19f671e58SKees Cookmenu "Kernel hardening options"
29f671e58SKees Cook
39f671e58SKees Cookconfig GCC_PLUGIN_STRUCTLEAK
49f671e58SKees Cook	bool
59f671e58SKees Cook	help
69f671e58SKees Cook	  While the kernel is built with warnings enabled for any missed
79f671e58SKees Cook	  stack variable initializations, this warning is silenced for
89f671e58SKees Cook	  anything passed by reference to another function, under the
99f671e58SKees Cook	  occasionally misguided assumption that the function will do
109f671e58SKees Cook	  the initialization. As this regularly leads to exploitable
119f671e58SKees Cook	  flaws, this plugin is available to identify and zero-initialize
129f671e58SKees Cook	  such variables, depending on the chosen level of coverage.
139f671e58SKees Cook
149f671e58SKees Cook	  This plugin was originally ported from grsecurity/PaX. More
159f671e58SKees Cook	  information at:
169f671e58SKees Cook	   * https://grsecurity.net/
179f671e58SKees Cook	   * https://pax.grsecurity.net/
189f671e58SKees Cook
199f671e58SKees Cookmenu "Memory initialization"
209f671e58SKees Cook
21*709a972eSKees Cookconfig CC_HAS_AUTO_VAR_INIT
22*709a972eSKees Cook	def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
23*709a972eSKees Cook
249f671e58SKees Cookchoice
259f671e58SKees Cook	prompt "Initialize kernel stack variables at function entry"
269f671e58SKees Cook	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
27*709a972eSKees Cook	default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT
289f671e58SKees Cook	default INIT_STACK_NONE
299f671e58SKees Cook	help
309f671e58SKees Cook	  This option enables initialization of stack variables at
319f671e58SKees Cook	  function entry time. This can provide the greatest
329f671e58SKees Cook	  coverage (since all functions can have their
339f671e58SKees Cook	  variables initialized), but the performance impact depends
349f671e58SKees Cook	  on the function calling complexity of a given workload's
359f671e58SKees Cook	  syscalls.
369f671e58SKees Cook
379f671e58SKees Cook	  This chooses the level of coverage over classes of potentially
389f671e58SKees Cook	  uninitialized variables. The selected class will be
399f671e58SKees Cook	  initialized before use in a function.
409f671e58SKees Cook
419f671e58SKees Cook	config INIT_STACK_NONE
429f671e58SKees Cook		bool "no automatic initialization (weakest)"
439f671e58SKees Cook		help
449f671e58SKees Cook		  Disable automatic stack variable initialization.
459f671e58SKees Cook		  This leaves the kernel vulnerable to the standard
469f671e58SKees Cook		  classes of uninitialized stack variable exploits
479f671e58SKees Cook		  and information exposures.
489f671e58SKees Cook
499f671e58SKees Cook	config GCC_PLUGIN_STRUCTLEAK_USER
509f671e58SKees Cook		bool "zero-init structs marked for userspace (weak)"
519f671e58SKees Cook		depends on GCC_PLUGINS
529f671e58SKees Cook		select GCC_PLUGIN_STRUCTLEAK
539f671e58SKees Cook		help
549f671e58SKees Cook		  Zero-initialize any structures on the stack containing
559f671e58SKees Cook		  a __user attribute. This can prevent some classes of
569f671e58SKees Cook		  uninitialized stack variable exploits and information
579f671e58SKees Cook		  exposures, like CVE-2013-2141:
589f671e58SKees Cook		  https://git.kernel.org/linus/b9e146d8eb3b9eca
599f671e58SKees Cook
609f671e58SKees Cook	config GCC_PLUGIN_STRUCTLEAK_BYREF
619f671e58SKees Cook		bool "zero-init structs passed by reference (strong)"
629f671e58SKees Cook		depends on GCC_PLUGINS
639f671e58SKees Cook		select GCC_PLUGIN_STRUCTLEAK
649f671e58SKees Cook		help
659f671e58SKees Cook		  Zero-initialize any structures on the stack that may
669f671e58SKees Cook		  be passed by reference and have not already been
679f671e58SKees Cook		  explicitly initialized. This can prevent most classes
689f671e58SKees Cook		  of uninitialized stack variable exploits and information
699f671e58SKees Cook		  exposures, like CVE-2017-1000410:
709f671e58SKees Cook		  https://git.kernel.org/linus/06e7e776ca4d3654
719f671e58SKees Cook
729f671e58SKees Cook	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
739f671e58SKees Cook		bool "zero-init anything passed by reference (very strong)"
749f671e58SKees Cook		depends on GCC_PLUGINS
759f671e58SKees Cook		select GCC_PLUGIN_STRUCTLEAK
769f671e58SKees Cook		help
779f671e58SKees Cook		  Zero-initialize any stack variables that may be passed
789f671e58SKees Cook		  by reference and have not already been explicitly
799f671e58SKees Cook		  initialized. This is intended to eliminate all classes
809f671e58SKees Cook		  of uninitialized stack variable exploits and information
819f671e58SKees Cook		  exposures.
829f671e58SKees Cook
83*709a972eSKees Cook	config INIT_STACK_ALL
84*709a972eSKees Cook		bool "0xAA-init everything on the stack (strongest)"
85*709a972eSKees Cook		depends on CC_HAS_AUTO_VAR_INIT
86*709a972eSKees Cook		help
87*709a972eSKees Cook		  Initializes everything on the stack with a 0xAA
88*709a972eSKees Cook		  pattern. This is intended to eliminate all classes
89*709a972eSKees Cook		  of uninitialized stack variable exploits and information
90*709a972eSKees Cook		  exposures, even for variables that the compiler warned
91*709a972eSKees Cook		  were left uninitialized.
