Changes in Kconfig

595b893e - randstruct: Reorganize Kconfigs and attribute macros

Tue, 03 May 2022 20:55:00 +0000

randstruct: Reorganize Kconfigs and attribute macrosIn preparation for Clang supporting randstruct, reorganize the Kconfigs,move the attribute macros, and generalize the feature to be namedCONFIG_RANDSTRUCT for on/off, CONFIG_RANDSTRUCT_FULL for the fullrandomization mode, and CONFIG_RANDSTRUCT_PERFORMANCE for the cache-linesized mode.Cc: linux-hardening@vger.kernel.orgSigned-off-by: Kees Cook Link: https://lore.kernel.org/r/20220503205503.3054173-4-keescook@chromium.org List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

b4d89579 - gcc-plugins: Remove cyc_complexity

Wed, 20 Oct 2021 17:35:54 +0000

gcc-plugins: Remove cyc_complexityThis plugin has no impact on the resulting binary, is disabledunder COMPILE_TEST, and is not enabled on any builds I'm aware of.Additionally, given the clarified purpose of GCC plugins in the kernel,remove cyc_complexity.Cc: Masahiro Yamada Cc: Michal Marek Cc: Nick Desaulniers Cc: Jonathan Corbet Cc: linux-hardening@vger.kernel.orgCc: linux-kbuild@vger.kernel.orgCc: linux-doc@vger.kernel.orgSigned-off-by: Kees Cook Reviewed-by: Miguel Ojeda Reviewed-by: Nathan Chancellor Acked-by: Nick Desaulniers Acked-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20211020173554.38122-3-keescook@chromium.org List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

8bd51a2b - gcc-plugins: Explicitly document purpose and deprecation schedule

Wed, 20 Oct 2021 17:35:53 +0000

gcc-plugins: Explicitly document purpose and deprecation scheduleGCC plugins should only exist when some compiler feature needs to beproven but does not exist in either GCC nor Clang. For example, if adesired feature is already in Clang, it should be added to GCC upstream.Document this explicitly.Additionally, mark the plugins with matching upstream GCC features asremovable past their respective GCC versions.Cc: Masahiro Yamada Cc: Michal Marek Cc: Nick Desaulniers Cc: Jonathan Corbet Cc: James Morris Cc: "Serge E. Hallyn" Cc: Nathan Chancellor Cc: linux-hardening@vger.kernel.orgCc: linux-kbuild@vger.kernel.orgCc: linux-doc@vger.kernel.orgCc: linux-security-module@vger.kernel.orgCc: llvm@lists.linux.devSigned-off-by: Kees Cook Reviewed-by: Nathan Chancellor Reviewed-by: Miguel Ojeda Acked-by: Nick Desaulniers Acked-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20211020173554.38122-2-keescook@chromium.org List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

1e860048 - gcc-plugins: simplify GCC plugin-dev capability test

Thu, 03 Dec 2020 12:57:00 +0000

gcc-plugins: simplify GCC plugin-dev capability testLinus pointed out a third of the time in the Kconfig parse stage comesfrom the single invocation of cc1plus in scripts/gcc-plugin.sh [1],and directly testing plugin-version.h for existence cuts down theoverhead a lot. [2]This commit takes one step further to kill the build test entirely.The small piece of code was probably intended to test the C++ designatedinitializer, which was not supported until C++20.In fact, with -pedantic option given, both GCC and Clang emit a warning.$ echo 'class test { public: int test; } test = { .test = 1 };' | g++ -x c++ -pedantic - -fsyntax-only:1:43: warning: C++ designated initializers only available with '-std=c++2a' or '-std=gnu++2a' [-Wpedantic]$ echo 'class test { public: int test; } test = { .test = 1 };' | clang++ -x c++ -pedantic - -fsyntax-only:1:43: warning: designated initializers are a C++20 extension [-Wc++20-designator]class test { public: int test; } test = { .test = 1 }; ^1 warning generated.Otherwise, modern C++ compilers should be able to build the code, andhopefully skipping this test should not make any practical problem.Checking the existence of plugin-version.h is still needed to ensurethe plugin-dev package is installed. The test code is now small enoughto be embedded in scripts/gcc-plugins/Kconfig.[1] https://lore.kernel.org/lkml/CAHk-=wjU4DCuwQ4pXshRbwDCUQB31ScaeuDo1tjoZ0_PjhLHzQ@mail.gmail.com/[2] https://lore.kernel.org/lkml/CAHk-=whK0aQxs6Q5ijJmYF1n2ch8cVFSUzU5yUM_HOjig=+vnw@mail.gmail.com/Reported-by: Linus Torvalds Signed-off-by: Masahiro Yamada Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20201203125700.161354-1-masahiroy@kernel.org List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

