add boot partition size

hc

2023-12-11 d2ccde1c8e90d38cee87a1b0309ad2827f3fd30d

 kernel/security/Kconfig.hardening
..
..
@@ -22,13 +22,23 @@
22
22
 config CC_HAS_AUTO_VAR_INIT_PATTERN
23
23
 	def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
24
24
 
25
-config CC_HAS_AUTO_VAR_INIT_ZERO
25
+config CC_HAS_AUTO_VAR_INIT_ZERO_BARE
26
+	def_bool $(cc-option,-ftrivial-auto-var-init=zero)
27
+
28
+config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
29
+	# Clang 16 and later warn about using the -enable flag, but it
30
+	# is required before then.
26
31
 	def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang)
32
+	depends on !CC_HAS_AUTO_VAR_INIT_ZERO_BARE
33
+
34
+config CC_HAS_AUTO_VAR_INIT_ZERO
35
+	def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BARE || CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER
27
36
 
28
37
 choice
29
38
 	prompt "Initialize kernel stack variables at function entry"
30
39
 	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
31
40
 	default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
41
+	default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO
32
42
 	default INIT_STACK_NONE
33
43
 	help
34
44
 	  This option enables initialization of stack variables at
..
..
@@ -39,20 +49,50 @@
39
49
 	  syscalls.
40
50
 
41
51
 	  This chooses the level of coverage over classes of potentially
42
-	  uninitialized variables. The selected class will be
52
+	  uninitialized variables. The selected class of variable will be
43
53
 	  initialized before use in a function.
44
54
 
45
55
 	config INIT_STACK_NONE
46
-		bool "no automatic initialization (weakest)"
56
+		bool "no automatic stack variable initialization (weakest)"
47
57
 		help
48
58
 		  Disable automatic stack variable initialization.
49
59
 		  This leaves the kernel vulnerable to the standard
50
60
 		  classes of uninitialized stack variable exploits
51
61
 		  and information exposures.
52
62
 
53
-	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
54
-		bool "zero-init anything passed by reference (very strong)"
63
+	config GCC_PLUGIN_STRUCTLEAK_USER
64
+		bool "zero-init structs marked for userspace (weak)"
55
65
 		depends on GCC_PLUGINS
66
+		select GCC_PLUGIN_STRUCTLEAK
67
+		help
68
+		  Zero-initialize any structures on the stack containing
69
+		  a __user attribute. This can prevent some classes of
70
+		  uninitialized stack variable exploits and information
71
+		  exposures, like CVE-2013-2141:
72
+		  https://git.kernel.org/linus/b9e146d8eb3b9eca
73
+
74
+	config GCC_PLUGIN_STRUCTLEAK_BYREF
75
+		bool "zero-init structs passed by reference (strong)"
76
+		depends on GCC_PLUGINS
77
+		depends on !(KASAN && KASAN_STACK)
78
+		select GCC_PLUGIN_STRUCTLEAK
79
+		help
80
+		  Zero-initialize any structures on the stack that may
81
+		  be passed by reference and had not already been
82
+		  explicitly initialized. This can prevent most classes
83
+		  of uninitialized stack variable exploits and information
84
+		  exposures, like CVE-2017-1000410:
85
+		  https://git.kernel.org/linus/06e7e776ca4d3654
86
+
87
+		  As a side-effect, this keeps a lot of variables on the
88
+		  stack that can otherwise be optimized out, so combining
89
+		  this with CONFIG_KASAN_STACK can lead to a stack overflow
90
+		  and is disallowed.
91
+
92
+	config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
93
+		bool "zero-init everything passed by reference (very strong)"
94
+		depends on GCC_PLUGINS
95
+		depends on !(KASAN && KASAN_STACK)
56
96
 		select GCC_PLUGIN_STRUCTLEAK
57
97
 		help
58
98
 		  Zero-initialize any stack variables that may be passed
..
..
@@ -61,33 +101,44 @@
61
101
 		  of uninitialized stack variable exploits and information
62
102
 		  exposures.
63
103
 
104
+		  As a side-effect, this keeps a lot of variables on the
105
+		  stack that can otherwise be optimized out, so combining
106
+		  this with CONFIG_KASAN_STACK can lead to a stack overflow
107
+		  and is disallowed.
108
+
64
109
 	config INIT_STACK_ALL_PATTERN
65
-		bool "0xAA-init everything on the stack (strongest)"
110
+		bool "pattern-init everything (strongest)"
66
111
 		depends on CC_HAS_AUTO_VAR_INIT_PATTERN
67
112
 		help
68
-		  Initializes everything on the stack with a 0xAA
69
-		  pattern. This is intended to eliminate all classes
70
-		  of uninitialized stack variable exploits and information
71
-		  exposures, even variables that were warned to have been
72
-		  left uninitialized.
113
+		  Initializes everything on the stack (including padding)
114
+		  with a specific debug value. This is intended to eliminate
115
+		  all classes of uninitialized stack variable exploits and
116
+		  information exposures, even variables that were warned about
117
+		  having been left uninitialized.
73
118
 
