powerpc/mm: Mark __init memory no-execute when STRICT_KERNEL_RWX=y

[linux-2.6-microblaze.git] / arch / Kconfig

diff --git a/arch/Kconfig b/arch/Kconfig
index f76b214..cae0958 100644 (file)
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -425,7 +425,7 @@ config GCC_PLUGIN_STRUCTLEAK
        bool "Force initialization of variables containing userspace addresses"
        depends on GCC_PLUGINS
        help
-         This plugin zero-initializes any structures that containing a
+         This plugin zero-initializes any structures containing a
          __user attribute. This can prevent some classes of information
          exposures.
 
@@ -443,6 +443,45 @@ config GCC_PLUGIN_STRUCTLEAK_VERBOSE
          initialized. Since not all existing initializers are detected
          by the plugin, this can produce false positive warnings.
 
+config GCC_PLUGIN_RANDSTRUCT
+       bool "Randomize layout of sensitive kernel structures"
+       depends on GCC_PLUGINS
+       select MODVERSIONS if MODULES
+       help
+         If you say Y here, the layouts of structures explicitly
+         marked by __randomize_layout will be randomized at
+         compile-time.  This can introduce the requirement of an
+         additional information exposure vulnerability for exploits
+         targeting these structure types.
+
+         Enabling this feature will introduce some performance impact,
+         slightly increase memory usage, and prevent the use of forensic
+         tools like Volatility against the system (unless the kernel
+         source tree isn't cleaned after kernel installation).
+
+         The seed used for compilation is located at
+         scripts/gcc-plgins/randomize_layout_seed.h.  It remains after
+         a make clean to allow for external modules to be compiled with
+         the existing seed and will be removed by a make mrproper or
+         make distclean.
+
+         Note that the implementation requires gcc 4.7 or newer.
+
+         This plugin was ported from grsecurity/PaX. More information at:
+          * https://grsecurity.net/
+          * https://pax.grsecurity.net/
+
+config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
+       bool "Use cacheline-aware structure randomization"
+       depends on GCC_PLUGIN_RANDSTRUCT
+       depends on !COMPILE_TEST
+       help
+         If you say Y here, the RANDSTRUCT randomization will make a
+         best effort at restricting randomization to cacheline-sized
+         groups of elements.  It will further not randomize bitfields
+         in structures.  This reduces the performance hit of RANDSTRUCT
+         at the cost of weakened randomization.
+
 config HAVE_CC_STACKPROTECTOR
        bool
        help
@@ -511,7 +550,7 @@ config CC_STACKPROTECTOR_STRONG
 endchoice
 
 config THIN_ARCHIVES
-       bool
+       def_bool y
        help
          Select this if the architecture wants to use thin archives
          instead of ld -r to create the built-in.o files.