Diffstat (limited to 'scripts/gcc-plugins/Kconfig')
-rw-r--r-- scripts/gcc-plugins/Kconfig 51
1 files changed, 51 insertions, 0 deletions
diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
index cb0c889e13aa..0d5c799688f0 100644
--- a/scripts/gcc-plugins/Kconfig
+++ b/scripts/gcc-plugins/Kconfig
@@ -139,4 +139,55 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
139 in structures. This reduces the performance hit of RANDSTRUCT 139 in structures. This reduces the performance hit of RANDSTRUCT
140 at the cost of weakened randomization. 140 at the cost of weakened randomization.
141 141
142config GCC_PLUGIN_STACKLEAK
143 bool "Erase the kernel stack before returning from syscalls"
144 depends on GCC_PLUGINS
145 depends on HAVE_ARCH_STACKLEAK
146 help
147 This option makes the kernel erase the kernel stack before
148 returning from system calls. That reduces the information which
149 kernel stack leak bugs can reveal and blocks some uninitialized
150 stack variable attacks.
151
152 The tradeoff is the performance impact: on a single CPU system kernel
153 compilation sees a 1% slowdown, other systems and workloads may vary
154 and you are advised to test this feature on your expected workload
155 before deploying it.
156
157 This plugin was ported from grsecurity/PaX. More information at:
158 * https://grsecurity.net/
159 * https://pax.grsecurity.net/
160
161config STACKLEAK_TRACK_MIN_SIZE
162 int "Minimum stack frame size of functions tracked by STACKLEAK"
163 default 100
164 range 0 4096
165 depends on GCC_PLUGIN_STACKLEAK
166 help
167 The STACKLEAK gcc plugin instruments the kernel code for tracking
168 the lowest border of the kernel stack (and for some other purposes).
169 It inserts the stackleak_track_stack() call for the functions with
170 a stack frame size greater than or equal to this parameter.
171 If unsure, leave the default value 100.
172
173config STACKLEAK_METRICS
174 bool "Show STACKLEAK metrics in the /proc file system"
175 depends on GCC_PLUGIN_STACKLEAK
176 depends on PROC_FS
177 help
178 If this is set, STACKLEAK metrics for every task are available in
179 the /proc file system. In particular, /proc/<pid>/stack_depth
180 shows the maximum kernel stack consumption for the current and
181 previous syscalls. Although this information is not precise, it
182 can be useful for estimating the STACKLEAK performance impact for
183 your workloads.
184
185config STACKLEAK_RUNTIME_DISABLE
186 bool "Allow runtime disabling of kernel stack erasing"
187 depends on GCC_PLUGIN_STACKLEAK
188 help
189 This option provides 'stack_erasing' sysctl, which can be used in
190 runtime to control kernel stack erasing for kernels built with
191 CONFIG_GCC_PLUGIN_STACKLEAK.
192
142endif 193endif
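Review bot: The help text for STACKLEAK_RUNTIME_DISABLE names the 'stack_erasing' sysctl but does not say whether erasing is on by default, which value turns it off, or that turning it off removes the leak reduction described under GCC_PLUGIN_STACKLEAK. Someone enabling this option should be able to read all three from the help, so please add a sentence covering the default state and the effect of disabling. Two smaller documentation points in the same hunk: in STACKLEAK_TRACK_MIN_SIZE, "and for some other purposes" tells the reader nothing and should either name those purposes or be dropped, and the help should say what moving the value toward 0 or toward 4096 trades off, since the range is offered without guidance beyond the default of 100. In STACKLEAK_METRICS, it would help to state who can read /proc/<pid>/stack_depth, given that it exposes per-task kernel stack usage.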