linux-yocto: Add toolchain based hardening options

Document and add gcc plugin based hardening options Signed-off-by: Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>

linux-yocto: Add toolchain based hardening options
Document and add gcc plugin based hardening options Signed-off-by: Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
9e0f899f · Bernhard Rosenkränzer · 2bd23b22 · 9e0f899f · 9e0f899f
Commit 9e0f899f authored 3 years ago by Bernhard Rosenkränzer
--- a/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc
+++ b/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc
@@ -14,6 +14,7 @@ SRC_URI += "file://hardening_dmesg.cfg"
 SRC_URI += "file://hardening_fortify_source.cfg"
 SRC_URI += "file://hardening_memory.cfg"
 # SRC_URI += "file://hardening_oops.cfg"
+SRC_URI += "file://hardening_toolchain.cfg"
 SRC_URI += "file://hardening_usercopy.cfg"
 SRC_URI += "file://hardening_validation_checks.cfg"


--- a/meta-ohos-core/recipes-kernel/linux/linux/hardening_toolchain.cfg
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_toolchain.cfg
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Hardening through toolchain features
+
+CONFIG_GCC_PLUGINS=y
+
+# More of a demo of how to write compiler plugins, not useful in production
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+
+# Generate additional entropy during boot and runtime
+CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
+
+# Randomize struct layout - this should be enabled in paranoid
+# mode, but severely impacts performance
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+
+# Randomize struct layout limited to cacheline sized groups of elements
+# This is like a compromise between GCC_PLUGIN_RANDSTRUCT and
+# maximum performance.
+CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
+
+# Adds a __sanitizer_cov_trace_pc() call to all basic blocks. This can
+# be useful during development, but shouldn't be in a product.
+# CONFIG_GCC_PLUGIN_SANCOV is not set
+
+# Erase the kernel stack before returning from system calls
+# Comes with a 1% slowdown in many situations; might be worse
+# (and worth disabling) in some use cases.
+CONFIG_GCC_PLUGIN_STACKLEAK=y
+
+# Zero-initialize structures - enables STRUCTLEAK options below
+CONFIG_GCC_PLUGIN_STRUCTLEAK=y
+
+# Zero-initialize structures that may be passed by reference
+# This should be enabled in paranoid mode, but has a significant
+# impact on performance and memory use since variables that could
+# otherwise be optimized out will remain on the stack.
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+
+# Zero-initialize structures with __user attribute
+# Introduces a small slowdown from initializing twice in many
+# cases, but can prevent some information exposures as long
+# as there are uninitialized structs in the kernel.
+CONFIG_GCC_PLUGIN_STRUCTLEAK_USER=y
+
+# More verbose output in build logs - not very useful here
+# because people are unlikely to read kernel build logs from
+# a build inside bitbake
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
+
+# Per-task stack smashing protection on ARM
+CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK=y