kernel/x86_64,arm64: Enable STACKLEAK GCC plugin

Enable the STACKLEAK GCC plugin which erases the kernel stack before returning from system calls. This security options has a reported performance hit of around 1% which seem like a reasonable amount. For more details see: https://outflux.net/blog/archives/2018/12/24/security-things-in-linux-v4-20/ Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2025-07-19 09:16:29 +00:00 · 2019-01-02 21:40:42 +00:00 · 2019-01-02 21:40:42 +00:00 · ae1f2dd6af
commit ae1f2dd6af
parent ce3dc79509
2 changed files with 8 additions and 2 deletions
--- a/kernel/config-4.20.x-aarch64
+++ b/kernel/config-4.20.x-aarch64
@ -692,7 +692,10 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-# CONFIG_GCC_PLUGIN_STACKLEAK is not set
+CONFIG_GCC_PLUGIN_STACKLEAK=y
+CONFIG_STACKLEAK_TRACK_MIN_SIZE=100
+# CONFIG_STACKLEAK_METRICS is not set
+# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 CONFIG_RT_MUTEXES=y
 CONFIG_BASE_SMALL=0
 CONFIG_MODULES=y
--- a/kernel/config-4.20.x-x86_64
+++ b/kernel/config-4.20.x-x86_64
@ -773,7 +773,10 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-# CONFIG_GCC_PLUGIN_STACKLEAK is not set
+CONFIG_GCC_PLUGIN_STACKLEAK=y
+CONFIG_STACKLEAK_TRACK_MIN_SIZE=100
+# CONFIG_STACKLEAK_METRICS is not set
+# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 CONFIG_RT_MUTEXES=y
 CONFIG_BASE_SMALL=0
 CONFIG_MODULES=y