1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only 29f671e58SKees Cookmenu "Kernel hardening options" 39f671e58SKees Cook 49f671e58SKees Cookconfig GCC_PLUGIN_STRUCTLEAK 59f671e58SKees Cook bool 69f671e58SKees Cook help 79f671e58SKees Cook While the kernel is built with warnings enabled for any missed 89f671e58SKees Cook stack variable initializations, this warning is silenced for 99f671e58SKees Cook anything passed by reference to another function, under the 109f671e58SKees Cook occasionally misguided assumption that the function will do 119f671e58SKees Cook the initialization. As this regularly leads to exploitable 129f671e58SKees Cook flaws, this plugin is available to identify and zero-initialize 139f671e58SKees Cook such variables, depending on the chosen level of coverage. 149f671e58SKees Cook 159f671e58SKees Cook This plugin was originally ported from grsecurity/PaX. More 169f671e58SKees Cook information at: 179f671e58SKees Cook * https://grsecurity.net/ 189f671e58SKees Cook * https://pax.grsecurity.net/ 199f671e58SKees Cook 209f671e58SKees Cookmenu "Memory initialization" 219f671e58SKees Cook 22f0fe00d4Sglider@google.comconfig CC_HAS_AUTO_VAR_INIT_PATTERN 23709a972eSKees Cook def_bool $(cc-option,-ftrivial-auto-var-init=pattern) 24709a972eSKees Cook 25607e57c6SKees Cookconfig CC_HAS_AUTO_VAR_INIT_ZERO_BARE 26607e57c6SKees Cook def_bool $(cc-option,-ftrivial-auto-var-init=zero) 27607e57c6SKees Cook 28607e57c6SKees Cookconfig CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER 29607e57c6SKees Cook # Clang 16 and later warn about using the -enable flag, but it 30607e57c6SKees Cook # is required before then. 31f0fe00d4Sglider@google.com def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang) 32607e57c6SKees Cook depends on !CC_HAS_AUTO_VAR_INIT_ZERO_BARE 33607e57c6SKees Cook 34607e57c6SKees Cookconfig CC_HAS_AUTO_VAR_INIT_ZERO 35607e57c6SKees Cook def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BARE || CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER 36f0fe00d4Sglider@google.com 379f671e58SKees Cookchoice 389f671e58SKees Cook prompt "Initialize kernel stack variables at function entry" 399f671e58SKees Cook default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS 40f0fe00d4Sglider@google.com default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN 41f02003c8SKees Cook default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO 429f671e58SKees Cook default INIT_STACK_NONE 439f671e58SKees Cook help 449f671e58SKees Cook This option enables initialization of stack variables at 459f671e58SKees Cook function entry time. This has the possibility to have the 469f671e58SKees Cook greatest coverage (since all functions can have their 479f671e58SKees Cook variables initialized), but the performance impact depends 489f671e58SKees Cook on the function calling complexity of a given workload's 499f671e58SKees Cook syscalls. 509f671e58SKees Cook 519f671e58SKees Cook This chooses the level of coverage over classes of potentially 52dcb7c0b9SKees Cook uninitialized variables. The selected class of variable will be 539f671e58SKees Cook initialized before use in a function. 549f671e58SKees Cook 559f671e58SKees Cook config INIT_STACK_NONE 56dcb7c0b9SKees Cook bool "no automatic stack variable initialization (weakest)" 579f671e58SKees Cook help 589f671e58SKees Cook Disable automatic stack variable initialization. 599f671e58SKees Cook This leaves the kernel vulnerable to the standard 609f671e58SKees Cook classes of uninitialized stack variable exploits 619f671e58SKees Cook and information exposures. 