xref: /openbmc/linux/lib/Kconfig.kasan (revision b1c3d2be)
1# SPDX-License-Identifier: GPL-2.0-only
2
3# This config refers to the generic KASAN mode.
4config HAVE_ARCH_KASAN
5	bool
6
7config HAVE_ARCH_KASAN_SW_TAGS
8	bool
9
10config HAVE_ARCH_KASAN_HW_TAGS
11	bool
12
13config HAVE_ARCH_KASAN_VMALLOC
14	bool
15
16config ARCH_DISABLE_KASAN_INLINE
17	bool
18	help
19	  Disables both inline and stack instrumentation. Selected by
20	  architectures that do not support these instrumentation types.
21
22config CC_HAS_KASAN_GENERIC
23	def_bool $(cc-option, -fsanitize=kernel-address)
24
25config CC_HAS_KASAN_SW_TAGS
26	def_bool $(cc-option, -fsanitize=kernel-hwaddress)
27
28# This option is only required for software KASAN modes.
29# Old GCC versions do not have proper support for no_sanitize_address.
30# See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89124 for details.
31config CC_HAS_WORKING_NOSANITIZE_ADDRESS
32	def_bool !CC_IS_GCC || GCC_VERSION >= 80300
33
34menuconfig KASAN
35	bool "KASAN: dynamic memory safety error detector"
36	depends on (((HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC) || \
37		     (HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS)) && \
38		    CC_HAS_WORKING_NOSANITIZE_ADDRESS) || \
39		   HAVE_ARCH_KASAN_HW_TAGS
40	depends on (SLUB && SYSFS && !SLUB_TINY) || (SLAB && !DEBUG_SLAB)
41	select STACKDEPOT_ALWAYS_INIT
42	help
43	  Enables KASAN (Kernel Address Sanitizer) - a dynamic memory safety
44	  error detector designed to find out-of-bounds and use-after-free bugs.
45
46	  See Documentation/dev-tools/kasan.rst for details.
47
48	  For better error reports, also enable CONFIG_STACKTRACE.
49
50if KASAN
51
52choice
53	prompt "KASAN mode"
54	default KASAN_GENERIC
55	help
56	  KASAN has three modes:
57
58	  1. Generic KASAN (supported by many architectures, enabled with
59	     CONFIG_KASAN_GENERIC, similar to userspace ASan),
60	  2. Software Tag-Based KASAN (arm64 only, based on software memory
61	     tagging, enabled with CONFIG_KASAN_SW_TAGS, similar to userspace
62	     HWASan), and
63	  3. Hardware Tag-Based KASAN (arm64 only, based on hardware memory
64	     tagging, enabled with CONFIG_KASAN_HW_TAGS).
65
66	  See Documentation/dev-tools/kasan.rst for details about each mode.
67
68config KASAN_GENERIC
69	bool "Generic KASAN"
70	depends on HAVE_ARCH_KASAN && CC_HAS_KASAN_GENERIC
71	depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS
72	select SLUB_DEBUG if SLUB
73	select CONSTRUCTORS
74	help
75	  Enables Generic KASAN.
76
77	  Requires GCC 8.3.0+ or Clang.
78
79	  Consumes about 1/8th of available memory at kernel start and adds an
80	  overhead of ~50% for dynamic allocations.
81	  The performance slowdown is ~x3.
82
83	  (Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.)
84
85config KASAN_SW_TAGS
86	bool "Software Tag-Based KASAN"
87	depends on HAVE_ARCH_KASAN_SW_TAGS && CC_HAS_KASAN_SW_TAGS
88	depends on CC_HAS_WORKING_NOSANITIZE_ADDRESS
89	select SLUB_DEBUG if SLUB
90	select CONSTRUCTORS
91	help
92	  Enables Software Tag-Based KASAN.
93
94	  Requires GCC 11+ or Clang.
95
96	  Supported only on arm64 CPUs and relies on Top Byte Ignore.
97
98	  Consumes about 1/16th of available memory at kernel start and
99	  add an overhead of ~20% for dynamic allocations.
100
101	  May potentially introduce problems related to pointer casting and
102	  comparison, as it embeds a tag into the top byte of each pointer.
