summaryrefslogtreecommitdiff
path: root/arch/Kconfig
diff options
context:
space:
mode:
Diffstat (limited to 'arch/Kconfig')
-rw-r--r--arch/Kconfig41
1 files changed, 40 insertions, 1 deletions
diff --git a/arch/Kconfig b/arch/Kconfig
index f76b214cf7ad..dc26b6d9175e 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -425,7 +425,7 @@ config GCC_PLUGIN_STRUCTLEAK
bool "Force initialization of variables containing userspace addresses"
depends on GCC_PLUGINS
help
- This plugin zero-initializes any structures that containing a
+ This plugin zero-initializes any structures containing a
__user attribute. This can prevent some classes of information
exposures.
@@ -443,6 +443,45 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE
initialized. Since not all existing initializers are detected
by the plugin, this can produce false positive warnings.
+config GCC_PLUGIN_RANDSTRUCT
+ bool "Randomize layout of sensitive kernel structures"
+ depends on GCC_PLUGINS
+ select MODVERSIONS if MODULES
+ help
+ If you say Y here, the layouts of structures explicitly
+ marked by __randomize_layout will be randomized at
+ compile-time. This can introduce the requirement of an
+ additional information exposure vulnerability for exploits
+ targeting these structure types.
+
+ Enabling this feature will introduce some performance impact,
+ slightly increase memory usage, and prevent the use of forensic
+ tools like Volatility against the system (unless the kernel
+ source tree isn't cleaned after kernel installation).
+
+ The seed used for compilation is located at
+ scripts/gcc-plgins/randomize_layout_seed.h. It remains after
+ a make clean to allow for external modules to be compiled with
+ the existing seed and will be removed by a make mrproper or
+ make distclean.
+
+ Note that the implementation requires gcc 4.7 or newer.
+
+ This plugin was ported from grsecurity/PaX. More information at:
+ * https://grsecurity.net/
+ * https://pax.grsecurity.net/
+
+config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
+ bool "Use cacheline-aware structure randomization"
+ depends on GCC_PLUGIN_RANDSTRUCT
+ depends on !COMPILE_TEST
+ help
+ If you say Y here, the RANDSTRUCT randomization will make a
+ best effort at restricting randomization to cacheline-sized
+ groups of elements. It will further not randomize bitfields
+ in structures. This reduces the performance hit of RANDSTRUCT
+ at the cost of weakened randomization.
+
config HAVE_CC_STACKPROTECTOR
bool
help
generated by cgit v1.2.3 (git 2.39.0) at 2024-12-11 15:54:43 +0300