629f671e58SKees Cook 639f671e58SKees Cook config GCC_PLUGIN_STRUCTLEAK_USER 649f671e58SKees Cook bool "zero-init structs marked for userspace (weak)" 658bd51a2bSKees Cook # Plugin can be removed once the kernel only supports GCC 12+ 668bd51a2bSKees Cook depends on GCC_PLUGINS && !CC_HAS_AUTO_VAR_INIT_ZERO 679f671e58SKees Cook select GCC_PLUGIN_STRUCTLEAK 689f671e58SKees Cook help 699f671e58SKees Cook Zero-initialize any structures on the stack containing 709f671e58SKees Cook a __user attribute. This can prevent some classes of 719f671e58SKees Cook uninitialized stack variable exploits and information 729f671e58SKees Cook exposures, like CVE-2013-2141: 739f671e58SKees Cook https://git.kernel.org/linus/b9e146d8eb3b9eca 749f671e58SKees Cook 759f671e58SKees Cook config GCC_PLUGIN_STRUCTLEAK_BYREF 769f671e58SKees Cook bool "zero-init structs passed by reference (strong)" 778bd51a2bSKees Cook # Plugin can be removed once the kernel only supports GCC 12+ 788bd51a2bSKees Cook depends on GCC_PLUGINS && !CC_HAS_AUTO_VAR_INIT_ZERO 7902c58773SWalter Wu depends on !(KASAN && KASAN_STACK) 809f671e58SKees Cook select GCC_PLUGIN_STRUCTLEAK 819f671e58SKees Cook help 829f671e58SKees Cook Zero-initialize any structures on the stack that may 839f671e58SKees Cook be passed by reference and had not already been 849f671e58SKees Cook explicitly initialized. This can prevent most classes 859f671e58SKees Cook of uninitialized stack variable exploits and information 869f671e58SKees Cook exposures, like CVE-2017-1000410: 879f671e58SKees Cook https://git.kernel.org/linus/06e7e776ca4d3654 889f671e58SKees Cook 89173e6ee2SArnd Bergmann As a side-effect, this keeps a lot of variables on the 90173e6ee2SArnd Bergmann stack that can otherwise be optimized out, so combining 91173e6ee2SArnd Bergmann this with CONFIG_KASAN_STACK can lead to a stack overflow 92173e6ee2SArnd Bergmann and is disallowed. 93173e6ee2SArnd Bergmann 949f671e58SKees Cook config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL 95dcb7c0b9SKees Cook bool "zero-init everything passed by reference (very strong)" 968bd51a2bSKees Cook # Plugin can be removed once the kernel only supports GCC 12+ 978bd51a2bSKees Cook depends on GCC_PLUGINS && !CC_HAS_AUTO_VAR_INIT_ZERO 9802c58773SWalter Wu depends on !(KASAN && KASAN_STACK) 999f671e58SKees Cook select GCC_PLUGIN_STRUCTLEAK 1009f671e58SKees Cook help 1019f671e58SKees Cook Zero-initialize any stack variables that may be passed 1029f671e58SKees Cook by reference and had not already been explicitly 1039f671e58SKees Cook initialized. This is intended to eliminate all classes 1049f671e58SKees Cook of uninitialized stack variable exploits and information 1059f671e58SKees Cook exposures. 1069f671e58SKees Cook 107dcb7c0b9SKees Cook As a side-effect, this keeps a lot of variables on the 108dcb7c0b9SKees Cook stack that can otherwise be optimized out, so combining 109dcb7c0b9SKees Cook this with CONFIG_KASAN_STACK can lead to a stack overflow 110dcb7c0b9SKees Cook and is disallowed. 111dcb7c0b9SKees Cook 112f0fe00d4Sglider@google.com config INIT_STACK_ALL_PATTERN 113dcb7c0b9SKees Cook bool "pattern-init everything (strongest)" 114f0fe00d4Sglider@google.com depends on CC_HAS_AUTO_VAR_INIT_PATTERN 11542eaa27dSAlexander Potapenko depends on !KMSAN 116709a972eSKees Cook help 117dcb7c0b9SKees Cook Initializes everything on the stack (including padding) 118dcb7c0b9SKees Cook with a specific debug value. This is intended to eliminate 119dcb7c0b9SKees Cook all classes of uninitialized stack variable exploits and 120dcb7c0b9SKees Cook information exposures, even variables that were warned about 121dcb7c0b9SKees Cook having been left uninitialized. 122709a972eSKees Cook 123f0fe00d4Sglider@google.com Pattern initialization is known to provoke many existing bugs 124f0fe00d4Sglider@google.com related to uninitialized locals, e.g. pointers receive 125dcb7c0b9SKees Cook non-NULL values, buffer sizes and indices are very big. The 126dcb7c0b9SKees Cook pattern is situation-specific; Clang on 64-bit uses 0xAA 127dcb7c0b9SKees Cook repeating for all types and padding except float and double 128dcb7c0b9SKees Cook which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF 129dcb7c0b9SKees Cook repeating for all types and padding. 