kernel: Enable GCC_PLUGIN_RANDSTRUCT on kernels supporting it

On 4.13 and 4.14 kernels GCC_PLUGIN_RANDSTRUCT can be use to randomise some kernel data structures such as structs with function pointers. We also select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE which tries harder to restrict randomisation to cache-lines in order to reduce performance impact. Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2025-10-31 06:39:19 +00:00 · 2017-11-20 15:10:02 +00:00
parent 8d16426644
commit 66342d0646
4 changed files with 12 additions and 8 deletions
--- a/kernel/config-4.13.x-aarch64
+++ b/kernel/config-4.13.x-aarch64
@@ -255,7 +255,8 @@ CONFIG_GCC_PLUGINS=y
 # CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
-# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_HAVE_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_NONE is not set
@@ -298,7 +299,7 @@ CONFIG_MODULES=y
 # CONFIG_MODULE_FORCE_LOAD is not set
 CONFIG_MODULE_UNLOAD=y
 # CONFIG_MODULE_FORCE_UNLOAD is not set
-# CONFIG_MODVERSIONS is not set
+CONFIG_MODVERSIONS=y
 # CONFIG_MODULE_SRCVERSION_ALL is not set
 # CONFIG_MODULE_SIG is not set
 # CONFIG_MODULE_COMPRESS is not set
--- a/kernel/config-4.13.x-x86_64
+++ b/kernel/config-4.13.x-x86_64
@@ -299,7 +299,8 @@ CONFIG_GCC_PLUGINS=y
 # CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
-# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_HAVE_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_NONE is not set
@@ -353,7 +354,7 @@ CONFIG_MODULES=y
 # CONFIG_MODULE_FORCE_LOAD is not set
 CONFIG_MODULE_UNLOAD=y
 # CONFIG_MODULE_FORCE_UNLOAD is not set
-# CONFIG_MODVERSIONS is not set
+CONFIG_MODVERSIONS=y
 # CONFIG_MODULE_SRCVERSION_ALL is not set
 # CONFIG_MODULE_SIG is not set
 # CONFIG_MODULE_COMPRESS is not set
--- a/kernel/config-4.14.x-aarch64
+++ b/kernel/config-4.14.x-aarch64
@@ -259,7 +259,8 @@ CONFIG_GCC_PLUGINS=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
-# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_HAVE_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_NONE is not set
@@ -303,7 +304,7 @@ CONFIG_MODULES=y
 # CONFIG_MODULE_FORCE_LOAD is not set
 CONFIG_MODULE_UNLOAD=y
 # CONFIG_MODULE_FORCE_UNLOAD is not set
-# CONFIG_MODVERSIONS is not set
+CONFIG_MODVERSIONS=y
 # CONFIG_MODULE_SRCVERSION_ALL is not set
 # CONFIG_MODULE_SIG is not set
 # CONFIG_MODULE_COMPRESS is not set
--- a/kernel/config-4.14.x-x86_64
+++ b/kernel/config-4.14.x-x86_64
@@ -302,7 +302,8 @@ CONFIG_GCC_PLUGINS=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
-# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_HAVE_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_NONE is not set
@@ -357,7 +358,7 @@ CONFIG_MODULES=y
 # CONFIG_MODULE_FORCE_LOAD is not set
 CONFIG_MODULE_UNLOAD=y
 # CONFIG_MODULE_FORCE_UNLOAD is not set
-# CONFIG_MODVERSIONS is not set
+CONFIG_MODVERSIONS=y
 # CONFIG_MODULE_SRCVERSION_ALL is not set
 # CONFIG_MODULE_SIG is not set
 # CONFIG_MODULE_COMPRESS is not set