From ae1f2dd6afc522b227c484f031054f45c34ab236 Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Wed, 2 Jan 2019 21:40:42 +0000
Subject: [PATCH] kernel/x86_64,arm64: Enable STACKLEAK GCC plugin
Enable the STACKLEAK GCC plugin which erases the kernel stack before returning from system calls. This security options has a reported performance hit of around 1% which seem like a reasonable amount. For more details see: https://outflux.net/blog/archives/2018/12/24/security-things-in-linux-v4-20/
Signed-off-by: Rolf Neugebauer
---
 kernel/config-4.20.x-aarch64 | 5 ++++-
 kernel/config-4.20.x-x86_64 | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/kernel/config-4.20.x-aarch64 b/kernel/config-4.20.x-aarch64
index 50e7db4d3..1cdf88cde 100644
--- a/kernel/config-4.20.x-aarch64
+++ b/kernel/config-4.20.x-aarch64
@@ -692,7 +692,10 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-# CONFIG_GCC_PLUGIN_STACKLEAK is not set
+CONFIG_GCC_PLUGIN_STACKLEAK=y
+CONFIG_STACKLEAK_TRACK_MIN_SIZE=100
+# CONFIG_STACKLEAK_METRICS is not set
+# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 CONFIG_RT_MUTEXES=y
 CONFIG_BASE_SMALL=0
 CONFIG_MODULES=y
diff --git a/kernel/config-4.20.x-x86_64 b/kernel/config-4.20.x-x86_64
index 95c593e16..99fe500b1 100644
--- a/kernel/config-4.20.x-x86_64
+++ b/kernel/config-4.20.x-x86_64
@@ -773,7 +773,10 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-# CONFIG_GCC_PLUGIN_STACKLEAK is not set
+CONFIG_GCC_PLUGIN_STACKLEAK=y
+CONFIG_STACKLEAK_TRACK_MIN_SIZE=100
+# CONFIG_STACKLEAK_METRICS is not set
+# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 CONFIG_RT_MUTEXES=y
 CONFIG_BASE_SMALL=0
 CONFIG_MODULES=y
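Review bot: The three lines added below `CONFIG_GCC_PLUGIN_STACKLEAK=y` in the aarch64 hunk — `CONFIG_STACKLEAK_TRACK_MIN_SIZE=100`, `# CONFIG_STACKLEAK_METRICS is not set`, `# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set` — are not explained by the commit message, which only mentions the plugin itself and its cost; the x86_64 hunk makes the identical change. Leaving `CONFIG_STACKLEAK_RUNTIME_DISABLE` unset is the hardening-relevant choice, since with that option enabled the stack erasing can be switched off at runtime via the `stack_erasing` sysctl, and a sentence in the description would make the intent explicit, e.g. `Runtime disabling (STACKLEAK_RUNTIME_DISABLE) and metrics are deliberately left off; TRACK_MIN_SIZE is kept at the kernel default of 100.` The plugin also depends on the build toolchain having GCC plugin support; the surrounding `CONFIG_GCC_PLUGIN_STRUCTLEAK_*` and `CONFIG_GCC_PLUGIN_RANDSTRUCT` lines suggest both builds already have it, but confirming that for the arm64 cross-compiler before merging would avoid a silently unhardened kernel.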