security: Create "kernel hardening" config area
Right now kernel hardening options are scattered around various Kconfig files. This can be a central place to collect these kinds of options going forward. This is initially populated with the memory initialization options from the gcc-plugins. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Masahiro Yamada <yamada.masahiro@socionext.com>
This commit is contained in:
parent
8c2ffd9174
commit
9f671e5815
3 changed files with 101 additions and 69 deletions
|
@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS
|
|||
An arch should select this symbol if it supports building with
|
||||
GCC plugins.
|
||||
|
||||
menuconfig GCC_PLUGINS
|
||||
bool "GCC plugins"
|
||||
config GCC_PLUGINS
|
||||
bool
|
||||
depends on HAVE_GCC_PLUGINS
|
||||
depends on PLUGIN_HOSTCC != ""
|
||||
default y
|
||||
help
|
||||
GCC plugins are loadable modules that provide extra features to the
|
||||
compiler. They are useful for runtime instrumentation and static analysis.
|
||||
|
||||
See Documentation/gcc-plugins.txt for details.
|
||||
|
||||
if GCC_PLUGINS
|
||||
menu "GCC plugins"
|
||||
depends on GCC_PLUGINS
|
||||
|
||||
config GCC_PLUGIN_CYC_COMPLEXITY
|
||||
bool "Compute the cyclomatic complexity of a function" if EXPERT
|
||||
|
@ -66,71 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
|
|||
* https://grsecurity.net/
|
||||
* https://pax.grsecurity.net/
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK
|
||||
bool "Zero initialize stack variables"
|
||||
help
|
||||
While the kernel is built with warnings enabled for any missed
|
||||
stack variable initializations, this warning is silenced for
|
||||
anything passed by reference to another function, under the
|
||||
occasionally misguided assumption that the function will do
|
||||
the initialization. As this regularly leads to exploitable
|
||||
flaws, this plugin is available to identify and zero-initialize
|
||||
such variables, depending on the chosen level of coverage.
|
||||
|
||||
This plugin was originally ported from grsecurity/PaX. More
|
||||
information at:
|
||||
* https://grsecurity.net/
|
||||
* https://pax.grsecurity.net/
|
||||
|
||||
choice
|
||||
prompt "Coverage"
|
||||
depends on GCC_PLUGIN_STRUCTLEAK
|
||||
default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
|
||||
help
|
||||
This chooses the level of coverage over classes of potentially
|
||||
uninitialized variables. The selected class will be
|
||||
zero-initialized before use.
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_USER
|
||||
bool "structs marked for userspace"
|
||||
help
|
||||
Zero-initialize any structures on the stack containing
|
||||
a __user attribute. This can prevent some classes of
|
||||
uninitialized stack variable exploits and information
|
||||
exposures, like CVE-2013-2141:
|
||||
https://git.kernel.org/linus/b9e146d8eb3b9eca
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_BYREF
|
||||
bool "structs passed by reference"
|
||||
help
|
||||
Zero-initialize any structures on the stack that may
|
||||
be passed by reference and had not already been
|
||||
explicitly initialized. This can prevent most classes
|
||||
of uninitialized stack variable exploits and information
|
||||
exposures, like CVE-2017-1000410:
|
||||
https://git.kernel.org/linus/06e7e776ca4d3654
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
|
||||
bool "anything passed by reference"
|
||||
help
|
||||
Zero-initialize any stack variables that may be passed
|
||||
by reference and had not already been explicitly
|
||||
initialized. This is intended to eliminate all classes
|
||||
of uninitialized stack variable exploits and information
|
||||
exposures.
|
||||
|
||||
endchoice
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
|
||||
bool "Report forcefully initialized variables"
|
||||
depends on GCC_PLUGIN_STRUCTLEAK
|
||||
depends on !COMPILE_TEST # too noisy
|
||||
help
|
||||
This option will cause a warning to be printed each time the
|
||||
structleak plugin finds a variable it thinks needs to be
|
||||
initialized. Since not all existing initializers are detected
|
||||
by the plugin, this can produce false positive warnings.
|
||||
|
||||
config GCC_PLUGIN_RANDSTRUCT
|
||||
bool "Randomize layout of sensitive kernel structures"
|
||||
select MODVERSIONS if MODULES
|
||||
|
@ -226,4 +163,4 @@ config GCC_PLUGIN_ARM_SSP_PER_TASK
|
|||
bool
|
||||
depends on GCC_PLUGINS && ARM
|
||||
|
||||
endif
|
||||
endmenu
|
||||
|
|
|
@ -249,5 +249,7 @@ config LSM
|
|||
|
||||
If unsure, leave this as the default.