130f0fe00d4Sglider@google.com 131f0fe00d4Sglider@google.com config INIT_STACK_ALL_ZERO 132dcb7c0b9SKees Cook bool "zero-init everything (strongest and safest)" 133f0fe00d4Sglider@google.com depends on CC_HAS_AUTO_VAR_INIT_ZERO 13442eaa27dSAlexander Potapenko depends on !KMSAN 135f0fe00d4Sglider@google.com help 136dcb7c0b9SKees Cook Initializes everything on the stack (including padding) 137dcb7c0b9SKees Cook with a zero value. This is intended to eliminate all 138dcb7c0b9SKees Cook classes of uninitialized stack variable exploits and 139dcb7c0b9SKees Cook information exposures, even variables that were warned 140dcb7c0b9SKees Cook about having been left uninitialized. 141f0fe00d4Sglider@google.com 142dcb7c0b9SKees Cook Zero initialization provides safe defaults for strings 143dcb7c0b9SKees Cook (immediately NUL-terminated), pointers (NULL), indices 144dcb7c0b9SKees Cook (index 0), and sizes (0 length), so it is therefore more 145dcb7c0b9SKees Cook suitable as a production security mitigation than pattern 146dcb7c0b9SKees Cook initialization. 147f0fe00d4Sglider@google.com 1489f671e58SKees Cookendchoice 1499f671e58SKees Cook 1509f671e58SKees Cookconfig GCC_PLUGIN_STRUCTLEAK_VERBOSE 1519f671e58SKees Cook bool "Report forcefully initialized variables" 1529f671e58SKees Cook depends on GCC_PLUGIN_STRUCTLEAK 1539f671e58SKees Cook depends on !COMPILE_TEST # too noisy 1549f671e58SKees Cook help 1559f671e58SKees Cook This option will cause a warning to be printed each time the 1569f671e58SKees Cook structleak plugin finds a variable it thinks needs to be 1579f671e58SKees Cook initialized. Since not all existing initializers are detected 1589f671e58SKees Cook by the plugin, this can produce false positive warnings. 1599f671e58SKees Cook 160b6a6a377SKees Cookconfig GCC_PLUGIN_STACKLEAK 161b6a6a377SKees Cook bool "Poison kernel stack before returning from syscalls" 162b6a6a377SKees Cook depends on GCC_PLUGINS 163b6a6a377SKees Cook depends on HAVE_ARCH_STACKLEAK 164b6a6a377SKees Cook help 165b6a6a377SKees Cook This option makes the kernel erase the kernel stack before 166b6a6a377SKees Cook returning from system calls. This has the effect of leaving 167b6a6a377SKees Cook the stack initialized to the poison value, which both reduces 168b6a6a377SKees Cook the lifetime of any sensitive stack contents and reduces 169b6a6a377SKees Cook potential for uninitialized stack variable exploits or information 170b6a6a377SKees Cook exposures (it does not cover functions reaching the same stack 171b6a6a377SKees Cook depth as prior functions during the same syscall). This blocks 172b6a6a377SKees Cook most uninitialized stack variable attacks, with the performance 173b6a6a377SKees Cook impact being driven by the depth of the stack usage, rather than 174b6a6a377SKees Cook the function calling complexity. 175b6a6a377SKees Cook 176b6a6a377SKees Cook The performance impact on a single CPU system kernel compilation 177b6a6a377SKees Cook sees a 1% slowdown, other systems and workloads may vary and you 178b6a6a377SKees Cook are advised to test this feature on your expected workload before 179b6a6a377SKees Cook deploying it. 180b6a6a377SKees Cook 181b6a6a377SKees Cook This plugin was ported from grsecurity/PaX. More information at: 182b6a6a377SKees Cook * https://grsecurity.net/ 183b6a6a377SKees Cook * https://pax.grsecurity.net/ 184b6a6a377SKees Cook 185f154066bSKees Cookconfig GCC_PLUGIN_STACKLEAK_VERBOSE 186f154066bSKees Cook bool "Report stack depth analysis instrumentation" if EXPERT 187f154066bSKees Cook depends on GCC_PLUGIN_STACKLEAK 188f154066bSKees Cook depends on !COMPILE_TEST # too noisy 189f154066bSKees Cook help 190f154066bSKees Cook This option will cause a warning to be printed each time the 191f154066bSKees Cook stackleak plugin finds a function it thinks needs to be 192f154066bSKees Cook instrumented. This is useful for comparing coverage between 193f154066bSKees Cook builds. 