From d2ccde1c8e90d38cee87a1b0309ad2827f3fd30d Mon Sep 17 00:00:00 2001 From: hc <hc@nodka.com> Date: Mon, 11 Dec 2023 02:45:28 +0000 Subject: [PATCH] add boot partition size --- kernel/arch/Kconfig | 483 +++++++++++++++++++++++++++++++++++++---------------- 1 files changed, 336 insertions(+), 147 deletions(-) diff --git a/kernel/arch/Kconfig b/kernel/arch/Kconfig index 8e0c3bb..3d427a6 100644 --- a/kernel/arch/Kconfig +++ b/kernel/arch/Kconfig @@ -18,16 +18,26 @@ select CRASH_CORE bool +config KEXEC_ELF + bool + config HAVE_IMA_KEXEC + bool + +config SET_FS bool config HOTPLUG_SMT bool +config GENERIC_ENTRY + bool + config OPROFILE tristate "OProfile system profiling" depends on PROFILING depends on HAVE_OPROFILE + depends on !PREEMPT_RT select RING_BUFFER select RING_BUFFER_ALLOW_SWAP help @@ -69,11 +79,11 @@ If in doubt, say "N". config JUMP_LABEL - bool "Optimize very unlikely/likely branches" - depends on HAVE_ARCH_JUMP_LABEL - depends on CC_HAS_ASM_GOTO - help - This option enables a transparent branch optimization that + bool "Optimize very unlikely/likely branches" + depends on HAVE_ARCH_JUMP_LABEL + depends on CC_HAS_ASM_GOTO + help + This option enables a transparent branch optimization that makes certain almost-always-true or almost-always-false branch conditions even cheaper to execute within the kernel. @@ -81,7 +91,7 @@ scheduler functionality, networking code and KVM have such branches and include support for this optimization technique. - If it is detected that the compiler has support for "asm goto", + If it is detected that the compiler has support for "asm goto", the kernel will compile such branches with just a nop instruction. When the condition flag is toggled to true, the nop will be converted to a jump instruction to execute the @@ -100,10 +110,16 @@ help Boot time self-test of the branch patching code. +config STATIC_CALL_SELFTEST + bool "Static call selftest" + depends on HAVE_STATIC_CALL + help + Boot time self-test of the call patching code. + config OPTPROBES def_bool y depends on KPROBES && HAVE_OPTPROBES - select TASKS_RCU if PREEMPT + select TASKS_RCU if PREEMPTION config KPROBES_ON_FTRACE def_bool y @@ -160,12 +176,12 @@ problems with received packets if doing so would not help much. - See Documentation/unaligned-memory-access.txt for more + See Documentation/core-api/unaligned-memory-access.rst for more information on the topic of unaligned memory accesses. config ARCH_USE_BUILTIN_BSWAP - bool - help + bool + help Modern versions of GCC (since 4.4) have builtin functions for handling byte-swapping. Using these, instead of the old inline assembler that the architecture code provides in the @@ -234,10 +250,10 @@ bool config GENERIC_SMP_IDLE_THREAD - bool + bool config GENERIC_IDLE_POLL_SETUP - bool + bool config ARCH_HAS_FORTIFY_SOURCE bool @@ -245,13 +261,39 @@ An architecture should select this when it can successfully build and run with CONFIG_FORTIFY_SOURCE. +# +# Select if the arch provides a historic keepinit alias for the retain_initrd +# command line option +# +config ARCH_HAS_KEEPINITRD + bool + # Select if arch has all set_memory_ro/rw/x/nx() functions in asm/cacheflush.h config ARCH_HAS_SET_MEMORY bool +# Select if arch has all set_direct_map_invalid/default() functions +config ARCH_HAS_SET_DIRECT_MAP + bool + +# +# Select if the architecture provides the arch_dma_set_uncached symbol to +# either provide an uncached segement alias for a DMA allocation, or +# to remap the page tables in place. +# +config ARCH_HAS_DMA_SET_UNCACHED + bool + +# +# Select if the architectures provides the arch_dma_clear_uncached symbol +# to undo an in-place page table remap for uncached access. +# +config ARCH_HAS_DMA_CLEAR_UNCACHED + bool + # Select if arch init_task must go in the __init_task_data section config ARCH_TASK_STRUCT_ON_STACK - bool + bool # Select