xref: /openbmc/linux/security/Kconfig.hardening (revision c9dc580c)
1# SPDX-License-Identifier: GPL-2.0-only
2menu "Kernel hardening options"
3
4config GCC_PLUGIN_STRUCTLEAK
5	bool
6	help
7	  While the kernel is built with warnings enabled for any missed
8	  stack variable initializations, this warning is silenced for
9	  anything passed by reference to another function, under the
10	  occasionally misguided assumption that the function will do
11	  the initialization. As this regularly leads to exploitable
12	  flaws, this plugin is available to identify and zero-initialize
13	  such variables, depending on the chosen level of coverage.
14
15	  This plugin was originally ported from grsecurity/PaX. More
16	  information at:
17	   * https://grsecurity.net/
18	   * https://pax.grsecurity.net/
19
20menu "Memory initialization"
21
22config CC_HAS_AUTO_VAR_INIT_PATTERN
23	def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
24
25config CC_HAS_AUTO_VAR_INIT_ZERO_BARE
26	def_bool $(cc-option,-ftrivial-auto-var-init=zero)
27
28config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
29	# Clang 16 and later warn about using the -enable flag, but it
30	# is required before then.
31	def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang)
32	depends on !CC_HAS_AUTO_VAR_INIT_ZERO_BARE
33
34config CC_HAS_AUTO_VAR_INIT_ZERO
35	def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BARE || CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
36
37choice
38	prompt "Initialize kernel stack variables at function entry"
39	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
40	default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
41	default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO
42	default INIT_STACK_NONE
43	help
44	  This option enables initialization of stack variables at
45	  function entry time. This has the possibility to have the
46	  greatest coverage (since all functions can have their
47	  variables initialized), but the performance impact depends
48	  on the function calling complexity of a given workload's
49	  syscalls.
50
51	  This chooses the level of coverage over classes of potentially
52	  uninitialized variables. The selected class of variable will be
53	  initialized before use in a function.
54
55	config INIT_STACK_NONE
56		bool "no automatic stack variable initialization (weakest)"
57		help
58		  Disable automatic stack variable initialization.
59		  This leaves the kernel vulnerable to the standard
60		  classes of uninitialized stack variable exploits
61		  and information exposures.
62
63	config GCC_PLUGIN_STRUCTLEAK_USER
64		bool "zero-init structs marked for userspace (weak)"
65		# Plugin can be removed once the kernel only supports GCC 12+
66		depends on GCC_PLUGINS && !CC_HAS_AUTO_VAR_INIT_ZERO
67		select GCC_PLUGIN_STRUCTLEAK
68		help
69		  Zero-initialize any structures on the stack containing
70		  a __user attribute. This can prevent some classes of
71		  uninitialized stack variable exploits and information
72		  exposures, like CVE-2013-2141:
73		  https://git.kernel.org/linus/b9e146d8eb3b9eca
74
75	config GCC_PLUGIN_STRUCTLEAK_BYREF
76		bool "zero-init structs passed by reference (strong)"
77		# Plugin can be removed once the kernel only supports GCC 12+
78		depends on GCC_PLUGINS && !CC_HAS_AUTO_VAR_INIT_ZERO
79		depends on !(KASAN && KASAN_STACK)
80		select GCC_PLUGIN_STRUCTLEAK
81		help
82		  Zero-initialize any structures on the stack that may
83		  be passed by reference and had not already been
84		  explicitly initialized. This can prevent most classes
85		  of uninitialized stack variable exploits and information
86		  exposures, like CVE-2017-1000410:
87		  https://git.kernel.org/linus/06e7e776ca4d3654
88
89		  As a side-effect, this keeps a lot of variables on the
90		  stack that can otherwise be optimized out, so combining
91		  this with CONFIG_KASAN_STACK can lead to a stack overflow
92		  and is disallowed.
