linux/security/Kconfig.hardening
menu "Kernel hardening options"

config INIT_ON_ALLOC_DEFAULT_ON
        bool "Enable heap memory zeroing on allocation by default"
        help
          This has the effect of setting "init_on_alloc=1" on the kernel
          command line. This can be disabled with "init_on_alloc=0".
          When "init_on_alloc" is enabled, all page allocator and slab
          allocator memory will be zeroed when allocated, eliminating
          many kinds of "uninitialized heap memory" flaws, especially
          heap content exposures. The performance impact varies by
          workload, but most cases see <1% impact. Some synthetic
          workloads have measured as high as 7%.

config INIT_ON_FREE_DEFAULT_ON
        bool "Enable heap memory zeroing on free by default"
        help
          This has the effect of setting "init_on_free=1" on the kernel
          command line. This can be disabled with "init_on_free=0".
          Similar to "init_on_alloc", when "init_on_free" is enabled,
          all page allocator and slab allocator memory will be zeroed
          when freed, eliminating many kinds of "uninitialized heap memory"
          flaws, especially heap content exposures. The primary difference
          with "init_on_free" is that data lifetime in memory is reduced,
          as anything freed is wiped immediately, making live forensics or
          cold boot memory attacks unable to recover freed memory contents.
          The performance impact varies by workload, but is more expensive
          than "init_on_alloc" due to the negative cache effects of
          touching "cold" memory areas. Most cases see 3-5% impact. Some
          synthetic workloads have measured as high as 8%.

endmenu
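
Because each option above only sets a default that the matching command-line parameter can override, an audit has to combine the build configuration with the boot command line. The following is an added example, not part of the kernel source: the function name `effective_init` is hypothetical, the sample inputs are constructed, it handles only the `=1`/`=0` spellings given in the help text, and it assumes the last occurrence of a parameter on the command line wins.

```shell
#!/bin/sh
# Added example: resolve the effective init_on_alloc / init_on_free setting
# from a kernel config and a boot command line. Inputs are passed as strings
# so the logic can be checked offline. On a live host the command line is
# /proc/cmdline; the config location (often /boot/config-$(uname -r)) varies
# by distribution and is an assumption here.

# effective_init WHICH CONFIG_TEXT CMDLINE
#   WHICH is "alloc" or "free". Prints 1 if zeroing is in effect, else 0.
# The body runs in a subshell so that "set -f" does not leak to the caller.
effective_init() (
    which=$1
    config=$2
    cmdline=$3
    opt=$(printf '%s' "$which" | tr 'a-z' 'A-Z')
    state=0

    # Build-time default: CONFIG_INIT_ON_<WHICH>_DEFAULT_ON=y acts like "=1".
    if printf '%s\n' "$config" |
        grep -q "^CONFIG_INIT_ON_${opt}_DEFAULT_ON=y\$"; then
        state=1
    fi

    # Boot-time override. Assumption: the last occurrence wins.
    set -f                      # do not glob-expand command-line words
    for word in $cmdline; do
        case $word in
            "init_on_${which}=1") state=1 ;;
            "init_on_${which}=0") state=0 ;;
        esac
    done
    printf '%s\n' "$state"
)

# Constructed sample inputs (not taken from a real host): the config enables
# zero-on-alloc only, and the command line flips both settings.
SAMPLE_CONFIG='CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro init_on_alloc=0 init_on_free=1'

for w in alloc free; do
    r=$(effective_init "$w" "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE")
    echo "init_on_$w effective: $r"
done
```

A host whose config shows `CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y` can still boot with zeroing disabled, so a compliance check that reads only the config file can report the wrong state.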