From: mark.rutland@arm.com (Mark Rutland)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCHv4 4/7] arm64: Move some head.text functions to executable section
Date: Thu, 30 Oct 2014 18:45:39 +0000 [thread overview]
Message-ID: <20141030184539.GE31629@leverpostej> (raw)
In-Reply-To: <54526FFD.1070701@codeaurora.org>
On Thu, Oct 30, 2014 at 05:06:05PM +0000, Laura Abbott wrote:
> On 10/28/2014 4:10 AM, Mark Rutland wrote:
> > On Tue, Oct 28, 2014 at 08:35:37AM +0000, Ard Biesheuvel wrote:
> >> On 27 October 2014 21:12, Laura Abbott <lauraa@codeaurora.org> wrote:
> >>> The head.text section is intended to be run at early bootup
> >>> before any of the regular kernel mappings have been setup.
> >>> Parts of head.text may be freed back into the buddy allocator
> >>> due to TEXT_OFFSET so for security requirements this memory
> >>> must not be executable. The suspend/resume/hotplug code path
> >>> requires some of these head.S functions to run however which
> >>> means they need to be executable. Support these conflicting
> >>> requirements by moving the few head.text functions that need
> >>> to be executable to the text section which has the appropriate
> >>> page table permissions.
> >>>
> >>> Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
> >>> ---
> >>> v4: New apprach based on discussions with Mark
> >>> ---
> >>> arch/arm64/kernel/head.S | 4 ++++
> >>> 1 file changed, 4 insertions(+)
> >>>
> >>> diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
> >>> index 10f5cc0..dc362da 100644
> >>> --- a/arch/arm64/kernel/head.S
> >>> +++ b/arch/arm64/kernel/head.S
> >>> @@ -432,12 +432,14 @@ ENTRY(secondary_startup)
> >>> b __enable_mmu
> >>> ENDPROC(secondary_startup)
> >>>
> >>> + .pushsection .text, "ax"
> >>> ENTRY(__secondary_switched)
> >>> ldr x0, [x21] // get secondary_data.stack
> >>> mov sp, x0
> >>> mov x29, #0
> >>> b secondary_start_kernel
> >>> ENDPROC(__secondary_switched)
> >>> + .popsection
> >>> #endif /* CONFIG_SMP */
> >>>
> >>> /*
> >>> @@ -471,11 +473,13 @@ ENDPROC(__enable_mmu)
> >>> * table to map the entire function.
> >>> */
> >>> .align 4
> >>> + .pushsection .text, "ax"
> >>
> >> There is a comment before this .align that explains why it is
> >> separated from __enable_mmu, and I think jumping into another section
> >> right after it kind of defeats the purpose.
> >> Perhaps it is better to put the pushsection before __enable_mmu instead?
> >
> > To keep the alignment correct we just need to move the .align after the
> > pushsection. With that changed I think this patch is Ok.
> >
> > As __enable_mmu is only executed with the MMU off it doesn't need to be
> > moved into an executable section to prevent the MMU from blowing up in
> > our faces -- it would be wrong to call it with the MMU on anyway.
> >
> > However, this does raise a potential problem in that an attacker could
> > scribble over code executed before the MMU is on. Then they just have to
> > wait for the next CPU hotplug or suspend/resume for it to be executed.
> > So some functions including __enable_mmu and el2_setup aren't
> > necessarily safe in their current location.
> >
> > There are a few ways of solving that, either moving stuff around or
> > releasing less memory for allocation.
> >
>
> My original version of the patch did move everything around to keep
> __enable_mmu and others into the text section so they couldn't
> be modified. It seemed rather unwieldy though so I went with this
> approach. Releasing less memory for allocation is less than optimal
> so I'd prefer if we moved code around to the appropriate section.
> Any opinions about going back to my original approach of moving things
> around vs. going with more pushsection annotations?
I guess moving things around is the way to go. That will create a clear
distinction between one-time boot code and the portions which get used
repeatedly (and perhaps we can release the memory used by the former).
Looking back at v3, I think we don't need to duplicate any functions
(e.g. enable_mmu) if we replace adr uses with adrp and a :lo12:
immediate, and I think we can place the reused portions straight in
.text rather than adding .latehead.text. That should make the diffstat a
little nicer.
Thanks,
Mark.
next prev parent reply other threads:[~2014-10-30 18:45 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1414440752-9411-1-git-send-email-lauraa@codeaurora.org>
2014-10-27 20:12 ` [PATCHv4 1/7] arm64: Treat handle_arch_irq as a function pointer Laura Abbott
2014-10-28 8:11 ` Ard Biesheuvel
2014-10-28 10:25 ` Mark Rutland
2014-10-27 20:12 ` [PATCHv4 2/7] arm64: Switch to ldr for loading the stub vectors Laura Abbott
2014-10-28 8:23 ` Ard Biesheuvel
2014-10-28 9:51 ` Marc Zyngier
2014-10-28 10:27 ` Mark Rutland
2014-10-27 20:12 ` [PATCHv4 3/7] arm64: Move cpu_resume into the text section Laura Abbott
2014-10-28 8:10 ` Ard Biesheuvel
2014-10-28 8:22 ` Ard Biesheuvel
2014-10-28 12:43 ` Mark Rutland
2014-10-28 15:26 ` Lorenzo Pieralisi
2014-10-28 15:31 ` Mark Rutland
2014-10-30 16:49 ` Laura Abbott
2014-10-27 20:12 ` [PATCHv4 4/7] arm64: Move some head.text functions to executable section Laura Abbott
2014-10-28 8:35 ` Ard Biesheuvel
2014-10-28 11:10 ` Mark Rutland
2014-10-30 17:06 ` Laura Abbott
2014-10-30 18:45 ` Mark Rutland [this message]
2014-10-27 20:12 ` [PATCHv4 5/7] arm64: Factor out fixmap initialiation from ioremap Laura Abbott
2014-10-28 14:17 ` Mark Rutland
2014-10-27 20:12 ` [PATCHv4 6/7] arm64: use fixmap for text patching when text is RO Laura Abbott
2014-10-27 20:12 ` [PATCHv4 7/7] arm64: add better page protections to arm64 Laura Abbott
2014-10-28 11:29 ` Steve Capper
2014-10-28 11:44 ` Ard Biesheuvel
2014-10-28 13:40 ` Steve Capper
2014-10-30 17:12 ` Laura Abbott
2014-10-28 14:20 ` Mark Rutland
2014-10-30 17:17 ` Laura Abbott
2014-10-27 20:19 ` [PATCHv4 0/7] Better page protections for arm64 Laura Abbott
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141030184539.GE31629@leverpostej \
--to=mark.rutland@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.