Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3971734yba;
        Tue, 23 Apr 2019 12:43:52 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyqLMY6JafHDQpmDtZteeMNVLtdVgNcV4ou9khV+uWCIBF0Tfl7sRtADpewaCGkORvFs4qZ
X-Received: by 2002:aa7:8edd:: with SMTP id b29mr29425729pfr.241.1556048631974;
        Tue, 23 Apr 2019 12:43:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1556048631; cv=none;
        d=google.com; s=arc-20160816;
        b=C1gUD5ocyXjxoQjUxpBIl4G7vHsp0RYqfIFeYnZJQ40WvM/+lY9jWKtPSEhM7oLMS3
         ozIsg3A8Q9OwLdbu+aHrZJBsPyK2OrVXjkniDpJ2sleIroYrx+aPKGdtn9Y7vUl9YM0B
         LdeOCEgQXyyb4NbfCx+1vUu+AkVG+sULyA+I5vCwAb+8FNlhkMzn7Vz7eJmShbxsIOc4
         JsNM6SfWGFDbP6I1LZMqF+jLetw68SJPdWnAjaDGIGaWfvWAoF/2pphlDIVqKPhaTs9X
         AFq7UwyRDyUfhj7OMxikgggo3M82b3jWptxrvMdZ5BFAGyPD6U+/sOOIfa4p3tgS+n3n
         5fmQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=nfae1L7qQtGmcEC0kaUhc8lAK/W6bAcsEpn3yxXkxig=;
        b=QgHqtVtXRcLH5p5r7cpE1cG8hUwbDcfu/SZS5iDdSPYcUU3nRju4Lwvg/aABIY9dzu
         h8K+cUpsblOgBM1W1vL0TLKn6fFUpEpoVOETxngTUDGSboF2I785K62M1zr96vC0bSiq
         qRZYqRowhv2m+k0eUnvIFvSAWC86FNpHqgPm9rM+9V1e4CnAcMVPwDRvKL4IKL4HArvH
         U1wi1afrU8mOYrulPa7+TvVRLNK8Ild23ui1oK71tg6QlYjHnVN7y+j3GOsZLyDO6owi
         5tFfYJZ3xCWU9ioVCM+oFhJhlNyJl3MLsHyMC4FuqcPAYlm4zEKGYntIjhVV4utBO9S4
         aR1g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=UIoYEyIF;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j23si2904213pff.108.2019.04.23.12.43.36;
        Tue, 23 Apr 2019 12:43:51 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=UIoYEyIF;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726790AbfDWTmF (ORCPT <rfc822;rmelvin.vger@gmail.com>
        + 99 others); Tue, 23 Apr 2019 15:42:05 -0400
Received: from mail-vs1-f65.google.com ([209.85.217.65]:34389 "EHLO
        mail-vs1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725945AbfDWTmF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 23 Apr 2019 15:42:05 -0400
Received: by mail-vs1-f65.google.com with SMTP id n17so695729vsr.1
        for <linux-kernel@vger.kernel.org>; Tue, 23 Apr 2019 12:42:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=nfae1L7qQtGmcEC0kaUhc8lAK/W6bAcsEpn3yxXkxig=;
        b=UIoYEyIFIWQgCLjOzYoQ6qTU+folQszrYetmsA9uX1etgnIt/SniEXJwDIr+waZZBy
         u7oyknqBHgkluOmDWiVGxLC/JLF862NLsCuWt/cC2ebLFszfLNOoxcd1OgHzFLE3Yp3O
         4HTySG1EgUuCUJ9tbK0cmMBdiR2/bEN9lpvCQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=nfae1L7qQtGmcEC0kaUhc8lAK/W6bAcsEpn3yxXkxig=;
        b=gwnsFbM843CZ05/VHA5ya2Exk50SARxD1RopapDXAPJ1qinhGM24Y62TUR6r5t78xC
         96pMKxNukRhA1JaEGWvzJ7u7H4iwrOvGeDGtqyCaz+LoBKLsz0/fh7VPZj8Tai1IX5VI
         GHiK9yIP5joAn5BiRFBqqlvSCVVqnL58ZNWoZuzzTv1RZL7Akdau4S0NkAmBkAl4Hgj7
         9G4IPaEZUKLhb9/KOT6QFwKrA0KFB5xcoOPqtI27/e+S+5t03yAfQGq1cDmRnKmIVA/S
         fvAwGtUGA4zBVtcVwEPTnqT0mxraoF4nqdp/YwoLIGIqz9EdxZWFtHmrfWOzqAo2wbSU
         cb2Q==
X-Gm-Message-State: APjAAAX3SbIGRYTiMrrYaIFsrglqlnmsg0tABHxHPA8OKSG9/4Jn/GAp
        103AkKtdb5zc+utpB4zt6pgibakQq2w=
X-Received: by 2002:a67:ea53:: with SMTP id r19mr14684987vso.12.1556048523856;
        Tue, 23 Apr 2019 12:42:03 -0700 (PDT)
Received: from mail-vs1-f45.google.com (mail-vs1-f45.google.com. [209.85.217.45])
        by smtp.gmail.com with ESMTPSA id 2sm18645652vke.27.2019.04.23.12.42.03
        for <linux-kernel@vger.kernel.org>
        (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128);
        Tue, 23 Apr 2019 12:42:03 -0700 (PDT)
Received: by mail-vs1-f45.google.com with SMTP id d8so8943328vsp.2
        for <linux-kernel@vger.kernel.org>; Tue, 23 Apr 2019 12:42:03 -0700 (PDT)
X-Received: by 2002:a67:f849:: with SMTP id b9mr14431245vsp.188.1556048215473;
 Tue, 23 Apr 2019 12:36:55 -0700 (PDT)
MIME-Version: 1.0
References: <20190411180117.27704-1-keescook@chromium.org> <20190411180117.27704-2-keescook@chromium.org>
