1menu "Kernel hardening options" 2 3config GCC_PLUGIN_STRUCTLEAK 4 bool 5 help 6 While the kernel is built with warnings enabled for any missed 7 stack variable initializations, this warning is silenced for 8 anything passed by reference to another function, under the 9 occasionally misguided assumption that the function will do 10 the initialization. As this regularly leads to exploitable 11 flaws, this plugin is available to identify and zero-initialize 12 such variables, depending on the chosen level of coverage. 13 14 This plugin was originally ported from grsecurity/PaX. More 15 information at: 16 * https://grsecurity.net/ 17 * https://pax.grsecurity.net/ 18 19menu "Memory initialization" 20 21choice 22 prompt "Initialize kernel stack variables at function entry" 23 default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS 24 default INIT_STACK_NONE 25 help 26 This option enables initialization of stack variables at 27 function entry time. This has the possibility to have the 28 greatest coverage (since all functions can have their 29 variables initialized), but the performance impact depends 30 on the function calling complexity of a given workload's 31 syscalls. 32 33 This chooses the level of coverage over classes of potentially 34 uninitialized variables. The selected class will be 35 initialized before use in a function. 36 37 config INIT_STACK_NONE 38 bool "no automatic initialization (weakest)" 39 help 40 Disable automatic stack variable initialization. 41 This leaves the kernel vulnerable to the standard 42 classes of uninitialized stack variable exploits 43 and information exposures. 44 45 config GCC_PLUGIN_STRUCTLEAK_USER 46 bool "zero-init structs marked for userspace (weak)" 47 depends on GCC_PLUGINS 48 select GCC_PLUGIN_STRUCTLEAK 49 help 50 Zero-initialize any structures on the stack containing 51 a __user attribute. This can prevent some classes of 52 uninitialized stack variable exploits and information 53 exposures, like CVE-2013-2141: 54 https://git.kernel.org/linus/b9e146d8eb3b9eca 55 56 config GCC_PLUGIN_STRUCTLEAK_BYREF 57 bool "zero-init structs passed by reference (strong)" 58 depends on GCC_PLUGINS 59 select GCC_PLUGIN_STRUCTLEAK 60 help 61 Zero-initialize any structures on the stack that may 62 be passed by reference and had not already been 63 explicitly initialized. This can prevent most classes 64 of uninitialized stack variable exploits and information 65 exposures, like CVE-2017-1000410: 66 https://git.kernel.org/linus/06e7e776ca4d3654 67 68 config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL 69 bool "zero-init anything passed by reference (very strong)" 70 depends on GCC_PLUGINS 71 select GCC_PLUGIN_STRUCTLEAK 72 help 73 Zero-initialize any stack variables that may be passed 74 by reference and had not already been explicitly 75 initialized. This is intended to eliminate all classes 76 of uninitialized stack variable exploits and information 77 exposures. 78 79endchoice 80 81config GCC_PLUGIN_STRUCTLEAK_VERBOSE 82 bool "Report forcefully initialized variables" 83 depends on GCC_PLUGIN_STRUCTLEAK 84 depends on !COMPILE_TEST # too noisy 85 help 86 This option will cause a warning to be printed each time the 87 structleak plugin finds a variable it thinks needs to be 88 initialized. Since not all existing initializers are detected 89 by the plugin, this can produce false positive warnings. 90 91config GCC_PLUGIN_STACKLEAK 92 bool "Poison kernel stack before returning from syscalls" 93 depends on GCC_PLUGINS 94 depends on HAVE_ARCH_STACKLEAK 95 help 96 This option makes the kernel erase the kernel stack before 97 returning from system calls. This has the effect of leaving 98 the stack initialized to the poison value, which both reduces 99 the lifetime of any sensitive stack contents and reduces 100 potential for uninitialized stack variable exploits or information 101 exposures (it does not cover functions reaching the same stack 102 depth as prior functions during the same syscall). This blocks 103 most uninitialized stack variable attacks, with the performance 104 impact being driven by the depth of the stack usage, rather than 105 the function calling complexity. 106 107 The performance impact on a single CPU system kernel compilation 108 sees a 1% slowdown, other systems and workloads may vary and you 109 are advised to test this feature on your expected workload before 110 deploying it. 111 112 This plugin was ported from grsecurity/PaX. More information at: 113 * https://grsecurity.net/ 114 * https://pax.grsecurity.net/ 115 116config STACKLEAK_TRACK_MIN_SIZE 117 int "Minimum stack frame size of functions tracked by STACKLEAK" 118 default 100 119 range 0 4096 120 depends on GCC_PLUGIN_STACKLEAK 121 help 122 The STACKLEAK gcc plugin instruments the kernel code for tracking 123 the lowest border of the kernel stack (and for some other purposes). 124 It inserts the stackleak_track_stack() call for the functions with 125 a stack frame size greater than or equal to this parameter. 126 If unsure, leave the default value 100. 127 128config STACKLEAK_METRICS 129 bool "Show STACKLEAK metrics in the /proc file system" 130 depends on GCC_PLUGIN_STACKLEAK 131 depends on PROC_FS 132 help 133 If this is set, STACKLEAK metrics for every task are available in 134 the /proc file system. In particular, /proc/<pid>/stack_depth 135 shows the maximum kernel stack consumption for the current and 136 previous syscalls. Although this information is not precise, it 137 can be useful for estimating the STACKLEAK performance impact for 138 your workloads. 139 140config STACKLEAK_RUNTIME_DISABLE 141 bool "Allow runtime disabling of kernel stack erasing" 142 depends on GCC_PLUGIN_STACKLEAK 143 help 144 This option provides 'stack_erasing' sysctl, which can be used in 145 runtime to control kernel stack erasing for kernels built with 146 CONFIG_GCC_PLUGIN_STACKLEAK. 147 148endmenu 149 150endmenu 151