1

randstruct: Enable Clang support

Clang 15 will support randstruct via the -frandomize-layout-seed-file=...
option. Update the Kconfig and Makefile to recognize this feature.

Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: linux-kbuild@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220503205503.3054173-7-keescook@chromium.org
This commit is contained in:
Kees Cook 2022-05-03 13:55:03 -07:00
parent be2b34fa9b
commit 035f7f87b7
2 changed files with 15 additions and 2 deletions

View File

@ -7,6 +7,9 @@ randstruct-cflags-y \
+= -fplugin=$(objtree)/scripts/gcc-plugins/randomize_layout_plugin.so
randstruct-cflags-$(CONFIG_RANDSTRUCT_PERFORMANCE) \
+= -fplugin-arg-randomize_layout_plugin-performance-mode
else
randstruct-cflags-y \
+= -frandomize-layout-seed-file=$(objtree)/scripts/basic/randstruct.seed
endif
export RANDSTRUCT_CFLAGS := $(randstruct-cflags-y)

View File

@ -266,9 +266,12 @@ config ZERO_CALL_USED_REGS
endmenu
config CC_HAS_RANDSTRUCT
def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null)
choice
prompt "Randomize layout of sensitive kernel structures"
default RANDSTRUCT_FULL if COMPILE_TEST && GCC_PLUGINS
default RANDSTRUCT_FULL if COMPILE_TEST && (GCC_PLUGINS || CC_HAS_RANDSTRUCT)
default RANDSTRUCT_NONE
help
If you enable this, the layouts of structures that are entirely
@ -297,13 +300,20 @@ choice
config RANDSTRUCT_FULL
bool "Fully randomize structure layout"
depends on GCC_PLUGINS
depends on CC_HAS_RANDSTRUCT || GCC_PLUGINS
select MODVERSIONS if MODULES
help
Fully randomize the member layout of sensitive
structures as much as possible, which may have both a
memory size and performance impact.
One difference between the Clang and GCC plugin
implementations is the handling of bitfields. The GCC
plugin treats them as fully separate variables,
introducing sometimes significant padding. Clang tries
to keep adjacent bitfields together, but with their bit
ordering randomized.
config RANDSTRUCT_PERFORMANCE
bool "Limit randomization of structure layout to cache-lines"
depends on GCC_PLUGINS