|
||||
|
||||
source "security/Kconfig.hardening"
|
||||
|
||||
endmenu
|
||||
|
||||
|
|
93
security/Kconfig.hardening
Normal file
93
security/Kconfig.hardening
Normal file
|
@ -0,0 +1,93 @@
|
|||
menu "Kernel hardening options"
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK
|
||||
bool
|
||||
help
|
||||
While the kernel is built with warnings enabled for any missed
|
||||
stack variable initializations, this warning is silenced for
|
||||
anything passed by reference to another function, under the
|
||||
occasionally misguided assumption that the function will do
|
||||
the initialization. As this regularly leads to exploitable
|
||||
flaws, this plugin is available to identify and zero-initialize
|
||||
such variables, depending on the chosen level of coverage.
|
||||
|
||||
This plugin was originally ported from grsecurity/PaX. More
|
||||
information at:
|
||||
* https://grsecurity.net/
|
||||
* https://pax.grsecurity.net/
|
||||
|
||||
menu "Memory initialization"
|
||||
|
||||
choice
|
||||
prompt "Initialize kernel stack variables at function entry"
|
||||
default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
|
||||
default INIT_STACK_NONE
|
||||
help
|
||||
This option enables initialization of stack variables at
|
||||
function entry time. This has the possibility to have the
|
||||
greatest coverage (since all functions can have their
|
||||
variables initialized), but the performance impact depends
|
||||
on the function calling complexity of a given workload's
|
||||
syscalls.
|
||||
|
||||
This chooses the level of coverage over classes of potentially
|
||||
uninitialized variables. The selected class will be
|
||||
initialized before use in a function.
|
||||
|
||||
config INIT_STACK_NONE
|
||||
bool "no automatic initialization (weakest)"
|
||||
help
|
||||
Disable automatic stack variable initialization.
|
||||
This leaves the kernel vulnerable to the standard
|
||||
classes of uninitialized stack variable exploits
|
||||
and information exposures.
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_USER
|
||||
bool "zero-init structs marked for userspace (weak)"
|
||||
depends on GCC_PLUGINS
|
||||
select GCC_PLUGIN_STRUCTLEAK
|
||||
help
|
||||
Zero-initialize any structures on the stack containing
|
||||
a __user attribute. This can prevent some classes of
|
||||
uninitialized stack variable exploits and information
|
||||
exposures, like CVE-2013-2141:
|
||||
https://git.kernel.org/linus/b9e146d8eb3b9eca
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_BYREF
|
||||
bool "zero-init structs passed by reference (strong)"
|
||||
depends on GCC_PLUGINS
|
||||
select GCC_PLUGIN_STRUCTLEAK
|
||||
help
|
||||
Zero-initialize any structures on the stack that may
|
||||
be passed by reference and had not already been
|
||||
explicitly initialized. This can prevent most classes
|
||||
of uninitialized stack variable exploits and information
|
||||
exposures, like CVE-2017-1000410:
|
||||
https://git.kernel.org/linus/06e7e776ca4d3654
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
|
||||
bool "zero-init anything passed by reference (very strong)"
|
||||
depends on GCC_PLUGINS
|
||||
select GCC_PLUGIN_STRUCTLEAK
|
||||
help
|
||||
Zero-initialize any stack variables that may be passed
|
||||
by reference and had not already been explicitly
|
||||
initialized. This is intended to eliminate all classes
|
||||
of uninitialized stack variable exploits and information
|
||||
exposures.
|
||||
|
||||
endchoice
|
||||
|
||||
config GCC_PLUGIN_STRUCTLEAK_VERBOSE
|
||||
bool "Report forcefully initialized variables"
|
||||
depends on GCC_PLUGIN_STRUCTLEAK
|
||||
depends on !COMPILE_TEST # too noisy
|
||||
help
|
||||
This option will cause a warning to be printed each time the
|
||||
structleak plugin finds a variable it thinks needs to be
|
||||
initialized. Since not all existing initializers are detected
|
||||
by the plugin, this can produce false positive warnings.
|
||||
|
||||
endmenu
|
||||
|
||||
endmenu
|
Loading…
Reference in a new issue