if arch has its private alloc_task_struct() function config ARCH_TASK_STRUCT_ALLOCATOR @@ -276,6 +318,23 @@ config ARCH_WANTS_DYNAMIC_TASK_STRUCT bool +config ARCH_32BIT_OFF_T + bool + depends on !64BIT + help + All new 32-bit architectures should have 64-bit off_t type on + userspace side which corresponds to the loff_t kernel type. This + is the requirement for modern ABIs. Some existing architectures + still support 32-bit off_t. This option is enabled for all such + architectures explicitly. + +config HAVE_ASM_MODVERSIONS + bool + help + This symbol should be selected by an architecure if it provides + <asm/asm-prototypes.h> to support the module versioning for symbols + exported from assembly code. + config HAVE_REGS_AND_STACK_ACCESS_API bool help @@ -291,11 +350,12 @@ This symbol should be selected by an architecture if it supports an implementation of restartable sequences. -config HAVE_CLK +config HAVE_FUNCTION_ARG_ACCESS_API bool help - The <linux/clk.h> calls support software clock gating and - thus are a key power management tool on many systems. + This symbol should be selected by an architecure if it supports + the API needed to access function arguments from pt_regs, + declared in asm/ptrace.h config HAVE_HW_BREAKPOINT bool @@ -360,11 +420,25 @@ config HAVE_ARCH_JUMP_LABEL bool -config HAVE_RCU_TABLE_FREE +config HAVE_ARCH_JUMP_LABEL_RELATIVE bool -config HAVE_RCU_TABLE_INVALIDATE +config MMU_GATHER_TABLE_FREE bool + +config MMU_GATHER_RCU_TABLE_FREE + bool + select MMU_GATHER_TABLE_FREE + +config MMU_GATHER_PAGE_SIZE + bool + +config MMU_GATHER_NO_RANGE + bool + +config MMU_GATHER_NO_GATHER + bool + depends on MMU_GATHER_TABLE_FREE config ARCH_WANT_IRQS_OFF_ACTIVATE_MM bool @@ -403,10 +477,23 @@ select ARCH_WANT_COMPAT_IPC_PARSE_VERSION bool -config HAVE_ARCH_SECCOMP_FILTER +config HAVE_ARCH_SECCOMP bool help + An arch should select this symbol to support seccomp mode 1 (the fixed + syscall policy), and must provide an overrides for __NR_seccomp_sigreturn, + and compat syscalls if the asm-generic/seccomp.h defaults need adjustment: + - __NR_seccomp_read_32 + - __NR_seccomp_write_32 + - __NR_seccomp_exit_32 + - __NR_seccomp_sigreturn_32 + +config HAVE_ARCH_SECCOMP_FILTER + bool + select HAVE_ARCH_SECCOMP + help An arch should select this symbol if it provides all of these things: + - all the requirements for HAVE_ARCH_SECCOMP - syscall_get_arch() - syscall_get_arguments() - syscall_rollback() @@ -416,6 +503,23 @@ - secure_computing return value is checked and a return value of -1 results in the system call being skipped immediately. - seccomp syscall wired up + +config SECCOMP + prompt "Enable seccomp to safely execute untrusted bytecode" + def_bool y + depends on HAVE_ARCH_SECCOMP + help + This kernel feature is useful for number crunching applications + that may need to handle untrusted bytecode during their + execution. By using pipes or other transports made available + to the process as file descriptors supporting the read/write + syscalls, it's possible to isolate those applications in their + own address space using seccomp. Once seccomp is enabled via + prctl(PR_SET_SECCOMP) or the seccomp() syscall, it cannot be + disabled and the task is only allowed to execute a few safe + syscalls defined by each seccomp mode. + + If unsure, say Y. config SECCOMP_FILTER def_bool y @@ -427,14 +531,18 @@ See Documentation/userspace-api/seccomp_filter.rst for details. +config HAVE_ARCH_STACKLEAK + bool + help + An architecture should select this if it has the code which + fills the used part of the kernel stack with the STACKLEAK_POISON + value before returning from system calls. + config HAVE_STACKPROTECTOR bool help An arch should select this symbol if: - it has implemented a stack canary (e.g. __stack_chk_guard) - -config CC_HAS_STACKPROTECTOR_NONE - def_bool $(cc-option,-fno-stack-protector) config STACKPROTECTOR bool "Stack Protector buffer overflow detection" @@ -482,117 +590,143 @@ about 20% of all kernel functions, which increases the kernel code size by about 2%. +config ARCH_SUPPORTS_SHADOW_CALL_STACK + bool + help + An architecture should select this if it supports Clang's Shadow + Call Stack and implements runtime support for shadow stack + switching. + +config SHADOW_CALL_STACK + bool "Clang Shadow Call Stack" + depends on CC_IS_CLANG && ARCH_SUPPORTS_SHADOW_CALL_STACK + depends on DYNAMIC_FTRACE_WITH_REGS || !FUNCTION_GRAPH_TRACER + help + This option enables Clang's Shadow Call Stack, which uses a + shadow stack to protect function return addresses from being + overwritten by an attacker. More information can be found in + Clang's documentation: + + https://clang.llvm.org/docs/ShadowCallStack.html + + Note that security guarantees in the kernel differ from the + ones documented for user space. The kernel must store addresses + of shadow stacks in memory, which means an attacker capable of + reading and writing arbitrary memory may be able to locate them + and hijack control flow by modifying the stacks. + config LTO - def_bool n + bool + help + Selected if the kernel will be built using the compiler's LTO feature. + +config LTO_CLANG + bool + select LTO + help + Selected if the kernel will be built using Clang's LTO feature. config ARCH_SUPPORTS_LTO_CLANG bool help An architecture should select this option if it supports: - - compiling with clang, - - compiling inline assembly with clang's integrated assembler, + - compiling with Clang, + - compiling inline assembly with Clang's integrated assembler, - and linking with LLD. -config ARCH_SUPPORTS_THINLTO +config ARCH_SUPPORTS_LTO_CLANG_THIN bool help - An architecture should select this if it supports clang's ThinLTO. + An architecture should select this option if it can support Clang's + ThinLTO mode. -config THINLTO - bool "Use clang ThinLTO (EXPERIMENTAL)" - depends on LTO_CLANG && ARCH_SUPPORTS_THINLTO - default y +config HAS_LTO_CLANG + def_bool y + # Clang >= 11: https://github.com/ClangBuiltLinux/linux/issues/510 + depends on CC_IS_CLANG && CLANG_VERSION >= 110000 && LD_IS_LLD + depends on $(success,test $(LLVM) -eq 1) + depends on $(success,test $(LLVM_IAS) -eq 1) + depends on $(success,$(NM) --help | head -n 1 | grep -qi llvm) + depends on $(success,$(AR) --help | head -n 1 | grep -qi llvm) + depends on ARCH_SUPPORTS_LTO_CLANG + depends on !FTRACE_MCOUNT_USE_RECORDMCOUNT + depends on !KASAN || KASAN_HW_TAGS + depends on !GCOV_KERNEL help - Use ThinLTO to speed up Link Time Optimization. + The compiler and Kconfig options support building with Clang's + LTO. choice - prompt "Link-Time Optimization (LTO) (EXPERIMENTAL)" + prompt "Link Time Optimization (LTO)" default LTO_NONE help - This option turns on Link-Time Optimization (LTO). + This option enables Link Time Optimization (LTO), which allows the + compiler to optimize binaries globally. + + If unsure, select LTO_NONE. Note that LTO is very resource-intensive + so it's disabled by default. config LTO_NONE bool "None" - -config LTO_CLANG - bool "Use clang Link Time Optimization (LTO) (EXPERIMENTAL)" - depends on ARCH_SUPPORTS_LTO_CLANG - depends on !FTRACE_MCOUNT_RECORD || HAVE_C_RECORDMCOUNT - depends on !KASAN - depends on CC_IS_CLANG && LD_IS_LLD - select LTO help - This option enables clang's Link Time Optimization (LTO), which allows - the compiler to optimize the kernel globally at link time. If you - enable this option, the compiler generates LLVM IR instead of object - files, and the actual compilation from IR occurs at the LTO link step, - which may take several minutes. + Build the kernel normally, without Link Time Optimization (LTO). - If you select this option, you must compile the kernel with clang and - LLD. +config LTO_CLANG_FULL + bool "Clang Full LTO (EXPERIMENTAL)" + depends on HAS_LTO_CLANG + depends on !COMPILE_TEST + select LTO_CLANG + help + This option enables Clang's full Link Time Optimization (LTO), which + allows the compiler to optimize the kernel globally. If you enable + this option, the compiler generates LLVM bitcode instead of ELF + object files, and the actual compilation from bitcode happens at + the LTO link step, which may take several minutes depending on the + kernel configuration. More information can be found from LLVM's + documentation: + https://llvm.org/docs/LinkTimeOptimization.html + + During link time, this option can use a large amount of RAM, and + may take much longer than the ThinLTO option. + +config LTO_CLANG_THIN + bool "Clang ThinLTO (EXPERIMENTAL)" + depends on HAS_LTO_CLANG && ARCH_SUPPORTS_LTO_CLANG_THIN + select LTO_CLANG + help + This option enables Clang's ThinLTO, which allows for parallel + optimization and faster incremental compiles compared to the + CONFIG_LTO_CLANG_FULL option. More information can be found + from Clang's documentation: + + https://clang.llvm.org/docs/ThinLTO.html + + If unsure, say Y. endchoice -config CFI - bool - -config CFI_PERMISSIVE - bool "Use CFI in permissive mode" - depends on CFI - help - When selected, Control Flow Integrity (CFI) violations result in a - warning instead of a kernel panic. This option is useful for finding - CFI violations in drivers during development. - config CFI_CLANG - bool "Use clang Control Flow Integrity (CFI) (EXPERIMENTAL)" - depends on LTO_CLANG - depends on KALLSYMS - select CFI + bool "Use Clang's Control Flow Integrity (CFI)" + depends on LTO_CLANG && KALLSYMS help - This option enables clang Control Flow Integrity (CFI), which adds + This option enables Clang's Control Flow Integrity (CFI), which adds runtime checking for indirect function calls. config CFI_CLANG_SHADOW bool "Use CFI shadow to speed up cross-module checks" default y - depends on CFI_CLANG + depends on CFI_CLANG && MODULES help If you select this option, the kernel builds a fast look-up table of CFI check functions in loaded modules to reduce overhead. -config ARCH_SUPPORTS_SHADOW_CALL_STACK - bool +config CFI_PERMISSIVE + bool "Use CFI in permissive mode" + depends on CFI_CLANG help - An architecture should select this if it supports Clang's Shadow - Call Stack, has asm/scs.h, and implements runtime support for shadow - stack switching. - -config SHADOW_CALL_STACK - bool "Clang Shadow Call Stack" - depends on ARCH_SUPPORTS_SHADOW_CALL_STACK - help - This option enables Clang's Shadow Call Stack, which uses a - shadow stack to protect function return addresses from being - overwritten by an attacker. More information can be found from - Clang's documentation: - - https://clang.llvm.org/docs/ShadowCallStack.html - - Note that security guarantees in the kernel differ from the ones - documented for user space. The kernel must store addresses of shadow - stacks used by other tasks and interrupt handlers in memory, which - means an attacker capable reading and writing arbitrary memory may - be able to locate them and hijack control flow by modifying shadow - stacks that are not currently in use. - -config SHADOW_CALL_STACK_VMAP - bool "Use virtually mapped shadow call stacks" - depends on SHADOW_CALL_STACK - help - Use virtually mapped shadow call stacks. Selecting this option - provides better stack exhaustion protection, but increases per-thread - memory consumption as a full page is allocated for each shadow stack. + When selected, Control Flow Integrity (CFI) violations result in a + warning instead of a kernel panic. This option is useful for finding + CFI violations during development. config HAVE_ARCH_WITHIN_STACK_FRAMES bool @@ -608,14 +742,26 @@ help Provide kernel/user boundaries probes necessary for