92*709a972eSKees Cook
939f671e58SKees Cookendchoice
949f671e58SKees Cook
959f671e58SKees Cookconfig GCC_PLUGIN_STRUCTLEAK_VERBOSE
969f671e58SKees Cook	bool "Report forcefully initialized variables"
979f671e58SKees Cook	depends on GCC_PLUGIN_STRUCTLEAK
989f671e58SKees Cook	depends on !COMPILE_TEST	# too noisy
999f671e58SKees Cook	help
1009f671e58SKees Cook	  This option will cause a warning to be printed each time the
1019f671e58SKees Cook	  structleak plugin finds a variable it thinks needs to be
1029f671e58SKees Cook	  initialized. Since not all existing initializers are detected
1039f671e58SKees Cook	  by the plugin, this can produce false positive warnings.
1049f671e58SKees Cook
105b6a6a377SKees Cookconfig GCC_PLUGIN_STACKLEAK
106b6a6a377SKees Cook	bool "Poison kernel stack before returning from syscalls"
107b6a6a377SKees Cook	depends on GCC_PLUGINS
108b6a6a377SKees Cook	depends on HAVE_ARCH_STACKLEAK
109b6a6a377SKees Cook	help
110b6a6a377SKees Cook	  This option makes the kernel erase the kernel stack before
111b6a6a377SKees Cook	  returning from system calls. This has the effect of leaving
112b6a6a377SKees Cook	  the stack initialized to the poison value, which both reduces
113b6a6a377SKees Cook	  the lifetime of any sensitive stack contents and reduces
114b6a6a377SKees Cook	  potential for uninitialized stack variable exploits or information
115b6a6a377SKees Cook	  exposures (it does not cover functions reaching the same stack
116b6a6a377SKees Cook	  depth as prior functions during the same syscall). This blocks
117b6a6a377SKees Cook	  most uninitialized stack variable attacks, with the performance
118b6a6a377SKees Cook	  impact being driven by the depth of the stack usage, rather than
119b6a6a377SKees Cook	  the function calling complexity.
120b6a6a377SKees Cook
121b6a6a377SKees Cook	  As a reference point, kernel compilation on a single-CPU system
122b6a6a377SKees Cook	  sees a 1% slowdown; other systems and workloads may vary, and you
123b6a6a377SKees Cook	  are advised to test this feature on your expected workload before
124b6a6a377SKees Cook	  deploying it.
125b6a6a377SKees Cook
126b6a6a377SKees Cook	  This plugin was ported from grsecurity/PaX. More information at:
127b6a6a377SKees Cook	   * https://grsecurity.net/
128b6a6a377SKees Cook	   * https://pax.grsecurity.net/
129b6a6a377SKees Cook
130b6a6a377SKees Cookconfig STACKLEAK_TRACK_MIN_SIZE
131b6a6a377SKees Cook	int "Minimum stack frame size of functions tracked by STACKLEAK"
132b6a6a377SKees Cook	default 100
133b6a6a377SKees Cook	range 0 4096
134b6a6a377SKees Cook	depends on GCC_PLUGIN_STACKLEAK
135b6a6a377SKees Cook	help
136b6a6a377SKees Cook	  The STACKLEAK gcc plugin instruments the kernel code for tracking
137b6a6a377SKees Cook	  the lowest border of the kernel stack (and for some other purposes).
138b6a6a377SKees Cook	  It inserts a stackleak_track_stack() call into functions whose
139b6a6a377SKees Cook	  stack frame size is greater than or equal to this parameter.
140b6a6a377SKees Cook	  If unsure, leave the default value 100.
141b6a6a377SKees Cook
142b6a6a377SKees Cookconfig STACKLEAK_METRICS
143b6a6a377SKees Cook	bool "Show STACKLEAK metrics in the /proc file system"
144b6a6a377SKees Cook	depends on GCC_PLUGIN_STACKLEAK
145b6a6a377SKees Cook	depends on PROC_FS
146b6a6a377SKees Cook	help
147b6a6a377SKees Cook	  If this is set, STACKLEAK metrics for every task are available in
148b6a6a377SKees Cook	  the /proc file system. In particular, /proc/<pid>/stack_depth
149b6a6a377SKees Cook	  shows the maximum kernel stack consumption for the current and
150b6a6a377SKees Cook	  previous syscalls. Although this information is not precise, it
151b6a6a377SKees Cook	  can be useful for estimating the STACKLEAK performance impact for
152b6a6a377SKees Cook	  your workloads.
153b6a6a377SKees Cook
154b6a6a377SKees Cookconfig STACKLEAK_RUNTIME_DISABLE
155b6a6a377SKees Cook	bool "Allow runtime disabling of kernel stack erasing"
156b6a6a377SKees Cook	depends on GCC_PLUGIN_STACKLEAK
157b6a6a377SKees Cook	help
158b6a6a377SKees Cook	  This option provides the 'stack_erasing' sysctl, which can be used
159b6a6a377SKees Cook	  at runtime to control kernel stack erasing for kernels built with
160b6a6a377SKees Cook	  CONFIG_GCC_PLUGIN_STACKLEAK.
161b6a6a377SKees Cook
1629f671e58SKees Cookendmenu
1639f671e58SKees Cook
1649f671e58SKees Cookendmenu
165