93
94	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
95		bool "zero-init everything passed by reference (very strong)"
96		# Plugin can be removed once the kernel only supports GCC 12+
97		depends on GCC_PLUGINS && !CC_HAS_AUTO_VAR_INIT_ZERO
98		depends on !(KASAN && KASAN_STACK)
99		select GCC_PLUGIN_STRUCTLEAK
100		help
101		  Zero-initialize any stack variables that may be passed
102		  by reference and had not already been explicitly
103		  initialized. This is intended to eliminate all classes
104		  of uninitialized stack variable exploits and information
105		  exposures.
106
107		  As a side-effect, this keeps a lot of variables on the
108		  stack that can otherwise be optimized out, so combining
109		  this with CONFIG_KASAN_STACK can lead to a stack overflow
110		  and is disallowed.
111
112	config INIT_STACK_ALL_PATTERN
113		bool "pattern-init everything (strongest)"
114		depends on CC_HAS_AUTO_VAR_INIT_PATTERN
115		depends on !KMSAN
116		help
117		  Initializes everything on the stack (including padding)
118		  with a specific debug value. This is intended to eliminate
119		  all classes of uninitialized stack variable exploits and
120		  information exposures, even variables that were warned about
121		  having been left uninitialized.
122
123		  Pattern initialization is known to provoke many existing bugs
124		  related to uninitialized locals, e.g. pointers receive
125		  non-NULL values, buffer sizes and indices are very big. The
126		  pattern is situation-specific; Clang on 64-bit uses 0xAA
127		  repeating for all types and padding except float and double
128		  which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF
129		  repeating for all types and padding.
130
131	config INIT_STACK_ALL_ZERO
132		bool "zero-init everything (strongest and safest)"
133		depends on CC_HAS_AUTO_VAR_INIT_ZERO
134		depends on !KMSAN
135		help
136		  Initializes everything on the stack (including padding)
137		  with a zero value. This is intended to eliminate all
138		  classes of uninitialized stack variable exploits and
139		  information exposures, even variables that were warned
140		  about having been left uninitialized.
141
142		  Zero initialization provides safe defaults for strings
143		  (immediately NUL-terminated), pointers (NULL), indices
144		  (index 0), and sizes (0 length), so it is therefore more
145		  suitable as a production security mitigation than pattern
146		  initialization.
147
148endchoice
149
150config GCC_PLUGIN_STRUCTLEAK_VERBOSE
151	bool "Report forcefully initialized variables"
152	depends on GCC_PLUGIN_STRUCTLEAK
153	depends on !COMPILE_TEST	# too noisy
154	help
155	  This option will cause a warning to be printed each time the
156	  structleak plugin finds a variable it thinks needs to be
157	  initialized. Since not all existing initializers are detected
158	  by the plugin, this can produce false positive warnings.
159
160config GCC_PLUGIN_STACKLEAK
161	bool "Poison kernel stack before returning from syscalls"
162	depends on GCC_PLUGINS
163	depends on HAVE_ARCH_STACKLEAK
164	help
165	  This option makes the kernel erase the kernel stack before
166	  returning from system calls. This has the effect of leaving
167	  the stack initialized to the poison value, which both reduces
168	  the lifetime of any sensitive stack contents and reduces
169	  potential for uninitialized stack variable exploits or information
170	  exposures (it does not cover functions reaching the same stack
171	  depth as prior functions during the same syscall). This blocks
172	  most uninitialized stack variable attacks, with the performance
173	  impact being driven by the depth of the stack usage, rather than
174	  the function calling complexity.
175
176	  The performance impact on a single CPU system kernel compilation
177	  sees a 1% slowdown, other systems and workloads may vary and you
178	  are advised to test this feature on your expected workload before
179	  deploying it.
