summaryrefslogtreecommitdiffstats
path: root/scripts/gcc-plugins/Kconfig
blob: 74271dba4f94b5963c5f08a613d181269969868f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
preferred-plugin-hostcc := $(if-success,[ $(gcc-version) -ge 40800 ],$(HOSTCXX),$(HOSTCC))

config PLUGIN_HOSTCC
	string
	default "$(shell,$(srctree)/scripts/gcc-plugin.sh "$(preferred-plugin-hostcc)" "$(HOSTCXX)" "$(CC)")" if CC_IS_GCC
	help
	  Host compiler used to build GCC plugins.  This can be $(HOSTCXX),
	  $(HOSTCC), or a null string if GCC plugin is unsupported.

config HAVE_GCC_PLUGINS
	bool
	help
	  An arch should select this symbol if it supports building with
	  GCC plugins.

menuconfig GCC_PLUGINS
	bool "GCC plugins"
	depends on HAVE_GCC_PLUGINS
	depends on PLUGIN_HOSTCC != ""
	help
	  GCC plugins are loadable modules that provide extra features to the
	  compiler. They are useful for runtime instrumentation and static analysis.

	  See Documentation/gcc-plugins.txt for details.

if GCC_PLUGINS

config GCC_PLUGIN_CYC_COMPLEXITY
	bool "Compute the cyclomatic complexity of a function" if EXPERT
	depends on !COMPILE_TEST	# too noisy
	help
	  The complexity M of a function's control flow graph is defined as:
	   M = E - N + 2P
	  where

	  E = the number of edges
	  N = the number of nodes
	  P = the number of connected components (exit nodes).

	  Enabling this plugin reports the complexity to stderr during the
	  build. It mainly serves as a simple example of how to create a
	  gcc plugin for the kernel.

config GCC_PLUGIN_SANCOV
	bool
	help
	  This plugin inserts a __sanitizer_cov_trace_pc() call at the start of
	  basic blocks. It supports all gcc versions with plugin support (from
	  gcc-4.5 on). It is based on the commit "Add fuzzing coverage support"
	  by Dmitry Vyukov <dvyukov@google.com>.

config GCC_PLUGIN_LATENT_ENTROPY
	bool "Generate some entropy during boot and runtime"
	help
	  By saying Y here the kernel will instrument some kernel code to
	  extract some entropy from both original and artificially created
	  program state.  This will help especially embedded systems where
	  there is little 'natural' source of entropy normally.  The cost
	  is some slowdown of the boot process (about 0.5%) and fork and
	  irq processing.

	  Note that entropy extracted this way is not cryptographically
	  secure!

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config GCC_PLUGIN_STRUCTLEAK
	bool "Zero initialize stack variables"
	help
	  While the kernel is built with warnings enabled for any missed
	  stack variable initializations, this warning is silenced for
	  anything passed by reference to another function, under the
	  occasionally misguided assumption that the function will do
	  the initialization. As this regularly leads to exploitable
	  flaws, this plugin is available to identify and zero-initialize
	  such variables, depending on the chosen level of coverage.

	  This plugin was originally ported from grsecurity/PaX. More
	  information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

choice
	prompt "Coverage"
	depends on GCC_PLUGIN_STRUCTLEAK
	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
	help
	  This chooses the level of coverage over classes of potentially
	  uninitialized variables. The selected class will be
	  zero-initialized before use.

	config GCC_PLUGIN_STRUCTLEAK_USER
		bool "structs marked for userspace"
		help
		  Zero-initialize any structures on the stack containing
		  a __user attribute. This can prevent some classes of
		  uninitialized stack variable exploits and information
		  exposures, like CVE-2013-2141:
		  https://git.kernel.org/linus/b9e146d8eb3b9eca

	config GCC_PLUGIN_STRUCTLEAK_BYREF
		bool "structs passed by reference"
		help
		  Zero-initialize any structures on the stack that may
		  be passed by reference and had not already been
		  explicitly initialized. This can prevent most classes
		  of uninitialized stack variable exploits and information
		  exposures, like CVE-2017-1000410:
		  https://git.kernel.org/linus/06e7e776ca4d3654