subsystems that need it, such as userspace RCU extended quiescent state. - Syscalls need to be wrapped inside user_exit()-user_enter() through - the slow path using TIF_NOHZ flag. Exceptions handlers must be - wrapped as well. Irqs are already protected inside - rcu_irq_enter/rcu_irq_exit() but preemption or signal handling on - irq exit still need to be protected. + Syscalls need to be wrapped inside user_exit()-user_enter(), either + optimized behind static key or through the slow path using TIF_NOHZ + flag. Exceptions handlers must be wrapped as well. Irqs are already + protected inside rcu_irq_enter/rcu_irq_exit() but preemption or signal + handling on irq exit still need to be protected. + +config HAVE_TIF_NOHZ + bool + help + Arch relies on TIF_NOHZ and syscall slow path to implement context + tracking calls to user_enter()/user_exit(). config HAVE_VIRT_CPU_ACCOUNTING bool + +config HAVE_VIRT_CPU_ACCOUNTING_IDLE + bool + help + Architecture has its own way to account idle CPU time and therefore + doesn't implement vtime_account_idle(). config ARCH_HAS_SCALED_CPUTIME bool @@ -631,12 +777,23 @@ some 32-bit arches may require multiple accesses, so proper locking is needed to protect against concurrent accesses. - config HAVE_IRQ_TIME_ACCOUNTING bool help Archs need to ensure they use a high enough resolution clock to support irq time accounting and then call enable_sched_clock_irqtime(). + +config HAVE_MOVE_PUD + bool + help + Architectures that select this are able to move page tables at the + PUD level. If there are only 3 page table levels, the move effectively + happens at the PGD level. + +config HAVE_MOVE_PMD + bool + help + Archs that select this are able to move page tables at the PMD level. config HAVE_ARCH_TRANSPARENT_HUGEPAGE bool @@ -645,6 +802,9 @@ bool config HAVE_ARCH_HUGE_VMAP + bool + +config ARCH_WANT_HUGE_PMD_SHARE bool config HAVE_ARCH_SOFT_DIRTY @@ -771,12 +931,16 @@ and vice-versa 32-bit applications to call 64-bit mmap(). Required for applications doing different bitness syscalls. -config HAVE_COPY_THREAD_TLS +# This allows to use a set of generic functions to determine mmap base +# address by giving priority to top-down scheme only if the process +# is not in legacy mode (compat task, unlimited stack size or +# sysctl_legacy_va_layout). +# Architecture that selects this option can provide its own version of: +# - STACK_RND_MASK +config ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT bool - help - Architecture provides copy_thread_tls to accept tls argument via - normal C parameter passing, rather than extracting the syscall - argument from pt_regs. + depends on MMU + select ARCH_HAS_ELF_RANDOMIZE config HAVE_STACK_VALIDATION bool @@ -787,8 +951,9 @@ config HAVE_RELIABLE_STACKTRACE bool help - Architecture has a save_stack_trace_tsk_reliable() function which - only returns a stack trace if it can guarantee the trace is reliable. + Architecture has either save_stack_trace_tsk_reliable() or + arch_stack_walk_reliable() function which only returns a stack trace + if it can guarantee the trace is reliable. config HAVE_ARCH_HASH bool @@ -797,6 +962,9 @@ If this is set, the architecture provides an <asm/hash.h> file which provides platform-specific implementations of some functions in <linux/hash.h> or fs/namei.c. + +config HAVE_ARCH_NVRAM_OPS + bool config ISA_BUS_API def_bool ISA @@ -847,25 +1015,18 @@ config COMPAT_OLD_SIGACTION bool -config 64BIT_TIME - def_bool ARCH_HAS_64BIT_TIME - help - This should be selected by all architectures that need to support - new system calls with a 64-bit time_t. This is relevant on all 32-bit - architectures, and 64-bit architectures as part of compat syscall - handling. - config COMPAT_32BIT_TIME - def_bool (!64BIT && 64BIT_TIME) || COMPAT + bool "Provide system calls for 32-bit time_t" + default !64BIT || COMPAT