Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp6369720yba;
        Thu, 11 Apr 2019 18:42:16 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxk9q08qobjwklN8XrKyggn3FWYGw2Y51ESDuNz8mjQV7Tpst1vujm+mvgajucukTbRnuZ9
X-Received: by 2002:a63:5854:: with SMTP id i20mr49231000pgm.171.1555033336563;
        Thu, 11 Apr 2019 18:42:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1555033336; cv=none;
        d=google.com; s=arc-20160816;
        b=PsH5+3RsijP1G0p1e0Uy3R3CqgzXsB89ALURJ70FqTLeYn17wi7GDSd3UrdnazCIg7
         5L8pcpyP1FWhu7MS0PfZE2WewSx4n3pQRVLFxXSy1GnorVvlqawhY4QbHjQHneMim2VD
         O3w5LMjBRfIy2426QnbfNlM3IhukYoR9XOwN+/XgXQB0307/0UzPD3O7nHRyEx+0RC6c
         MntweSAV7S9tnOMHQrM+4lmhLuSCEim+vzJTuuX2IjeOl4P8n3VK39gtbt4UBVOHNcsr
         PcT5e7cLwbGsGxzO4OMk83KlHNpp0T8IKAVwXDEIhBBO1Qa8K4kAgA79rxuWYkBj6U2n
         oqpw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature:dkim-filter;
        bh=wED/bPdbA4GxkGl8E0KKrdQFhvPzZe9DgYeDFMFx+cY=;
        b=gh9PrSfYiHAzoX658k6uftxI6tITjwXko+UiVHfeZZ8GwJirJL/apzwHJ22XT74K57
         JVFbu3rbg5oZfDZ3QSXrmWKnC+hlxt7ewstF/rOzIr5tIcZ2S0A77oNr6PbL4roZVl42
         Nzs04e3AOuz2BoC6nWAYTymhEgHakmjyzWRgDPCe9LcFRX9lpb46MgIWHnMekqWLER2P
         YwYWb6t84AZz0riMuHbKeiLz0viZj13ZrqRA0nzjzd4CmcIHu/tJ11poWTbA7JgxzbPA
         oKMQShUTcORAHcEOzp/24zv08jEyNguWjHYQw4anbiwqGGFFQnRaOkHCGNe3Z+AJQmhz
         4FwA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=TgaYf8ej;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d69si19677197pgc.451.2019.04.11.18.41.46;
        Thu, 11 Apr 2019 18:42:16 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=TgaYf8ej;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726738AbfDLBjh (ORCPT <rfc822;crosarcplusplustest@gmail.com>
        + 99 others); Thu, 11 Apr 2019 21:39:37 -0400
Received: from conssluserg-02.nifty.com ([210.131.2.81]:27241 "EHLO
        conssluserg-02.nifty.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726661AbfDLBjg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 11 Apr 2019 21:39:36 -0400
Received: from mail-vs1-f53.google.com (mail-vs1-f53.google.com [209.85.217.53]) (authenticated)
        by conssluserg-02.nifty.com with ESMTP id x3C1dEhH018200;
        Fri, 12 Apr 2019 10:39:15 +0900
DKIM-Filter: OpenDKIM Filter v2.10.3 conssluserg-02.nifty.com x3C1dEhH018200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nifty.com;
        s=dec2015msa; t=1555033155;
        bh=wED/bPdbA4GxkGl8E0KKrdQFhvPzZe9DgYeDFMFx+cY=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=TgaYf8ejAkSb+KcUStxfixqZ4UReRUqq/bzp2Cjh+zp22RycuccAElfyUL7UoXC21
         5fsi2lBn760a7KnfVDPY1N77hg+BPGD9AwhpjaqLdBmiOU/wxuFp3O2ChrcPQCQCRl
         TkyuC+Og2LkBoP6vx8gpXcbILjQDMev4t+rPsSwRmfiysBlQbT1h/zIAiSQVQpFZ11
         y2L496iki86kzInRBL2pc7598Xzf0oZaa+dAhhlvoig6/pwS6UP1yVqXRnoRVYPrH9
         pgN6vMz/1bIUvNHVOhof8kpj0AgIqEGYFNfboxcHVMM6PDCG4oLSeH01GqvvmuTIpa
         CXp6k8obUAPmA==
X-Nifty-SrcIP: [209.85.217.53]
Received: by mail-vs1-f53.google.com with SMTP id g127so4633405vsd.6;
        Thu, 11 Apr 2019 18:39:15 -0700 (PDT)
X-Gm-Message-State: APjAAAVmFF8gfhBG+fqVcz3mKgYeeEN/gTX3zOdeoxI+2aciiE928nnQ
        u4H2jf+uQZHv070IM07r1phYQvKywI6/4wdvtuc=
X-Received: by 2002:a67:818e:: with SMTP id c136mr30122229vsd.65.1555033154146;
 Thu, 11 Apr 2019 18:39:14 -0700 (PDT)
MIME-Version: 1.0
References: <20190411180117.27704-1-keescook@chromium.org> <20190411180117.27704-2-keescook@chromium.org>
In-Reply-To: <20190411180117.27704-2-keescook@chromium.org>
From:   Masahiro Yamada <yamada.masahiro@socionext.com>
Date:   Fri, 12 Apr 2019 10:38:38 +0900
X-Gmail-Original-Message-ID: <CAK7LNATvNJprA94Qypfub2rpbEEJkAeV3yqVyuk2aNEraDKZ6w@mail.gmail.com>
Message-ID: <CAK7LNATvNJprA94Qypfub2rpbEEJkAeV3yqVyuk2aNEraDKZ6w@mail.gmail.com>
Subject: Re: [PATCH v2 1/3] security: Create "kernel hardening" config area
To:     Kees Cook <keescook@chromium.org>
Cc:     Alexander Potapenko <glider@google.com>,
        James Morris <jmorris@namei.org>,
        Alexander Popov <alex.popov@linux.com>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Kostya Serebryany <kcc@google.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Sandeep Patil <sspatil@android.com>,
        Laura Abbott <labbott@redhat.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        Michal Marek <michal.lkml@markovi.net>,
        Emese Revfy <re.emese@gmail.com>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        linux-security-module@vger.kernel.org,
        Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Apr 12, 2019 at 3:01 AM Kees Cook <keescook@chromium.org> wrote:
>
> Right now kernel hardening options are scattered around various Kconfig
> files. This can be a central place to collect these kinds of options
> going forward. This is initially populated with the memory initialization
> options from the gcc-plugins.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  scripts/gcc-plugins/Kconfig | 74 +++--------------------------
>  security/Kconfig            |  2 +
>  security/Kconfig.hardening  | 93 +++++++++++++++++++++++++++++++++++++
>  3 files changed, 102 insertions(+), 67 deletions(-)
>  create mode 100644 security/Kconfig.hardening
>
> diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
> index 74271dba4f94..84d471dea2b7 100644
> --- a/scripts/gcc-plugins/Kconfig
> +++ b/scripts/gcc-plugins/Kconfig
> @@ -13,10 +13,11 @@ config HAVE_GCC_PLUGINS
>           An arch should select this symbol if it supports building with
>           GCC plugins.
>
> -menuconfig GCC_PLUGINS
> -       bool "GCC plugins"
> +config GCC_PLUGINS
> +       bool
>         depends on HAVE_GCC_PLUGINS
>         depends on PLUGIN_HOSTCC != ""
> +       default y
>         help
>           GCC plugins are loadable modules that provide extra features to the
>           compiler. They are useful for runtime instrumentation and static analysis.
> @@ -25,6 +26,8 @@ menuconfig GCC_PLUGINS
>
>  if GCC_PLUGINS
>
> +menu "GCC plugins"
> +