6975031a - gcc-plugins: fix gcc-plugins directory path in documentation

Thu, 13 Feb 2020 12:24:10 +0000

gcc-plugins: fix gcc-plugins directory path in documentationFix typos "plgins" -> "plugins".Signed-off-by: Masahiro Yamada Acked-by: Kees Cook List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

5429ef62 - compiler/gcc: Raise minimum GCC version for kernel builds to 4.8

Wed, 22 Jan 2020 19:38:21 +0000

compiler/gcc: Raise minimum GCC version for kernel builds to 4.8It is very rare to see versions of GCC prior to 4.8 being used to buildthe mainline kernel. These old compilers are also know to have codegenissues which can lead to silent miscompilation:https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145Raise the minimum GCC version for kernel build to 4.8 and remove sometautological Kconfig dependencies as a consequence.Cc: Masahiro Yamada Acked-by: Arnd Bergmann Reviewed-by: Nick Desaulniers Signed-off-by: Will Deacon List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

77342a02 - gcc-plugins: drop support for GCC <= 4.7

Sun, 29 Mar 2020 11:08:32 +0000

gcc-plugins: drop support for GCC <= 4.7Nobody was opposed to raising minimum GCC version to 4.8 [1]So, we will drop GCC <= 4.7 support sooner or later.We always use C++ compiler for building plugins for GCC >= 4.8.This commit drops the plugin support for GCC <= 4.7 a bit earlier,which allows us to dump lots of code.[1] https://lkml.org/lkml/2020/1/23/545Signed-off-by: Masahiro Yamada Acked-by: Kees Cook List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

2b4cbd5c - docs: move gcc-plugins to the kbuild manual

Mon, 02 Mar 2020 22:24:04 +0000

docs: move gcc-plugins to the kbuild manualInformation about GCC plugins is relevant to kernel building, so move thisdocument to the kbuild manual.Acked-by: Masahiro Yamada Signed-off-by: Jonathan Corbet List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

a5b0dc5a - gcc-plugins: make it possible to disable CONFIG_GCC_PLUGINS again

Wed, 11 Dec 2019 13:39:28 +0000

gcc-plugins: make it possible to disable CONFIG_GCC_PLUGINS againI noticed that randconfig builds with gcc no longer produce a lot ofccache hits, unlike with clang, and traced this back to pluginsnow being enabled unconditionally if they are supported.I am now working around this by adding export CCACHE_COMPILERCHECK=/usr/bin/size -A %compiler%to my top-level Makefile. This changes the heuristic that ccache usesto determine whether the plugins are the same after a 'make clean'.However, it also seems that being able to just turn off the plugins isgenerally useful, at least for build testing it adds noticeable overheadbut does not find a lot of bugs additional bugs, and may be easier forccache users than my workaround.Fixes: 9f671e58159a ("security: Create "kernel hardening" config area")Signed-off-by: Arnd Bergmann Acked-by: Ard Biesheuvel Reviewed-by: Masahiro Yamada Link: https://lore.kernel.org/r/20191211133951.401933-1-arnd@arndb.deCc: stable@vger.kernel.orgSigned-off-by: Kees Cook List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

d5ccd65a - docs: move gcc_plugins.txt to core-api and rename to .rst

Fri, 19 Apr 2019 22:01:18 +0000

docs: move gcc_plugins.txt to core-api and rename to .rstThe gcc_plugins.txt file is already a ReST file. Move itto the core-api book while renaming it.Signed-off-by: Mauro Carvalho Chehab Acked-by: Kees Cook List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

ec8f24b7 - treewide: Add SPDX license identifier - Makefile/Kconfig

Sun, 19 May 2019 12:07:45 +0000

treewide: Add SPDX license identifier - Makefile/KconfigAdd SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any formThese files fall under the project license, GPL v2 only. The resulting SPDXlicense identifier is: GPL-2.0-onlySigned-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

b6a6a377 - security: Move stackleak config to Kconfig.hardening

Wed, 10 Apr 2019 16:04:40 +0000

security: Move stackleak config to Kconfig.hardeningThis moves the stackleak plugin options to Kconfig.hardening's memoryinitialization menu.Signed-off-by: Kees Cook Reviewed-by: Alexander Popov Acked-by: Masahiro Yamada List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

9f671e58 - security: Create "kernel hardening" config area

Wed, 10 Apr 2019 15:23:44 +0000

security: Create "kernel hardening" config areaRight now kernel hardening options are scattered around various Kconfigfiles. This can be a central place to collect these kinds of optionsgoing forward. This is initially populated with the memory initializationoptions from the gcc-plugins.Signed-off-by: Kees Cook Acked-by: Masahiro Yamada List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

7771bdbb - kasan: remove use after scope bugs detection.