	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
		bool "anything passed by reference"
		help
		  Zero-initialize any stack variables that may be passed
		  by reference and had not already been explicitly
		  initialized. This is intended to eliminate all classes
		  of uninitialized stack variable exploits and information
		  exposures.

endchoice

config GCC_PLUGIN_STRUCTLEAK_VERBOSE
	bool "Report forcefully initialized variables"
	depends on GCC_PLUGIN_STRUCTLEAK
	depends on !COMPILE_TEST	# too noisy
	help
	  This option will cause a warning to be printed each time the
	  structleak plugin finds a variable it thinks needs to be
	  initialized. Since not all existing initializers are detected
	  by the plugin, this can produce false positive warnings.

config GCC_PLUGIN_RANDSTRUCT
	bool "Randomize layout of sensitive kernel structures"
	select MODVERSIONS if MODULES
	help
	  If you say Y here, the layouts of structures that are entirely
	  function pointers (and have not been manually annotated with
	  __no_randomize_layout), or structures that have been explicitly
	  marked with __randomize_layout, will be randomized at compile-time.
	  This can introduce the requirement of an additional information
	  exposure vulnerability for exploits targeting these structure
	  types.

	  Enabling this feature will introduce some performance impact,
	  slightly increase memory usage, and prevent the use of forensic
	  tools like Volatility against the system (unless the kernel
	  source tree isn't cleaned after kernel installation).

	  The seed used for compilation is located at
	  scripts/gcc-plgins/randomize_layout_seed.h.  It remains after
	  a make clean to allow for external modules to be compiled with
	  the existing seed and will be removed by a make mrproper or
	  make distclean.

	  Note that the implementation requires gcc 4.7 or newer.

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
	bool "Use cacheline-aware structure randomization"
	depends on GCC_PLUGIN_RANDSTRUCT
	depends on !COMPILE_TEST	# do not reduce test coverage
	help
	  If you say Y here, the RANDSTRUCT randomization will make a
	  best effort at restricting randomization to cacheline-sized
	  groups of elements.  It will further not randomize bitfields
	  in structures.  This reduces the performance hit of RANDSTRUCT
	  at the cost of weakened randomization.

config GCC_PLUGIN_STACKLEAK
	bool "Erase the kernel stack before returning from syscalls"
	depends on GCC_PLUGINS
	depends on HAVE_ARCH_STACKLEAK
	help
	  This option makes the kernel erase the kernel stack before
	  returning from system calls. That reduces the information which
	  kernel stack leak bugs can reveal and blocks some uninitialized
	  stack variable attacks.

	  The tradeoff is the performance impact: on a single CPU system kernel
	  compilation sees a 1% slowdown, other systems and workloads may vary
	  and you are advised to test this feature on your expected workload
	  before deploying it.

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config STACKLEAK_TRACK_MIN_SIZE
	int "Minimum stack frame size of functions tracked by STACKLEAK"
	default 100
	range 0 4096
	depends on GCC_PLUGIN_STACKLEAK
	help
	  The STACKLEAK gcc plugin instruments the kernel code for tracking
	  the lowest border of the kernel stack (and for some other purposes).
	  It inserts the stackleak_track_stack() call for the functions with
	  a stack frame size greater than or equal to this parameter.
	  If unsure, leave the default value 100.

config STACKLEAK_METRICS
	bool "Show STACKLEAK metrics in the /proc file system"
	depends on GCC_PLUGIN_STACKLEAK
	depends on PROC_FS
	help
	  If this is set, STACKLEAK metrics for every task are available in
	  the /proc file system. In particular, /proc/<pid>/stack_depth
	  shows the maximum kernel stack consumption for the current and
	  previous syscalls. Although this information is not precise, it
	  can be useful for estimating the STACKLEAK performance impact for
	  your workloads.

config STACKLEAK_RUNTIME_DISABLE
	bool "Allow runtime disabling of kernel stack erasing"
	depends on GCC_PLUGIN_STACKLEAK
	help
	  This option provides 'stack_erasing' sysctl, which can be used in
	  runtime to control kernel stack erasing for kernels built with
	  CONFIG_GCC_PLUGIN_STACKLEAK.

config GCC_PLUGIN_ARM_SSP_PER_TASK
	bool
	depends on GCC_PLUGINS && ARM

endif