180
181	  This plugin was ported from grsecurity/PaX. More information at:
182	   * https://grsecurity.net/
183	   * https://pax.grsecurity.net/
184
185config GCC_PLUGIN_STACKLEAK_VERBOSE
186	bool "Report stack depth analysis instrumentation" if EXPERT
187	depends on GCC_PLUGIN_STACKLEAK
188	depends on !COMPILE_TEST	# too noisy
189	help
190	  This option will cause a warning to be printed each time the
191	  stackleak plugin finds a function it thinks needs to be
192	  instrumented. This is useful for comparing coverage between
193	  builds.
194
195config STACKLEAK_TRACK_MIN_SIZE
196	int "Minimum stack frame size of functions tracked by STACKLEAK"
197	default 100
198	range 0 4096
199	depends on GCC_PLUGIN_STACKLEAK
200	help
201	  The STACKLEAK gcc plugin instruments the kernel code for tracking
202	  the lowest border of the kernel stack (and for some other purposes).
203	  It inserts the stackleak_track_stack() call for the functions with
204	  a stack frame size greater than or equal to this parameter.
205	  If unsure, leave the default value 100.
206
207config STACKLEAK_METRICS
208	bool "Show STACKLEAK metrics in the /proc file system"
209	depends on GCC_PLUGIN_STACKLEAK
210	depends on PROC_FS
211	help
212	  If this is set, STACKLEAK metrics for every task are available in
213	  the /proc file system. In particular, /proc/<pid>/stack_depth
214	  shows the maximum kernel stack consumption for the current and
215	  previous syscalls. Although this information is not precise, it
216	  can be useful for estimating the STACKLEAK performance impact for
217	  your workloads.
218
219config STACKLEAK_RUNTIME_DISABLE
220	bool "Allow runtime disabling of kernel stack erasing"
221	depends on GCC_PLUGIN_STACKLEAK
222	help
223	  This option provides 'stack_erasing' sysctl, which can be used in
224	  runtime to control kernel stack erasing for kernels built with
225	  CONFIG_GCC_PLUGIN_STACKLEAK.
226
227config INIT_ON_ALLOC_DEFAULT_ON
228	bool "Enable heap memory zeroing on allocation by default"
229	depends on !KMSAN
230	help
231	  This has the effect of setting "init_on_alloc=1" on the kernel
232	  command line. This can be disabled with "init_on_alloc=0".
233	  When "init_on_alloc" is enabled, all page allocator and slab
234	  allocator memory will be zeroed when allocated, eliminating
235	  many kinds of "uninitialized heap memory" flaws, especially
236	  heap content exposures. The performance impact varies by
237	  workload, but most cases see <1% impact. Some synthetic
238	  workloads have measured as high as 7%.
239
240config INIT_ON_FREE_DEFAULT_ON
241	bool "Enable heap memory zeroing on free by default"
242	depends on !KMSAN
243	help
244	  This has the effect of setting "init_on_free=1" on the kernel
245	  command line. This can be disabled with "init_on_free=0".
246	  Similar to "init_on_alloc", when "init_on_free" is enabled,
247	  all page allocator and slab allocator memory will be zeroed
248	  when freed, eliminating many kinds of "uninitialized heap memory"
249	  flaws, especially heap content exposures. The primary difference
250	  with "init_on_free" is that data lifetime in memory is reduced,
251	  as anything freed is wiped immediately, making live forensics or
252	  cold boot memory attacks unable to recover freed memory contents.
253	  The performance impact varies by workload, but is more expensive
254	  than "init_on_alloc" due to the negative cache effects of
255	  touching "cold" memory areas. Most cases see 3-5% impact. Some
256	  synthetic workloads have measured as high as 8%.
