security: Create "kernel hardening" config area

Right now kernel hardening options are scattered around various Kconfig
files. This can be a central place to collect these kinds of options
going forward. This is initially populated with the memory initialization
options from the gcc-plugins.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Masahiro Yamada <yamada.masahiro@socionext.com>
This commit is contained in:
Kees Cook 2019-04-10 08:23:44 -07:00
parent 8c2ffd9174
commit 9f671e5815
3 changed files with 101 additions and 69 deletions

View file

@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS
An arch should select this symbol if it supports building with
GCC plugins.
menuconfig GCC_PLUGINS
bool "GCC plugins"
config GCC_PLUGINS
bool
depends on HAVE_GCC_PLUGINS
depends on PLUGIN_HOSTCC != ""
default y
help
GCC plugins are loadable modules that provide extra features to the
compiler. They are useful for runtime instrumentation and static analysis.
See Documentation/gcc-plugins.txt for details.
if GCC_PLUGINS
menu "GCC plugins"
depends on GCC_PLUGINS
config GCC_PLUGIN_CYC_COMPLEXITY
bool "Compute the cyclomatic complexity of a function" if EXPERT
@ -66,71 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
* https://grsecurity.net/
* https://pax.grsecurity.net/
config GCC_PLUGIN_STRUCTLEAK
bool "Zero initialize stack variables"
help
While the kernel is built with warnings enabled for any missed
stack variable initializations, this warning is silenced for
anything passed by reference to another function, under the
occasionally misguided assumption that the function will do
the initialization. As this regularly leads to exploitable
flaws, this plugin is available to identify and zero-initialize
such variables, depending on the chosen level of coverage.
This plugin was originally ported from grsecurity/PaX. More
information at:
* https://grsecurity.net/
* https://pax.grsecurity.net/
choice
prompt "Coverage"
depends on GCC_PLUGIN_STRUCTLEAK
default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
help
This chooses the level of coverage over classes of potentially
uninitialized variables. The selected class will be
zero-initialized before use.
config GCC_PLUGIN_STRUCTLEAK_USER
bool "structs marked for userspace"
help
Zero-initialize any structures on the stack containing
a __user attribute. This can prevent some classes of
uninitialized stack variable exploits and information
exposures, like CVE-2013-2141:
https://git.kernel.org/linus/b9e146d8eb3b9eca
config GCC_PLUGIN_STRUCTLEAK_BYREF
bool "structs passed by reference"
help
Zero-initialize any structures on the stack that may
be passed by reference and had not already been
explicitly initialized. This can prevent most classes
of uninitialized stack variable exploits and information
exposures, like CVE-2017-1000410:
https://git.kernel.org/linus/06e7e776ca4d3654
config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
bool "anything passed by reference"
help
Zero-initialize any stack variables that may be passed
by reference and had not already been explicitly
initialized. This is intended to eliminate all classes
of uninitialized stack variable exploits and information
exposures.
endchoice
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
bool "Report forcefully initialized variables"
depends on GCC_PLUGIN_STRUCTLEAK
depends on !COMPILE_TEST # too noisy
help
This option will cause a warning to be printed each time the
structleak plugin finds a variable it thinks needs to be
initialized. Since not all existing initializers are detected
by the plugin, this can produce false positive warnings.
config GCC_PLUGIN_RANDSTRUCT
bool "Randomize layout of sensitive kernel structures"
select MODVERSIONS if MODULES
@ -226,4 +163,4 @@ config GCC_PLUGIN_ARM_SSP_PER_TASK
bool
depends on GCC_PLUGINS && ARM
endif
endmenu

View file

@ -249,5 +249,7 @@ config LSM
If unsure, leave this as the default.
source "security/Kconfig.hardening"
endmenu

View file

@ -0,0 +1,93 @@
menu "Kernel hardening options"
config GCC_PLUGIN_STRUCTLEAK
bool
help
While the kernel is built with warnings enabled for any missed
stack variable initializations, this warning is silenced for
anything passed by reference to another function, under the
occasionally misguided assumption that the function will do
the initialization. As this regularly leads to exploitable
flaws, this plugin is available to identify and zero-initialize
such variables, depending on the chosen level of coverage.
This plugin was originally ported from grsecurity/PaX. More
information at:
* https://grsecurity.net/
* https://pax.grsecurity.net/
menu "Memory initialization"
choice
prompt "Initialize kernel stack variables at function entry"
default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
default INIT_STACK_NONE
help
This option enables initialization of stack variables at
function entry time. This has the possibility to have the
greatest coverage (since all functions can have their
variables initialized), but the performance impact depends
on the function calling complexity of a given workload's
syscalls.
This chooses the level of coverage over classes of potentially
uninitialized variables. The selected class will be
initialized before use in a function.
config INIT_STACK_NONE
bool "no automatic initialization (weakest)"
help
Disable automatic stack variable initialization.
This leaves the kernel vulnerable to the standard
classes of uninitialized stack variable exploits
and information exposures.
config GCC_PLUGIN_STRUCTLEAK_USER
bool "zero-init structs marked for userspace (weak)"
depends on GCC_PLUGINS
select GCC_PLUGIN_STRUCTLEAK
help
Zero-initialize any structures on the stack containing
a __user attribute. This can prevent some classes of
uninitialized stack variable exploits and information
exposures, like CVE-2013-2141:
https://git.kernel.org/linus/b9e146d8eb3b9eca
config GCC_PLUGIN_STRUCTLEAK_BYREF
bool "zero-init structs passed by reference (strong)"
depends on GCC_PLUGINS
select GCC_PLUGIN_STRUCTLEAK
help
Zero-initialize any structures on the stack that may
be passed by reference and had not already been
explicitly initialized. This can prevent most classes
of uninitialized stack variable exploits and information
exposures, like CVE-2017-1000410:
https://git.kernel.org/linus/06e7e776ca4d3654
config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
bool "zero-init anything passed by reference (very strong)"
depends on GCC_PLUGINS
select GCC_PLUGIN_STRUCTLEAK
help
Zero-initialize any stack variables that may be passed
by reference and had not already been explicitly
initialized. This is intended to eliminate all classes
of uninitialized stack variable exploits and information
exposures.
endchoice
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
bool "Report forcefully initialized variables"
depends on GCC_PLUGIN_STRUCTLEAK
depends on !COMPILE_TEST # too noisy
help
This option will cause a warning to be printed each time the
structleak plugin finds a variable it thinks needs to be
initialized. Since not all existing initializers are detected
by the plugin, this can produce false positive warnings.
endmenu
endmenu