Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp6369720yba; Thu, 11 Apr 2019 18:42:16 -0700 (PDT) X-Google-Smtp-Source: APXvYqxk9q08qobjwklN8XrKyggn3FWYGw2Y51ESDuNz8mjQV7Tpst1vujm+mvgajucukTbRnuZ9 X-Received: by 2002:a63:5854:: with SMTP id i20mr49231000pgm.171.1555033336563; Thu, 11 Apr 2019 18:42:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555033336; cv=none; d=google.com; s=arc-20160816; b=PsH5+3RsijP1G0p1e0Uy3R3CqgzXsB89ALURJ70FqTLeYn17wi7GDSd3UrdnazCIg7 5L8pcpyP1FWhu7MS0PfZE2WewSx4n3pQRVLFxXSy1GnorVvlqawhY4QbHjQHneMim2VD O3w5LMjBRfIy2426QnbfNlM3IhukYoR9XOwN+/XgXQB0307/0UzPD3O7nHRyEx+0RC6c MntweSAV7S9tnOMHQrM+4lmhLuSCEim+vzJTuuX2IjeOl4P8n3VK39gtbt4UBVOHNcsr PcT5e7cLwbGsGxzO4OMk83KlHNpp0T8IKAVwXDEIhBBO1Qa8K4kAgA79rxuWYkBj6U2n oqpw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature:dkim-filter; bh=wED/bPdbA4GxkGl8E0KKrdQFhvPzZe9DgYeDFMFx+cY=; b=gh9PrSfYiHAzoX658k6uftxI6tITjwXko+UiVHfeZZ8GwJirJL/apzwHJ22XT74K57 JVFbu3rbg5oZfDZ3QSXrmWKnC+hlxt7ewstF/rOzIr5tIcZ2S0A77oNr6PbL4roZVl42 Nzs04e3AOuz2BoC6nWAYTymhEgHakmjyzWRgDPCe9LcFRX9lpb46MgIWHnMekqWLER2P YwYWb6t84AZz0riMuHbKeiLz0viZj13ZrqRA0nzjzd4CmcIHu/tJ11poWTbA7JgxzbPA oKMQShUTcORAHcEOzp/24zv08jEyNguWjHYQw4anbiwqGGFFQnRaOkHCGNe3Z+AJQmhz 4FwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=TgaYf8ej; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d69si19677197pgc.451.2019.04.11.18.41.46; Thu, 11 Apr 2019 18:42:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=TgaYf8ej; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726738AbfDLBjh (ORCPT + 99 others); Thu, 11 Apr 2019 21:39:37 -0400 Received: from conssluserg-02.nifty.com ([210.131.2.81]:27241 "EHLO conssluserg-02.nifty.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726661AbfDLBjg (ORCPT ); Thu, 11 Apr 2019 21:39:36 -0400 Received: from mail-vs1-f53.google.com (mail-vs1-f53.google.com [209.85.217.53]) (authenticated) by conssluserg-02.nifty.com with ESMTP id x3C1dEhH018200; Fri, 12 Apr 2019 10:39:15 +0900 DKIM-Filter: OpenDKIM Filter v2.10.3 conssluserg-02.nifty.com x3C1dEhH018200 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nifty.com; s=dec2015msa; t=1555033155; bh=wED/bPdbA4GxkGl8E0KKrdQFhvPzZe9DgYeDFMFx+cY=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=TgaYf8ejAkSb+KcUStxfixqZ4UReRUqq/bzp2Cjh+zp22RycuccAElfyUL7UoXC21 5fsi2lBn760a7KnfVDPY1N77hg+BPGD9AwhpjaqLdBmiOU/wxuFp3O2ChrcPQCQCRl TkyuC+Og2LkBoP6vx8gpXcbILjQDMev4t+rPsSwRmfiysBlQbT1h/zIAiSQVQpFZ11 y2L496iki86kzInRBL2pc7598Xzf0oZaa+dAhhlvoig6/pwS6UP1yVqXRnoRVYPrH9 pgN6vMz/1bIUvNHVOhof8kpj0AgIqEGYFNfboxcHVMM6PDCG4oLSeH01GqvvmuTIpa CXp6k8obUAPmA== X-Nifty-SrcIP: [209.85.217.53] Received: by mail-vs1-f53.google.com with SMTP id g127so4633405vsd.6; Thu, 11 Apr 2019 18:39:15 -0700 (PDT) X-Gm-Message-State: APjAAAVmFF8gfhBG+fqVcz3mKgYeeEN/gTX3zOdeoxI+2aciiE928nnQ u4H2jf+uQZHv070IM07r1phYQvKywI6/4wdvtuc= X-Received: by 2002:a67:818e:: with SMTP id c136mr30122229vsd.65.1555033154146; Thu, 11 Apr 2019 18:39:14 -0700 (PDT) MIME-Version: 1.0 References: <20190411180117.27704-1-keescook@chromium.org> <20190411180117.27704-2-keescook@chromium.org> In-Reply-To: <20190411180117.27704-2-keescook@chromium.org> From: Masahiro Yamada Date: Fri, 12 Apr 2019 10:38:38 +0900 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 1/3] security: Create "kernel hardening" config area To: Kees Cook Cc: Alexander Potapenko , James Morris , Alexander Popov , Nick Desaulniers , Kostya Serebryany , Dmitry Vyukov , Sandeep Patil , Laura Abbott , Randy Dunlap , Michal Marek , Emese Revfy , "Serge E. Hallyn" , Kernel Hardening , linux-security-module@vger.kernel.org, Linux Kbuild mailing list , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 12, 2019 at 3:01 AM Kees Cook wrote: > > Right now kernel hardening options are scattered around various Kconfig > files. This can be a central place to collect these kinds of options > going forward. This is initially populated with the