help This enables 32 bit time_t support in addition to 64 bit time_t support. This is relevant on all 32-bit architectures, and 64-bit architectures as part of compat syscall handling. -config ARCH_NO_COHERENT_DMA_MMAP +config ARCH_NO_PREEMPT bool -config ARCH_NO_PREEMPT +config ARCH_SUPPORTS_RT bool config CPU_NO_EFFICIENT_FFS @@ -894,16 +1055,17 @@ config VMAP_STACK default y bool "Use a virtually-mapped stack" - depends on HAVE_ARCH_VMAP_STACK && !KASAN - ---help--- + depends on HAVE_ARCH_VMAP_STACK + depends on !KASAN || KASAN_HW_TAGS || KASAN_VMALLOC + help Enable this if you want the use virtually-mapped kernel stacks with guard pages. This causes kernel stack overflows to be caught immediately rather than causing difficult-to-diagnose corruption. - This is presently incompatible with KASAN because KASAN expects - the stack to map directly to the KASAN shadow map using a formula - that is incorrect if the stack is in vmalloc space. + To use this with software KASAN modes, the architecture must support + backing virtual mappings with real shadow memory, and KASAN_VMALLOC + must be enabled. config ARCH_OPTIONAL_KERNEL_RWX def_bool n @@ -943,27 +1105,6 @@ config ARCH_HAS_PHYS_TO_DMA bool -config ARCH_HAS_REFCOUNT - bool - help - An architecture selects this when it has implemented refcount_t - using open coded assembly primitives that provide an optimized - refcount_t implementation, possibly at the expense of some full - refcount state checks of CONFIG_REFCOUNT_FULL=y. - - The refcount overflow check behavior, however, must be retained. - Catching overflows is the primary security concern for protecting - against bugs in reference counts. - -config REFCOUNT_FULL - bool "Perform full reference count validation at the expense of speed" - help - Enabling this switches the refcounting infrastructure from a fast - unchecked atomic_t implementation to a fully state checked - implementation, which can be (slightly) slower but provides protections - against various use-after-free conditions that can be used in - security flaw exploits. - config HAVE_ARCH_COMPILER_H bool help @@ -985,6 +1126,15 @@ config ARCH_USE_MEMREMAP_PROT bool +config LOCK_EVENT_COUNTS + bool "Locking event counts collection" + depends on DEBUG_FS + help + Enable light-weight counting of various locking related events + in the system with minimal performance impact. This reduces + the chance of application behavior change because of timing + differences. The counts are reported via debugfs. + # Select if the architecture has support for applying RELR relocations. config ARCH_HAS_RELR bool @@ -999,6 +1149,45 @@ well as compatible NM and OBJCOPY utilities (llvm-nm and llvm-objcopy are compatible). +config ARCH_HAS_MEM_ENCRYPT + bool + +config ARCH_HAS_CC_PLATFORM + bool + +config HAVE_SPARSE_SYSCALL_NR + bool + help + An architecture should select this if its syscall numbering is sparse + to save space. For example, MIPS architecture has a syscall array with + entries at 4000, 5000 and 6000 locations. This option turns on syscall + related optimizations for a given architecture. + +config ARCH_HAS_VDSO_DATA + bool + +config HAVE_STATIC_CALL + bool + +config HAVE_STATIC_CALL_INLINE + bool + depends on HAVE_STATIC_CALL + +config ARCH_WANT_LD_ORPHAN_WARN + bool + help + An arch should select this symbol once all linker sections are explicitly + included, size-asserted, or discarded in the linker scripts. This is + important because we never want expected sections to be placed heuristically + by the linker, since the locations of such sections can change between linker + versions. + +config ARCH_SPLIT_ARG64 + bool + help + If a 32-bit architecture requires 64-bit arguments to be split into + pairs of 32-bit arguments, select this option. + source "kernel/gcov/Kconfig" source "scripts/gcc-plugins/Kconfig" -- Gitblit v1.6.2