From: Heiko Carstens <heiko.carstens@de.ibm.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: Laura Abbott <labbott@redhat.com>,
Kees Cook <keescook@chromium.org>,
Jason Wessel <jason.wessel@windriver.com>,
Jonathan Corbet <corbet@lwn.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"James E.J. Bottomley" <jejb@parisc-linux.org>,
Helge Deller <deller@gmx.de>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Rob Herring <robh@kernel.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
Jessica Yu <jeyu@redhat.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-parisc@vger.kernel.org, linux-s390@vger.kernel.org,
linux-pm@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH 1/2] security: Change name of CONFIG_DEBUG_RODATA
Date: Thu, 19 Jan 2017 12:33:05 +0100 [thread overview]
Message-ID: <20170119113305.GB5110@osiris> (raw)
In-Reply-To: <20170119105646.GA11176@leverpostej>
On Thu, Jan 19, 2017 at 10:56:46AM +0000, Mark Rutland wrote:
> > +config HARDENED_PAGE_MAPPINGS
> > + bool "Mark kernel mappings with stricter permissions (RO/W^X)"
> > + default y
> > + depends on ARCH_HAS_HARDENED_MAPPINGS
> > + help
> > + If this is set, kernel text and rodata memory will be made read-only,
> > + and non-text memory will be made non-executable. This provides
> > + protection against certain security attacks (e.g. executing the heap
> > + or modifying text).
> > +
> > + Unless your system has known restrictions or performance issues, it
> > + is recommended to say Y here.
>
> It's somewhat unfortunate that this means the feature is no longer
> mandatory on arm64 (and s390+x86). We have a boot-time switch to turn
> the protections off, so I was hoping we could make this mandatory on all
> architectures with support.
>
> It would be good to see if we could make this mandatory for arm and
> parisc, or if it really needs to be optional for either of those.
Looks like the config option is a no-op on parisc just like it is on
s390. Irrelavant of the config option at least on s390 the page tables for
kernel text and rodata will be read-only anyway.
This works since ages and I don't see a reason why this should be
changed. Also trying to disable this with the "rodata=" command line option
does not work at least on s390, and I guess this is true for parisc as
well.
The only thing implemented with CONFIG_DEBUG_RODATA on both architectures
is to emit a message that states memory has been protected
(mark_rodata_ro).
This just avoids a wrong "Kernel memory protection disabled." message.
So yes, I'd really like to keep this option mandatory.
WARNING: multiple messages have this Message-ID (diff)
From: Heiko Carstens <heiko.carstens@de.ibm.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: Laura Abbott <labbott@redhat.com>,
Kees Cook <keescook@chromium.org>,
Jason Wessel <jason.wessel@windriver.com>,
Jonathan Corbet <corbet@lwn.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"James E.J. Bottomley" <jejb@parisc-linux.org>,
Helge Deller <deller@gmx.de>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Rob Herring <robh@kernel.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
Jessica Yu <jeyu@redhat.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, linux-parisc@vger.k
Subject: Re: [PATCH 1/2] security: Change name of CONFIG_DEBUG_RODATA
Date: Thu, 19 Jan 2017 12:33:05 +0100 [thread overview]
Message-ID: <20170119113305.GB5110@osiris> (raw)
In-Reply-To: <20170119105646.GA11176@leverpostej>
On Thu, Jan 19, 2017 at 10:56:46AM +0000, Mark Rutland wrote:
> > +config HARDENED_PAGE_MAPPINGS
> > + bool "Mark kernel mappings with stricter permissions (RO/W^X)"
> > + default y
> > + depends on ARCH_HAS_HARDENED_MAPPINGS
> > + help
> > + If this is set, kernel text and rodata memory will be made read-only,
> > + and non-text memory will be made non-executable. This provides
> > + protection against certain security attacks (e.g. executing the heap
> > + or modifying text).
> > +
> > + Unless your system has known restrictions or performance issues, it
> > + is recommended to say Y here.
>
> It's somewhat unfortunate that this means the feature is no longer
> mandatory on arm64 (and s390+x86). We have a boot-time switch to turn
> the protections off, so I was hoping we could make this mandatory on all
> architectures with support.
>
> It would be good to see if we could make this mandatory for arm and
> parisc, or if it really needs to be optional for either of those.
Looks like the config option is a no-op on parisc just like it is on
s390. Irrelavant of the config option at least on s390 the page tables for
kernel text and rodata will be read-only anyway.
This works since ages and I don't see a reason why this should be
changed. Also trying to disable this with the "rodata=" command line option
does not work at least on s390, and I guess this is true for parisc as
well.
The only thing implemented with CONFIG_DEBUG_RODATA on both architectures
is to emit a message that states memory has been protected
(mark_rodata_ro).
This just avoids a wrong "Kernel memory protection disabled." message.
