FS#72597 - [linux] use CONFIG_ZERO_CALL_USED_REGS

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Sunday, 31 October 2021, 22:00 GMT
Last edited by Andreas Radke (AndyRTR) - Monday, 07 February 2022, 20:08 GMT
Task Type Feature Request
Category Kernel
Status Closed
Assigned To Andreas Radke (AndyRTR)
Jan Alexander Steffens (heftig)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Linux 5.15 introduces the CONFIG_ZERO_CALL_USED_REGS build option, which is documented in the link below. It provides a security benefit that (as far as I can tell) can't be enabled at runtime by the user. I'm therefore suggesting we enable it by default in the Arch kernel during the 5.15 update.

Additional info:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a82adfd5c7cb4b8bb37ef439aed954f9972bb618

Closed by Andreas Radke (AndyRTR)
Monday, 07 February 2022, 20:08 GMT
Reason for closing: Fixed
Additional comments about closing: disabled in trunk for future builds to all kernels
Comment by T.J. Townsend (blakkheim) - Thursday, 04 November 2021, 00:27 GMT
Comment by Thibaut Sautereau (thithib) - Monday, 07 February 2022, 13:37 GMT
  • Field changed: Percent Complete (100% → 0%)
This feature brings significant performance overhead for little to no benefit; anthraxx and I decided to not enable it in the linux-hardened kernel. See e.g. this blog post for more information: https://dustri.org/b/paper-notes-clean-the-scratch-registers-a-way-to-mitigate-return-oriented-programming-attacks.html
Comment by Jan Alexander Steffens (heftig) - Monday, 07 February 2022, 18:31 GMT
Disabled in linux trunk (post-5.16.7), pending next release.
