| menu "Kernel hardening options" |
| |
| menu "Memory initialization" |
| |
| choice |
| prompt "Initialize kernel stack variables at function entry" |
| default INIT_STACK_NONE |
| help |
| This option enables initialization of stack variables at |
| function entry time. This has the possibility to have the |
| greatest coverage (since all functions can have their |
| variables initialized), but the performance impact depends |
| on the function calling complexity of a given workload's |
| syscalls. |
| |
| This chooses the level of coverage over classes of potentially |
| uninitialized variables. The selected class will be |
| initialized before use in a function. |
| |
| config INIT_STACK_NONE |
| bool "no automatic initialization (weakest)" |
| help |
| Disable automatic stack variable initialization. |
| This leaves the kernel vulnerable to the standard |
| classes of uninitialized stack variable exploits |
| and information exposures. |
| |
| config INIT_STACK_ALL |
| bool "0xAA-init everything on the stack (strongest)" |
| help |
| Initializes everything on the stack with a 0xAA |
| pattern. This is intended to eliminate all classes |
| of uninitialized stack variable exploits and information |
| exposures, even variables that were warned to have been |
| left uninitialized. |
| |
| endchoice |
| |
| endmenu |
| |
| endmenu |