memory initialization > options from the gcc-plugins. > > Signed-off-by: Kees Cook > --- > scripts/gcc-plugins/Kconfig | 74 +++-------------------------- > security/Kconfig | 2 + > security/Kconfig.hardening | 93 +++++++++++++++++++++++++++++++++++++ > 3 files changed, 102 insertions(+), 67 deletions(-) > create mode 100644 security/Kconfig.hardening > > diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig > index 74271dba4f94..84d471dea2b7 100644 > --- a/scripts/gcc-plugins/Kconfig > +++ b/scripts/gcc-plugins/Kconfig > @@ -13,10 +13,11 @@ config HAVE_GCC_PLUGINS > An arch should select this symbol if it supports building with > GCC plugins. > > -menuconfig GCC_PLUGINS > - bool "GCC plugins" > +config GCC_PLUGINS > + bool > depends on HAVE_GCC_PLUGINS > depends on PLUGIN_HOSTCC != "" > + default y > help > GCC plugins are loadable modules that provide extra features to the > compiler. They are useful for runtime instrumentation and static analysis. > @@ -25,6 +26,8 @@ menuconfig GCC_PLUGINS > > if GCC_PLUGINS > > +menu "GCC plugins" > + Just a tip to save "if" ... "endif" block. If you like, you can write like follows: menu "GCC plugins" depends on GCC_PLUGINS endmenu instead of if GCC_PLUGINS menu "GCC plugins" endmenu fi > +menu "Memory initialization" > + > +choice > + prompt "Initialize kernel stack variables at function entry" > + depends on GCC_PLUGINS On second thought, this 'depends on' is unnecessary because INIT_STACK_NONE should be always visible. > + default INIT_STACK_NONE > + help > + This option enables initialization of stack variables at > + function entry time. This has the possibility to have the > + greatest coverage (since all functions can have their > + variables initialized), but the performance impact depends > + on the function calling complexity of a given workload's > + syscalls. > + > + This chooses the level of coverage over classes of potentially > + uninitialized variables. The selected class will be > + initialized before use in a function. > + > + config INIT_STACK_NONE > + bool "no automatic initialization (weakest)" > + help > + Disable automatic stack variable initialization. > + This leaves the kernel vulnerable to the standard > + classes of uninitialized stack variable exploits > + and information exposures. > + > + config GCC_PLUGIN_STRUCTLEAK_USER > + bool "zero-init structs marked for userspace (weak)" > + depends on GCC_PLUGINS > + select GCC_PLUGIN_STRUCTLEAK > + help > + Zero-initialize any structures on the stack containing > + a __user attribute. This can prevent some classes of > + uninitialized stack variable exploits and information > + exposures, like CVE-2013-2141: > + https://git.kernel.org/linus/b9e146d8eb3b9eca > + > + config GCC_PLUGIN_STRUCTLEAK_BYREF > + bool "zero-init structs passed by reference (strong)" > + depends on GCC_PLUGINS > + select GCC_PLUGIN_STRUCTLEAK > + help > + Zero-initialize any structures on the stack that may > + be passed by reference and had not already been > + explicitly initialized. This can prevent most classes > + of uninitialized stack variable exploits and information > + exposures, like CVE-2017-1000410: > + https://git.kernel.org/linus/06e7e776ca4d3654 > + > + config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL > + bool "zero-init anything passed by reference (very strong)" > + depends on GCC_PLUGINS > + select GCC_PLUGIN_STRUCTLEAK > + help > + Zero-initialize any stack variables that may be passed > + by reference and had not already been explicitly > + initialized. This is intended to eliminate all classes > + of uninitialized stack variable exploits and information > + exposures. > + > +endchoice Another behavior change is GCC_PLUGIN_STRUCTLEAK was previously enabled by all{yes,mod}config, and in the compile-test coverage. It will be disabled for all{yes,mod}config with this patch. This is up to you. Just FYI. -- Best Regards Masahiro Yamada