Message ID | 20190423194925.32151-3-keescook@chromium.org (mailing list archive)
---|---
State | New, archived
Series | Refactor memory initialization hardening
On 23.04.2019 22:49, Kees Cook wrote: > This moves the stackleak plugin options to Kconfig.hardening's memory > initialization menu. > > Signed-off-by: Kees Cook <keescook@chromium.org> Hello Kees, I see the changes in STACKLEAK help, looks good to me. For this patch - Reviewed-by: Alexander Popov <alex.popov@linux.com> By the way, for your information, GCC_PLUGIN_STRUCTLEAK help is now unreachable from 'make menuconfig'. Best regards, Alexander > --- > scripts/gcc-plugins/Kconfig | 51 --------------------------------- > security/Kconfig.hardening | 57 +++++++++++++++++++++++++++++++++++++ > 2 files changed, 57 insertions(+), 51 deletions(-) > > diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig > index 352f03878a1e..80220ed26a35 100644 > --- a/scripts/gcc-plugins/Kconfig > +++ b/scripts/gcc-plugins/Kconfig 
> @@ -108,57 +108,6 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE > in structures. This reduces the performance hit of RANDSTRUCT > at the cost of weakened randomization. > > -config GCC_PLUGIN_STACKLEAK > - bool "Erase the kernel stack before returning from syscalls" > - depends on GCC_PLUGINS > - depends on HAVE_ARCH_STACKLEAK > - help > - This option makes the kernel erase the kernel stack before > - returning from system calls. That reduces the information which > - kernel stack leak bugs can reveal and blocks some uninitialized > - stack variable attacks. > - > - The tradeoff is the performance impact: on a single CPU system kernel > - compilation sees a 1% slowdown, other systems and workloads may vary > - and you are advised to test this feature on your expected workload > - before deploying it. > - > - This plugin was ported from grsecurity/PaX. More information at: > - * https://grsecurity.net/ > - * https://pax.grsecurity.net/ > - > -config STACKLEAK_TRACK_MIN_SIZE > - int "Minimum stack frame size of functions tracked by STACKLEAK" > - default 100 > - range 0 4096 > - depends on GCC_PLUGIN_STACKLEAK > - help > - The STACKLEAK gcc plugin instruments the kernel code for tracking > - the lowest border of the kernel stack (and for some other purposes). > - It inserts the stackleak_track_stack() call for the functions with > - a stack frame size greater than or equal to this parameter. > - If unsure, leave the default value 100. > - > -config STACKLEAK_METRICS > - bool "Show STACKLEAK metrics in the /proc file system" > - depends on GCC_PLUGIN_STACKLEAK > - depends on PROC_FS > - help > - If this is set, STACKLEAK metrics for every task are available in > - the /proc file system. In particular, /proc/<pid>/stack_depth > - shows the maximum kernel stack consumption for the current and > - previous syscalls. Although this information is not precise, it > - can be useful for estimating the STACKLEAK performance impact for > - your workloads. 
> - > -config STACKLEAK_RUNTIME_DISABLE > - bool "Allow runtime disabling of kernel stack erasing" > - depends on GCC_PLUGIN_STACKLEAK > - help > - This option provides 'stack_erasing' sysctl, which can be used in > - runtime to control kernel stack erasing for kernels built with > - CONFIG_GCC_PLUGIN_STACKLEAK. > - > config GCC_PLUGIN_ARM_SSP_PER_TASK > bool > depends on GCC_PLUGINS && ARM > diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening > index 19881341f1c2..a96d4a43ca65 100644 > --- a/security/Kconfig.hardening > +++ b/security/Kconfig.hardening 
> @@ -88,6 +88,63 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE > initialized. Since not all existing initializers are detected > by the plugin, this can produce false positive warnings. > > +config GCC_PLUGIN_STACKLEAK > + bool "Poison kernel stack before returning from syscalls" > + depends on GCC_PLUGINS > + depends on HAVE_ARCH_STACKLEAK > + help > + This option makes the kernel erase the kernel stack before > + returning from system calls. This has the effect of leaving > + the stack initialized to the poison value, which both reduces > + the lifetime of any sensitive stack contents and reduces > + potential for uninitialized stack variable exploits or information > + exposures (it does not cover functions reaching the same stack > + depth as prior functions during the same syscall). This blocks > + most uninitialized stack variable attacks, with the performance > + impact being driven by the depth of the stack usage, rather than > + the function calling complexity. > + > + The performance impact on a single CPU system kernel compilation > + sees a 1% slowdown, other systems and workloads may vary and you > + are advised to test this feature on your expected workload before > + deploying it. > + > + This plugin was ported from grsecurity/PaX. More information at: > + * https://grsecurity.net/ > + * https://pax.grsecurity.net/ > + > +config STACKLEAK_TRACK_MIN_SIZE > + int "Minimum stack frame size of functions tracked by STACKLEAK" > + default 100 > + range 0 4096 > + depends on GCC_PLUGIN_STACKLEAK > + help > + The STACKLEAK gcc plugin instruments the kernel code for tracking > + the lowest border of the kernel stack (and for some other purposes). > + It inserts the stackleak_track_stack() call for the functions with > + a stack frame size greater than or equal to this parameter. > + If unsure, leave the default value 100. 
> + > +config STACKLEAK_METRICS > + bool "Show STACKLEAK metrics in the /proc file system" > + depends on GCC_PLUGIN_STACKLEAK > + depends on PROC_FS > + help > + If this is set, STACKLEAK metrics for every task are available in > + the /proc file system. In particular, /proc/<pid>/stack_depth > + shows the maximum kernel stack consumption for the current and > + previous syscalls. Although this information is not precise, it > + can be useful for estimating the STACKLEAK performance impact for > + your workloads. > + > +config STACKLEAK_RUNTIME_DISABLE > + bool "Allow runtime disabling of kernel stack erasing" > + depends on GCC_PLUGIN_STACKLEAK > + help > + This option provides 'stack_erasing' sysctl, which can be used in > + runtime to control kernel stack erasing for kernels built with > + CONFIG_GCC_PLUGIN_STACKLEAK. > + > endmenu > > endmenu >
On Wed, Apr 24, 2019 at 8:25 AM Alexander Popov <alex.popov@linux.com> wrote: > > On 23.04.2019 22:49, Kees Cook wrote: > > This moves the stackleak plugin options to Kconfig.hardening's memory > > initialization menu. > > > > Signed-off-by: Kees Cook <keescook@chromium.org> > > Hello Kees, > > I see the changes in STACKLEAK help, looks good to me. > For this patch - > Reviewed-by: Alexander Popov <alex.popov@linux.com> Thanks! > By the way, for your information, GCC_PLUGIN_STRUCTLEAK help is now unreachable > from 'make menuconfig'. Good point. I'll see if I can find a sensible place to move this to. There isn't really a place for just the plugin details any more... hmm.
diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index 352f03878a1e..80220ed26a35 100644 --- a/scripts/gcc-plugins/Kconfig +++ b/scripts/gcc-plugins/Kconfig 
@@ -108,57 +108,6 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE in structures. This reduces the performance hit of RANDSTRUCT at the cost of weakened randomization. -config GCC_PLUGIN_STACKLEAK - bool "Erase the kernel stack before returning from syscalls" - depends on GCC_PLUGINS - depends on HAVE_ARCH_STACKLEAK - help - This option makes the kernel erase the kernel stack before - returning from system calls. That reduces the information which - kernel stack leak bugs can reveal and blocks some uninitialized - stack variable attacks. - - The tradeoff is the performance impact: on a single CPU system kernel - compilation sees a 1% slowdown, other systems and workloads may vary - and you are advised to test this feature on your expected workload - before deploying it. - - This plugin was ported from grsecurity/PaX. More information at: - * https://grsecurity.net/ - * https://pax.grsecurity.net/ - -config STACKLEAK_TRACK_MIN_SIZE - int "Minimum stack frame size of functions tracked by STACKLEAK" - default 100 - range 0 4096 - depends on GCC_PLUGIN_STACKLEAK - help - The STACKLEAK gcc plugin instruments the kernel code for tracking - the lowest border of the kernel stack (and for some other purposes). - It inserts the stackleak_track_stack() call for the functions with - a stack frame size greater than or equal to this parameter. - If unsure, leave the default value 100. - -config STACKLEAK_METRICS - bool "Show STACKLEAK metrics in the /proc file system" - depends on GCC_PLUGIN_STACKLEAK - depends on PROC_FS - help - If this is set, STACKLEAK metrics for every task are available in - the /proc file system. In particular, /proc/<pid>/stack_depth - shows the maximum kernel stack consumption for the current and - previous syscalls. Although this information is not precise, it - can be useful for estimating the STACKLEAK performance impact for - your workloads. 
- -config STACKLEAK_RUNTIME_DISABLE - bool "Allow runtime disabling of kernel stack erasing" - depends on GCC_PLUGIN_STACKLEAK - help - This option provides 'stack_erasing' sysctl, which can be used in - runtime to control kernel stack erasing for kernels built with - CONFIG_GCC_PLUGIN_STACKLEAK. - config GCC_PLUGIN_ARM_SSP_PER_TASK bool depends on GCC_PLUGINS && ARM diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index 19881341f1c2..a96d4a43ca65 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening 
@@ -88,6 +88,63 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE initialized. Since not all existing initializers are detected by the plugin, this can produce false positive warnings. +config GCC_PLUGIN_STACKLEAK + bool "Poison kernel stack before returning from syscalls" + depends on GCC_PLUGINS + depends on HAVE_ARCH_STACKLEAK + help + This option makes the kernel erase the kernel stack before + returning from system calls. This has the effect of leaving + the stack initialized to the poison value, which both reduces + the lifetime of any sensitive stack contents and reduces + potential for uninitialized stack variable exploits or information + exposures (it does not cover functions reaching the same stack + depth as prior functions during the same syscall). This blocks + most uninitialized stack variable attacks, with the performance + impact being driven by the depth of the stack usage, rather than + the function calling complexity. + + The performance impact on a single CPU system kernel compilation + sees a 1% slowdown, other systems and workloads may vary and you + are advised to test this feature on your expected workload before + deploying it. + + This plugin was ported from grsecurity/PaX. More information at: + * https://grsecurity.net/ + * https://pax.grsecurity.net/ + +config STACKLEAK_TRACK_MIN_SIZE + int "Minimum stack frame size of functions tracked by STACKLEAK" + default 100 + range 0 4096 + depends on GCC_PLUGIN_STACKLEAK + help + The STACKLEAK gcc plugin instruments the kernel code for tracking + the lowest border of the kernel stack (and for some other purposes). + It inserts the stackleak_track_stack() call for the functions with + a stack frame size greater than or equal to this parameter. + If unsure, leave the default value 100. 
+ +config STACKLEAK_METRICS + bool "Show STACKLEAK metrics in the /proc file system" + depends on GCC_PLUGIN_STACKLEAK + depends on PROC_FS + help + If this is set, STACKLEAK metrics for every task are available in + the /proc file system. In particular, /proc/<pid>/stack_depth + shows the maximum kernel stack consumption for the current and + previous syscalls. Although this information is not precise, it + can be useful for estimating the STACKLEAK performance impact for + your workloads. + +config STACKLEAK_RUNTIME_DISABLE + bool "Allow runtime disabling of kernel stack erasing" + depends on GCC_PLUGIN_STACKLEAK + help + This option provides 'stack_erasing' sysctl, which can be used in + runtime to control kernel stack erasing for kernels built with + CONFIG_GCC_PLUGIN_STACKLEAK. + endmenu endmenu
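Review bot: the commit message calls this a pure move ("This moves the stackleak plugin options"), but the removal hunk in scripts/gcc-plugins/Kconfig (@@ -108,57 +108,6 @@) drops 51 lines while the Kconfig.hardening hunk adds 57, as the diffstat also shows, because the GCC_PLUGIN_STACKLEAK prompt and help are reworded on the way: "Erase the kernel stack before returning from syscalls" becomes "Poison kernel stack before returning from syscalls", and "blocks some uninitialized stack variable attacks" becomes "blocks most uninitialized stack variable attacks". State in the commit message that the help text changes as well as its location, or split the rewording into a follow-up patch on top of the mechanical move, so that anyone bisecting a documentation or wording change does not have to diff the removed and re-added blocks by hand.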
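Review bot: the re-added GCC_PLUGIN_STACKLEAK entry in security/Kconfig.hardening (@@ -88,6 +88,63 @@) uses two names for one operation and defines neither: the prompt says "Poison kernel stack", the help says the stack is left "initialized to the poison value", yet the rest of the help only speaks of erasing and nothing states what the poison value is. Pick one term, or add a sentence naming the fill value. In the same paragraph, "This blocks most uninitialized stack variable attacks" immediately follows the caveat "(it does not cover functions reaching the same stack depth as prior functions during the same syscall)", so "most" is a stronger claim than the surrounding text supports and than the "some" it replaces; suggest "This defeats uninitialized stack variable attacks that depend on stale data from an earlier syscall". Smaller points in the same hunk: STACKLEAK_TRACK_MIN_SIZE's `range 0 4096` and `default 100` should state the unit the frame size is measured in, and "the lowest border of the kernel stack" should read "boundary"; STACKLEAK_RUNTIME_DISABLE says only "'stack_erasing' sysctl" without the full sysctl path, and since a sysctl that turns the erasing off is a knob a privileged attacker can flip, the help should say that and recommend leaving the option disabled on hardened builds.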
This moves the stackleak plugin options to Kconfig.hardening's memory initialization menu. Signed-off-by: Kees Cook <keescook@chromium.org> --- scripts/gcc-plugins/Kconfig | 51 --------------------------------- security/Kconfig.hardening | 57 +++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 51 deletions(-)