Add GCC plugins support to the Linux kernel and modules build
GCC plugins allow implementing several hardening features. For example, structleak zero-initializes on-stack data structures that may be copied to user space, so uninitialized kernel memory is not leaked.
The disadvantage (especially for randstruct) is reduced performance.
In addition, when the GCC version changes, it might be necessary to recompile all out-of-tree modules.
- Enable GCC plugins in the kernel (CONFIG_GCC_PLUGINS*)
- Enable the plugins (see the recommended settings at https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings).
- Check the impact on the toolchain build (are additional rebuilds needed when the GCC version changes?)
- For each plugin, evaluate the performance impact
- Based on the results, decide on the set of plugins available in the default toolchain
- Create a document referencing plugins and note which plugins we enable and disable, and why
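As an added example (not part of this task or of any project build script), the following shell audit supports the first two steps: it reads a kernel `.config`, compares the `CONFIG_GCC_PLUGIN*` symbols against a policy list, and reports each deviation. The symbol names are real Kconfig options; the expected y/n states are this example's reading of the KSPP recommended settings and are an assumption to adjust once the plugin set is decided.

```shell
# Audit a kernel .config for the GCC-plugin hardening symbols.
# Symbol names are real Kconfig options; the expected states below are an
# assumption taken from the KSPP recommended settings, not project policy.
GCC_PLUGIN_POLICY='
CONFIG_GCC_PLUGINS=y
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
CONFIG_GCC_PLUGIN_STACKLEAK=y
'
# config_state FILE SYMBOL: print the symbol's value (y, m, a string, ...),
# "n" for a "# SYMBOL is not set" line, or "unset" if the symbol is absent.
config_state() {
    if grep -q "^$2=" "$1"; then
        sed -n "s/^$2=//p" "$1" | head -n 1
    elif grep -q "^# $2 is not set" "$1"; then
        echo n
    else
        echo unset
    fi
}
# audit_gcc_plugins FILE: print one OK/FAIL line per policy entry and
# return the number of deviations (0 means the config matches the policy).
audit_gcc_plugins() {
    deviations=0
    for entry in $GCC_PLUGIN_POLICY; do
        sym=${entry%=*}
        want=${entry#*=}
        have=$(config_state "$1" "$sym")
        if [ "$have" = "$want" ]; then
            printf 'OK   %-40s %s\n' "$sym" "$have"
        else
            printf 'FAIL %-40s have=%s want=%s\n' "$sym" "$have" "$want"
            deviations=$((deviations + 1))
        fi
    done
    return "$deviations"
}
# Constructed .config fragment (not from a real build) used as sample input.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_GCC_PLUGINS=y
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# CONFIG_GCC_PLUGIN_STRUCTLEAK is not set
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_GCC_PLUGIN_STACKLEAK is not set
EOF
audit_gcc_plugins "$SAMPLE_CONFIG" || echo "$? option(s) deviate from policy"
```

Point the function at a real build's `.config` to get the same report for the toolchain under evaluation.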