linux_dsm_epyc7002/security/Kconfig.hardening

menu "Kernel hardening options"

config GCC_PLUGIN_STRUCTLEAK
	bool
	help
	  While the kernel is built with warnings enabled for any missed
	  stack variable initializations, this warning is silenced for
	  anything passed by reference to another function, under the
	  occasionally misguided assumption that the function will do
	  the initialization. As this regularly leads to exploitable
	  flaws, this plugin is available to identify and zero-initialize
	  such variables, depending on the chosen level of coverage.

	  This plugin was originally ported from grsecurity/PaX. More
	  information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

menu "Memory initialization"

choice
	prompt "Initialize kernel stack variables at function entry"
	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
	default INIT_STACK_NONE
	help
	  This option enables initialization of stack variables at
	  function entry time. This has the possibility to have the
	  greatest coverage (since all functions can have their
	  variables initialized), but the performance impact depends
	  on the function calling complexity of a given workload's
	  syscalls.

	  This chooses the level of coverage over classes of potentially
	  uninitialized variables. The selected class will be
	  initialized before use in a function.

	config INIT_STACK_NONE
		bool "no automatic initialization (weakest)"
		help
		  Disable automatic stack variable initialization.
		  This leaves the kernel vulnerable to the standard
		  classes of uninitialized stack variable exploits
		  and information exposures.

	config GCC_PLUGIN_STRUCTLEAK_USER
		bool "zero-init structs marked for userspace (weak)"
		depends on GCC_PLUGINS
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any structures on the stack containing
		  a __user attribute. This can prevent some classes of
		  uninitialized stack variable exploits and information
		  exposures, like CVE-2013-2141:
		  https://git.kernel.org/linus/b9e146d8eb3b9eca

	config GCC_PLUGIN_STRUCTLEAK_BYREF
		bool "zero-init structs passed by reference (strong)"
		depends on GCC_PLUGINS
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any structures on the stack that may
		  be passed by reference and had not already been
		  explicitly initialized. This can prevent most classes
		  of uninitialized stack variable exploits and information
		  exposures, like CVE-2017-1000410:
		  https://git.kernel.org/linus/06e7e776ca4d3654

	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
		bool "zero-init anything passed by reference (very strong)"
		depends on GCC_PLUGINS
		select GCC_PLUGIN_STRUCTLEAK
		help
		  Zero-initialize any stack variables that may be passed
		  by reference and had not already been explicitly
		  initialized. This is intended to eliminate all classes
		  of uninitialized stack variable exploits and information
		  exposures.

endchoice

config GCC_PLUGIN_STRUCTLEAK_VERBOSE
	bool "Report forcefully initialized variables"
	depends on GCC_PLUGIN_STRUCTLEAK
	depends on !COMPILE_TEST	# too noisy
	help
	  This option will cause a warning to be printed each time the
	  structleak plugin finds a variable it thinks needs to be
	  initialized. Since not all existing initializers are detected
	  by the plugin, this can produce false positive warnings.

endmenu

endmenu
security: Create "kernel hardening" config area Right now kernel hardening options are scattered around various Kconfig files. This can be a central place to collect these kinds of options going forward. This is initially populated with the memory initialization options from the gcc-plugins. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Masahiro Yamada <yamada.masahiro@socionext.com> 2019-04-10 22:23:44 +07:00			`menu "Kernel hardening options"`

			`config GCC_PLUGIN_STRUCTLEAK`
			`bool`
			`help`
			`While the kernel is built with warnings enabled for any missed`
			`stack variable initializations, this warning is silenced for`
			`anything passed by reference to another function, under the`
			`occasionally misguided assumption that the function will do`
			`the initialization. As this regularly leads to exploitable`
			`flaws, this plugin is available to identify and zero-initialize`
			`such variables, depending on the chosen level of coverage.`

			`This plugin was originally ported from grsecurity/PaX. More`
			`information at:`
			`* https://grsecurity.net/`
			`* https://pax.grsecurity.net/`

			`menu "Memory initialization"`

			`choice`
			`prompt "Initialize kernel stack variables at function entry"`
			`default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS`
			`default INIT_STACK_NONE`
			`help`
			`This option enables initialization of stack variables at`
			`function entry time. This has the possibility to have the`
			`greatest coverage (since all functions can have their`
			`variables initialized), but the performance impact depends`
			`on the function calling complexity of a given workload's`
			`syscalls.`

			`This chooses the level of coverage over classes of potentially`
			`uninitialized variables. The selected class will be`
			`initialized before use in a function.`

			`config INIT_STACK_NONE`
			`bool "no automatic initialization (weakest)"`
			`help`
			`Disable automatic stack variable initialization.`
			`This leaves the kernel vulnerable to the standard`
			`classes of uninitialized stack variable exploits`
			`and information exposures.`

			`config GCC_PLUGIN_STRUCTLEAK_USER`
			`bool "zero-init structs marked for userspace (weak)"`
			`depends on GCC_PLUGINS`
			`select GCC_PLUGIN_STRUCTLEAK`
			`help`
			`Zero-initialize any structures on the stack containing`
			`a __user attribute. This can prevent some classes of`
			`uninitialized stack variable exploits and information`
			`exposures, like CVE-2013-2141:`
			`https://git.kernel.org/linus/b9e146d8eb3b9eca`

			`config GCC_PLUGIN_STRUCTLEAK_BYREF`
			`bool "zero-init structs passed by reference (strong)"`
			`depends on GCC_PLUGINS`
			`select GCC_PLUGIN_STRUCTLEAK`
			`help`
			`Zero-initialize any structures on the stack that may`
			`be passed by reference and had not already been`
			`explicitly initialized. This can prevent most classes`
			`of uninitialized stack variable exploits and information`
			`exposures, like CVE-2017-1000410:`
			`https://git.kernel.org/linus/06e7e776ca4d3654`

			`config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL`
			`bool "zero-init anything passed by reference (very strong)"`
			`depends on GCC_PLUGINS`
			`select GCC_PLUGIN_STRUCTLEAK`
			`help`
			`Zero-initialize any stack variables that may be passed`
			`by reference and had not already been explicitly`
			`initialized. This is intended to eliminate all classes`
			`of uninitialized stack variable exploits and information`
			`exposures.`

			`endchoice`

			`config GCC_PLUGIN_STRUCTLEAK_VERBOSE`
			`bool "Report forcefully initialized variables"`
			`depends on GCC_PLUGIN_STRUCTLEAK`
			`depends on !COMPILE_TEST # too noisy`
			`help`
			`This option will cause a warning to be printed each time the`
			`structleak plugin finds a variable it thinks needs to be`
			`initialized. Since not all existing initializers are detected`
			`by the plugin, this can produce false positive warnings.`

			`endmenu`

			`endmenu`