194f154066bSKees Cook 195b6a6a377SKees Cookconfig STACKLEAK_TRACK_MIN_SIZE 196b6a6a377SKees Cook int "Minimum stack frame size of functions tracked by STACKLEAK" 197b6a6a377SKees Cook default 100 198b6a6a377SKees Cook range 0 4096 199b6a6a377SKees Cook depends on GCC_PLUGIN_STACKLEAK 200b6a6a377SKees Cook help 201b6a6a377SKees Cook The STACKLEAK gcc plugin instruments the kernel code for tracking 202b6a6a377SKees Cook the lowest border of the kernel stack (and for some other purposes). 203b6a6a377SKees Cook It inserts the stackleak_track_stack() call for the functions with 204b6a6a377SKees Cook a stack frame size greater than or equal to this parameter. 205b6a6a377SKees Cook If unsure, leave the default value 100. 206b6a6a377SKees Cook 207b6a6a377SKees Cookconfig STACKLEAK_METRICS 208b6a6a377SKees Cook bool "Show STACKLEAK metrics in the /proc file system" 209b6a6a377SKees Cook depends on GCC_PLUGIN_STACKLEAK 210b6a6a377SKees Cook depends on PROC_FS 211b6a6a377SKees Cook help 212b6a6a377SKees Cook If this is set, STACKLEAK metrics for every task are available in 213b6a6a377SKees Cook the /proc file system. In particular, /proc/<pid>/stack_depth 214b6a6a377SKees Cook shows the maximum kernel stack consumption for the current and 215b6a6a377SKees Cook previous syscalls. Although this information is not precise, it 216b6a6a377SKees Cook can be useful for estimating the STACKLEAK performance impact for 217b6a6a377SKees Cook your workloads. 218b6a6a377SKees Cook 219b6a6a377SKees Cookconfig STACKLEAK_RUNTIME_DISABLE 220b6a6a377SKees Cook bool "Allow runtime disabling of kernel stack erasing" 221b6a6a377SKees Cook depends on GCC_PLUGIN_STACKLEAK 222b6a6a377SKees Cook help 223b6a6a377SKees Cook This option provides 'stack_erasing' sysctl, which can be used in 224b6a6a377SKees Cook runtime to control kernel stack erasing for kernels built with 225b6a6a377SKees Cook CONFIG_GCC_PLUGIN_STACKLEAK. 226b6a6a377SKees Cook 2276471384aSAlexander Potapenkoconfig INIT_ON_ALLOC_DEFAULT_ON 2286471384aSAlexander Potapenko bool "Enable heap memory zeroing on allocation by default" 22942eaa27dSAlexander Potapenko depends on !KMSAN 2306471384aSAlexander Potapenko help 2316471384aSAlexander Potapenko This has the effect of setting "init_on_alloc=1" on the kernel 2326471384aSAlexander Potapenko command line. This can be disabled with "init_on_alloc=0". 2336471384aSAlexander Potapenko When "init_on_alloc" is enabled, all page allocator and slab 2346471384aSAlexander Potapenko allocator memory will be zeroed when allocated, eliminating 2356471384aSAlexander Potapenko many kinds of "uninitialized heap memory" flaws, especially 2366471384aSAlexander Potapenko heap content exposures. The performance impact varies by 2376471384aSAlexander Potapenko workload, but most cases see <1% impact. Some synthetic 2386471384aSAlexander Potapenko workloads have measured as high as 7%. 2396471384aSAlexander Potapenko 2406471384aSAlexander Potapenkoconfig INIT_ON_FREE_DEFAULT_ON 2416471384aSAlexander Potapenko bool "Enable heap memory zeroing on free by default" 24242eaa27dSAlexander Potapenko depends on !KMSAN 2436471384aSAlexander Potapenko help 2446471384aSAlexander Potapenko This has the effect of setting "init_on_free=1" on the kernel 2456471384aSAlexander Potapenko command line. This can be disabled with "init_on_free=0". 2466471384aSAlexander Potapenko Similar to "init_on_alloc", when "init_on_free" is enabled, 2476471384aSAlexander Potapenko all page allocator and slab allocator memory will be zeroed 2486471384aSAlexander Potapenko when freed, eliminating many kinds of "uninitialized heap memory" 2496471384aSAlexander Potapenko flaws, especially heap content exposures. The primary difference 2506471384aSAlexander Potapenko with "init_on_free" is that data lifetime in memory is reduced, 2516471384aSAlexander Potapenko as anything freed is wiped immediately, making live forensics or 2526471384aSAlexander Potapenko cold boot memory attacks unable to recover freed memory contents. 