103
104	  (Incompatible with CONFIG_DEBUG_SLAB: the kernel does not boot.)
105
106config KASAN_HW_TAGS
107	bool "Hardware Tag-Based KASAN"
108	depends on HAVE_ARCH_KASAN_HW_TAGS
109	depends on SLUB
110	help
111	  Enables Hardware Tag-Based KASAN.
112
113	  Requires GCC 10+ or Clang 12+.
114
115	  Supported only on arm64 CPUs starting from ARMv8.5 and relies on
116	  Memory Tagging Extension and Top Byte Ignore.
117
118	  Consumes about 1/32nd of available memory.
119
120	  May potentially introduce problems related to pointer casting and
121	  comparison, as it embeds a tag into the top byte of each pointer.
122
123endchoice
124
125choice
126	prompt "Instrumentation type"
127	depends on KASAN_GENERIC || KASAN_SW_TAGS
128	default KASAN_OUTLINE
129
130config KASAN_OUTLINE
131	bool "Outline instrumentation"
132	help
133	  Makes the compiler insert function calls that check whether the memory
134	  is accessible before each memory access. Slower than KASAN_INLINE, but
135	  does not bloat the size of the kernel's .text section so much.
136
137config KASAN_INLINE
138	bool "Inline instrumentation"
139	depends on !ARCH_DISABLE_KASAN_INLINE
140	help
141	  Makes the compiler directly insert memory accessibility checks before
142	  each memory access. Faster than KASAN_OUTLINE (gives ~x2 boost for
143	  some workloads), but makes the kernel's .text size much bigger.
144
145endchoice
146
147config KASAN_STACK
148	bool "Stack instrumentation (unsafe)" if CC_IS_CLANG && !COMPILE_TEST
149	depends on KASAN_GENERIC || KASAN_SW_TAGS
150	depends on !ARCH_DISABLE_KASAN_INLINE
151	default y if CC_IS_GCC
152	help
153	  Disables stack instrumentation and thus KASAN's ability to detect
154	  out-of-bounds bugs in stack variables.
155
156	  With Clang, stack instrumentation has a problem that causes excessive
157	  stack usage, see https://bugs.llvm.org/show_bug.cgi?id=38809. Thus,
158	  with Clang, this option is deemed unsafe.
159
160	  This option is always disabled when compile-testing with Clang to
161	  avoid cluttering the log with stack overflow warnings.
162
163	  With GCC, enabling stack instrumentation is assumed to be safe.
164
165	  If the architecture disables inline instrumentation via
166	  ARCH_DISABLE_KASAN_INLINE, stack instrumentation gets disabled
167	  as well, as it adds inline-style instrumentation that is run
168	  unconditionally.
169
170config KASAN_VMALLOC
171	bool "Check accesses to vmalloc allocations"
172	depends on HAVE_ARCH_KASAN_VMALLOC
173	help
174	  Makes KASAN check the validity of accesses to vmalloc allocations.
175
176	  With software KASAN modes, all types vmalloc allocations are
177	  checked. Enabling this option leads to higher memory usage.
178
179	  With Hardware Tag-Based KASAN, only non-executable VM_ALLOC mappings
180	  are checked. There is no additional memory usage.
181
182config KASAN_KUNIT_TEST
183	tristate "KUnit-compatible tests of KASAN bug detection capabilities" if !KUNIT_ALL_TESTS
184	depends on KASAN && KUNIT && TRACEPOINTS
185	default KUNIT_ALL_TESTS
186	help
187	  A KUnit-based KASAN test suite. Triggers different kinds of
188	  out-of-bounds and use-after-free accesses. Useful for testing whether
189	  KASAN can detect certain bug types.
190
191	  For more information on KUnit and unit tests in general, please refer
192	  to the KUnit documentation in Documentation/dev-tools/kunit/.
193
194config KASAN_MODULE_TEST
195	tristate "KUnit-incompatible tests of KASAN bug detection capabilities"
196	depends on m && KASAN && !KASAN_HW_TAGS
197	help
198	  A part of the KASAN test suite that is not integrated with KUnit.
199	  Incompatible with Hardware Tag-Based KASAN.
200
201endif # KASAN
202