On 23.04.2019 22:49, Kees Cook wrote:
> This moves the stackleak plugin options to Kconfig.hardening's memory
> initialization menu.
> 
> Signed-off-by: Kees Cook <keesc...@chromium.org>

Hello Kees,

I see the changes in the STACKLEAK help; looks good to me.
For this patch -
  Reviewed-by: Alexander Popov <alex.po...@linux.com>


By the way, for your information, GCC_PLUGIN_STRUCTLEAK help is now unreachable
from 'make menuconfig'.

Best regards,
Alexander


> ---
>  scripts/gcc-plugins/Kconfig | 51 ---------------------------------
>  security/Kconfig.hardening  | 57 +++++++++++++++++++++++++++++++++++++
>  2 files changed, 57 insertions(+), 51 deletions(-)
> 
> diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
> index 352f03878a1e..80220ed26a35 100644
> --- a/scripts/gcc-plugins/Kconfig
> +++ b/scripts/gcc-plugins/Kconfig
> @@ -108,57 +108,6 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
>         in structures.  This reduces the performance hit of RANDSTRUCT
>         at the cost of weakened randomization.
>  
> -config GCC_PLUGIN_STACKLEAK
> -     bool "Erase the kernel stack before returning from syscalls"
> -     depends on GCC_PLUGINS
> -     depends on HAVE_ARCH_STACKLEAK
> -     help
> -       This option makes the kernel erase the kernel stack before
> -       returning from system calls. That reduces the information which
> -       kernel stack leak bugs can reveal and blocks some uninitialized
> -       stack variable attacks.
> -
> -       The tradeoff is the performance impact: on a single CPU system kernel
> -       compilation sees a 1% slowdown, other systems and workloads may vary
> -       and you are advised to test this feature on your expected workload
> -       before deploying it.
> -
> -       This plugin was ported from grsecurity/PaX. More information at:
> -        * https://grsecurity.net/
> -        * https://pax.grsecurity.net/
> -
> -config STACKLEAK_TRACK_MIN_SIZE
> -     int "Minimum stack frame size of functions tracked by STACKLEAK"
> -     default 100
> -     range 0 4096
> -     depends on GCC_PLUGIN_STACKLEAK
> -     help
> -       The STACKLEAK gcc plugin instruments the kernel code for tracking
> -       the lowest border of the kernel stack (and for some other purposes).
> -       It inserts the stackleak_track_stack() call for the functions with
> -       a stack frame size greater than or equal to this parameter.
> -       If unsure, leave the default value 100.
> -
> -config STACKLEAK_METRICS
> -     bool "Show STACKLEAK metrics in the /proc file system"
> -     depends on GCC_PLUGIN_STACKLEAK
> -     depends on PROC_FS
> -     help
> -       If this is set, STACKLEAK metrics for every task are available in
> -       the /proc file system. In particular, /proc/<pid>/stack_depth
> -       shows the maximum kernel stack consumption for the current and
> -       previous syscalls. Although this information is not precise, it
> -       can be useful for estimating the STACKLEAK performance impact for
> -       your workloads.
> -
> -config STACKLEAK_RUNTIME_DISABLE
> -     bool "Allow runtime disabling of kernel stack erasing"
> -     depends on GCC_PLUGIN_STACKLEAK
> -     help
> -       This option provides 'stack_erasing' sysctl, which can be used in
> -       runtime to control kernel stack erasing for kernels built with
> -       CONFIG_GCC_PLUGIN_STACKLEAK.
> -
>  config GCC_PLUGIN_ARM_SSP_PER_TASK
>       bool
>       depends on GCC_PLUGINS && ARM
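Review bot: the four config symbols removed here (GCC_PLUGIN_STACKLEAK, STACKLEAK_TRACK_MIN_SIZE, STACKLEAK_METRICS, STACKLEAK_RUNTIME_DISABLE) keep their names at the new location, so existing .config files and the CONFIG_GCC_PLUGIN_STACKLEAK references in the help text stay valid without a rename; it would still be worth stating in the commit message that the symbol names are unchanged, since the hunk only shows the deletion side of the move. The one thing to check on this side is that nothing else in scripts/gcc-plugins/Kconfig (outside the visible context) still refers to GCC_PLUGIN_STACKLEAK via a `select` or `depends on`, because the removal leaves that reference pointing at a symbol now defined in a different menu.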
> diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
> index 19881341f1c2..a96d4a43ca65 100644
> --- a/security/Kconfig.hardening
> +++ b/security/Kconfig.hardening
> @@ -88,6 +88,63 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE
>         initialized. Since not all existing initializers are detected
>         by the plugin, this can produce false positive warnings.
>  
> +config GCC_PLUGIN_STACKLEAK
> +     bool "Poison kernel stack before returning from syscalls"
> +     depends on GCC_PLUGINS
> +     depends on HAVE_ARCH_STACKLEAK
> +     help
> +       This option makes the kernel erase the kernel stack before
> +       returning from system calls. This has the effect of leaving
> +       the stack initialized to the poison value, which both reduces
> +       the lifetime of any sensitive stack contents and reduces
> +       potential for uninitialized stack variable exploits or information
> +       exposures (it does not cover functions reaching the same stack
> +       depth as prior functions during the same syscall). This blocks
> +       most uninitialized stack variable attacks, with the performance
> +       impact being driven by the depth of the stack usage, rather than
> +       the function calling complexity.
> +
> +       The performance impact on a single CPU system kernel compilation
> +       sees a 1% slowdown, other systems and workloads may vary and you
> +       are advised to test this feature on your expected workload before
> +       deploying it.
> +
> +       This plugin was ported from grsecurity/PaX. More information at:
> +        * https://grsecurity.net/
> +        * https://pax.grsecurity.net/
> +
> +config STACKLEAK_TRACK_MIN_SIZE
> +     int "Minimum stack frame size of functions tracked by STACKLEAK"
> +     default 100
> +     range 0 4096
> +     depends on GCC_PLUGIN_STACKLEAK
> +     help
> +       The STACKLEAK gcc plugin instruments the kernel code for tracking
> +       the lowest border of the kernel stack (and for some other purposes).
> +       It inserts the stackleak_track_stack() call for the functions with
> +       a stack frame size greater than or equal to this parameter.
> +       If unsure, leave the default value 100.
> +
> +config STACKLEAK_METRICS
> +     bool "Show STACKLEAK metrics in the /proc file system"
> +     depends on GCC_PLUGIN_STACKLEAK
> +     depends on PROC_FS
> +     help
> +       If this is set, STACKLEAK metrics for every task are available in
> +       the /proc file system. In particular, /proc/<pid>/stack_depth
> +       shows the maximum kernel stack consumption for the current and
> +       previous syscalls. Although this information is not precise, it
> +       can be useful for estimating the STACKLEAK performance impact for
> +       your workloads.
> +
> +config STACKLEAK_RUNTIME_DISABLE
> +     bool "Allow runtime disabling of kernel stack erasing"
> +     depends on GCC_PLUGIN_STACKLEAK
> +     help
> +       This option provides 'stack_erasing' sysctl, which can be used in
> +       runtime to control kernel stack erasing for kernels built with
> +       CONFIG_GCC_PLUGIN_STACKLEAK.
> +
>  endmenu
>  
>  endmenu
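Review bot: the commit message describes this as a move, but the hunk also changes the user-visible prompt from "Erase the kernel stack before returning from syscalls" to "Poison kernel stack before returning from syscalls" and rewrites the GCC_PLUGIN_STACKLEAK help text (adding the caveat about functions reaching the same stack depth during one syscall); please call the rewording out in the commit message so the prompt change is not a surprise to people who grep for it. Two wording nits in the new help text: "The performance impact on a single CPU system kernel compilation sees a 1% slowdown" reads better in the removed text's form, "On a single CPU system, kernel compilation sees a 1% slowdown", and the STACKLEAK_RUNTIME_DISABLE help carries over "can be used in runtime", which should be "at runtime". Also, since the entries now sit inside a nested menu (the two `endmenu` lines closing this hunk) and the reply above reports the GCC_PLUGIN_STRUCTLEAK help being unreachable from 'make menuconfig', it is worth confirming in menuconfig that the relocated STACKLEAK entries are actually reachable in the memory initialization menu.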
> 