 <CAK7LNATvNJprA94Qypfub2rpbEEJkAeV3yqVyuk2aNEraDKZ6w@mail.gmail.com>
In-Reply-To: <CAK7LNATvNJprA94Qypfub2rpbEEJkAeV3yqVyuk2aNEraDKZ6w@mail.gmail.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Tue, 23 Apr 2019 12:36:43 -0700
X-Gmail-Original-Message-ID: <CAGXu5jLNwFfG-x-_Q6nTdU21t5B9z7dCgBekRiJ+MnUE14J12A@mail.gmail.com>
Message-ID: <CAGXu5jLNwFfG-x-_Q6nTdU21t5B9z7dCgBekRiJ+MnUE14J12A@mail.gmail.com>
Subject: Re: [PATCH v2 1/3] security: Create "kernel hardening" config area
To:     Masahiro Yamada <yamada.masahiro@socionext.com>
Cc:     Alexander Potapenko <glider@google.com>,
        James Morris <jmorris@namei.org>,
        Alexander Popov <alex.popov@linux.com>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Kostya Serebryany <kcc@google.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Sandeep Patil <sspatil@android.com>,
        Laura Abbott <labbott@redhat.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        Michal Marek <michal.lkml@markovi.net>,
        Emese Revfy <re.emese@gmail.com>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 11, 2019 at 6:39 PM Masahiro Yamada
<yamada.masahiro@socionext.com> wrote:
>
> On Fri, Apr 12, 2019 at 3:01 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Right now kernel hardening options are scattered around various Kconfig
> > files. This can be a central place to collect these kinds of options
> > going forward. This is initially populated with the memory initialization
> > options from the gcc-plugins.
> >
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> >  scripts/gcc-plugins/Kconfig | 74 +++--------------------------
> >  security/Kconfig            |  2 +
> >  security/Kconfig.hardening  | 93 +++++++++++++++++++++++++++++++++++++
> >  3 files changed, 102 insertions(+), 67 deletions(-)
> >  create mode 100644 security/Kconfig.hardening
> >
> > diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
> > index 74271dba4f94..84d471dea2b7 100644
> > --- a/scripts/gcc-plugins/Kconfig
> > +++ b/scripts/gcc-plugins/Kconfig
> > @@ -13,10 +13,11 @@ config HAVE_GCC_PLUGINS
> >           An arch should select this symbol if it supports building with
> >           GCC plugins.
> >
> > -menuconfig GCC_PLUGINS
> > -       bool "GCC plugins"
> > +config GCC_PLUGINS
> > +       bool
> >         depends on HAVE_GCC_PLUGINS
> >         depends on PLUGIN_HOSTCC != ""
> > +       default y
> >         help
> >           GCC plugins are loadable modules that provide extra features to the
> >           compiler. They are useful for runtime instrumentation and static analysis.
> > @@ -25,6 +26,8 @@ menuconfig GCC_PLUGINS
> >
> >  if GCC_PLUGINS
> >
> > +menu "GCC plugins"
> > +
>
>
>
> Just a tip to save "if" ... "endif" block.
>
>
> If you like, you can write like follows:
>
>
> menu "GCC plugins"
>           depends on GCC_PLUGINS
>
>   <menu body>
>
> endmenu

Ah yes, thanks! Adjusted.

> > +menu "Memory initialization"
> > +
> > +choice
> > +       prompt "Initialize kernel stack variables at function entry"
> > +       depends on GCC_PLUGINS
>
> On second thought,
> this 'depends on' is unnecessary
> because INIT_STACK_NONE should be always visible.

Oh yes, excellent point. Adjusted.

> Another behavior change is
> GCC_PLUGIN_STRUCTLEAK was previously enabled by all{yes,mod}config,
> and in the compile-test coverage.

I could set the defaults based on CONFIG_COMPILE_TEST, though? I.e.:

        prompt "Initialize kernel stack variables at function entry"
        default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
        default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT
        default INIT_STACK_NONE

>
> It will be disabled for all{yes,mod}config with this patch.
>
> This is up to you. Just FYI.

Thanks for looking this over!

-- 
Kees Cook