On 06/25/2018 08:08 AM, Chris von Recklinghausen wrote:
> Enabling HARDENED_USER_COPY causes measurable regressions in the
> networking performances, up to 8% under UDP flood.
>
> A generic distro may want to enable HARDENED_USER_COPY in their default
> kernel config, but at the same time, such distro may want to be able to
> avoid the performance penalties in with the default configuration and
> enable the stricter check on a per-boot basis.
>
> This change adds a config variable and a boot parameter to conditionally
> enable HARDENED_USER_COPY at boot time, and switch HUC to off if
> HUC_DEFAULT_OFF is set.
>
> Signed-off-by: Chris von Recklinghausen <creck...@redhat.com>
> ---
> .../admin-guide/kernel-parameters.rst | 2 ++
> .../admin-guide/kernel-parameters.txt | 3 ++
> include/linux/thread_info.h | 7 +++++
> mm/usercopy.c | 28 +++++++++++++++++++
> security/Kconfig | 10 +++++++
> 5 files changed, 50 insertions(+)
>
Hi,
> diff --git a/security/Kconfig b/security/Kconfig
> index c4302067a3ad..a6173897b85c 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -189,6 +189,16 @@ config HARDENED_USERCOPY_PAGESPAN
> been removed. This config is intended to be used only while
> trying to find such users.
>
> +config HUC_DEFAULT_OFF
> + bool "allow CONFIG_HARDENED_USERCOPY to be configured but disabled"
> + depends on HARDENED_USERCOPY
> + help
> + When CONFIG_HARDENED_USERCOPY is enabled, disable its
> + functionality unless it is enabled via at boot time
it is enabled at boot time
> + via the "enable_hardened_usercopy" boot parameter. This allows
> + the functionality of hardened usercopy to be present but not
> + impact performance unless it is needed.
> +
> config FORTIFY_SOURCE
> bool "Harden common str/mem functions against buffer overflows"
> depends on ARCH_HAS_FORTIFY_SOURCE
>
--
~Randy
