1preferred-plugin-hostcc := $(if-success,[ $(gcc-version) -ge 40800 ],$(HOSTCXX),$(HOSTCC)) 2 3config PLUGIN_HOSTCC 4 string 5 default "$(shell,$(srctree)/scripts/gcc-plugin.sh "$(preferred-plugin-hostcc)" "$(HOSTCXX)" "$(CC)")" if CC_IS_GCC 6 help 7 Host compiler used to build GCC plugins. This can be $(HOSTCXX), 8 $(HOSTCC), or a null string if GCC plugin is unsupported. 9 10config HAVE_GCC_PLUGINS 11 bool 12 help 13 An arch should select this symbol if it supports building with 14 GCC plugins. 15 16config GCC_PLUGINS 17 bool 18 depends on HAVE_GCC_PLUGINS 19 depends on PLUGIN_HOSTCC != "" 20 default y 21 help 22 GCC plugins are loadable modules that provide extra features to the 23 compiler. They are useful for runtime instrumentation and static analysis. 24 25 See Documentation/gcc-plugins.txt for details. 26 27menu "GCC plugins" 28 depends on GCC_PLUGINS 29 30config GCC_PLUGIN_CYC_COMPLEXITY 31 bool "Compute the cyclomatic complexity of a function" if EXPERT 32 depends on !COMPILE_TEST # too noisy 33 help 34 The complexity M of a function's control flow graph is defined as: 35 M = E - N + 2P 36 where 37 38 E = the number of edges 39 N = the number of nodes 40 P = the number of connected components (exit nodes). 41 42 Enabling this plugin reports the complexity to stderr during the 43 build. It mainly serves as a simple example of how to create a 44 gcc plugin for the kernel. 45 46config GCC_PLUGIN_SANCOV 47 bool 48 help 49 This plugin inserts a __sanitizer_cov_trace_pc() call at the start of 50 basic blocks. It supports all gcc versions with plugin support (from 51 gcc-4.5 on). It is based on the commit "Add fuzzing coverage support" 52 by Dmitry Vyukov <[email protected]>. 53 54config GCC_PLUGIN_LATENT_ENTROPY 55 bool "Generate some entropy during boot and runtime" 56 help 57 By saying Y here the kernel will instrument some kernel code to 58 extract some entropy from both original and artificially created 59 program state. This will help especially embedded systems where 60 there is little 'natural' source of entropy normally. The cost 61 is some slowdown of the boot process (about 0.5%) and fork and 62 irq processing. 63 64 Note that entropy extracted this way is not cryptographically 65 secure! 66 67 This plugin was ported from grsecurity/PaX. More information at: 68 * https://grsecurity.net/ 69 * https://pax.grsecurity.net/ 70 71config GCC_PLUGIN_RANDSTRUCT 72 bool "Randomize layout of sensitive kernel structures" 73 select MODVERSIONS if MODULES 74 help 75 If you say Y here, the layouts of structures that are entirely 76 function pointers (and have not been manually annotated with 77 __no_randomize_layout), or structures that have been explicitly 78 marked with __randomize_layout, will be randomized at compile-time. 79 This can introduce the requirement of an additional information 80 exposure vulnerability for exploits targeting these structure 81 types. 82 83 Enabling this feature will introduce some performance impact, 84 slightly increase memory usage, and prevent the use of forensic 85 tools like Volatility against the system (unless the kernel 86 source tree isn't cleaned after kernel installation). 87 88 The seed used for compilation is located at 89 scripts/gcc-plgins/randomize_layout_seed.h. It remains after 90 a make clean to allow for external modules to be compiled with 91 the existing seed and will be removed by a make mrproper or 92 make distclean. 93 94 Note that the implementation requires gcc 4.7 or newer. 95 96 This plugin was ported from grsecurity/PaX. More information at: 97 * https://grsecurity.net/ 98 * https://pax.grsecurity.net/ 99 100config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE 101 bool "Use cacheline-aware structure randomization" 102 depends on GCC_PLUGIN_RANDSTRUCT 103 depends on !COMPILE_TEST # do not reduce test coverage 104 help 105 If you say Y here, the RANDSTRUCT randomization will make a 106 best effort at restricting randomization to cacheline-sized 107 groups of elements. It will further not randomize bitfields 108 in structures. This reduces the performance hit of RANDSTRUCT 109 at the cost of weakened randomization. 110 111config GCC_PLUGIN_STACKLEAK 112 bool "Erase the kernel stack before returning from syscalls" 113 depends on GCC_PLUGINS 114 depends on HAVE_ARCH_STACKLEAK 115 help 116 This option makes the kernel erase the kernel stack before 117 returning from system calls. That reduces the information which 118 kernel stack leak bugs can reveal and blocks some uninitialized 119 stack variable attacks. 120 121 The tradeoff is the performance impact: on a single CPU system kernel 122 compilation sees a 1% slowdown, other systems and workloads may vary 123 and you are advised to test this feature on your expected workload 124 before deploying it. 125 126 This plugin was ported from grsecurity/PaX. More information at: 127 * https://grsecurity.net/ 128 * https://pax.grsecurity.net/ 129 130config STACKLEAK_TRACK_MIN_SIZE 131 int "Minimum stack frame size of functions tracked by STACKLEAK" 132 default 100 133 range 0 4096 134 depends on GCC_PLUGIN_STACKLEAK 135 help 136 The STACKLEAK gcc plugin instruments the kernel code for tracking 137 the lowest border of the kernel stack (and for some other purposes). 138 It inserts the stackleak_track_stack() call for the functions with 139 a stack frame size greater than or equal to this parameter. 140 If unsure, leave the default value 100. 141 142config STACKLEAK_METRICS 143 bool "Show STACKLEAK metrics in the /proc file system" 144 depends on GCC_PLUGIN_STACKLEAK 145 depends on PROC_FS 146 help 147 If this is set, STACKLEAK metrics for every task are available in 148 the /proc file system. In particular, /proc/<pid>/stack_depth 149 shows the maximum kernel stack consumption for the current and 150 previous syscalls. Although this information is not precise, it 151 can be useful for estimating the STACKLEAK performance impact for 152 your workloads. 153 154config STACKLEAK_RUNTIME_DISABLE 155 bool "Allow runtime disabling of kernel stack erasing" 156 depends on GCC_PLUGIN_STACKLEAK 157 help 158 This option provides 'stack_erasing' sysctl, which can be used in 159 runtime to control kernel stack erasing for kernels built with 160 CONFIG_GCC_PLUGIN_STACKLEAK. 161 162config GCC_PLUGIN_ARM_SSP_PER_TASK 163 bool 164 depends on GCC_PLUGINS && ARM 165 166endmenu 167