1preferred-plugin-hostcc := $(if-success,[ $(gcc-version) -ge 40800 ],$(HOSTCXX),$(HOSTCC)) 2 3config PLUGIN_HOSTCC 4 string 5 default "$(shell,$(srctree)/scripts/gcc-plugin.sh "$(preferred-plugin-hostcc)" "$(HOSTCXX)" "$(CC)")" 6 help 7 Host compiler used to build GCC plugins. This can be $(HOSTCXX), 8 $(HOSTCC), or a null string if GCC plugin is unsupported. 9 10config HAVE_GCC_PLUGINS 11 bool 12 help 13 An arch should select this symbol if it supports building with 14 GCC plugins. 15 16menuconfig GCC_PLUGINS 17 bool "GCC plugins" 18 depends on HAVE_GCC_PLUGINS 19 depends on PLUGIN_HOSTCC != "" 20 help 21 GCC plugins are loadable modules that provide extra features to the 22 compiler. They are useful for runtime instrumentation and static analysis. 23 24 See Documentation/gcc-plugins.txt for details. 25 26if GCC_PLUGINS 27 28config GCC_PLUGIN_CYC_COMPLEXITY 29 bool "Compute the cyclomatic complexity of a function" if EXPERT 30 depends on !COMPILE_TEST # too noisy 31 help 32 The complexity M of a function's control flow graph is defined as: 33 M = E - N + 2P 34 where 35 36 E = the number of edges 37 N = the number of nodes 38 P = the number of connected components (exit nodes). 39 40 Enabling this plugin reports the complexity to stderr during the 41 build. It mainly serves as a simple example of how to create a 42 gcc plugin for the kernel. 43 44config GCC_PLUGIN_SANCOV 45 bool 46 help 47 This plugin inserts a __sanitizer_cov_trace_pc() call at the start of 48 basic blocks. It supports all gcc versions with plugin support (from 49 gcc-4.5 on). It is based on the commit "Add fuzzing coverage support" 50 by Dmitry Vyukov <dvyukov@google.com>. 51 52config GCC_PLUGIN_LATENT_ENTROPY 53 bool "Generate some entropy during boot and runtime" 54 help 55 By saying Y here the kernel will instrument some kernel code to 56 extract some entropy from both original and artificially created 57 program state. This will help especially embedded systems where 58 there is little 'natural' source of entropy normally. The cost 59 is some slowdown of the boot process (about 0.5%) and fork and 60 irq processing. 61 62 Note that entropy extracted this way is not cryptographically 63 secure! 64 65 This plugin was ported from grsecurity/PaX. More information at: 66 * https://grsecurity.net/ 67 * https://pax.grsecurity.net/ 68 69config GCC_PLUGIN_STRUCTLEAK 70 bool "Force initialization of variables containing userspace addresses" 71 # Currently STRUCTLEAK inserts initialization out of live scope of 72 # variables from KASAN point of view. This leads to KASAN false 73 # positive reports. Prohibit this combination for now. 74 depends on !KASAN_EXTRA 75 help 76 This plugin zero-initializes any structures containing a 77 __user attribute. This can prevent some classes of information 78 exposures. 79 80 This plugin was ported from grsecurity/PaX. More information at: 81 * https://grsecurity.net/ 82 * https://pax.grsecurity.net/ 83 84config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL 85 bool "Force initialize all struct type variables passed by reference" 86 depends on GCC_PLUGIN_STRUCTLEAK 87 depends on !COMPILE_TEST 88 help 89 Zero initialize any struct type local variable that may be passed by 90 reference without having been initialized. 91 92config GCC_PLUGIN_STRUCTLEAK_VERBOSE 93 bool "Report forcefully initialized variables" 94 depends on GCC_PLUGIN_STRUCTLEAK 95 depends on !COMPILE_TEST # too noisy 96 help 97 This option will cause a warning to be printed each time the 98 structleak plugin finds a variable it thinks needs to be 99 initialized. Since not all existing initializers are detected 100 by the plugin, this can produce false positive warnings. 101 102config GCC_PLUGIN_RANDSTRUCT 103 bool "Randomize layout of sensitive kernel structures" 104 select MODVERSIONS if MODULES 105 help 106 If you say Y here, the layouts of structures that are entirely 107 function pointers (and have not been manually annotated with 108 __no_randomize_layout), or structures that have been explicitly 109 marked with __randomize_layout, will be randomized at compile-time. 110 This can introduce the requirement of an additional information 111 exposure vulnerability for exploits targeting these structure 112 types. 113 114 Enabling this feature will introduce some performance impact, 115 slightly increase memory usage, and prevent the use of forensic 116 tools like Volatility against the system (unless the kernel 117 source tree isn't cleaned after kernel installation). 118 119 The seed used for compilation is located at 120 scripts/gcc-plgins/randomize_layout_seed.h. It remains after 121 a make clean to allow for external modules to be compiled with 122 the existing seed and will be removed by a make mrproper or 123 make distclean. 124 125 Note that the implementation requires gcc 4.7 or newer. 126 127 This plugin was ported from grsecurity/PaX. More information at: 128 * https://grsecurity.net/ 129 * https://pax.grsecurity.net/ 130 131config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE 132 bool "Use cacheline-aware structure randomization" 133 depends on GCC_PLUGIN_RANDSTRUCT 134 depends on !COMPILE_TEST # do not reduce test coverage 135 help 136 If you say Y here, the RANDSTRUCT randomization will make a 137 best effort at restricting randomization to cacheline-sized 138 groups of elements. It will further not randomize bitfields 139 in structures. This reduces the performance hit of RANDSTRUCT 140 at the cost of weakened randomization. 141 142endif 143