Linux 5.15 Adds Another Knob To Harden Against Side Channel Attacks
The Linux 5.15 kernel adds a new build-time option to further harden the kernel against side channel attacks and information leakage. Enabling this option carries a small performance cost and yields a slightly larger kernel image.
The new option added for Linux 5.15 to further harden the kernel is CONFIG_ZERO_CALL_USED_REGS. Enabling this option and using the GCC 11 compiler or newer to build the kernel will enable the -fzero-call-used-regs=used-gpr compiler option.
Making use of this "zero-call-used-regs" compiler option ensures that the contents of any caller-used registers are zeroed before a function returns. The goal is to keep temporary values from leaking out of the function, reducing the chance that stale register contents can be used in side channel attacks or information exposures. As for the effectiveness of this compiler option when building the Linux kernel, it reduced the number of ROP gadgets in the kernel image by around 20% and eliminated simple "write-what-where" gadgets.
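To make the effect of the option concrete, here is an added example (not code from the article, GCC or the kernel) that audits AT&T-syntax assembly, as produced by `gcc -S`, and reports which x86-64 call-used general-purpose registers still hold live data at each `ret`. The two listings for a hypothetical `mix(a, b, c)` function are hand-constructed to mirror what the compiler emits without and with `-fzero-call-used-regs=used-gpr`; they were not captured from a real build.

```python
import re

# x86-64 SysV call-used (caller-saved) general-purpose registers; these are the
# ones -fzero-call-used-regs=used-gpr clears when the function touched them.
CALL_USED_GPRS = {"rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"}

# Map 8/16/32-bit register aliases onto their 64-bit name.
CANON = {}
for full, aliases in {
    "rax": ("eax", "ax", "al"), "rcx": ("ecx", "cx", "cl"),
    "rdx": ("edx", "dx", "dl"), "rsi": ("esi", "si", "sil"),
    "rdi": ("edi", "di", "dil"),
}.items():
    CANON[full] = full
    for alias in aliases:
        CANON[alias] = full
for n in range(8, 16):
    for suffix in ("", "d", "w", "b"):
        CANON[f"r{n}{suffix}"] = f"r{n}"

REG_RE = re.compile(r"%([a-z0-9]+)")
# The two zeroing idioms a compiler emits in an epilogue: xor reg,reg and mov $0,reg.
XOR_SELF_RE = re.compile(r"^xor[lq]?\s+%(\w+),\s*%(\w+)$")
MOV_ZERO_RE = re.compile(r"^mov[lq]?\s+\$0,\s*%(\w+)$")


def audit_epilogues(asm_text, return_reg="rax"):
    """Return {function: [call-used GPRs still holding live data at ret]}.

    Linear scan of `gcc -S` output: a register becomes "dirty" when any
    instruction references it and "clean" again when it is zeroed. At each
    `ret`, every dirty call-used GPR except the return-value register is
    reported. Control flow between basic blocks is not modelled.
    """
    results = {}
    func, dirty = None, set()
    for raw in asm_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("."):      # blank, directive or .L label
            continue
        if line.endswith(":"):                    # function label starts a new scan
            func, dirty = line[:-1], set()
            continue
        if func is None:
            continue
        m = XOR_SELF_RE.match(line)
        if m and m.group(1) == m.group(2):
            dirty.discard(CANON.get(m.group(1), m.group(1)))
            continue
        m = MOV_ZERO_RE.match(line)
        if m:
            dirty.discard(CANON.get(m.group(1), m.group(1)))
            continue
        if line.split()[0].startswith("ret"):
            leftover = set(results.get(func, [])) | (dirty - {return_reg})
            results[func] = sorted(leftover)
            continue
        for reg in REG_RE.findall(line):
            canon = CANON.get(reg, reg)
            if canon in CALL_USED_GPRS:
                dirty.add(canon)
    return results


def is_hardened(asm_text):
    """True when no function leaves a live call-used GPR behind at ret."""
    return all(not leftover for leftover in audit_epilogues(asm_text).values())


# Constructed listings for a hypothetical mix(int a, int b, int c) returning
# a*b + c, hand-written to resemble `gcc -O2 -S` output (not a real capture).
UNHARDENED = """\
mix:
    movl    %edi, %eax
    imull   %esi, %eax
    addl    %edx, %eax
    ret
"""

# Same function with -fzero-call-used-regs=used-gpr: every call-used GPR the
# function touched, other than the return register %rax, is zeroed before ret.
HARDENED = """\
mix:
    movl    %edi, %eax
    imull   %esi, %eax
    addl    %edx, %eax
    xorl    %edx, %edx
    xorl    %edi, %edi
    xorl    %esi, %esi
    ret
"""

if __name__ == "__main__":
    for name, listing in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(name, audit_epilogues(listing))
```

Feed it the output of `gcc -O2 -S -fzero-call-used-regs=used-gpr file.c` to confirm the epilogues were rewritten; `objdump -d` output needs the address and opcode-byte prefix stripped first. The scan only covers general-purpose registers, matching the `used-gpr` policy the kernel selects, and it cannot follow branches, so a register zeroed on one path but not another is only caught if the missing zeroing sits on the straight-line path to a `ret`. For a running kernel, the quicker check is whether `CONFIG_ZERO_CALL_USED_REGS=y` appears in `/proc/config.gz` or `/boot/config-$(uname -r)`.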
With CONFIG_ZERO_CALL_USED_REGS enabled, the performance impact on x86_64 was measured at less than 1% for a parallel kernel build test; no other benchmark numbers were provided. The option can also increase the kernel image size by less than 1% on x86_64. On AArch64, however, it has been observed to grow the image by ~5.5%, with no word yet on the run-time performance impact there.
GCC's "zero-call-used-regs" option is based on earlier work by Intel engineers on Clear Linux, who had previously proposed a "zero-caller-saved-regs" feature. That earlier Intel patch was considered good enough to be used by Intel's performance-oriented Clear Linux to help thwart ROP / COP / JOP attacks.
CONFIG_ZERO_CALL_USED_REGS is added with the hardening updates inbound for the Linux 5.15 kernel. Benchmarks looking at its performance impact will come soon on Phoronix; hopefully they will be boring, showing no major unexpected performance hits.