Tue, 05 Mar 2019 23:41:20 +0000

kasan: remove use after scope bugs detection.Use after scope bugs detector seems to be almost entirely useless forthe linux kernel. It exists over two years, but I've seen only onevalid bug so far [1]. And the bug was fixed before it has beenreported. There were some other use-after-scope reports, but they werefalse-positives due to different reasons like incompatibility withstructleak plugin.This feature significantly increases stack usage, especially with GCC <9 version, and causes a 32K stack overflow. It probably addsperformance penalty too.Given all that, let's remove use-after-scope detector entirely.While preparing this patch I've noticed that we mistakenly enableuse-after-scope detection for clang compiler regardless ofCONFIG_KASAN_EXTRA setting. This is also fixed now.[1] http://lkml.kernel.org/r/<20171129052106.rhgbjhhis53hkgfn@wfg-t540p.sh.intel.com>Link: http://lkml.kernel.org/r/20190111185842.13978-1-aryabinin@virtuozzo.comSigned-off-by: Andrey Ryabinin Acked-by: Will Deacon [arm64]Cc: Qian Cai Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Catalin Marinas Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

81a56f6d - gcc-plugins: structleak: Generalize to all variable types

Wed, 23 Jan 2019 23:19:29 +0000

gcc-plugins: structleak: Generalize to all variable typesThis adjusts structleak to also work with non-struct types when theyare passed by reference, since those variables may leak just likeanything else. This is exposed via an improved set of Kconfig options.(This does mean structleak is slightly misnamed now.)Building with CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL should give thekernel complete initialization coverage of all stack variables passedby reference, including padding (see lib/test_stackinit.c).Using CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE to count added initializationsunder defconfig: ..._BYREF: 5945 added initializations ..._BYREF_ALL: 16606 added initializationsThere is virtually no change to text+data size (both have less than 0.05%growth): text data bss dec hex filename19502103 5051456 1917000 26470559 193e89f vmlinux.stock19513412 5051456 1908808 26473676 193f4cc vmlinux.byref19516974 5047360 1900616 26464950 193d2b6 vmlinux.byref_allThe measured performance difference is in the noise for hackbench andkernel build benchmarks:Stock: 5x hackbench -g 20 -l 1000 Mean: 10.649s Std Dev: 0.339 5x kernel build (4-way parallel) Mean: 261.98s Std Dev: 1.53CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF: 5x hackbench -g 20 -l 1000 Mean: 10.540s Std Dev: 0.233 5x kernel build (4-way parallel) Mean: 260.52s Std Dev: 1.31CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL: 5x hackbench -g 20 -l 1000 Mean: 10.320 Std Dev: 0.413 5x kernel build (4-way parallel) Mean: 260.10 Std Dev: 0.86This does not yet solve missing padding initialization for structureson the stack that are never passed by reference (which should be a tinyminority). Hopefully this will be more easily addressed by upstreamcompiler fixes after clarifying the C11 padding initializationspecification.Signed-off-by: Kees Cook Reviewed-by: Ard Biesheuvel List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

189af465 - ARM: smp: add support for per-task stack canaries

Thu, 06 Dec 2018 08:32:57 +0000

ARM: smp: add support for per-task stack canariesOn ARM, we currently only change the value of the stack canary whenswitching tasks if the kernel was built for UP. On SMP kernels, thisis impossible since the stack canary value is obtained via a globalsymbol reference, which meansa) all running tasks on all CPUs must use the same valueb) we can only modify the value when no kernel stack frames are live on any CPU, which is effectively never.So instead, use a GCC plugin to add a RTL pass that replaces eachreference to the address of the __stack_chk_guard symbol with anexpression that produces the address of the 'stack_canary' fieldthat is added to struct thread_info. This way, each task will useits own randomized value.Cc: Russell King Cc: Kees Cook Cc: Emese Revfy Cc: Arnd Bergmann Cc: Laura Abbott Cc: kernel-hardening@lists.openwall.comAcked-by: Nicolas Pitre Signed-off-by: Ard Biesheuvel Signed-off-by: Kees Cook List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

