
Commit e0c6791d authored by Alexander Potapenko's avatar Alexander Potapenko Committed by Todd Kjos

BACKPORT: security: Create "kernel hardening" config area



Right now kernel hardening options are scattered around various Kconfig
files. This can be a central place to collect these kinds of options
going forward. This is initially populated with the memory initialization
options from the gcc-plugins.

The Android backport only moves the config options available in 4.19 at
the moment.

Change-Id: Iadf83f71da5410bad0aff01309365de0809fde96
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Masahiro Yamada <yamada.masahiro@socionext.com>
(cherry picked from commit 9f671e58159adea641f76c56d1f0bbdcb3c524ff)
Bug: 133428616
Signed-off-by: Alexander Potapenko <glider@google.com>
parent d9bd2653
+6 −37
@@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS
	  An arch should select this symbol if it supports building with
	  GCC plugins.

menuconfig GCC_PLUGINS
	bool "GCC plugins"
config GCC_PLUGINS
	bool
	depends on HAVE_GCC_PLUGINS
	depends on PLUGIN_HOSTCC != ""
	default y
	help
	  GCC plugins are loadable modules that provide extra features to the
	  compiler. They are useful for runtime instrumentation and static analysis.

	  See Documentation/gcc-plugins.txt for details.

if GCC_PLUGINS
menu "GCC plugins"
	depends on GCC_PLUGINS

config GCC_PLUGIN_CYC_COMPLEXITY
	bool "Compute the cyclomatic complexity of a function" if EXPERT
@@ -66,39 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config GCC_PLUGIN_STRUCTLEAK
	bool "Force initialization of variables containing userspace addresses"
	# Currently STRUCTLEAK inserts initialization out of live scope of
	# variables from KASAN point of view. This leads to KASAN false
	# positive reports. Prohibit this combination for now.
	depends on !KASAN_EXTRA
	help
	  This plugin zero-initializes any structures containing a
	  __user attribute. This can prevent some classes of information
	  exposures.

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
	bool "Force initialize all struct type variables passed by reference"
	depends on GCC_PLUGIN_STRUCTLEAK
	depends on !COMPILE_TEST
	help
	  Zero initialize any struct type local variable that may be passed by
	  reference without having been initialized.

config GCC_PLUGIN_STRUCTLEAK_VERBOSE
	bool "Report forcefully initialized variables"
	depends on GCC_PLUGIN_STRUCTLEAK
	depends on !COMPILE_TEST	# too noisy
	help
	  This option will cause a warning to be printed each time the
	  structleak plugin finds a variable it thinks needs to be
	  initialized. Since not all existing initializers are detected
	  by the plugin, this can produce false positive warnings.

config GCC_PLUGIN_RANDSTRUCT
	bool "Randomize layout of sensitive kernel structures"
	select MODVERSIONS if MODULES
@@ -139,4 +108,4 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
	  in structures.  This reduces the performance hit of RANDSTRUCT
	  at the cost of weakened randomization.

endif
endmenu
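Review bot: Hunk 1 turns GCC_PLUGINS from a user-selectable menuconfig into a promptless bool with `default y`, which the description does not mention (it says the backport only moves options). A bool symbol without a prompt takes its default regardless of what .config says, so existing `# CONFIG_GCC_PLUGINS is not set` entries stop having any effect and the plugin infrastructure is built wherever HAVE_GCC_PLUGINS and PLUGIN_HOSTCC allow. If that is intended, a comment above the default such as `# No prompt: enabled whenever the toolchain supports plugins; individual plugins are chosen in the menu below.` would save the next reader a bisect, and the description should state the change. The `endif` → `endmenu` swap in the last hunk matches the new `menu "GCC plugins"` opener.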
+2 −0
@@ -285,5 +285,7 @@ config DEFAULT_SECURITY
	default "apparmor" if DEFAULT_SECURITY_APPARMOR
	default "" if DEFAULT_SECURITY_DAC

source "security/Kconfig.hardening"

endmenu
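--- /dev/null
+++ b/security/Kconfig.hardening
@@ -0,0 +1,67 @@
+# SPDX-License-Identifier: GPL-2.0-only
+menu "Kernel hardening options"
+
+config GCC_PLUGIN_STRUCTLEAK
+	bool "Force initialization of variables containing userspace addresses"
+	# Currently STRUCTLEAK inserts initialization out of live scope of
+	# variables from KASAN point of view. This leads to KASAN false
+	# positive reports. Prohibit this combination for now.
+	depends on !KASAN_EXTRA
+	help
+	  This plugin zero-initializes any structures containing a
+	  __user attribute. This can prevent some classes of information
+	  exposures.
+
+	  This plugin was ported from grsecurity/PaX. More information at:
+	   * https://grsecurity.net/
+	   * https://pax.grsecurity.net/
+
+menu "Memory initialization"
+
+choice
+	prompt "Initialize kernel stack variables at function entry"
+	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
+	default INIT_STACK_NONE
+	help
+	  This option enables initialization of stack variables at
+	  function entry time. This has the possibility to have the
+	  greatest coverage (since all functions can have their
+	  variables initialized), but the performance impact depends
+	  on the function calling complexity of a given workload's
+	  syscalls.
+
+	  This chooses the level of coverage over classes of potentially
+	  uninitialized variables. The selected class will be
+	  initialized before use in a function.
+
+	config INIT_STACK_NONE
+		bool "no automatic initialization (weakest)"
+		help
+		  Disable automatic stack variable initialization.
+		  This leaves the kernel vulnerable to the standard
+		  classes of uninitialized stack variable exploits
+		  and information exposures.
+
+	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
+		bool "Force initialize all struct type variables passed by reference"
+		depends on GCC_PLUGIN_STRUCTLEAK
+		depends on !COMPILE_TEST
+		help
+		  Zero initialize any struct type local variable that may
+		  be passed by reference without having been initialized.
+
+endchoice
+
+config GCC_PLUGIN_STRUCTLEAK_VERBOSE
+	bool "Report forcefully initialized variables"
+	depends on GCC_PLUGIN_STRUCTLEAK
+	depends on !COMPILE_TEST	# too noisy
+	help
+	  This option will cause a warning to be printed each time the
+	  structleak plugin finds a variable it thinks needs to be
+	  initialized. Since not all existing initializers are detected
+	  by the plugin, this can produce false positive warnings.
+
+endmenu
+
+endmenu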
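Review bot: The moved GCC_PLUGIN_STRUCTLEAK entry has lost its GCC_PLUGINS gating: in the old scripts/gcc-plugins/Kconfig it sat inside `if GCC_PLUGINS`, but in this new file it is guarded only by `depends on !KASAN_EXTRA`, so it (and BYREF_ALL and VERBOSE through it) becomes visible and selectable on configurations where the arch never selected HAVE_GCC_PLUGINS, presumably with no plugin actually being built behind the option. Adding `depends on GCC_PLUGINS` right under the `bool` line restores the previous behavior. In the same file, the choice's `default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS` can never take effect, because GCC_PLUGIN_STRUCTLEAK_BYREF_ALL keeps `depends on !COMPILE_TEST`; one of the two looks like it was carried over from a different revision and should be reconciled. A short comment at the top of the file naming which upstream options were deliberately left out of the 4.19 backport would also help anyone comparing it against the upstream Kconfig.hardening.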