randstruct: Reorganize Kconfigs and attribute macros
In preparation for Clang supporting randstruct, reorganize the Kconfigs,
move the attribute macros, and generalize the feature to be named
CONFIG_RANDSTRUCT for on/off, CONFIG_RANDSTRUCT_FULL for the full
randomization mode, and CONFIG_RANDSTRUCT_PERFORMANCE for the cache-line
sized mode.

Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
kees committed May 8, 2022
1 parent d364658 commit 595b893
Showing 10 changed files with 81 additions and 66 deletions.
7 changes: 3 additions & 4 deletions Documentation/kbuild/reproducible-builds.rst
@@ -99,10 +99,9 @@ unreproducible parts can be treated as sources:
Structure randomisation
-----------------------

If you enable ``CONFIG_GCC_PLUGIN_RANDSTRUCT``, you will need to
pre-generate the random seed in
``scripts/gcc-plugins/randomize_layout_seed.h`` so the same value
is used in rebuilds.
If you enable ``CONFIG_RANDSTRUCT``, you will need to pre-generate
the random seed in ``scripts/gcc-plugins/randomize_layout_seed.h``
so the same value is used in rebuilds.

Debug info conflicts
--------------------
2 changes: 1 addition & 1 deletion arch/riscv/Kconfig
@@ -468,7 +468,7 @@ config CC_HAVE_STACKPROTECTOR_TLS

config STACKPROTECTOR_PER_TASK
def_bool y
depends on !GCC_PLUGIN_RANDSTRUCT
depends on !RANDSTRUCT
depends on STACKPROTECTOR && CC_HAVE_STACKPROTECTOR_TLS

config PHYS_RAM_BASE_FIXED
2 changes: 1 addition & 1 deletion arch/x86/mm/pti.c
@@ -540,7 +540,7 @@ static inline bool pti_kernel_image_global_ok(void)
* cases where RANDSTRUCT is in use to help keep the layout a
* secret.
*/
if (IS_ENABLED(CONFIG_GCC_PLUGIN_RANDSTRUCT))
if (IS_ENABLED(CONFIG_RANDSTRUCT))
return false;

return true;
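--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -66,14 +66,6 @@
 __builtin_unreachable(); \
 } while (0)
 
-#if defined(RANDSTRUCT_PLUGIN) && !defined(__CHECKER__)
-#define __randomize_layout __attribute__((randomize_layout))
-#define __no_randomize_layout __attribute__((no_randomize_layout))
-/* This anon struct can add padding, so only enable it under randstruct. */
-#define randomized_struct_fields_start struct {
-#define randomized_struct_fields_end } __randomize_layout;
-#endif
-
 /*
 * GCC 'asm goto' miscompiles certain code sequences:
 *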
14 changes: 7 additions & 7 deletions include/linux/compiler_types.h
@@ -242,15 +242,15 @@ struct ftrace_likely_data {
# define __latent_entropy
#endif

#ifndef __randomize_layout
#if defined(RANDSTRUCT) && !defined(__CHECKER__)
# define __randomize_layout __designated_init __attribute__((randomize_layout))
# define __no_randomize_layout __attribute__((no_randomize_layout))
/* This anon struct can add padding, so only enable it under randstruct. */
# define randomized_struct_fields_start struct {
# define randomized_struct_fields_end } __randomize_layout;
#else
# define __randomize_layout __designated_init
#endif

#ifndef __no_randomize_layout
# define __no_randomize_layout
#endif

#ifndef randomized_struct_fields_start
# define randomized_struct_fields_start
# define randomized_struct_fields_end
#endif
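Review bot: The new gate `#if defined(RANDSTRUCT) && !defined(__CHECKER__)` keys on a bare command-line macro, while the C files touched by this commit (arch/x86/mm/pti.c, kernel/panic.c) key on `IS_ENABLED(CONFIG_RANDSTRUCT)`, and nothing at the gate says where `RANDSTRUCT` comes from. On this page the only definition is `-DRANDSTRUCT` in scripts/Makefile.gcc-plugins, so an object built without those plugin cflags would presumably get the empty attribute macros while the kernel still sets TAINT_RANDSTRUCT and treats the layout as secret. I would add a comment above the `#if`, for example `/* RANDSTRUCT comes from the build flags (-DRANDSTRUCT in scripts/Makefile.gcc-plugins), not from Kconfig; it must track CONFIG_RANDSTRUCT. */`. The same applies to `#ifdef RANDSTRUCT` in include/linux/vermagic.h.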
8 changes: 4 additions & 4 deletions include/linux/vermagic.h
@@ -32,18 +32,18 @@
#else
#define MODULE_VERMAGIC_MODVERSIONS ""
#endif
#ifdef RANDSTRUCT_PLUGIN
#ifdef RANDSTRUCT
#include <generated/randomize_layout_hash.h>
#define MODULE_RANDSTRUCT_PLUGIN "RANDSTRUCT_PLUGIN_" RANDSTRUCT_HASHED_SEED
#define MODULE_RANDSTRUCT "RANDSTRUCT_" RANDSTRUCT_HASHED_SEED
#else
#define MODULE_RANDSTRUCT_PLUGIN
#define MODULE_RANDSTRUCT
#endif

#define VERMAGIC_STRING \
UTS_RELEASE " " \
MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
MODULE_ARCH_VERMAGIC \
MODULE_RANDSTRUCT_PLUGIN
MODULE_RANDSTRUCT

#endif /* _LINUX_VERMAGIC_H */
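Review bot: `MODULE_RANDSTRUCT` carries no comment although it is the vermagic component that keeps a module built with a different layout seed from being loaded. The rename also changes the tag from `RANDSTRUCT_PLUGIN_` to `RANDSTRUCT_`, so modules built before this commit will no longer match. That is the safe direction, but it deserves a line above the `#ifdef RANDSTRUCT`, e.g. `/* Hashed layout seed: a module built with another seed must fail the vermagic check instead of loading with mismatched struct layouts. */`. The include of `<generated/randomize_layout_hash.h>` now hangs off the generic macro, and the page does not show what generates that header outside the GCC plugin build, so that is worth confirming before a second compiler defines `RANDSTRUCT`.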
2 changes: 1 addition & 1 deletion kernel/panic.c
@@ -48,7 +48,7 @@ unsigned int __read_mostly sysctl_oops_all_cpu_backtrace;

int panic_on_oops = CONFIG_PANIC_ON_OOPS_VALUE;
static unsigned long tainted_mask =
IS_ENABLED(CONFIG_GCC_PLUGIN_RANDSTRUCT) ? (1 << TAINT_RANDSTRUCT) : 0;
IS_ENABLED(CONFIG_RANDSTRUCT) ? (1 << TAINT_RANDSTRUCT) : 0;
static int pause_on_oops;
static int pause_on_oops_flag;
static DEFINE_SPINLOCK(pause_on_oops_lock);
4 changes: 2 additions & 2 deletions scripts/Makefile.gcc-plugins
@@ -24,8 +24,8 @@ gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_STRUCTLEAK) \

gcc-plugin-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) += randomize_layout_plugin.so
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT) \
+= -DRANDSTRUCT_PLUGIN
gcc-plugin-cflags-$(CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE) \
+= -DRANDSTRUCT
gcc-plugin-cflags-$(CONFIG_RANDSTRUCT_PERFORMANCE) \
+= -fplugin-arg-randomize_layout_plugin-performance-mode

gcc-plugin-$(CONFIG_GCC_PLUGIN_STACKLEAK) += stackleak_plugin.so
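--- a/scripts/gcc-plugins/Kconfig
+++ b/scripts/gcc-plugins/Kconfig
@@ -46,44 +46,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
 * https://grsecurity.net/
 * https://pax.grsecurity.net/
 
-config GCC_PLUGIN_RANDSTRUCT
-bool "Randomize layout of sensitive kernel structures"
-select MODVERSIONS if MODULES
-help
-If you say Y here, the layouts of structures that are entirely
-function pointers (and have not been manually annotated with
-__no_randomize_layout), or structures that have been explicitly
-marked with __randomize_layout, will be randomized at compile-time.
-This can introduce the requirement of an additional information
-exposure vulnerability for exploits targeting these structure
-types.
-
-Enabling this feature will introduce some performance impact,
-slightly increase memory usage, and prevent the use of forensic
-tools like Volatility against the system (unless the kernel
-source tree isn't cleaned after kernel installation).
-
-The seed used for compilation is located at
-scripts/gcc-plugins/randomize_layout_seed.h. It remains after
-a make clean to allow for external modules to be compiled with
-the existing seed and will be removed by a make mrproper or
-make distclean.
-
-This plugin was ported from grsecurity/PaX. More information at:
-* https://grsecurity.net/
-* https://pax.grsecurity.net/
-
-config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
-bool "Use cacheline-aware structure randomization"
-depends on GCC_PLUGIN_RANDSTRUCT
-depends on !COMPILE_TEST # do not reduce test coverage
-help
-If you say Y here, the RANDSTRUCT randomization will make a
-best effort at restricting randomization to cacheline-sized
-groups of elements. It will further not randomize bitfields
-in structures. This reduces the performance hit of RANDSTRUCT
-at the cost of weakened randomization.
-
 config GCC_PLUGIN_ARM_SSP_PER_TASK
 bool
 depends on GCC_PLUGINS && ARM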
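--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -266,4 +266,66 @@ config ZERO_CALL_USED_REGS
 
 endmenu
 
+choice
+prompt "Randomize layout of sensitive kernel structures"
+default RANDSTRUCT_FULL if COMPILE_TEST && GCC_PLUGINS
+default RANDSTRUCT_NONE
+help
+If you enable this, the layouts of structures that are entirely
+function pointers (and have not been manually annotated with
+__no_randomize_layout), or structures that have been explicitly
+marked with __randomize_layout, will be randomized at compile-time.
+This can introduce the requirement of an additional information
+exposure vulnerability for exploits targeting these structure
+types.
+
+Enabling this feature will introduce some performance impact,
+slightly increase memory usage, and prevent the use of forensic
+tools like Volatility against the system (unless the kernel
+source tree isn't cleaned after kernel installation).
+
+The seed used for compilation is located at
+scripts/randomize_layout_seed.h. It remains after a "make clean"
+to allow for external modules to be compiled with the existing
+seed and will be removed by a "make mrproper" or "make distclean".
+
+config RANDSTRUCT_NONE
+bool "Disable structure layout randomization"
+help
+Build normally: no structure layout randomization.
+
+config RANDSTRUCT_FULL
+bool "Fully randomize structure layout"
+depends on GCC_PLUGINS
+select MODVERSIONS if MODULES
+help
+Fully randomize the member layout of sensitive
+structures as much as possible, which may have both a
+memory size and performance impact.
+
+config RANDSTRUCT_PERFORMANCE
+bool "Limit randomization of structure layout to cache-lines"
+depends on GCC_PLUGINS
+select MODVERSIONS if MODULES
+help
+Randomization of sensitive kernel structures will make a
+best effort at restricting randomization to cacheline-sized
+groups of members. It will further not randomize bitfields
+in structures. This reduces the performance hit of RANDSTRUCT
+at the cost of weakened randomization.
+endchoice
+
+config RANDSTRUCT
+def_bool !RANDSTRUCT_NONE
+
+config GCC_PLUGIN_RANDSTRUCT
+def_bool GCC_PLUGINS && RANDSTRUCT
+help
+Use GCC plugin to randomize structure layout.
+
+This plugin was ported from grsecurity/PaX. More
+information at:
+* https://grsecurity.net/
+* https://pax.grsecurity.net/
+
 endmenu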
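Review bot: The choice help text says the seed is at `scripts/randomize_layout_seed.h`, but the Documentation/kbuild/reproducible-builds.rst section of this same commit still points to `scripts/gcc-plugins/randomize_layout_seed.h`, and none of the sections shown moves the file. Anyone pre-generating the seed for a reproducible build or for external modules, or checking that the seed was not left behind on an installed system, is sent to two different paths. Unless the move happens outside what this page shows, the help should keep `scripts/gcc-plugins/randomize_layout_seed.h` here, and both texts should change together when the file actually moves.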
