
randstruct: Reorganize Kconfigs and attribute macros

In preparation for Clang supporting randstruct, reorganize the Kconfigs,
move the attribute macros, and generalize the feature to be named
CONFIG_RANDSTRUCT for on/off, CONFIG_RANDSTRUCT_FULL for the full
randomization mode, and CONFIG_RANDSTRUCT_PERFORMANCE for the cache-line
sized mode.

Cc: linux-hardening@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220503205503.3054173-4-keescook@chromium.org

+81 -66
+3 -4
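--- a/Documentation/kbuild/reproducible-builds.rst
+++ b/Documentation/kbuild/reproducible-builds.rst
@@ -99,10 +99,9 @@
 Structure randomisation
 -----------------------
 
-If you enable ``CONFIG_GCC_PLUGIN_RANDSTRUCT``, you will need to
-pre-generate the random seed in
-``scripts/gcc-plugins/randomize_layout_seed.h`` so the same value
-is used in rebuilds.
+If you enable ``CONFIG_RANDSTRUCT``, you will need to pre-generate
+the random seed in ``scripts/gcc-plugins/randomize_layout_seed.h``
+so the same value is used in rebuilds.
 
 Debug info conflicts
 --------------------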
+1 -1
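--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -468,7 +468,7 @@
 
 config STACKPROTECTOR_PER_TASK
 def_bool y
-depends on !GCC_PLUGIN_RANDSTRUCT
+depends on !RANDSTRUCT
 depends on STACKPROTECTOR && CC_HAVE_STACKPROTECTOR_TLS
 
 config PHYS_RAM_BASE_FIXED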
+1 -1
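--- a/arch/x86/mm/pti.c
+++ b/arch/x86/mm/pti.c
@@ -540,7 +540,7 @@
 * cases where RANDSTRUCT is in use to help keep the layout a
 * secret.
 */
-if (IS_ENABLED(CONFIG_GCC_PLUGIN_RANDSTRUCT))
+if (IS_ENABLED(CONFIG_RANDSTRUCT))
 return false;
 
 return true;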
-8
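--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -66,14 +66,6 @@
 __builtin_unreachable(); \
 } while (0)
 
-#if defined(RANDSTRUCT_PLUGIN) && !defined(__CHECKER__)
-#define __randomize_layout __attribute__((randomize_layout))
-#define __no_randomize_layout __attribute__((no_randomize_layout))
-/* This anon struct can add padding, so only enable it under randstruct. */
-#define randomized_struct_fields_start struct {
-#define randomized_struct_fields_end } __randomize_layout;
-#endif
-
 /*
 * GCC 'asm goto' miscompiles certain code sequences:
 *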
+7 -7
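--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -242,15 +242,15 @@
 # define __latent_entropy
 #endif
 
-#ifndef __randomize_layout
+#if defined(RANDSTRUCT) && !defined(__CHECKER__)
+# define __randomize_layout __designated_init __attribute__((randomize_layout))
+# define __no_randomize_layout __attribute__((no_randomize_layout))
+/* This anon struct can add padding, so only enable it under randstruct. */
+# define randomized_struct_fields_start struct {
+# define randomized_struct_fields_end } __randomize_layout;
+#else
 # define __randomize_layout __designated_init
-#endif
-
-#ifndef __no_randomize_layout
 # define __no_randomize_layout
-#endif
-
-#ifndef randomized_struct_fields_start
 # define randomized_struct_fields_start
 # define randomized_struct_fields_end
 #endif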
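Review bot: The new `#if defined(RANDSTRUCT) && !defined(__CHECKER__)` test keys on a command-line define rather than on `CONFIG_RANDSTRUCT`, and nothing at the site says so. In this commit `-DRANDSTRUCT` comes only from the plugin cflags in scripts/Makefile.gcc-plugins, so any object compiled without those flags takes the `#else` branch and sees the unrandomized definitions, presumably by design. A short comment above the `#if` would stop a later reader from "correcting" it to the Kconfig symbol, for example `/* RANDSTRUCT is passed by the build (-DRANDSTRUCT), not Kconfig; objects built without it get the plain layout. */`. The old per-macro `#ifndef` fallbacks are also gone, so a compiler header that pre-defines any of these four macros would now hit a redefinition instead of being honoured.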
+4 -4
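--- a/include/linux/vermagic.h
+++ b/include/linux/vermagic.h
@@ -32,11 +32,11 @@
 #else
 #define MODULE_VERMAGIC_MODVERSIONS ""
 #endif
-#ifdef RANDSTRUCT_PLUGIN
+#ifdef RANDSTRUCT
 #include <generated/randomize_layout_hash.h>
-#define MODULE_RANDSTRUCT_PLUGIN "RANDSTRUCT_PLUGIN_" RANDSTRUCT_HASHED_SEED
+#define MODULE_RANDSTRUCT "RANDSTRUCT_" RANDSTRUCT_HASHED_SEED
 #else
-#define MODULE_RANDSTRUCT_PLUGIN
+#define MODULE_RANDSTRUCT
 #endif
 
 #define VERMAGIC_STRING \
@@ -44,6 +44,6 @@
 MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
 MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
 MODULE_ARCH_VERMAGIC \
-MODULE_RANDSTRUCT_PLUGIN
+MODULE_RANDSTRUCT
 
 #endif /* _LINUX_VERMAGIC_H */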
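Review bot: The string literal in the first hunk changes from `"RANDSTRUCT_PLUGIN_"` to `"RANDSTRUCT_"`, which is more than a macro rename because that literal is concatenated into `VERMAGIC_STRING`. A module built with the old prefix and the same seed would presumably stop matching the kernel's vermagic after this change, and the commit message does not mention it. Since this token is what ties a module to the layout seed, a comment above `MODULE_RANDSTRUCT` would record why it exists, for example `/* Hash of the randstruct seed; a module built with another seed gets a different vermagic. */`.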
+1 -1
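--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -48,7 +48,7 @@
 
 int panic_on_oops = CONFIG_PANIC_ON_OOPS_VALUE;
 static unsigned long tainted_mask =
-IS_ENABLED(CONFIG_GCC_PLUGIN_RANDSTRUCT) ? (1 << TAINT_RANDSTRUCT) : 0;
+IS_ENABLED(CONFIG_RANDSTRUCT) ? (1 << TAINT_RANDSTRUCT) : 0;
 static int pause_on_oops;
 static int pause_on_oops_flag;
 static DEFINE_SPINLOCK(pause_on_oops_lock);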
+2 -2
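--- a/scripts/Makefile.gcc-plugins
+++ b/scripts/Makefile.gcc-plugins
@@ -24,8 +24,8 @@
 
 gcc-plugin-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) += randomize_layout_plugin.so
 gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \
-+= -DRANDSTRUCT_PLUGIN
-gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE) \
++= -DRANDSTRUCT
+gcc-plugin-cflags-$(CONFIG_RANDSTRUCT_PERFORMANCE) \
 += -fplugin-arg-randomize_layout_plugin-performance-mode
 
 gcc-plugin-$(CONFIG_GCC_PLUGIN_STACKLEAK) += stackleak_plugin.so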
-38
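--- a/scripts/gcc-plugins/Kconfig
+++ b/scripts/gcc-plugins/Kconfig
@@ -46,44 +46,6 @@
 * https://grsecurity.net/
 * https://pax.grsecurity.net/
 
-config GCC_PLUGIN_RANDSTRUCT
-bool "Randomize layout of sensitive kernel structures"
-select MODVERSIONS if MODULES
-help
-If you say Y here, the layouts of structures that are entirely
-function pointers (and have not been manually annotated with
-__no_randomize_layout), or structures that have been explicitly
-marked with __randomize_layout, will be randomized at compile-time.
-This can introduce the requirement of an additional information
-exposure vulnerability for exploits targeting these structure
-types.
-
-Enabling this feature will introduce some performance impact,
-slightly increase memory usage, and prevent the use of forensic
-tools like Volatility against the system (unless the kernel
-source tree isn't cleaned after kernel installation).
-
-The seed used for compilation is located at
-scripts/gcc-plugins/randomize_layout_seed.h. It remains after
-a make clean to allow for external modules to be compiled with
-the existing seed and will be removed by a make mrproper or
-make distclean.
-
-This plugin was ported from grsecurity/PaX. More information at:
-* https://grsecurity.net/
-* https://pax.grsecurity.net/
-
-config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
-bool "Use cacheline-aware structure randomization"
-depends on GCC_PLUGIN_RANDSTRUCT
-depends on !COMPILE_TEST # do not reduce test coverage
-help
-If you say Y here, the RANDSTRUCT randomization will make a
-best effort at restricting randomization to cacheline-sized
-groups of elements. It will further not randomize bitfields
-in structures. This reduces the performance hit of RANDSTRUCT
-at the cost of weakened randomization.
-
 config GCC_PLUGIN_ARM_SSP_PER_TASK
 bool
 depends on GCC_PLUGINS && ARM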
+62
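--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -266,4 +266,66 @@
 
 endmenu
 
+choice
+prompt "Randomize layout of sensitive kernel structures"
+default RANDSTRUCT_FULL if COMPILE_TEST && GCC_PLUGINS
+default RANDSTRUCT_NONE
+help
+If you enable this, the layouts of structures that are entirely
+function pointers (and have not been manually annotated with
+__no_randomize_layout), or structures that have been explicitly
+marked with __randomize_layout, will be randomized at compile-time.
+This can introduce the requirement of an additional information
+exposure vulnerability for exploits targeting these structure
+types.
+
+Enabling this feature will introduce some performance impact,
+slightly increase memory usage, and prevent the use of forensic
+tools like Volatility against the system (unless the kernel
+source tree isn't cleaned after kernel installation).
+
+The seed used for compilation is located at
+scripts/randomize_layout_seed.h. It remains after a "make clean"
+to allow for external modules to be compiled with the existing
+seed and will be removed by a "make mrproper" or "make distclean".
+
+config RANDSTRUCT_NONE
+bool "Disable structure layout randomization"
+help
+Build normally: no structure layout randomization.
+
+config RANDSTRUCT_FULL
+bool "Fully randomize structure layout"
+depends on GCC_PLUGINS
+select MODVERSIONS if MODULES
+help
+Fully randomize the member layout of sensitive
+structures as much as possible, which may have both a
+memory size and performance impact.
+
+config RANDSTRUCT_PERFORMANCE
+bool "Limit randomization of structure layout to cache-lines"
+depends on GCC_PLUGINS
+select MODVERSIONS if MODULES
+help
+Randomization of sensitive kernel structures will make a
+best effort at restricting randomization to cacheline-sized
+groups of members. It will further not randomize bitfields
+in structures. This reduces the performance hit of RANDSTRUCT
+at the cost of weakened randomization.
+endchoice
+
+config RANDSTRUCT
+def_bool !RANDSTRUCT_NONE
+
+config GCC_PLUGIN_RANDSTRUCT
+def_bool GCC_PLUGINS && RANDSTRUCT
+help
+Use GCC plugin to randomize structure layout.
+
+This plugin was ported from grsecurity/PaX. More
+information at:
+* https://grsecurity.net/
+* https://pax.grsecurity.net/
+
 endmenu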
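Review bot: The choice help text gives the seed file as `scripts/randomize_layout_seed.h`, but the reproducible-builds.rst paragraph updated in this same commit still says `scripts/gcc-plugins/randomize_layout_seed.h`, and no hunk shown here moves the file, so one of the two paths is stale. The help also never states that the seed is the secret: it says the file survives `make clean` and hints that an uncleaned source tree undoes the layout hiding, but it does not tell the builder to keep the seed and build tree off the target and out of published artifacts. A sentence after the seed paragraph would cover it, for example `Anyone who has the seed, the same source and the same compiler can recompute the randomized layouts, so protect it like a key.`. Separately, the old `depends on !COMPILE_TEST` on the performance option was dropped; `default RANDSTRUCT_FULL if COMPILE_TEST && GCC_PLUGINS` only sets a default, so a randconfig build can still select `RANDSTRUCT_PERFORMANCE`.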