Kconfig.hardening 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356
  1. # SPDX-License-Identifier: GPL-2.0-only
  2. menu "Kernel hardening options"
  3. menu "Memory initialization"
  4. config CC_HAS_AUTO_VAR_INIT_PATTERN
  5. def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
  6. config CC_HAS_AUTO_VAR_INIT_ZERO_BARE
  7. def_bool $(cc-option,-ftrivial-auto-var-init=zero)
  8. config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
  9. # Clang 16 and later warn about using the -enable flag, but it
  10. # is required before then.
  11. def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang)
  12. depends on !CC_HAS_AUTO_VAR_INIT_ZERO_BARE
  13. config CC_HAS_AUTO_VAR_INIT_ZERO
  14. def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BARE || CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
  15. choice
  16. prompt "Initialize kernel stack variables at function entry"
  17. default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
  18. default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO
  19. default INIT_STACK_NONE
  20. help
  21. This option enables initialization of stack variables at
  22. function entry time. This has the possibility to have the
  23. greatest coverage (since all functions can have their
  24. variables initialized), but the performance impact depends
  25. on the function calling complexity of a given workload's
  26. syscalls.
  27. This chooses the level of coverage over classes of potentially
  28. uninitialized variables. The selected class of variable will be
  29. initialized before use in a function.
  30. config INIT_STACK_NONE
  31. bool "no automatic stack variable initialization (weakest)"
  32. help
  33. Disable automatic stack variable initialization.
  34. This leaves the kernel vulnerable to the standard
  35. classes of uninitialized stack variable exploits
  36. and information exposures.
  37. config INIT_STACK_ALL_PATTERN
  38. bool "pattern-init everything (strongest)"
  39. depends on CC_HAS_AUTO_VAR_INIT_PATTERN
  40. depends on !KMSAN
  41. help
  42. Initializes everything on the stack (including padding)
  43. with a specific debug value. This is intended to eliminate
  44. all classes of uninitialized stack variable exploits and
  45. information exposures, even variables that were warned about
  46. having been left uninitialized.
  47. Pattern initialization is known to provoke many existing bugs
  48. related to uninitialized locals, e.g. pointers receive
  49. non-NULL values, buffer sizes and indices are very big. The
  50. pattern is situation-specific; Clang on 64-bit uses 0xAA
  51. repeating for all types and padding except float and double
  52. which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF
  53. repeating for all types and padding.
  54. GCC uses 0xFE repeating for all types, and zero for padding.
  55. config INIT_STACK_ALL_ZERO
  56. bool "zero-init everything (strongest and safest)"
  57. depends on CC_HAS_AUTO_VAR_INIT_ZERO
  58. depends on !KMSAN
  59. help
  60. Initializes everything on the stack (including padding)
  61. with a zero value. This is intended to eliminate all
  62. classes of uninitialized stack variable exploits and
  63. information exposures, even variables that were warned
  64. about having been left uninitialized.
  65. Zero initialization provides safe defaults for strings
  66. (immediately NUL-terminated), pointers (NULL), indices
  67. (index 0), and sizes (0 length), so it is therefore more
  68. suitable as a production security mitigation than pattern
  69. initialization.
  70. endchoice
  71. config CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
  72. def_bool $(cc-option,-fsanitize-coverage-stack-depth-callback-min=1)
  73. config KSTACK_ERASE
  74. bool "Poison kernel stack before returning from syscalls"
  75. depends on HAVE_ARCH_KSTACK_ERASE
  76. depends on GCC_PLUGINS || CC_HAS_SANCOV_STACK_DEPTH_CALLBACK
  77. help
  78. This option makes the kernel erase the kernel stack before
  79. returning from system calls. This has the effect of leaving
  80. the stack initialized to the poison value, which both reduces
  81. the lifetime of any sensitive stack contents and reduces
  82. potential for uninitialized stack variable exploits or information
  83. exposures (it does not cover functions reaching the same stack
  84. depth as prior functions during the same syscall). This blocks
  85. most uninitialized stack variable attacks, with the performance
  86. impact being driven by the depth of the stack usage, rather than
  87. the function calling complexity.
  88. The performance impact on a single CPU system kernel compilation
  89. sees a 1% slowdown, other systems and workloads may vary and you
  90. are advised to test this feature on your expected workload before
  91. deploying it.
  92. config GCC_PLUGIN_STACKLEAK
  93. def_bool KSTACK_ERASE
  94. depends on GCC_PLUGINS
  95. help
  96. This plugin was ported from grsecurity/PaX. More information at:
  97. * https://grsecurity.net/
  98. * https://pax.grsecurity.net/
  99. config GCC_PLUGIN_STACKLEAK_VERBOSE
  100. bool "Report stack depth analysis instrumentation" if EXPERT
  101. depends on GCC_PLUGIN_STACKLEAK
  102. depends on !COMPILE_TEST # too noisy
  103. help
  104. This option will cause a warning to be printed each time the
  105. stackleak plugin finds a function it thinks needs to be
  106. instrumented. This is useful for comparing coverage between
  107. builds.
