security: Create "kernel hardening" config area

Right now kernel hardening options are scattered around various Kconfig files. This can be a central place to collect these kinds of options going forward. This is initially populated with the memory initialization options from the gcc-plugins. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Masahiro Yamada <yamada.masahiro@socionext.com>
author: Kees Cook <keescook@chromium.org> 2019-04-10 11:23:44 -0400
committer: Kees Cook <keescook@chromium.org> 2019-04-24 16:45:49 -0400
commit: 9f671e58159adea641f76c56d1f0bbdcb3c524ff (patch)
tree: 0561e3b3a551ef3b1f189a1950980367d8593016 /scripts
parent: 8c2ffd9174779014c3fe1f96d9dc3641d9175f00 (diff)
1 files changed, 6 insertions, 69 deletions
diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
index 74271dba4f94..352f03878a1e 100644
--- a/scripts/gcc-plugins/Kconfig
+++ b/scripts/gcc-plugins/Kconfig
@@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS
          An arch should select this symbol if it supports building with
          GCC plugins.
-menuconfig GCC_PLUGINS
+config GCC_PLUGINS
-        bool "GCC plugins"
+        bool
        depends on HAVE_GCC_PLUGINS
        depends on PLUGIN_HOSTCC != ""
+        default y
        help
          GCC plugins are loadable modules that provide extra features to the
          compiler. They are useful for runtime instrumentation and static analysis.
          See Documentation/gcc-plugins.txt for details.
-if GCC_PLUGINS
+menu "GCC plugins"
+        depends on GCC_PLUGINS
 config GCC_PLUGIN_CYC_COMPLEXITY
        bool "Compute the cyclomatic complexity of a function" if EXPERT
@@ -66,71 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
           * https://grsecurity.net/
           * https://pax.grsecurity.net/
-config GCC_PLUGIN_STRUCTLEAK
-        bool "Zero initialize stack variables"
-        help
-          While the kernel is built with warnings enabled for any missed
-          stack variable initializations, this warning is silenced for
-          anything passed by reference to another function, under the
-          occasionally misguided assumption that the function will do
-          the initialization. As this regularly leads to exploitable
-          flaws, this plugin is available to identify and zero-initialize
-          such variables, depending on the chosen level of coverage.
-          This plugin was originally ported from grsecurity/PaX. More
-          information at:
-           * https://grsecurity.net/
-           * https://pax.grsecurity.net/
-choice
-        prompt "Coverage"
-        depends on GCC_PLUGIN_STRUCTLEAK
-        default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
-        help
-          This chooses the level of coverage over classes of potentially
-          uninitialized variables. The selected class will be
-          zero-initialized before use.
-        config GCC_PLUGIN_STRUCTLEAK_USER
-                bool "structs marked for userspace"
-                help
-                  Zero-initialize any structures on the stack containing
-                  a __user attribute. This can prevent some classes of
-                  uninitialized stack variable exploits and information
-                  exposures, like CVE-2013-2141:
-                  https://git.kernel.org/linus/b9e146d8eb3b9eca
-        config GCC_PLUGIN_STRUCTLEAK_BYREF
-                bool "structs passed by reference"
-                help
-                  Zero-initialize any structures on the stack that may
-                  be passed by reference and had not already been
-                  explicitly initialized. This can prevent most classes
-                  of uninitialized stack variable exploits and information
-                  exposures, like CVE-2017-1000410:
-                  https://git.kernel.org/linus/06e7e776ca4d3654
-        config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
-                bool "anything passed by reference"
-                help
-                  Zero-initialize any stack variables that may be passed
-                  by reference and had not already been explicitly
-                  initialized. This is intended to eliminate all classes
-                  of uninitialized stack variable exploits and information
-                  exposures.
-endchoice
-config GCC_PLUGIN_STRUCTLEAK_VERBOSE
-        bool "Report forcefully initialized variables"
-        depends on GCC_PLUGIN_STRUCTLEAK
-        depends on !COMPILE_TEST        # too noisy
-        help
-          This option will cause a warning to be printed each time the
-          structleak plugin finds a variable it thinks needs to be
-          initialized. Since not all existing initializers are detected
-          by the plugin, this can produce false positive warnings.
