blob: 352f03878a1e2ee079008a850a6993e6e5f3098a
preferred-plugin-hostcc := $(if-success,[ $(gcc-version) -ge 40800 ],$(HOSTCXX),$(HOSTCC))

config PLUGIN_HOSTCC
	string
	default "$(shell,$(srctree)/scripts/gcc-plugin.sh "$(preferred-plugin-hostcc)" "$(HOSTCXX)" "$(CC)")" if CC_IS_GCC
	help
	  Host compiler used to build GCC plugins. This can be $(HOSTCXX),
	  $(HOSTCC), or a null string if GCC plugin is unsupported.

config HAVE_GCC_PLUGINS
	bool
	help
	  An arch should select this symbol if it supports building with
	  GCC plugins.

config GCC_PLUGINS
	bool
	depends on HAVE_GCC_PLUGINS
	depends on PLUGIN_HOSTCC != ""
	default y
	help
	  GCC plugins are loadable modules that provide extra features to the
	  compiler. They are useful for runtime instrumentation and static analysis.

	  See Documentation/gcc-plugins.txt for details.

menu "GCC plugins"
	depends on GCC_PLUGINS

config GCC_PLUGIN_CYC_COMPLEXITY
	bool "Compute the cyclomatic complexity of a function" if EXPERT
	depends on !COMPILE_TEST	# too noisy
	help
	  The complexity M of a function's control flow graph is defined as:
	   M = E - N + 2P
	  where

	  E = the number of edges
	  N = the number of nodes
	  P = the number of connected components (exit nodes).

	  Enabling this plugin reports the complexity to stderr during the
	  build. It mainly serves as a simple example of how to create a
	  gcc plugin for the kernel.

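As an added example (not code from the kernel or from the CYC_COMPLEXITY plugin), the C program below computes M = E - N + 2P for a control flow graph built by hand. The `struct cfg` helper, the node numbering and both sample graphs are constructed here to stand in for the CFG the plugin reads from GCC; the formula is the one given in the help text above.

```c
/* Added example, not code from the kernel or the CYC_COMPLEXITY plugin: a
 * small model of computing M = E - N + 2P over a control flow graph. The
 * plugin reads GCC's CFG for each function; here the graph is constructed
 * by hand to stand in for that input. */
#include <stdio.h>
#include <string.h>

#define MAX_NODES 32

struct cfg {
	int nodes;                      /* N: basic blocks, numbered 0..nodes-1 */
	int edges;                      /* E: directed edges between blocks */
	int adj[MAX_NODES][MAX_NODES];  /* adj[a][b] == 1 if an edge a -> b exists */
};

static void cfg_init(struct cfg *g, int nodes)
{
	memset(g, 0, sizeof(*g));
	g->nodes = nodes;
}

static void cfg_add_edge(struct cfg *g, int from, int to)
{
	if (!g->adj[from][to]) {
		g->adj[from][to] = 1;
		g->edges++;
	}
}

/* P: connected components of the graph, ignoring edge direction. For the
 * CFG of a single function this is normally 1. */
static int cfg_components(const struct cfg *g)
{
	int seen[MAX_NODES] = {0};
	int stack[MAX_NODES];
	int count = 0;

	for (int start = 0; start < g->nodes; start++) {
		if (seen[start])
			continue;
		count++;
		int sp = 0;
		stack[sp++] = start;
		seen[start] = 1;
		while (sp > 0) {
			int n = stack[--sp];
			for (int m = 0; m < g->nodes; m++) {
				if ((g->adj[n][m] || g->adj[m][n]) && !seen[m]) {
					seen[m] = 1;   /* marked before push: each node pushed once */
					stack[sp++] = m;
				}
			}
		}
	}
	return count;
}

/* McCabe's cyclomatic complexity as defined in the help text above. */
int cyclomatic_complexity(const struct cfg *g)
{
	return g->edges - g->nodes + 2 * cfg_components(g);
}

/* Constructed CFG of a function with one if/else followed by a while loop:
 *   0 entry -> 1
 *   1 if-test -> 2 (then) | 3 (else)
 *   2 then -> 4,  3 else -> 4
 *   4 loop-test -> 5 (body) | 6 (exit)
 *   5 body -> 4
 *   6 return
 * E = 8, N = 7, P = 1, so M = 8 - 7 + 2 = 3 (two decisions plus one). */
int branchy_function_complexity(void)
{
	struct cfg g;
	int edges[][2] = { {0,1}, {1,2}, {1,3}, {2,4}, {3,4}, {4,5}, {4,6}, {5,4} };

	cfg_init(&g, 7);
	for (size_t i = 0; i < sizeof(edges) / sizeof(edges[0]); i++)
		cfg_add_edge(&g, edges[i][0], edges[i][1]);
	return cyclomatic_complexity(&g);
}

/* A straight-line function: one block, no edges, M = 0 - 1 + 2 = 1. */
int straight_line_complexity(void)
{
	struct cfg g;

	cfg_init(&g, 1);
	return cyclomatic_complexity(&g);
}

int main(void)
{
	printf("if/else + loop: M = %d\n", branchy_function_complexity());
	printf("straight line:  M = %d\n", straight_line_complexity());
	return 0;
}
```

M counts the linearly independent paths through the function; with P = 1 it equals the number of decision points plus one, which is what the two constructed graphs show. This is why the plugin is useful as a build-time code-quality metric rather than as a hardening feature.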
config GCC_PLUGIN_SANCOV
	bool
	help
	  This plugin inserts a __sanitizer_cov_trace_pc() call at the start of
	  basic blocks. It supports all gcc versions with plugin support (from
	  gcc-4.5 on). It is based on the commit "Add fuzzing coverage support"
	  by Dmitry Vyukov <dvyukov@google.com>.

config GCC_PLUGIN_LATENT_ENTROPY
	bool "Generate some entropy during boot and runtime"
	help
	  By saying Y here the kernel will instrument some kernel code to
	  extract some entropy from both original and artificially created
	  program state. This will help especially embedded systems where
	  there is little 'natural' source of entropy normally. The cost
	  is some slowdown of the boot process (about 0.5%) and fork and
	  irq processing.

	  Note that entropy extracted this way is not cryptographically
	  secure!

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config GCC_PLUGIN_RANDSTRUCT
	bool "Randomize layout of sensitive kernel structures"
	select MODVERSIONS if MODULES
	help
	  If you say Y here, the layouts of structures that are entirely
	  function pointers (and have not been manually annotated with
	  __no_randomize_layout), or structures that have been explicitly
	  marked with __randomize_layout, will be randomized at compile-time.
	  Exploits targeting these structure types then additionally need an
	  information exposure vulnerability to learn the randomized layout.

	  Enabling this feature will introduce some performance impact,
	  slightly increase memory usage, and prevent the use of forensic
	  tools like Volatility against the system (unless the kernel
	  source tree is not cleaned after kernel installation, in which
	  case the seed remains available).

	  The seed used for compilation is located at
	  scripts/gcc-plugins/randomize_layout_seed.h. It remains after
	  a make clean to allow for external modules to be compiled with
	  the existing seed and will be removed by a make mrproper or
	  make distclean.

	  Note that the implementation requires gcc 4.7 or newer.

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
	bool "Use cacheline-aware structure randomization"
	depends on GCC_PLUGIN_RANDSTRUCT
	depends on !COMPILE_TEST	# do not reduce test coverage
	help
	  If you say Y here, the RANDSTRUCT randomization will make a
	  best effort at restricting randomization to cacheline-sized
	  groups of elements. It will further not randomize bitfields
	  in structures. This reduces the performance hit of RANDSTRUCT
	  at the cost of weakened randomization.

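The following C program is an added example, not the randomize_layout plugin's own code, covering both GCC_PLUGIN_RANDSTRUCT and GCC_PLUGIN_RANDSTRUCT_PERFORMANCE above: it shows how a fixed seed (the kernel keeps its real one in scripts/gcc-plugins/randomize_layout_seed.h) deterministically permutes the members of an all-function-pointer struct, why the same seed must be reused for external modules, and how the performance mode keeps each member inside its cacheline-sized group. The xorshift generator, the seed value, the group-assignment rule and the `ops_table` member list are constructed assumptions; the real plugin's generator and grouping heuristics differ in detail.

```c
/* Added example, not the randomize_layout plugin's own code: a model of how a
 * seed deterministically permutes struct members, and how
 * RANDSTRUCT_PERFORMANCE restricts the shuffle to cacheline-sized groups.
 * The PRNG, the seed value and the ops table are constructed stand-ins. */
#include <stdint.h>
#include <string.h>

#define CACHELINE_BYTES 64
#define MAX_MEMBERS 32

struct member { const char *name; size_t size; };

/* Constructed: 16 function pointers, the kind of all-function-pointer
 * struct that RANDSTRUCT randomizes without any annotation. */
static const struct member ops_table[] = {
	{"open", 8}, {"release", 8}, {"read", 8}, {"write", 8},
	{"mmap", 8}, {"ioctl", 8}, {"poll", 8}, {"flush", 8},
	{"fsync", 8}, {"lock", 8}, {"splice_read", 8}, {"splice_write", 8},
	{"llseek", 8}, {"fallocate", 8}, {"setlease", 8}, {"show_fdinfo", 8},
};
#define OPS_COUNT ((int)(sizeof(ops_table) / sizeof(ops_table[0])))

/* xorshift64: a simple deterministic generator seeded from the layout seed. */
static uint64_t next_rand(uint64_t *state)
{
	uint64_t x = *state;
	x ^= x << 13; x ^= x >> 7; x ^= x << 17;
	return *state = x;
}

/* Fisher-Yates shuffle of order[lo..hi). */
static void shuffle_range(int *order, int lo, int hi, uint64_t *state)
{
	for (int i = hi - 1; i > lo; i--) {
		int j = lo + (int)(next_rand(state) % (uint64_t)(i - lo + 1));
		int tmp = order[i]; order[i] = order[j]; order[j] = tmp;
	}
}

/* Assign members, in declaration order, to cacheline-sized groups. */
static void assign_groups(const struct member *m, int n, int *group)
{
	size_t used = 0;
	int g = 0;
	for (int i = 0; i < n; i++) {
		if (used + m[i].size > CACHELINE_BYTES) { g++; used = 0; }
		group[i] = g;
		used += m[i].size;
	}
}

/* Full RANDSTRUCT: any member may land in any slot; order[i] is the index
 * of the member placed in slot i. Seed 0 maps to 1 since xorshift never
 * leaves state 0. */
void randomize_layout(int n, uint64_t seed, int *order)
{
	uint64_t state = seed ? seed : 1;
	for (int i = 0; i < n; i++) order[i] = i;
	shuffle_range(order, 0, n, &state);
}

/* RANDSTRUCT_PERFORMANCE: groups keep their relative order and members are
 * shuffled only inside their own group, so hot members stay on one line. */
void randomize_layout_performance(const struct member *m, int n, uint64_t seed, int *order)
{
	uint64_t state = seed ? seed : 1;
	int group[MAX_MEMBERS];
	for (int i = 0; i < n; i++) order[i] = i;
	assign_groups(m, n, group);
	for (int lo = 0, hi = 0; lo < n; lo = hi) {
		for (hi = lo; hi < n && group[hi] == group[lo]; hi++)
			;
		shuffle_range(order, lo, hi, &state);
	}
}

/* Sanity check: every member appears exactly once. */
int is_permutation(const int *order, int n)
{
	int seen[MAX_MEMBERS] = {0};
	for (int i = 0; i < n; i++) {
		if (order[i] < 0 || order[i] >= n || seen[order[i]]) return 0;
		seen[order[i]] = 1;
	}
	return 1;
}

/* Same seed, same layout: this is why the seed header must survive a
 * "make clean", so external modules match the kernel's struct layouts. */
int layout_is_reproducible(uint64_t seed)
{
	int a[MAX_MEMBERS], b[MAX_MEMBERS];
	randomize_layout(OPS_COUNT, seed, a);
	randomize_layout(OPS_COUNT, seed, b);
	return is_permutation(a, OPS_COUNT) && memcmp(a, b, sizeof(int) * OPS_COUNT) == 0;
}

/* In performance mode no member crosses into another cacheline group. */
int performance_mode_respects_cachelines(uint64_t seed)
{
	int order[MAX_MEMBERS], group[MAX_MEMBERS];
	randomize_layout_performance(ops_table, OPS_COUNT, seed, order);
	assign_groups(ops_table, OPS_COUNT, group);
	for (int i = 0; i < OPS_COUNT; i++)
		if (group[order[i]] != group[i]) return 0;
	return is_permutation(order, OPS_COUNT);
}
```

With 16 eight-byte members the performance mode yields two groups of eight, so an attacker who learns one member's offset still only narrows the search to its own cacheline; this is the "weakened randomization" the help text trades for locality. The reproducibility check is the model of why the seed header survives `make clean`: an out-of-tree module compiled with a different seed would disagree with the kernel about every randomized layout.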
config GCC_PLUGIN_STACKLEAK
	bool "Erase the kernel stack before returning from syscalls"
	depends on GCC_PLUGINS
	depends on HAVE_ARCH_STACKLEAK
	help
	  This option makes the kernel erase the kernel stack before
	  returning from system calls. That reduces the information which
	  kernel stack leak bugs can reveal and blocks some uninitialized
	  stack variable attacks.

	  The tradeoff is the performance impact: on a single CPU system kernel
	  compilation sees a 1% slowdown; other systems and workloads may vary,
	  and you are advised to test this feature on your expected workload
	  before deploying it.

	  This plugin was ported from grsecurity/PaX. More information at:
	   * https://grsecurity.net/
	   * https://pax.grsecurity.net/

config STACKLEAK_TRACK_MIN_SIZE
	int "Minimum stack frame size of functions tracked by STACKLEAK"
	default 100
	range 0 4096
	depends on GCC_PLUGIN_STACKLEAK
	help
	  The STACKLEAK gcc plugin instruments the kernel code for tracking
	  the lowest border of the kernel stack (and for some other purposes).
	  It inserts the stackleak_track_stack() call for the functions with
	  a stack frame size greater than or equal to this parameter.
	  If unsure, leave the default value 100.

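As an added example for GCC_PLUGIN_STACKLEAK and STACKLEAK_TRACK_MIN_SIZE together (a user-space model, not the kernel's or the plugin's code), the C program below stands a byte array in for a downward-growing kernel stack, "inserts" `stackleak_track_stack()` only into frames of at least `TRACK_MIN_SIZE` bytes, and erases the used region on syscall return. It shows what stack-leak bugs could read without erasing, what a frame smaller than the tracking threshold leaves behind if the erase stops at the tracked border, and how searching below that border for poison closes the gap. The poison byte, the frame sizes and the single-byte poison search are constructed simplifications.

```c
/* Added example, not the kernel's or the STACKLEAK plugin's code: a user-space
 * model of the mechanism. A byte array stands in for the kernel stack (growing
 * downward), stackleak_track_stack() records the lowest stack border and is
 * only "inserted" into frames of at least TRACK_MIN_SIZE bytes (modelling
 * CONFIG_STACKLEAK_TRACK_MIN_SIZE), and stackleak_erase() poisons the used
 * region on syscall return. Poison byte and frame sizes are constructed. */
#include <stdio.h>
#include <string.h>

#define STACK_SIZE      4096
#define TRACK_MIN_SIZE  100     /* models the Kconfig default of 100 */
#define STACK_POISON    0xAA    /* constructed; the kernel has its own STACKLEAK_POISON */
#define SECRET_BYTE     'S'     /* marks data a syscall left on the stack */

static unsigned char stack[STACK_SIZE];
static size_t sp;              /* offset of the current stack pointer */
static size_t lowest_stack;    /* lowest border seen since the last erase */

static void stackleak_init(void)
{
	memset(stack, STACK_POISON, STACK_SIZE);
	sp = STACK_SIZE;
	lowest_stack = STACK_SIZE;
}

/* The call the plugin inserts at function entry. */
static void stackleak_track_stack(void)
{
	if (sp < lowest_stack)
		lowest_stack = sp;
}

/* Simulated call: allocate a frame and fill it, as a real function would
 * with its locals. Only frames >= TRACK_MIN_SIZE get the tracking call. */
static void enter_frame(size_t frame_size, unsigned char fill)
{
	sp -= frame_size;
	if (frame_size >= TRACK_MIN_SIZE)
		stackleak_track_stack();
	memset(stack + sp, fill, frame_size);
}

/* Simulated return: the frame's contents stay behind on the stack. */
static void leave_frame(size_t frame_size)
{
	sp += frame_size;
}

/* Erase on syscall return. With search_below_border set, the erase also
 * walks below the tracked border until it meets poison, so frames too
 * small to be instrumented are covered as well (the kernel looks for a run
 * of poison words rather than a single byte; simplified here). */
static void stackleak_erase(int search_below_border)
{
	size_t start = lowest_stack;

	if (search_below_border)
		while (start > 0 && stack[start - 1] != STACK_POISON)
			start--;
	memset(stack + start, STACK_POISON, sp - start);
	lowest_stack = sp;
}

static int count_secret_bytes(void)
{
	int n = 0;

	for (size_t i = 0; i < STACK_SIZE; i++)
		n += stack[i] == SECRET_BYTE;
	return n;
}

/* One syscall: a 256-byte (tracked) frame calls a 48-byte (untracked) frame.
 * Returns how many secret bytes are still on the stack afterwards. */
int secret_bytes_left(int erase, int search_below_border)
{
	stackleak_init();
	enter_frame(256, SECRET_BYTE);
	enter_frame(48, SECRET_BYTE);
	leave_frame(48);
	leave_frame(256);
	if (erase)
		stackleak_erase(search_below_border);
	return count_secret_bytes();
}

/* Depth recorded by the tracked border after the same two calls: the 48-byte
 * frame is below TRACK_MIN_SIZE and therefore invisible to tracking. */
int tracked_depth_after_calls(void)
{
	stackleak_init();
	enter_frame(256, SECRET_BYTE);
	enter_frame(48, SECRET_BYTE);
	leave_frame(48);
	leave_frame(256);
	return (int)(STACK_SIZE - lowest_stack);
}

int main(void)
{
	printf("no erase:                %d secret bytes left\n", secret_bytes_left(0, 0));
	printf("erase to tracked border: %d secret bytes left\n", secret_bytes_left(1, 0));
	printf("erase with search below: %d secret bytes left\n", secret_bytes_left(1, 1));
	return 0;
}
```

The three results (304, 48 and 0 secret bytes) make the threshold trade-off concrete: a lower STACKLEAK_TRACK_MIN_SIZE instruments more functions and keeps the tracked border closer to the true low-water mark, at the cost of more tracking calls per syscall, while the search below the border is what lets the default of 100 stay safe for the many small frames it skips.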
config STACKLEAK_METRICS
	bool "Show STACKLEAK metrics in the /proc file system"
	depends on GCC_PLUGIN_STACKLEAK
	depends on PROC_FS
	help
	  If this is set, STACKLEAK metrics for every task are available in
	  the /proc file system. In particular, /proc/<pid>/stack_depth
	  shows the maximum kernel stack consumption for the current and
	  previous syscalls. Although this information is not precise, it
	  can be useful for estimating the STACKLEAK performance impact for
	  your workloads.

config STACKLEAK_RUNTIME_DISABLE
	bool "Allow runtime disabling of kernel stack erasing"
	depends on GCC_PLUGIN_STACKLEAK
	help
	  This option provides the 'stack_erasing' sysctl, which can be used
	  at runtime to control kernel stack erasing for kernels built with
	  CONFIG_GCC_PLUGIN_STACKLEAK.

config GCC_PLUGIN_ARM_SSP_PER_TASK
	bool
	depends on GCC_PLUGINS && ARM

endmenu