xref: /openbmc/linux/security/Kconfig.hardening (revision 9f671e58) 
1menu "Kernel hardening options"
2
3config GCC_PLUGIN_STRUCTLEAK
4	bool
5	help
6	  While the kernel is built with warnings enabled for any missed
7	  stack variable initializations, this warning is silenced for
8	  anything passed by reference to another function, under the
9	  occasionally misguided assumption that the function will do
10	  the initialization. As this regularly leads to exploitable
11	  flaws, this plugin is available to identify and zero-initialize
12	  such variables, depending on the chosen level of coverage.
13
14	  This plugin was originally ported from grsecurity/PaX. More
15	  information at:
16	   * https://grsecurity.net/
17	   * https://pax.grsecurity.net/
18
19menu "Memory initialization"
20
21choice
22	prompt "Initialize kernel stack variables at function entry"
23	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
24	default INIT_STACK_NONE
25	help
26	  This option enables initialization of stack variables at
27	  function entry time. This has the possibility to have the
28	  greatest coverage (since all functions can have their
29	  variables initialized), but the performance impact depends
30	  on the function calling complexity of a given workload's
31	  syscalls.
32
33	  This chooses the level of coverage over classes of potentially
34	  uninitialized variables. The selected class will be
35	  initialized before use in a function.
36
37	config INIT_STACK_NONE
38		bool "no automatic initialization (weakest)"
39		help
40		  Disable automatic stack variable initialization.
41		  This leaves the kernel vulnerable to the standard
42		  classes of uninitialized stack variable exploits
43		  and information exposures.
44
45	config GCC_PLUGIN_STRUCTLEAK_USER
46		bool "zero-init structs marked for userspace (weak)"
47		depends on GCC_PLUGINS
48		select GCC_PLUGIN_STRUCTLEAK
49		help
50		  Zero-initialize any structures on the stack containing
51		  a __user attribute. This can prevent some classes of
52		  uninitialized stack variable exploits and information
53		  exposures, like CVE-2013-2141:
54		  https://git.kernel.org/linus/b9e146d8eb3b9eca
55
56	config GCC_PLUGIN_STRUCTLEAK_BYREF
57		bool "zero-init structs passed by reference (strong)"
58		depends on GCC_PLUGINS
59		select GCC_PLUGIN_STRUCTLEAK
60		help
61		  Zero-initialize any structures on the stack that may
62		  be passed by reference and had not already been
63		  explicitly initialized. This can prevent most classes
64		  of uninitialized stack variable exploits and information
65		  exposures, like CVE-2017-1000410:
66		  https://git.kernel.org/linus/06e7e776ca4d3654
67
68	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
69		bool "zero-init anything passed by reference (very strong)"
70		depends on GCC_PLUGINS
71		select GCC_PLUGIN_STRUCTLEAK
72		help
73		  Zero-initialize any stack variables that may be passed
74		  by reference and had not already been explicitly
75		  initialized. This is intended to eliminate all classes
76		  of uninitialized stack variable exploits and information
77		  exposures.
78
79endchoice
80
81config GCC_PLUGIN_STRUCTLEAK_VERBOSE
82	bool "Report forcefully initialized variables"
83	depends on GCC_PLUGIN_STRUCTLEAK
84	depends on !COMPILE_TEST	# too noisy
85	help
86	  This option will cause a warning to be printed each time the
87	  structleak plugin finds a variable it thinks needs to be
88	  initialized. Since not all existing initializers are detected
89	  by the plugin, this can produce false positive warnings.
90
91endmenu
92
93endmenu
94