menu "Kernel hardening options"

config INIT_ON_ALLOC_DEFAULT_ON
	bool "Enable heap memory zeroing on allocation by default"
	help
	  This has the effect of setting "init_on_alloc=1" on the kernel
	  command line. This can be disabled with "init_on_alloc=0".
	  When "init_on_alloc" is enabled, all page allocator and slab
	  allocator memory will be zeroed when allocated, eliminating
	  many kinds of "uninitialized heap memory" flaws, especially
	  heap content exposures. The performance impact varies by
	  workload, but most cases see <1% impact. Some synthetic
	  workloads have measured as high as 7%.

config INIT_ON_FREE_DEFAULT_ON
	bool "Enable heap memory zeroing on free by default"
	help
	  This has the effect of setting "init_on_free=1" on the kernel
	  command line. This can be disabled with "init_on_free=0".
	  Similar to "init_on_alloc", when "init_on_free" is enabled,
	  all page allocator and slab allocator memory will be zeroed
	  when freed, eliminating many kinds of "uninitialized heap memory"
	  flaws, especially heap content exposures. The primary difference
	  with "init_on_free" is that data lifetime in memory is reduced,
	  as anything freed is wiped immediately, making live forensics or
	  cold boot memory attacks unable to recover freed memory contents.
	  The performance impact varies by workload, but is more expensive
	  than "init_on_alloc" due to the negative cache effects of
	  touching "cold" memory areas. Most cases see 3-5% impact. Some
	  synthetic workloads have measured as high as 8%.

endmenu
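
The help text above makes each option a build-time default that the kernel command line can override. As an added example (not part of the kernel source), this shell function resolves the effective setting from a .config and a command line; the function name, the sample inputs and the last-occurrence-wins rule for a repeated parameter are assumptions, and only the "=1" and "=0" forms named in the help text are handled.

```shell
#!/bin/sh
# Added example: resolve the effective init_on_alloc / init_on_free state
# from a kernel .config and a kernel command line.

# effective_init NAME CONFIG_TEXT CMDLINE -> prints "1" (zeroing on) or "0"
#   NAME is init_on_alloc or init_on_free.
# The body runs in a subshell so "set -f" does not leak into the caller.
effective_init() (
    name=$1
    config=$2
    cmdline=$3
    case $name in
        init_on_alloc) sym=CONFIG_INIT_ON_ALLOC_DEFAULT_ON ;;
        init_on_free)  sym=CONFIG_INIT_ON_FREE_DEFAULT_ON ;;
        *) echo "unknown option: $name" >&2; return 2 ;;
    esac

    # Build-time default: "<sym>=y" in .config behaves like "<name>=1".
    state=0
    if printf '%s\n' "$config" | grep -q "^${sym}=y\$"; then
        state=1
    fi

    # Boot-time override from the command line.
    # Assumption: when the parameter is repeated, the last occurrence wins.
    set -f    # split on whitespace only, no glob expansion
    for word in $cmdline; do
        case $word in
            "$name=1") state=1 ;;
            "$name=0") state=0 ;;
        esac
    done
    printf '%s\n' "$state"
)

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONFIG='CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set'
SAMPLE_CMDLINE='root=/dev/sda1 ro quiet init_on_alloc=0 init_on_free=1'

for opt in init_on_alloc init_on_free; do
    echo "$opt: $(effective_init "$opt" "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE")"
done
```

On a live host the same function can be fed the contents of /proc/cmdline and the kernel's build configuration, where the distribution ships one.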