Just a tip to save "if" ... "endif" block.


If you like, you can write like follows:


menu "GCC plugins"
          depends on GCC_PLUGINS

  <menu body>

endmenu



instead of



if GCC_PLUGINS

menu "GCC plugins"

 <menu body>

endmenu

fi




> +menu "Memory initialization"
> +
> +choice
> +       prompt "Initialize kernel stack variables at function entry"
> +       depends on GCC_PLUGINS

On second thought,
this 'depends on' is unnecessary
because INIT_STACK_NONE should be always visible.


> +       default INIT_STACK_NONE
> +       help
> +         This option enables initialization of stack variables at
> +         function entry time. This has the possibility to have the
> +         greatest coverage (since all functions can have their
> +         variables initialized), but the performance impact depends
> +         on the function calling complexity of a given workload's
> +         syscalls.
> +
> +         This chooses the level of coverage over classes of potentially
> +         uninitialized variables. The selected class will be
> +         initialized before use in a function.
> +
> +       config INIT_STACK_NONE
> +               bool "no automatic initialization (weakest)"
> +               help
> +                 Disable automatic stack variable initialization.
> +                 This leaves the kernel vulnerable to the standard
> +                 classes of uninitialized stack variable exploits
> +                 and information exposures.
> +
> +       config GCC_PLUGIN_STRUCTLEAK_USER
> +               bool "zero-init structs marked for userspace (weak)"
> +               depends on GCC_PLUGINS
> +               select GCC_PLUGIN_STRUCTLEAK
> +               help
> +                 Zero-initialize any structures on the stack containing
> +                 a __user attribute. This can prevent some classes of
> +                 uninitialized stack variable exploits and information
> +                 exposures, like CVE-2013-2141:
> +                 https://git.kernel.org/linus/b9e146d8eb3b9eca
> +
> +       config GCC_PLUGIN_STRUCTLEAK_BYREF
> +               bool "zero-init structs passed by reference (strong)"
> +               depends on GCC_PLUGINS
> +               select GCC_PLUGIN_STRUCTLEAK
> +               help
> +                 Zero-initialize any structures on the stack that may
> +                 be passed by reference and had not already been
> +                 explicitly initialized. This can prevent most classes
> +                 of uninitialized stack variable exploits and information
> +                 exposures, like CVE-2017-1000410:
> +                 https://git.kernel.org/linus/06e7e776ca4d3654
> +
> +       config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
> +               bool "zero-init anything passed by reference (very strong)"
> +               depends on GCC_PLUGINS
> +               select GCC_PLUGIN_STRUCTLEAK
> +               help
> +                 Zero-initialize any stack variables that may be passed
> +                 by reference and had not already been explicitly
> +                 initialized. This is intended to eliminate all classes
> +                 of uninitialized stack variable exploits and information
> +                 exposures.
> +
> +endchoice



Another behavior change is
GCC_PLUGIN_STRUCTLEAK was previously enabled by all{yes,mod}config,
and in the compile-test coverage.

It will be disabled for all{yes,mod}config with this patch.

This is up to you. Just FYI.


-- 
Best Regards
Masahiro Yamada