So yes, I'd really like to keep this option mandatory.
WARNING: multiple messages have this Message-ID (diff)
From: heiko.carstens@de.ibm.com (Heiko Carstens)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 1/2] security: Change name of CONFIG_DEBUG_RODATA
Date: Thu, 19 Jan 2017 12:33:05 +0100 [thread overview]
Message-ID: <20170119113305.GB5110@osiris> (raw)
In-Reply-To: <20170119105646.GA11176@leverpostej>
On Thu, Jan 19, 2017 at 10:56:46AM +0000, Mark Rutland wrote:
> > +config HARDENED_PAGE_MAPPINGS
> > + bool "Mark kernel mappings with stricter permissions (RO/W^X)"
> > + default y
> > + depends on ARCH_HAS_HARDENED_MAPPINGS
> > + help
> > + If this is set, kernel text and rodata memory will be made read-only,
> > + and non-text memory will be made non-executable. This provides
> > + protection against certain security attacks (e.g. executing the heap
> > + or modifying text).
> > +
> > + Unless your system has known restrictions or performance issues, it
> > + is recommended to say Y here.
>
> It's somewhat unfortunate that this means the feature is no longer
> mandatory on arm64 (and s390+x86). We have a boot-time switch to turn
> the protections off, so I was hoping we could make this mandatory on all
> architectures with support.
>
> It would be good to see if we could make this mandatory for arm and
> parisc, or if it really needs to be optional for either of those.
Looks like the config option is a no-op on parisc just like it is on
s390. Irrelavant of the config option at least on s390 the page tables for
kernel text and rodata will be read-only anyway.
This works since ages and I don't see a reason why this should be
changed. Also trying to disable this with the "rodata=" command line option
does not work at least on s390, and I guess this is true for parisc as
well.
The only thing implemented with CONFIG_DEBUG_RODATA on both architectures
is to emit a message that states memory has been protected
(mark_rodata_ro).
This just avoids a wrong "Kernel memory protection disabled." message.
So yes, I'd really like to keep this option mandatory.
WARNING: multiple messages have this Message-ID (diff)
From: Heiko Carstens <heiko.carstens@de.ibm.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: Laura Abbott <labbott@redhat.com>,
Kees Cook <keescook@chromium.org>,
Jason Wessel <jason.wessel@windriver.com>,
Jonathan Corbet <corbet@lwn.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"James E.J. Bottomley" <jejb@parisc-linux.org>,
Helge Deller <deller@gmx.de>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Rob Herring <robh@kernel.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
Jessica Yu <jeyu@redhat.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-parisc@vger.kernel.org, linux-s390@vger.kernel.org,
linux-pm@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 1/2] security: Change name of CONFIG_DEBUG_RODATA
Date: Thu, 19 Jan 2017 12:33:05 +0100 [thread overview]
Message-ID: <20170119113305.GB5110@osiris> (raw)
In-Reply-To: <20170119105646.GA11176@leverpostej>
On Thu, Jan 19, 2017 at 10:56:46AM +0000, Mark Rutland wrote:
> > +config HARDENED_PAGE_MAPPINGS
> > + bool "Mark kernel mappings with stricter permissions (RO/W^X)"
> > + default y
> > + depends on ARCH_HAS_HARDENED_MAPPINGS
> > + help
> > + If this is set, kernel text and rodata memory will be made read-only,
> > + and non-text memory will be made non-executable. This provides
> > + protection against certain security attacks (e.g. executing the heap
> > + or modifying text).
> > +
> > + Unless your system has known restrictions or performance issues, it
> > + is recommended to say Y here.
>
> It's somewhat unfortunate that this means the feature is no longer
> mandatory on arm64 (and s390+x86). We have a boot-time switch to turn
> the protections off, so I was hoping we could make this mandatory on all
> architectures with support.
>
> It would be good to see if we could make this mandatory for arm and
> parisc, or if it really needs to be optional for either of those.
Looks like the config option is a no-op on parisc just like it is on
s390. Irrelavant of the config option at least on s390 the page tables for
kernel text and rodata will be read-only anyway.
This works since ages and I don't see a reason why this should be
changed. Also trying to disable this with the "rodata=" command line option
does not work at least on s390, and I guess this is true for parisc as
well.
The only thing implemented with CONFIG_DEBUG_RODATA on both architectures
is to emit a message that states memory has been protected
(mark_rodata_ro).
This just avoids a wrong "Kernel memory protection disabled." message.
