Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e0c6791d authored by Alexander Potapenko's avatar Alexander Potapenko Committed by Todd Kjos
Browse files

BACKPORT: security: Create "kernel hardening" config area 



Right now kernel hardening options are scattered around various Kconfig
files. This can be a central place to collect these kinds of options
going forward. This is initially populated with the memory initialization
options from the gcc-plugins.

The Android backport only moves the config options available in 4.19 at
the moment.

Change-Id: Iadf83f71da5410bad0aff01309365de0809fde96
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Acked-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
(cherry picked from commit 9f671e58159adea641f76c56d1f0bbdcb3c524ff)
Bug: 133428616
Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
parent d9bd2653

scripts/gcc-plugins/Kconfig

+6 −37
Original line number Diff line number Diff line
@@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS 
	  An arch should select this symbol if it supports building with

	  GCC plugins.



menuconfig GCC_PLUGINS

	bool "GCC plugins"

config GCC_PLUGINS

	bool

	depends on HAVE_GCC_PLUGINS

	depends on PLUGIN_HOSTCC != ""

	default y

	help

	  GCC plugins are loadable modules that provide extra features to the

	  compiler. They are useful for runtime instrumentation and static analysis.



	  See Documentation/gcc-plugins.txt for details.



if GCC_PLUGINS

menu "GCC plugins"

	depends on GCC_PLUGINS



config GCC_PLUGIN_CYC_COMPLEXITY

	bool "Compute the cyclomatic complexity of a function" if EXPERT
@@ -66,39 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY 
	   * https://grsecurity.net/

	   * https://pax.grsecurity.net/



config GCC_PLUGIN_STRUCTLEAK

	bool "Force initialization of variables containing userspace addresses"

	# Currently STRUCTLEAK inserts initialization out of live scope of

	# variables from KASAN point of view. This leads to KASAN false

	# positive reports. Prohibit this combination for now.

	depends on !KASAN_EXTRA

	help

	  This plugin zero-initializes any structures containing a

	  __user attribute. This can prevent some classes of information

	  exposures.



	  This plugin was ported from grsecurity/PaX. More information at:

	   * https://grsecurity.net/

	   * https://pax.grsecurity.net/



config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL

	bool "Force initialize all struct type variables passed by reference"

	depends on GCC_PLUGIN_STRUCTLEAK

	depends on !COMPILE_TEST

	help

	  Zero initialize any struct type local variable that may be passed by

	  reference without having been initialized.



config GCC_PLUGIN_STRUCTLEAK_VERBOSE

	bool "Report forcefully initialized variables"

	depends on GCC_PLUGIN_STRUCTLEAK

	depends on !COMPILE_TEST	# too noisy

	help

	  This option will cause a warning to be printed each time the

	  structleak plugin finds a variable it thinks needs to be

	  initialized. Since not all existing initializers are detected

	  by the plugin, this can produce false positive warnings.



config GCC_PLUGIN_RANDSTRUCT

	bool "Randomize layout of sensitive kernel structures"

	select MODVERSIONS if MODULES
@@ -139,4 +108,4 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE 
	  in structures.  This reduces the performance hit of RANDSTRUCT

	  at the cost of weakened randomization.



endif
 
endmenu

security/Kconfig

+2 −0
Original line number Diff line number Diff line
@@ -285,5 +285,7 @@ config DEFAULT_SECURITY 
	default "apparmor" if DEFAULT_SECURITY_APPARMOR

	default "" if DEFAULT_SECURITY_DAC



source "security/Kconfig.hardening"



endmenu

security/Kconfig.hardening

0 → 100644
+67 −0
Original line number Diff line number Diff line 
# SPDX-License-Identifier: GPL-2.0-only

menu "Kernel hardening options"



config GCC_PLUGIN_STRUCTLEAK

	bool "Force initialization of variables containing userspace addresses"

	# Currently STRUCTLEAK inserts initialization out of live scope of

	# variables from KASAN point of view. This leads to KASAN false

	# positive reports. Prohibit this combination for now.

	depends on !KASAN_EXTRA

	help

	  This plugin zero-initializes any structures containing a

	  __user attribute. This can prevent some classes of information

	  exposures.



	  This plugin was ported from grsecurity/PaX. More information at:

	   * https://grsecurity.net/

	   * https://pax.grsecurity.net/



menu "Memory initialization"



choice

	prompt "Initialize kernel stack variables at function entry"

	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS

	default INIT_STACK_NONE

	help

	  This option enables initialization of stack variables at

	  function entry time. This has the possibility to have the

	  greatest coverage (since all functions can have their

	  variables initialized), but the performance impact depends

	  on the function calling complexity of a given workload's

	  syscalls.



	  This chooses the level of coverage over classes of potentially

	  uninitialized variables. The selected class will be

	  initialized before use in a function.



	config INIT_STACK_NONE

		bool "no automatic initialization (weakest)"

		help

		  Disable automatic stack variable initialization.

		  This leaves the kernel vulnerable to the standard

		  classes of uninitialized stack variable exploits

		  and information exposures.



	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL

		bool "Force initialize all struct type variables passed by reference"

		depends on GCC_PLUGIN_STRUCTLEAK

		depends on !COMPILE_TEST

		help

		  Zero initialize any struct type local variable that may

		  be passed by reference without having been initialized.



endchoice



config GCC_PLUGIN_STRUCTLEAK_VERBOSE

	bool "Report forcefully initialized variables"

	depends on GCC_PLUGIN_STRUCTLEAK

	depends on !COMPILE_TEST	# too noisy

	help

	  This option will cause a warning to be printed each time the

	  structleak plugin finds a variable it thinks needs to be

	  initialized. Since not all existing initializers are detected

	  by the plugin, this can produce false positive warnings.



endmenu



endmenu