74
119
 		  Pattern initialization is known to provoke many existing bugs
75
120
 		  related to uninitialized locals, e.g. pointers receive
76
-		  non-NULL values, buffer sizes and indices are very big.
121
+		  non-NULL values, buffer sizes and indices are very big. The
122
+		  pattern is situation-specific; Clang on 64-bit uses 0xAA
123
+		  repeating for all types and padding except float and double
124
+		  which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF
125
+		  repeating for all types and padding.
77
126
 
78
127
 	config INIT_STACK_ALL_ZERO
79
-		bool "zero-init everything on the stack (strongest and safest)"
128
+		bool "zero-init everything (strongest and safest)"
80
129
 		depends on CC_HAS_AUTO_VAR_INIT_ZERO
81
130
 		help
82
-		  Initializes everything on the stack with a zero
83
-		  value. This is intended to eliminate all classes
84
-		  of uninitialized stack variable exploits and information
85
-		  exposures, even variables that were warned to have been
86
-		  left uninitialized.
131
+		  Initializes everything on the stack (including padding)
132
+		  with a zero value. This is intended to eliminate all
133
+		  classes of uninitialized stack variable exploits and
134
+		  information exposures, even variables that were warned
135
+		  about having been left uninitialized.
87
136
 
88
-		  Zero initialization provides safe defaults for strings,
89
-		  pointers, indices and sizes, and is therefore
90
-		  more suitable as a security mitigation measure.
137
+		  Zero initialization provides safe defaults for strings
138
+		  (immediately NUL-terminated), pointers (NULL), indices
139
+		  (index 0), and sizes (0 length), so it is therefore more
140
+		  suitable as a production security mitigation than pattern
141
+		  initialization.
91
142
 
92
143
 endchoice
93
144
 
..
..
@@ -101,6 +152,63 @@
101
152
 	  initialized. Since not all existing initializers are detected
102
153
 	  by the plugin, this can produce false positive warnings.
103
154
 
155
+config GCC_PLUGIN_STACKLEAK
156
+	bool "Poison kernel stack before returning from syscalls"
157
+	depends on GCC_PLUGINS
158
+	depends on HAVE_ARCH_STACKLEAK
159
+	help
160
+	  This option makes the kernel erase the kernel stack before
161
+	  returning from system calls. This has the effect of leaving
162
+	  the stack initialized to the poison value, which both reduces
163
+	  the lifetime of any sensitive stack contents and reduces
164
+	  potential for uninitialized stack variable exploits or information
165
+	  exposures (it does not cover functions reaching the same stack
166
+	  depth as prior functions during the same syscall). This blocks
167
+	  most uninitialized stack variable attacks, with the performance
168
+	  impact being driven by the depth of the stack usage, rather than
169
+	  the function calling complexity.
170
+
171
+	  The performance impact on a single CPU system kernel compilation
172
+	  sees a 1% slowdown, other systems and workloads may vary and you
173
+	  are advised to test this feature on your expected workload before
174
+	  deploying it.
175
+
176
+	  This plugin was ported from grsecurity/PaX. More information at:
177
+	   * https://grsecurity.net/
178
+	   * https://pax.grsecurity.net/
179
+
180
+config STACKLEAK_TRACK_MIN_SIZE
181
+	int "Minimum stack frame size of functions tracked by STACKLEAK"
182
+	default 100
183
+	range 0 4096
184
+	depends on GCC_PLUGIN_STACKLEAK
185
+	help
186
+	  The STACKLEAK gcc plugin instruments the kernel code for tracking
187
+	  the lowest border of the kernel stack (and for some other purposes).
188
+	  It inserts the stackleak_track_stack() call for the functions with
189
+	  a stack frame size greater than or equal to this parameter.
190
+	  If unsure, leave the default value 100.
191
+
192
+config STACKLEAK_METRICS
193
+	bool "Show STACKLEAK metrics in the /proc file system"
194
+	depends on GCC_PLUGIN_STACKLEAK
195
+	depends on PROC_FS
196
+	help
197
+	  If this is set, STACKLEAK metrics for every task are available in
198
+	  the /proc file system. In particular, /proc/<pid>/stack_depth
199
+	  shows the maximum kernel stack consumption for the current and
200
+	  previous syscalls. Although this information is not precise, it
201
+	  can be useful for estimating the STACKLEAK performance impact for
202
+	  your workloads.
203
+
204
+config STACKLEAK_RUNTIME_DISABLE
205
+	bool "Allow runtime disabling of kernel stack erasing"
206
+	depends on GCC_PLUGIN_STACKLEAK
207
+	help
208
+	  This option provides 'stack_erasing' sysctl, which can be used in
209
+	  runtime to control kernel stack erasing for kernels built with
210
+	  CONFIG_GCC_PLUGIN_STACKLEAK.
211
+
104
212
 config INIT_ON_ALLOC_DEFAULT_ON
105
213
 	bool "Enable heap memory zeroing on allocation by default"
106
214
 	help