Lines Matching +full:level +full:- +full:sensitive
1 # SPDX-License-Identifier: GPL-2.0-only
12 flaws, this plugin is available to identify and zero-initialize
13 such variables, depending on the chosen level of coverage.
23 def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
26 def_bool $(cc-option,-ftrivial-auto-var-init=zero)
29 # Clang 16 and later warn about using the -enable flag, but it
31 …def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-wi…
51 This chooses the level of coverage over classes of potentially
64 bool "zero-init structs marked for userspace (weak)"
69 Zero-initialize any structures on the stack containing
72 exposures, like CVE-2013-2141:
76 bool "zero-init structs passed by reference (strong)"
82 Zero-initialize any structures on the stack that may
86 exposures, like CVE-2017-1000410:
89 As a side-effect, this keeps a lot of variables on the
95 bool "zero-init everything passed by reference (very strong)"
101 Zero-initialize any stack variables that may be passed
107 As a side-effect, this keeps a lot of variables on the
113 bool "pattern-init everything (strongest)"
125 non-NULL values, buffer sizes and indices are very big. The
126 pattern is situation-specific; Clang on 64-bit uses 0xAA
128 which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF
132 bool "zero-init everything (strongest and safest)"
143 (immediately NUL-terminated), pointers (NULL), indices
168 the lifetime of any sensitive stack contents and reduces
255 touching "cold" memory areas. Most cases see 3-5% impact. Some
259 def_bool $(cc-option,-fzero-call-used-regs=used-gpr)
261 # https://github.com/llvm/llvm-project/issues/59242
268 At the end of functions, always zero any caller-used register
274 generated "write-what-where" gadgets) in the resulting kernel
287 Minimal integrity checking in the linked-list manipulation routines
306 def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null)
308 # Clang 16 due to https://github.com/llvm/llvm-project/issues/60349
312 prompt "Randomize layout of sensitive kernel structures"
319 marked with __randomize_layout, will be randomized at compile-time.
345 Fully randomize the member layout of sensitive
357 bool "Limit randomization of structure layout to cache-lines"
361 Randomization of sensitive kernel structures will make a
362 best effort at restricting randomization to cacheline-sized