257
258config CC_HAS_ZERO_CALL_USED_REGS
259	def_bool $(cc-option,-fzero-call-used-regs=used-gpr)
260	# https://github.com/ClangBuiltLinux/linux/issues/1766
261	# https://github.com/llvm/llvm-project/issues/59242
262	depends on !CC_IS_CLANG || CLANG_VERSION > 150006
263
264config ZERO_CALL_USED_REGS
265	bool "Enable register zeroing on function exit"
266	depends on CC_HAS_ZERO_CALL_USED_REGS
267	help
268	  At the end of functions, always zero any caller-used register
269	  contents. This helps ensure that temporary values are not
270	  leaked beyond the function boundary. This means that register
271	  contents are less likely to be available for side channels
272	  and information exposures. Additionally, this helps reduce the
273	  number of useful ROP gadgets by about 20% (and removes compiler
274	  generated "write-what-where" gadgets) in the resulting kernel
275	  image. This has a less than 1% performance impact on most
276	  workloads. Image size growth depends on architecture, and should
277	  be evaluated for suitability. For example, x86_64 grows by less
278	  than 1%, and arm64 grows by about 5%.
279
280endmenu
281
282config CC_HAS_RANDSTRUCT
283	def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null)
284	# Randstruct was first added in Clang 15, but it isn't safe to use until
285	# Clang 16 due to https://github.com/llvm/llvm-project/issues/60349
286	depends on !CC_IS_CLANG || CLANG_VERSION >= 160000
287
288choice
289	prompt "Randomize layout of sensitive kernel structures"
290	default RANDSTRUCT_FULL if COMPILE_TEST && (GCC_PLUGINS || CC_HAS_RANDSTRUCT)
291	default RANDSTRUCT_NONE
292	help
293	  If you enable this, the layouts of structures that are entirely
294	  function pointers (and have not been manually annotated with
295	  __no_randomize_layout), or structures that have been explicitly
296	  marked with __randomize_layout, will be randomized at compile-time.
297	  This can introduce the requirement of an additional information
298	  exposure vulnerability for exploits targeting these structure
299	  types.
300
301	  Enabling this feature will introduce some performance impact,
302	  slightly increase memory usage, and prevent the use of forensic
303	  tools like Volatility against the system (unless the kernel
304	  source tree isn't cleaned after kernel installation).
305
306	  The seed used for compilation is in scripts/basic/randomize.seed.
307	  It remains after a "make clean" to allow for external modules to
308	  be compiled with the existing seed and will be removed by a
309	  "make mrproper" or "make distclean". This file should not be made
310	  public, or the structure layout can be determined.
311
312	config RANDSTRUCT_NONE
313		bool "Disable structure layout randomization"
314		help
315		  Build normally: no structure layout randomization.
316
317	config RANDSTRUCT_FULL
318		bool "Fully randomize structure layout"
319		depends on CC_HAS_RANDSTRUCT || GCC_PLUGINS
320		select MODVERSIONS if MODULES
321		help
322		  Fully randomize the member layout of sensitive
323		  structures as much as possible, which may have both a
324		  memory size and performance impact.
325
326		  One difference between the Clang and GCC plugin
327		  implementations is the handling of bitfields. The GCC
328		  plugin treats them as fully separate variables,
329		  introducing sometimes significant padding. Clang tries
330		  to keep adjacent bitfields together, but with their bit
331		  ordering randomized.
332
333	config RANDSTRUCT_PERFORMANCE
334		bool "Limit randomization of structure layout to cache-lines"
335		depends on GCC_PLUGINS
336		select MODVERSIONS if MODULES
337		help
338		  Randomization of sensitive kernel structures will make a
339		  best effort at restricting randomization to cacheline-sized
340		  groups of members. It will further not randomize bitfields
341		  in structures. This reduces the performance hit of RANDSTRUCT
342		  at the cost of weakened randomization.
343endchoice
344
345config RANDSTRUCT
346	def_bool !RANDSTRUCT_NONE
347
348config GCC_PLUGIN_RANDSTRUCT
349	def_bool GCC_PLUGINS && RANDSTRUCT
350	help
351	  Use GCC plugin to randomize structure layout.
352
353	  This plugin was ported from grsecurity/PaX. More
354	  information at:
355	   * https://grsecurity.net/
356	   * https://pax.grsecurity.net/
357
358endmenu
359