X-Git-Url: http://git.openwrt.org/?a=blobdiff_plain;f=config%2FConfig-kernel.in;h=e993dc0d8cc764bae63ba5025f3b72c9c563dc71;hb=786cbf0fa4212baaa88dad9602d6467061333dc7;hp=8a78e297cbef0ecb442befc44c0eaa8fc8a53922;hpb=412dc26c99beeeeace3e56321fc392e590f4144d;p=openwrt%2Fstaging%2Fjow.git diff --git a/config/Config-kernel.in b/config/Config-kernel.in index 8a78e297cb..e993dc0d8c 100644 --- a/config/Config-kernel.in +++ b/config/Config-kernel.in @@ -1,8 +1,6 @@ -# Copyright (C) 2006-2014 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. +# SPDX-License-Identifier: GPL-2.0-only # +# Copyright (C) 2006-2014 OpenWrt.org config KERNEL_BUILD_USER string "Custom Kernel Build User Name" @@ -116,6 +114,16 @@ config KERNEL_UBSAN_ALIGNMENT Enabling this option on architectures that support unaligned accesses may produce a lot of false positives. +config KERNEL_UBSAN_BOUNDS + bool "Perform array index bounds checking" + depends on KERNEL_UBSAN + help + This option enables detection of directly indexed out of bounds array + accesses, where the array size is known at compile time. Note that + this does not protect array overflows via bad calls to the + {str,mem}*cpy() family of functions (that is addressed by + FORTIFY_SOURCE). + config KERNEL_UBSAN_NULL bool "Enable checking of null pointers" depends on KERNEL_UBSAN @@ -123,6 +131,19 @@ config KERNEL_UBSAN_NULL This option enables detection of memory accesses via a null pointer. +config KERNEL_UBSAN_TRAP + bool "On Sanitizer warnings, abort the running kernel code" + depends on KERNEL_UBSAN + help + Building kernels with Sanitizer features enabled tends to grow the + kernel size by around 5%, due to adding all the debugging text on + failure paths. To avoid this, Sanitizer instrumentation can just + issue a trap. This reduces the kernel size overhead but turns all + warnings (including potentially harmless conditions) into full + exceptions that abort the running kernel code (regardless of context, + locks held, etc), which may destabilize the system. For some system + builders this is an acceptable trade-off. + config KERNEL_KASAN bool "Compile the kernel with KASan: runtime memory debugger" select KERNEL_SLUB_DEBUG @@ -149,6 +170,30 @@ config KERNEL_KASAN_EXTRA compile time. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 has more +config KERNEL_KASAN_VMALLOC + bool "Back mappings in vmalloc space with real shadow memory" + depends on KERNEL_KASAN + help + By default, the shadow region for vmalloc space is the read-only + zero page. This means that KASAN cannot detect errors involving + vmalloc space. + + Enabling this option will hook in to vmap/vmalloc and back those + mappings with real shadow memory allocated on demand. This allows + for KASAN to detect more sorts of errors (and to support vmapped + stacks), but at the cost of higher memory usage. + + This option depends on HAVE_ARCH_KASAN_VMALLOC, but we can't + depend on that in here, so it is possible that enabling this + will have no effect. + +if KERNEL_KASAN + config KERNEL_KASAN_GENERIC + def_bool y + + config KERNEL_KASAN_SW_TAGS + def_bool n +endif choice prompt "Instrumentation type" @@ -365,10 +410,6 @@ config KERNEL_KPROBES instrumentation and testing. If in doubt, say "N". -config KERNEL_KPROBE_EVENT - bool - default y if KERNEL_KPROBES - config KERNEL_KPROBE_EVENTS bool default y if KERNEL_KPROBES @@ -442,34 +483,22 @@ config KERNEL_PROVE_LOCKING select KERNEL_DEBUG_KERNEL default n -config KERNEL_LOCKUP_DETECTOR - bool "Compile the kernel with detect Hard and Soft Lockups" +config KERNEL_SOFTLOCKUP_DETECTOR + bool "Compile the kernel with detect Soft Lockups" depends on KERNEL_DEBUG_KERNEL help Say Y here to enable the kernel to act as a watchdog to detect - hard and soft lockups. + soft lockups. Softlockups are bugs that cause the kernel to loop in kernel mode for more than 20 seconds, without giving other tasks a chance to run. The current stack trace is displayed upon detection and the system will stay locked up. - Hardlockups are bugs that cause the CPU to loop in kernel mode - for more than 10 seconds, without letting other interrupts have a - chance to run. The current stack trace is displayed upon detection - and the system will stay locked up. - - The overhead should be minimal. A periodic hrtimer runs to - generate interrupts and kick the watchdog task every 4 seconds. - An NMI is generated every 10 seconds or so to check for hardlockups. - - The frequency of hrtimer and NMI events and the soft and hard lockup - thresholds can be controlled through the sysctl watchdog_thresh. - config KERNEL_DETECT_HUNG_TASK bool "Compile the kernel with detect Hung Tasks" depends on KERNEL_DEBUG_KERNEL - default KERNEL_LOCKUP_DETECTOR + default KERNEL_SOFTLOCKUP_DETECTOR help Say Y here to enable the kernel to detect "hung tasks", which are bugs that cause the task to be stuck in @@ -1130,7 +1159,7 @@ config KERNEL_SQUASHFS_XATTR bool "Squashfs XATTR support" # -# compile optimiziation setting +# compile optimization setting # choice prompt "Compiler optimization level" @@ -1180,6 +1209,16 @@ config KERNEL_SECURITY_SELINUX_DEVELOP depends on KERNEL_SECURITY_SELINUX default y +config KERNEL_SECURITY_SELINUX_SIDTAB_HASH_BITS + int + depends on KERNEL_SECURITY_SELINUX + default 9 + +config KERNEL_SECURITY_SELINUX_SID2STR_CACHE_SIZE + int + depends on KERNEL_SECURITY_SELINUX + default 256 + config KERNEL_LSM string default "lockdown,yama,loadpin,safesetid,integrity,selinux"