linux/lib/Kconfig.kasan

# SPDX-License-Identifier: GPL-2.0-only
# This config refers to the generic KASAN mode.
config HAVE_ARCH_KASAN
	bool

config HAVE_ARCH_KASAN_SW_TAGS
	bool

config	HAVE_ARCH_KASAN_VMALLOC
	bool

config CC_HAS_KASAN_GENERIC
	def_bool $(cc-option, -fsanitize=kernel-address)

config CC_HAS_KASAN_SW_TAGS
	def_bool $(cc-option, -fsanitize=kernel-hwaddress)

config CC_HAS_WORKING_NOSANITIZE_ADDRESS
	def_bool !CC_IS_GCC || GCC_VERSION >= 80300

menuconfig KASAN
	bool "KASAN: runtime memory debugger"
	depends on (HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC) || \
		   (HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS)
	depends on (SLUB && SYSFS) || (SLAB && !DEBUG_SLAB)
	depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS
	help
	  Enables KASAN (KernelAddressSANitizer) - runtime memory debugger,
	  designed to find out-of-bounds accesses and use-after-free bugs.
	  See Documentation/dev-tools/kasan.rst for details.

if KASAN

choice
	prompt "KASAN mode"
	default KASAN_GENERIC
	help
	  KASAN has two modes: generic KASAN (similar to userspace ASan,
	  x86_64/arm64/xtensa, enabled with CONFIG_KASAN_GENERIC) and
	  software tag-based KASAN (a version based on software memory
	  tagging, arm64 only, similar to userspace HWASan, enabled with
	  CONFIG_KASAN_SW_TAGS).

	  Both generic and tag-based KASAN are strictly debugging features.

config KASAN_GENERIC
	bool "Generic mode"
	depends on HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC
	depends on (SLUB && SYSFS) || (SLAB && !DEBUG_SLAB)
	select SLUB_DEBUG if SLUB
	select CONSTRUCTORS
	select STACKDEPOT
	help
	  Enables generic KASAN mode.

	  This mode is supported in both GCC and Clang. With GCC it requires
	  version 8.3.0 or later. Any supported Clang version is compatible,
	  but detection of out-of-bounds accesses for global variables is
	  supported only since Clang 11.

	  This mode consumes about 1/8th of available memory at kernel start
	  and introduces an overhead of ~x1.5 for the rest of the allocations.
	  The performance slowdown is ~x3.

	  For better error detection enable CONFIG_STACKTRACE.

	  Currently CONFIG_KASAN_GENERIC doesn't work with CONFIG_DEBUG_SLAB
	  (the resulting kernel does not boot).

config KASAN_SW_TAGS
	bool "Software tag-based mode"
	depends on HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS
	depends on (SLUB && SYSFS) || (SLAB && !DEBUG_SLAB)
	select SLUB_DEBUG if SLUB
	select CONSTRUCTORS
	select STACKDEPOT
	help
	  Enables software tag-based KASAN mode.

	  This mode requires Top Byte Ignore support by the CPU and therefore
	  is only supported for arm64. This mode requires Clang.

	  This mode consumes about 1/16th of available memory at kernel start
	  and introduces an overhead of ~20% for the rest of the allocations.
	  This mode may potentially introduce problems relating to pointer
	  casting and comparison, as it embeds tags into the top byte of each
	  pointer.

	  For better error detection enable CONFIG_STACKTRACE.

	  Currently CONFIG_KASAN_SW_TAGS doesn't work with CONFIG_DEBUG_SLAB
	  (the resulting kernel does not boot).

endchoice

choice
	prompt "Instrumentation type"
	default KASAN_OUTLINE

config KASAN_OUTLINE
	bool "Outline instrumentation"
	help
	  Before every memory access compiler insert function call
	  __asan_load*/__asan_store*. These functions performs check
	  of shadow memory. This is slower than inline instrumentation,
	  however it doesn't bloat size of kernel's .text section so
	  much as inline does.

config KASAN_INLINE
	bool "Inline instrumentation"
	help
	  Compiler directly inserts code checking shadow memory before
	  memory accesses. This is faster than outline (in some workloads
	  it gives about x2 boost over outline instrumentation), but
	  make kernel's .text size much bigger.

endchoice

config KASAN_STACK_ENABLE
	bool "Enable stack instrumentation (unsafe)" if CC_IS_CLANG && !COMPILE_TEST
	help
	  The LLVM stack address sanitizer has a know problem that
	  causes excessive stack usage in a lot of functions, see
	  https://bugs.llvm.org/show_bug.cgi?id=38809
	  Disabling asan-stack makes it safe to run kernels build
	  with clang-8 with KASAN enabled, though it loses some of
	  the functionality.
	  This feature is always disabled when compile-testing with clang
	  to avoid cluttering the output in stack overflow warnings,
	  but clang users can still enable it for builds without
	  CONFIG_COMPILE_TEST.	On gcc it is assumed to always be safe
	  to use and enabled by default.

config KASAN_STACK
	int
	default 1 if KASAN_STACK_ENABLE || CC_IS_GCC
	default 0

config KASAN_SW_TAGS_IDENTIFY
	bool "Enable memory corruption identification"
	depends on KASAN_SW_TAGS
	help
	  This option enables best-effort identification of bug type
	  (use-after-free or out-of-bounds) at the cost of increased
	  memory consumption.

config KASAN_VMALLOC
	bool "Back mappings in vmalloc space with real shadow memory"
	depends on HAVE_ARCH_KASAN_VMALLOC
	help
	  By default, the shadow region for vmalloc space is the read-only
	  zero page. This means that KASAN cannot detect errors involving
	  vmalloc space.

	  Enabling this option will hook in to vmap/vmalloc and back those
	  mappings with real shadow memory allocated on demand. This allows
	  for KASAN to detect more sorts of errors (and to support vmapped
	  stacks), but at the cost of higher memory usage.

config KASAN_KUNIT_TEST
	tristate "KUnit-compatible tests of KASAN bug detection capabilities" if !KUNIT_ALL_TESTS
	depends on KASAN && KUNIT
	default KUNIT_ALL_TESTS
	help
	  This is a KUnit test suite doing various nasty things like
	  out of bounds and use after free accesses. It is useful for testing
	  kernel debugging features like KASAN.

	  For more information on KUnit and unit tests in general, please refer
	  to the KUnit documentation in Documentation/dev-tools/kunit

config TEST_KASAN_MODULE
	tristate "KUnit-incompatible tests of KASAN bug detection capabilities"
	depends on m && KASAN
	help
	  This is a part of the KASAN test suite that is incompatible with
	  KUnit. Currently includes tests that do bad copy_from/to_user
	  accesses.

endif # KASAN