2536471384aSAlexander Potapenko The performance impact varies by workload, but is more expensive 2546471384aSAlexander Potapenko than "init_on_alloc" due to the negative cache effects of 2556471384aSAlexander Potapenko touching "cold" memory areas. Most cases see 3-5% impact. Some 2566471384aSAlexander Potapenko synthetic workloads have measured as high as 8%. 2576471384aSAlexander Potapenko 258a82adfd5SKees Cookconfig CC_HAS_ZERO_CALL_USED_REGS 259a82adfd5SKees Cook def_bool $(cc-option,-fzero-call-used-regs=used-gpr) 260d6a9fb87SNathan Chancellor # https://github.com/ClangBuiltLinux/linux/issues/1766 261d6a9fb87SNathan Chancellor # https://github.com/llvm/llvm-project/issues/59242 262d6a9fb87SNathan Chancellor depends on !CC_IS_CLANG || CLANG_VERSION > 150006 263a82adfd5SKees Cook 264a82adfd5SKees Cookconfig ZERO_CALL_USED_REGS 265a82adfd5SKees Cook bool "Enable register zeroing on function exit" 266a82adfd5SKees Cook depends on CC_HAS_ZERO_CALL_USED_REGS 267a82adfd5SKees Cook help 268a82adfd5SKees Cook At the end of functions, always zero any caller-used register 269a82adfd5SKees Cook contents. This helps ensure that temporary values are not 270a82adfd5SKees Cook leaked beyond the function boundary. This means that register 271a82adfd5SKees Cook contents are less likely to be available for side channels 272a82adfd5SKees Cook and information exposures. Additionally, this helps reduce the 273a82adfd5SKees Cook number of useful ROP gadgets by about 20% (and removes compiler 274a82adfd5SKees Cook generated "write-what-where" gadgets) in the resulting kernel 275a82adfd5SKees Cook image. This has a less than 1% performance impact on most 276a82adfd5SKees Cook workloads. Image size growth depends on architecture, and should 277a82adfd5SKees Cook be evaluated for suitability. For example, x86_64 grows by less 278a82adfd5SKees Cook than 1%, and arm64 grows by about 5%. 279a82adfd5SKees Cook 2809f671e58SKees Cookendmenu 2819f671e58SKees Cook 282aebc7b0dSMarco Elvermenu "Hardening of kernel data structures" 283aebc7b0dSMarco Elver 284aebc7b0dSMarco Elverconfig LIST_HARDENED 285aebc7b0dSMarco Elver bool "Check integrity of linked list manipulation" 286aebc7b0dSMarco Elver help 287aebc7b0dSMarco Elver Minimal integrity checking in the linked-list manipulation routines 288aebc7b0dSMarco Elver to catch memory corruptions that are not guaranteed to result in an 289aebc7b0dSMarco Elver immediate access fault. 290aebc7b0dSMarco Elver 291aebc7b0dSMarco Elver If unsure, say N. 292aebc7b0dSMarco Elver 293*aa9f10d5SMarco Elverconfig BUG_ON_DATA_CORRUPTION 294*aa9f10d5SMarco Elver bool "Trigger a BUG when data corruption is detected" 295*aa9f10d5SMarco Elver select LIST_HARDENED 296*aa9f10d5SMarco Elver help 297*aa9f10d5SMarco Elver Select this option if the kernel should BUG when it encounters 298*aa9f10d5SMarco Elver data corruption in kernel memory structures when they get checked 299*aa9f10d5SMarco Elver for validity. 300*aa9f10d5SMarco Elver 301*aa9f10d5SMarco Elver If unsure, say N. 302*aa9f10d5SMarco Elver 303aebc7b0dSMarco Elverendmenu 304aebc7b0dSMarco Elver 305035f7f87SKees Cookconfig CC_HAS_RANDSTRUCT 306035f7f87SKees Cook def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null) 30778f7a3fdSEric Biggers # Randstruct was first added in Clang 15, but it isn't safe to use until 30878f7a3fdSEric Biggers # Clang 16 due to https://github.com/llvm/llvm-project/issues/60349 30978f7a3fdSEric Biggers depends on !CC_IS_CLANG || CLANG_VERSION >= 160000 310035f7f87SKees Cook 311595b893eSKees Cookchoice 312595b893eSKees Cook prompt "Randomize layout of sensitive kernel structures" 313035f7f87SKees Cook default RANDSTRUCT_FULL if COMPILE_TEST && (GCC_PLUGINS || CC_HAS_RANDSTRUCT) 314595b893eSKees Cook default RANDSTRUCT_NONE 315595b893eSKees Cook help 316595b893eSKees Cook If you enable this, the layouts of structures that are entirely 317595b893eSKees Cook function pointers (and have not been manually annotated with 318595b893eSKees Cook __no_randomize_layout), or structures that have been explicitly 319595b893eSKees Cook marked with __randomize_layout, will be randomized at compile-time. 320595b893eSKees Cook This can introduce the requirement of an additional information 321595b893eSKees Cook exposure vulnerability for exploits targeting these structure 322595b893eSKees Cook types. 323595b893eSKees Cook 324595b893eSKees Cook Enabling this feature will introduce some performance impact, 325595b893eSKees Cook slightly increase memory usage, and prevent the use of forensic 326595b893eSKees Cook tools like Volatility against the system (unless the kernel 327595b893eSKees Cook source tree isn't cleaned after kernel installation). 328595b893eSKees Cook 329be2b34faSKees Cook The seed used for compilation is in scripts/basic/randomize.seed. 330be2b34faSKees Cook It remains after a "make clean" to allow for external modules to 331be2b34faSKees Cook be compiled with the existing seed and will be removed by a 332be2b34faSKees Cook "make mrproper" or "make distclean". This file should not be made 333be2b34faSKees Cook public, or the structure layout can be determined. 334595b893eSKees Cook 335595b893eSKees Cook config RANDSTRUCT_NONE 336595b893eSKees Cook bool "Disable structure layout randomization" 337595b893eSKees Cook help 338595b893eSKees Cook Build normally: no structure layout randomization. 339595b893eSKees Cook 340595b893eSKees Cook config RANDSTRUCT_FULL 341595b893eSKees Cook bool "Fully randomize structure layout" 342035f7f87SKees Cook depends on CC_HAS_RANDSTRUCT || GCC_PLUGINS 343595b893eSKees Cook select MODVERSIONS if MODULES 344595b893eSKees Cook help 345595b893eSKees Cook Fully randomize the member layout of sensitive 346595b893eSKees Cook structures as much as possible, which may have both a 347595b893eSKees Cook memory size and performance impact. 348595b893eSKees Cook 349035f7f87SKees Cook One difference between the Clang and GCC plugin 350035f7f87SKees Cook implementations is the handling of bitfields. The GCC 351035f7f87SKees Cook plugin treats them as fully separate variables, 352035f7f87SKees Cook introducing sometimes significant padding. Clang tries 353035f7f87SKees Cook to keep adjacent bitfields together, but with their bit 354035f7f87SKees Cook ordering randomized. 355035f7f87SKees Cook 356595b893eSKees Cook config RANDSTRUCT_PERFORMANCE 357595b893eSKees Cook bool "Limit randomization of structure layout to cache-lines" 358595b893eSKees Cook depends on GCC_PLUGINS 359595b893eSKees Cook select MODVERSIONS if MODULES 360595b893eSKees Cook help 361595b893eSKees Cook Randomization of sensitive kernel structures will make a 362595b893eSKees Cook best effort at restricting randomization to cacheline-sized 363595b893eSKees Cook groups of members. It will further not randomize bitfields 364595b893eSKees Cook in structures. This reduces the performance hit of RANDSTRUCT 365595b893eSKees Cook at the cost of weakened randomization. 366595b893eSKees Cookendchoice 367595b893eSKees Cook 368595b893eSKees Cookconfig RANDSTRUCT 369595b893eSKees Cook def_bool !RANDSTRUCT_NONE 370595b893eSKees Cook 371595b893eSKees Cookconfig GCC_PLUGIN_RANDSTRUCT 372595b893eSKees Cook def_bool GCC_PLUGINS && RANDSTRUCT 373595b893eSKees Cook help 374595b893eSKees Cook Use GCC plugin to randomize structure layout. 375595b893eSKees Cook 376595b893eSKees Cook This plugin was ported from grsecurity/PaX. More 377595b893eSKees Cook information at: 378595b893eSKees Cook * https://grsecurity.net/ 379595b893eSKees Cook * https://pax.grsecurity.net/ 380595b893eSKees Cook 3819f671e58SKees Cookendmenu 382