So yes, I'd really like to keep this option mandatory.
next prev parent reply other threads:[~2017-01-19 11:33 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-19 1:29 [kernel-hardening] [RFC][PATCH 0/2] Better hardening names Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 1:29 ` [kernel-hardening] [PATCH 1/2] security: Change name of CONFIG_DEBUG_RODATA Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 7:53 ` [kernel-hardening] " Pavel Machek
2017-01-19 7:53 ` Pavel Machek
2017-01-19 7:53 ` Pavel Machek
2017-01-19 7:53 ` Pavel Machek
2017-01-25 11:21 ` [kernel-hardening] " Laura Abbott
2017-01-25 11:21 ` Laura Abbott
2017-01-25 11:21 ` Laura Abbott
2017-01-25 11:21 ` Laura Abbott
2017-01-25 13:51 ` [kernel-hardening] " Pavel Machek
2017-01-25 13:51 ` Pavel Machek
2017-01-25 13:51 ` Pavel Machek
2017-01-25 13:51 ` Pavel Machek
2017-01-19 10:56 ` [kernel-hardening] " Mark Rutland
2017-01-19 10:56 ` Mark Rutland
2017-01-19 10:56 ` Mark Rutland
2017-01-19 10:56 ` Mark Rutland
2017-01-19 11:33 ` Heiko Carstens [this message]
2017-01-19 11:33 ` Heiko Carstens
2017-01-19 11:33 ` Heiko Carstens
2017-01-19 11:33 ` Heiko Carstens
2017-01-19 21:17 ` [kernel-hardening] " Helge Deller
2017-01-19 21:17 ` Helge Deller
2017-01-19 21:17 ` Helge Deller
2017-01-19 21:17 ` Helge Deller
2017-01-25 11:37 ` [kernel-hardening] " Laura Abbott
2017-01-25 11:37 ` Laura Abbott
2017-01-25 11:37 ` Laura Abbott
2017-01-25 11:37 ` Laura Abbott
2017-01-25 11:37 ` Laura Abbott
2017-01-19 22:00 ` [kernel-hardening] " Kees Cook
2017-01-19 22:00 ` Kees Cook
2017-01-19 22:00 ` Kees Cook
2017-01-19 22:00 ` Kees Cook
2017-01-19 22:00 ` Kees Cook
2017-01-25 11:25 ` [kernel-hardening] " Laura Abbott
2017-01-25 11:25 ` Laura Abbott
2017-01-25 11:25 ` Laura Abbott
2017-01-25 11:25 ` Laura Abbott
2017-01-19 21:57 ` [kernel-hardening] " Kees Cook
2017-01-19 21:57 ` Kees Cook
2017-01-19 21:57 ` Kees Cook
2017-01-19 21:57 ` Kees Cook
2017-01-19 21:57 ` Kees Cook
2017-01-19 1:29 ` [kernel-hardening] [PATCH 2/2] security: Change name of CONFIG_DEBUG_SET_MODULE_RONX Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 1:29 ` Laura Abbott
2017-01-19 11:11 ` [kernel-hardening] " Mark Rutland
2017-01-19 11:11 ` Mark Rutland
2017-01-19 11:11 ` Mark Rutland
2017-01-19 11:11 ` Mark Rutland
2017-01-19 11:34 ` [kernel-hardening] " Heiko Carstens
2017-01-19 11:34 ` Heiko Carstens
2017-01-19 11:34 ` Heiko Carstens
2017-01-19 11:34 ` Heiko Carstens
2017-01-19 11:34 ` Heiko Carstens
2017-01-19 11:43 ` [kernel-hardening] " Robin Murphy
2017-01-19 11:43 ` Robin Murphy
2017-01-19 11:43 ` Robin Murphy
2017-01-19 11:43 ` Robin Murphy
2017-01-25 11:44 ` [kernel-hardening] " Laura Abbott
2017-01-25 11:44 ` Laura Abbott
2017-01-25 11:44 ` Laura Abbott
2017-01-25 11:44 ` Laura Abbott
2017-01-20 5:46 ` [kernel-hardening] " kbuild test robot
2017-01-20 5:46 ` kbuild test robot
2017-01-20 5:46 ` kbuild test robot
2017-01-20 5:46 ` kbuild test robot
2017-01-20 5:46 ` kbuild test robot
2017-01-19 22:08 ` [kernel-hardening] Re: [RFC][PATCH 0/2] Better hardening names Kees Cook
2017-01-19 22:08 ` Kees Cook
2017-01-19 22:08 ` Kees Cook
2017-01-19 22:08 ` Kees Cook
2017-01-19 22:08 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170119113305.GB5110@osiris \
--to=heiko.carstens@de.ibm.com \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=deller@gmx.de \
--cc=hpa@zytor.com \
--cc=jason.wessel@windriver.com \
--cc=jejb@parisc-linux.org \
--cc=jeyu@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=len.brown@intel.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-parisc@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=pavel@ucw.cz \
--cc=rjw@rjwysocki.net \
--cc=robh@kernel.org \
--cc=schwidefsky@de.ibm.com \
--cc=tglx@linutronix.de \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.