute. This can prevent some classes of
		  uninitialized stack variable exploits and information
		  exposures, like CVE-2013-2141:
		  https://git.kernel.org/linus/b9e146d8eb3b9eca

	config GCC_PLUGIN_STRUCTLEAK_BYREF
		bool "zero-init structs passed by reference (strong)"
		depends on GCC_PLUGINS
		depends on !(KASAN && KASAN_STACK=1)
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any structures on the stack that may
		  be passed by reference and have not already been
		  explicitly initialized. This can prevent most classes
		  of uninitialized stack variable exploits and information
		  exposures, like CVE-2017-1000410:
		  https://git.kernel.org/linus/06e7e776ca4d3654

		  As a side-effect, this keeps a lot of variables on the
		  stack that can otherwise be optimized out, so combining
		  this with CONFIG_KASAN_STACK can lead to a stack overflow
		  and is disallowed.

	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
		bool "zero-init anything passed by reference (very strong)"
		depends on GCC_PLUGINS
		depends on !(KASAN && KASAN_STACK=1)
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any stack variables that may be passed
		  by reference and have not already been explicitly
		  initialized. This is intended to eliminate all classes
		  of uninitialized stack variable exploits and information
		  exposures.

	config INIT_STACK_ALL
		bool "0xAA-init everything on the stack (strongest)"
		depends on CC_HAS_AUTO_VAR_INIT
		help
		  Initializes everything on the stack with a 0xAA
		  pattern. This is intended to eliminate all classes
		  of uninitialized stack variable exploits and information
		  exposures, even variables that were warned to have been
		  left uninitialized.

endchoice

config GCC_PLUGIN_STRUCTLEAK_VERBOSE
	bool "Report forcefully initialized variables"
	depends on GCC_PLUGIN_STRUCTLEAK
	depends on !COMPILE_TEST	# too noisy
	help
	  This option will cause a warning to be printed each time the
	  structleak plugin finds a variable it thinks needs to be
	  initialized. Since not all existing initializers are detected
	  by the plugin, this can produce false positive warnings.

config GCC_PLUGIN_STACKLEAK
	bool "Poison kernel stack before returning from syscalls"
	depends on GCC_PLUGINS
	depends on HAVE_ARCH_STACKLEAK
	help
	  This option makes the kernel erase the kernel stack before
	  returning from system calls. This has the effect of leaving
	  the stack initialized to the poison value, which both reduces
	  the lifetime of any sensitive stack contents and reduces
	  potential for uninitialized stack variable exploits or information
	  exposures (it does not cover functions reaching the same stack
	  depth as prior functions during the same syscall). This blocks
	  most uninitialized stack variable attacks, with the performance
	  impact being driven by the depth of the stack usage, rather than
	  the function calling complexity.

	  The performance impact on a single CPU system kernel compilation
	  sees a 1% slowdown; other systems and workloads may vary and you
	  are advised to test this feature on your expected workload before
	  deploying it.

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config STACKLEAK_TRACK_MIN_SIZE
	int "Minimum stack frame size of functions tracked by STACKLEAK"
	default 100
	range 0 4096
	depends on GCC_PLUGIN_STACKLEAK
	help
	  The STACKLEAK gcc plugin instruments the kernel code for tracking
	  the lowest border of the kernel stack (and for some other purposes).
	  It inserts the stackleak_track_stack() call for the functions with
	  a stack frame size greater than or equal to this parameter.
	  If unsure, leave the default value 100.

config STACKLEAK_METRICS
	bool "Show STACKLEAK metrics in the /proc file system"
	depends on GCC_PLUGIN_STACKLEAK
	depends on PROC_FS
	help
	  If this is set, STACKLEAK metrics for every task are available in
	  the /proc file system. In particular, /proc/<pid>/stack_depth
	  shows the maximum kernel stack consumption for the current and
	  previous syscalls. Although this information is not precise, it
	  can be useful for estimating the STACKLEAK performance impact for
	  your workloads.

config STACKLEAK_RUNTIME_DISABLE
	bool "Allow runtime disabling of kernel stack erasing"
	depends on GCC_PLUGIN_STACKLEAK
	help
	  This option provides the 'stack_erasing' sysctl, which can be used
	  at runtime to control kernel stack erasing for kernels built with
	  CONFIG_GCC_PLUGIN_STACKLEAK.

endmenu

endmenu
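Added userspace illustration (not kernel code) of the bug class the STRUCTLEAK_BYREF options address: a struct on the stack is only partly filled, then handed out by reference, so its padding and unused bytes still carry whatever the frame held before. The struct, the 0x5A "stale" marker and the two initializers are constructed for this example; the zeroed variant does by hand what the plugin inserts for by-reference structs without an initializer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message type: the uint8_t before the uint32_t forces 3 bytes
 * of padding, and 'payload' is only partly written when 'len' is short. */
struct msg {
	uint8_t  type;
	uint32_t len;
	uint8_t  payload[8];
};

#define STALE 0x5A	/* stands in for whatever a previous call left behind */

/* Buggy pattern: set only the fields this path uses, then pass the struct
 * by reference (e.g. to a copy-out helper). Padding and the unused tail
 * of 'payload' keep their old contents. */
static void init_partial(struct msg *m)
{
	m->type = 1;
	m->len = 4;
	memcpy(m->payload, "abcd", 4);
}

/* Hardened form: clear the whole object first. memset also clears padding,
 * which assigning members one by one never touches. */
static void init_zeroed(struct msg *m)
{
	memset(m, 0, sizeof *m);
	init_partial(m);
}

/* Simulate a stale frame: pre-fill the object with STALE, run the chosen
 * initializer, and count bytes that still hold the marker. That count is
 * how many old-frame bytes a by-reference consumer could expose. */
static size_t stale_bytes_after(void (*init)(struct msg *))
{
	struct msg m;
	unsigned char *raw = (unsigned char *)&m;
	size_t i, n = 0;

	memset(raw, STALE, sizeof m);
	init(&m);
	for (i = 0; i < sizeof m; i++)
		if (raw[i] == STALE)
			n++;
	return n;
}

int main(void)
{
	printf("partial init: %zu of %zu bytes stale\n",
	       stale_bytes_after(init_partial), sizeof(struct msg));
	printf("zeroed init:  %zu of %zu bytes stale\n",
	       stale_bytes_after(init_zeroed), sizeof(struct msg));
	return 0;
}
```

On a typical ABI the partial initializer leaves 7 of 16 bytes stale (3 padding plus 4 unused payload bytes); the zeroed one leaves none.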