964c9dff - stackleak: Allow runtime disabling of kernel stack erasing

Thu, 16 Aug 2018 22:17:03 +0000

stackleak: Allow runtime disabling of kernel stack erasingIntroduce CONFIG_STACKLEAK_RUNTIME_DISABLE option, which provides'stack_erasing' sysctl. It can be used in runtime to control kernelstack erasing for kernels built with CONFIG_GCC_PLUGIN_STACKLEAK.Suggested-by: Ingo Molnar Signed-off-by: Alexander Popov Tested-by: Laura Abbott Signed-off-by: Kees Cook List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

c8d12627 - fs/proc: Show STACKLEAK metrics in the /proc file system

Thu, 16 Aug 2018 22:17:01 +0000

fs/proc: Show STACKLEAK metrics in the /proc file systemIntroduce CONFIG_STACKLEAK_METRICS providing STACKLEAK information abouttasks via the /proc file system. In particular, /proc//stack_depthshows the maximum kernel stack consumption for the current and previoussyscalls. Although this information is not precise, it can be useful forestimating the STACKLEAK performance impact for your workloads.Suggested-by: Ingo Molnar Signed-off-by: Alexander Popov Tested-by: Laura Abbott Signed-off-by: Kees Cook List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

10e9ae9f - gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack

Thu, 16 Aug 2018 22:16:59 +0000

gcc-plugins: Add STACKLEAK plugin for tracking the kernel stackThe STACKLEAK feature erases the kernel stack before returning fromsyscalls. That reduces the information which kernel stack leak bugs canreveal and blocks some uninitialized stack variable attacks.This commit introduces the STACKLEAK gcc plugin. It is needed fortracking the lowest border of the kernel stack, which is importantfor the code erasing the used part of the kernel stack at the endof syscalls (comes in a separate commit).The STACKLEAK feature is ported from grsecurity/PaX. More information at: https://grsecurity.net/ https://pax.grsecurity.net/This code is modified from Brad Spengler/PaX Team's code in the lastpublic patch of grsecurity/PaX based on our understanding of the code.Changes or omissions from the original code are ours and don't reflectthe original grsecurity/PaX code.Signed-off-by: Alexander Popov Tested-by: Laura Abbott Signed-off-by: Kees Cook List of files: /linux-6.15/scripts/gcc-plugins/Kconfig

afaef01c - x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls

Thu, 16 Aug 2018 22:16:58 +0000

x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscallsThe STACKLEAK feature (initially developed by PaX Team) has the followingbenefits:1. Reduces the information that can be revealed through kernel stack leak bugs. The idea of erasing the thread stack at the end of syscalls is similar to CONFIG_PAGE_POISONING and memzero_explicit() in kernel crypto, which all comply with FDP_RIP.2 (Full Residual Information Protection) of the Common Criteria standard.2. Blocks some uninitialized stack variable attacks (e.g. CVE-2017-17712, CVE-2010-2963). That kind of bugs should be killed by improving C compilers in future, which might take a long time.This commit introduces the code filling the used part of the kernelstack with a poison value before returning to userspace. FullSTACKLEAK feature also contains the gcc plugin which comes in aseparate commit.The STACKLEAK feature is ported from grsecurity/PaX. More information at: https://grsecurity.net/ https://pax.grsecurity.net/This code is modified from Brad Spengler/PaX Team's code in the lastpublic patch of grsecurity/PaX based on our understanding of the code.Changes or omissions from the original code are ours and don't reflectthe original grsecurity/PaX code.Performance impact:Hardware: Intel Core i7-4770, 16 GB RAMTest #1: building the Linux kernel on a single core 0.91% slowdownTest #2: hackbench -s 4096 -l 2000 -g 15 -f 25 -P 4.2% slowdownSo the STACKLEAK description in Kconfig includes: "The tradeoff is theperformance impact: on a single CPU system kernel compilation sees a 1%slowdown, other systems and workloads may vary and you are advised totest this feature on your expected workload before deploying it".Signed-off-by: Alexander Popov Acked-by: Thomas Gleixner Reviewed-by: Dave Hansen Acked-by: Ingo Molnar Signed-off-by: Kees Cook List of files: /linux-6.15/scripts/gcc-plugins/Kconfig