 config GCC_PLUGIN_RANDSTRUCT
        bool "Randomize layout of sensitive kernel structures"
        select MODVERSIONS if MODULES
@@ -226,4 +163,4 @@ config GCC_PLUGIN_ARM_SSP_PER_TASK
        bool
        depends on GCC_PLUGINS && ARM
-endif
+endmenu
author	Kees Cook <keescook@chromium.org>	2019-04-10 11:23:44 -0400
committer	Kees Cook <keescook@chromium.org>	2019-04-24 16:45:49 -0400
commit	9f671e58159adea641f76c56d1f0bbdcb3c524ff (patch)
tree	0561e3b3a551ef3b1f189a1950980367d8593016 /scripts
parent	8c2ffd9174779014c3fe1f96d9dc3641d9175f00 (diff)

diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index 74271dba4f94..352f03878a1e 100644 --- a/scripts/gcc-plugins/Kconfig +++ b/scripts/gcc-plugins/Kconfig
@@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS
13	An arch should select this symbol if it supports building with	13	An arch should select this symbol if it supports building with
14	GCC plugins.	14	GCC plugins.
15		15
16	menuconfig GCC_PLUGINS	16	config GCC_PLUGINS
17	bool "GCC plugins"	17	bool
18	depends on HAVE_GCC_PLUGINS	18	depends on HAVE_GCC_PLUGINS
19	depends on PLUGIN_HOSTCC != ""	19	depends on PLUGIN_HOSTCC != ""
		20	default y
20	help	21	help
21	GCC plugins are loadable modules that provide extra features to the	22	GCC plugins are loadable modules that provide extra features to the
22	compiler. They are useful for runtime instrumentation and static analysis.	23	compiler. They are useful for runtime instrumentation and static analysis.
23		24
24	See Documentation/gcc-plugins.txt for details.	25	See Documentation/gcc-plugins.txt for details.
25		26
26	if GCC_PLUGINS	27	menu "GCC plugins"
		28	depends on GCC_PLUGINS
27		29
28	config GCC_PLUGIN_CYC_COMPLEXITY	30	config GCC_PLUGIN_CYC_COMPLEXITY
29	bool "Compute the cyclomatic complexity of a function" if EXPERT	31	bool "Compute the cyclomatic complexity of a function" if EXPERT
@@ -66,71 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
66	* https://grsecurity.net/	68	* https://grsecurity.net/
67	* https://pax.grsecurity.net/	69	* https://pax.grsecurity.net/
68		70
69	config GCC_PLUGIN_STRUCTLEAK
70	bool "Zero initialize stack variables"
71	help
72	While the kernel is built with warnings enabled for any missed
73	stack variable initializations, this warning is silenced for
74	anything passed by reference to another function, under the
75	occasionally misguided assumption that the function will do
76	the initialization. As this regularly leads to exploitable
77	flaws, this plugin is available to identify and zero-initialize
78	such variables, depending on the chosen level of coverage.
79
80	This plugin was originally ported from grsecurity/PaX. More
81	information at:
82	* https://grsecurity.net/
83	* https://pax.grsecurity.net/
84
85	choice
86	prompt "Coverage"
87	depends on GCC_PLUGIN_STRUCTLEAK
88	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
89	help
90	This chooses the level of coverage over classes of potentially
91	uninitialized variables. The selected class will be
92	zero-initialized before use.
93
94	config GCC_PLUGIN_STRUCTLEAK_USER
95	bool "structs marked for userspace"
96	help
97	Zero-initialize any structures on the stack containing
98	a __user attribute. This can prevent some classes of
99	uninitialized stack variable exploits and information
100	exposures, like CVE-2013-2141:
101	https://git.kernel.org/linus/b9e146d8eb3b9eca
102
103	config GCC_PLUGIN_STRUCTLEAK_BYREF
104	bool "structs passed by reference"
105	help
106	Zero-initialize any structures on the stack that may
107	be passed by reference and had not already been
108	explicitly initialized. This can prevent most classes
109	of uninitialized stack variable exploits and information
110	exposures, like CVE-2017-1000410:
111	https://git.kernel.org/linus/06e7e776ca4d3654
112
113	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
114	bool "anything passed by reference"
115	help
116	Zero-initialize any stack variables that may be passed
117	by reference and had not already been explicitly
118	initialized. This is intended to eliminate all classes
119	of uninitialized stack variable exploits and information
120	exposures.
121
122	endchoice
123
124	config GCC_PLUGIN_STRUCTLEAK_VERBOSE
125	bool "Report forcefully initialized variables"
126	depends on GCC_PLUGIN_STRUCTLEAK
127	depends on !COMPILE_TEST # too noisy
128	help
129	This option will cause a warning to be printed each time the
130	structleak plugin finds a variable it thinks needs to be
131	initialized. Since not all existing initializers are detected
132	by the plugin, this can produce false positive warnings.
133
134	config GCC_PLUGIN_RANDSTRUCT	71	config GCC_PLUGIN_RANDSTRUCT
135	bool "Randomize layout of sensitive kernel structures"	72	bool "Randomize layout of sensitive kernel structures"
136	select MODVERSIONS if MODULES	73	select MODVERSIONS if MODULES
@@ -226,4 +163,4 @@ config GCC_PLUGIN_ARM_SSP_PER_TASK
226	bool	163	bool
227	depends on GCC_PLUGINS && ARM	164	depends on GCC_PLUGINS && ARM
228		165
229	endif	166	endmenu