| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250507181615.1947159-7-kees@kernel.org> Date: Wed, 7 May 2025 11:16:13 -0700 From: Kees Cook <kees@...nel.org> To: Arnd Bergmann <arnd@...db.de> Cc: Kees Cook <kees@...nel.org>, "Gustavo A. R. Silva" <gustavoars@...nel.org>, linux-hardening@...r.kernel.org, Christoph Hellwig <hch@....de>, Marco Elver <elver@...gle.com>, Andrey Konovalov <andreyknvl@...il.com>, Andrey Ryabinin <ryabinin.a.a@...il.com>, Ard Biesheuvel <ardb@...nel.org>, Masahiro Yamada <masahiroy@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Nicolas Schier <nicolas.schier@...ux.dev>, Nick Desaulniers <nick.desaulniers+lkml@...il.com>, Bill Wendling <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com>, linux-kernel@...r.kernel.org, x86@...nel.org, kasan-dev@...glegroups.com, linux-doc@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, kvmarm@...ts.linux.dev, linux-riscv@...ts.infradead.org, linux-s390@...r.kernel.org, linux-efi@...r.kernel.org, linux-kbuild@...r.kernel.org, linux-security-module@...r.kernel.org, linux-kselftest@...r.kernel.org, sparclinux@...r.kernel.org, llvm@...ts.linux.dev Subject: [PATCH 7/8] configs/hardening: Enable CONFIG_STACKLEAK Since we can wipe the stack with both Clang and GCC plugins, enable this for the "hardening.config" for wider testing. Signed-off-by: Kees Cook <kees@...nel.org> --- Cc: "Gustavo A. R. Silva" <gustavoars@...nel.org> Cc: <linux-hardening@...r.kernel.org> --- kernel/configs/hardening.config | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config index dd7c32fb5ac1..3da00926b4eb 100644 --- a/kernel/configs/hardening.config +++ b/kernel/configs/hardening.config @@ -63,6 +63,9 @@ CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # Initialize all stack variables to zero on function entry. CONFIG_INIT_STACK_ALL_ZERO=y +# Wipe kernel stack after syscall completion to reduce stale data lifetime. +CONFIG_STACKLEAK=y + # Wipe RAM at reboot via EFI. For more details, see: # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/ # https://bugzilla.redhat.com/show_bug.cgi?id=1532058 -- 2.34.1
Powered by blists - more mailing lists