  108. config KSTACK_ERASE_TRACK_MIN_SIZE
  109. int "Minimum stack frame size of functions tracked by KSTACK_ERASE"
  110. default 100
  111. range 0 4096
  112. depends on KSTACK_ERASE
  113. help
  114. The KSTACK_ERASE option instruments the kernel code for tracking
  115. the lowest border of the kernel stack (and for some other purposes).
  116. It inserts the __sanitizer_cov_stack_depth() call for the functions
  117. with a stack frame size greater than or equal to this parameter.
  118. If unsure, leave the default value 100.
  119. config KSTACK_ERASE_METRICS
  120. bool "Show KSTACK_ERASE metrics in the /proc file system"
  121. depends on KSTACK_ERASE
  122. depends on PROC_FS
  123. help
  124. If this is set, KSTACK_ERASE metrics for every task are available
  125. in the /proc file system. In particular, /proc/<pid>/stack_depth
  126. shows the maximum kernel stack consumption for the current and
  127. previous syscalls. Although this information is not precise, it
  128. can be useful for estimating the KSTACK_ERASE performance impact
  129. for your workloads.
  130. config KSTACK_ERASE_RUNTIME_DISABLE
  131. bool "Allow runtime disabling of kernel stack erasing"
  132. depends on KSTACK_ERASE
  133. help
  134. This option provides 'stack_erasing' sysctl, which can be used in
  135. runtime to control kernel stack erasing for kernels built with
  136. CONFIG_KSTACK_ERASE.
  137. config INIT_ON_ALLOC_DEFAULT_ON
  138. bool "Enable heap memory zeroing on allocation by default"
  139. depends on !KMSAN
  140. help
  141. This has the effect of setting "init_on_alloc=1" on the kernel
  142. command line. This can be disabled with "init_on_alloc=0".
  143. When "init_on_alloc" is enabled, all page allocator and slab
  144. allocator memory will be zeroed when allocated, eliminating
  145. many kinds of "uninitialized heap memory" flaws, especially
  146. heap content exposures. The performance impact varies by
  147. workload, but most cases see <1% impact. Some synthetic
  148. workloads have measured as high as 7%.
  149. config INIT_ON_FREE_DEFAULT_ON
  150. bool "Enable heap memory zeroing on free by default"
  151. depends on !KMSAN
  152. help
  153. This has the effect of setting "init_on_free=1" on the kernel
  154. command line. This can be disabled with "init_on_free=0".
  155. Similar to "init_on_alloc", when "init_on_free" is enabled,
  156. all page allocator and slab allocator memory will be zeroed
  157. when freed, eliminating many kinds of "uninitialized heap memory"
  158. flaws, especially heap content exposures. The primary difference
  159. with "init_on_free" is that data lifetime in memory is reduced,
  160. as anything freed is wiped immediately, making live forensics or
  161. cold boot memory attacks unable to recover freed memory contents.
  162. The performance impact varies by workload, but is more expensive
  163. than "init_on_alloc" due to the negative cache effects of
  164. touching "cold" memory areas. Most cases see 3-5% impact. Some
  165. synthetic workloads have measured as high as 8%.
  166. config CC_HAS_ZERO_CALL_USED_REGS
  167. def_bool $(cc-option,-fzero-call-used-regs=used-gpr)
  168. # https://github.com/ClangBuiltLinux/linux/issues/1766
  169. # https://github.com/llvm/llvm-project/issues/59242
  170. depends on !CC_IS_CLANG || CLANG_VERSION > 150006
  171. config ZERO_CALL_USED_REGS
  172. bool "Enable register zeroing on function exit"
  173. depends on CC_HAS_ZERO_CALL_USED_REGS
  174. help
  175. At the end of functions, always zero any caller-used register
  176. contents. This helps ensure that temporary values are not
  177. leaked beyond the function boundary. This means that register
  178. contents are less likely to be available for side channels
  179. and information exposures. Additionally, this helps reduce the
  180. number of useful ROP gadgets by about 20% (and removes compiler
  181. generated "write-what-where" gadgets) in the resulting kernel
  182. image. This has a less than 1% performance impact on most
  183. workloads. Image size growth depends on architecture, and should
  184. be evaluated for suitability. For example, x86_64 grows by less
  185. than 1%, and arm64 grows by about 5%.
  186. endmenu
  187. menu "Bounds checking"
  188. config FORTIFY_SOURCE
  189. bool "Harden common str/mem functions against buffer overflows"
  190. depends on ARCH_HAS_FORTIFY_SOURCE
  191. # https://github.com/llvm/llvm-project/issues/53645
  192. depends on !X86_32 || !CC_IS_CLANG || CLANG_VERSION >= 160000
  193. help
  194. Detect overflows of buffers in common string and memory functions
  195. where the compiler can determine and validate the buffer sizes.
  196. config HARDENED_USERCOPY
  197. bool "Harden memory copies between kernel and userspace"
  198. imply STRICT_DEVMEM
  199. help
  200. This option checks for obviously wrong memory regions when
  201. copying memory to/from the kernel (via copy_to_user() and
  202. copy_from_user() functions) by rejecting memory ranges that
  203. are larger than the specified heap object, span multiple
  204. separately allocated pages, are not on the process stack,
  205. or are part of the kernel text. This prevents entire classes
  206. of heap overflow exploits and similar kernel memory exposures.
  207. config HARDENED_USERCOPY_DEFAULT_ON
  208. bool "Harden memory copies by default"
  209. depends on HARDENED_USERCOPY
  210. default HARDENED_USERCOPY
  211. help
  212. This has the effect of setting "hardened_usercopy=on" on the kernel
  213. command line. This can be disabled with "hardened_usercopy=off".
  214. endmenu
  215. menu "Hardening of kernel data structures"
  216. config LIST_HARDENED
  217. bool "Check integrity of linked list manipulation"
  218. help
  219. Minimal integrity checking in the linked-list manipulation routines
  220. to catch memory corruptions that are not guaranteed to result in an
  221. immediate access fault.
  222. If unsure, say N.
  223. config RUST_BITMAP_HARDENED
  224. bool "Check integrity of bitmap Rust API"
  225. depends on RUST
  226. help
  227. Enables additional assertions in the Rust Bitmap API to catch
  228. arguments that are not guaranteed to result in an immediate access
  229. fault.
  230. If unsure, say N.
  231. config BUG_ON_DATA_CORRUPTION
  232. bool "Trigger a BUG when data corruption is detected"
  233. select LIST_HARDENED
  234. help
  235. Select this option if the kernel should BUG when it encounters
  236. data corruption in kernel memory structures when they get checked
  237. for validity.
  238. If unsure, say N.
  239. endmenu
  240. config CC_HAS_RANDSTRUCT
  241. def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null)
  242. # Randstruct was first added in Clang 15, but it isn't safe to use until
  243. # Clang 16 due to https://github.com/llvm/llvm-project/issues/60349
  244. depends on !CC_IS_CLANG || CLANG_VERSION >= 160000
  245. choice
  246. prompt "Randomize layout of sensitive kernel structures"
  247. default RANDSTRUCT_FULL if COMPILE_TEST && (GCC_PLUGINS || CC_HAS_RANDSTRUCT)
  248. default RANDSTRUCT_NONE
  249. help
  250. If you enable this, the layouts of structures that are entirely
  251. function pointers (and have not been manually annotated with
  252. __no_randomize_layout), or structures that have been explicitly
  253. marked with __randomize_layout, will be randomized at compile-time.
  254. This can introduce the requirement of an additional information
  255. exposure vulnerability for exploits targeting these structure
  256. types.
  257. Enabling this feature will introduce some performance impact,
  258. slightly increase memory usage, and prevent the use of forensic
  259. tools like Volatility against the system (unless the kernel
  260. source tree isn't cleaned after kernel installation).
  261. The seed used for compilation is in scripts/basic/randomize.seed.
  262. It remains after a "make clean" to allow for external modules to
  263. be compiled with the existing seed and will be removed by a
  264. "make mrproper" or "make distclean". This file should not be made
  265. public, or the structure layout can be determined.
  266. config RANDSTRUCT_NONE
  267. bool "Disable structure layout randomization"
  268. help
  269. Build normally: no structure layout randomization.
  270. config RANDSTRUCT_FULL
  271. bool "Fully randomize structure layout"
  272. depends on CC_HAS_RANDSTRUCT || GCC_PLUGINS
  273. select MODVERSIONS if MODULES && !COMPILE_TEST
  274. help
  275. Fully randomize the member layout of sensitive
  276. structures as much as possible, which may have both a
  277. memory size and performance impact.
  278. One difference between the Clang and GCC plugin
  279. implementations is the handling of bitfields. The GCC
  280. plugin treats them as fully separate variables,
  281. introducing sometimes significant padding. Clang tries
  282. to keep adjacent bitfields together, but with their bit
  283. ordering randomized.
  284. config RANDSTRUCT_PERFORMANCE
  285. bool "Limit randomization of structure layout to cache-lines"
  286. depends on GCC_PLUGINS
  287. select MODVERSIONS if MODULES && !COMPILE_TEST
  288. help
  289. Randomization of sensitive kernel structures will make a
  290. best effort at restricting randomization to cacheline-sized
  291. groups of members. It will further not randomize bitfields
  292. in structures. This reduces the performance hit of RANDSTRUCT
  293. at the cost of weakened randomization.
  294. endchoice
  295. config RANDSTRUCT
  296. def_bool !RANDSTRUCT_NONE
  297. config GCC_PLUGIN_RANDSTRUCT
  298. def_bool GCC_PLUGINS && RANDSTRUCT
  299. help
  300. Use GCC plugin to randomize structure layout.
  301. This plugin was ported from grsecurity/PaX. More
  302. information at:
  303. * https://grsecurity.net/
  304. * https://pax.grsecurity.net/
  305. endmenu