Date: Tue, 14 Feb 2017 17:54:05 +0000
From: Mark Rutland
Message-ID: <20170214175405.GL23718@leverpostej>
References: <1486844586-26135-1-git-send-email-ard.biesheuvel@linaro.org> <1486844586-26135-5-git-send-email-ard.biesheuvel@linaro.org> <20170214155704.GE23718@leverpostej> <651D9CBB-3E64-41CE-BF85-D2FF0CB927B7@linaro.org> <20170214174029.GJ23718@leverpostej> <42A48E4E-EF3C-4F28-A660-AFEBB238B698@linaro.org>
In-Reply-To: <42A48E4E-EF3C-4F28-A660-AFEBB238B698@linaro.org>
Subject: [kernel-hardening] Re: [PATCH v2 4/5] arm64: mmu: map .text as read-only from the outset
To: Ard Biesheuvel
Cc: linux-arm-kernel@lists.infradead.org, catalin.marinas@arm.com, will.deacon@arm.com, labbott@fedoraproject.org, kvmarm@lists.cs.columbia.edu, marc.zyngier@arm.com, andre.przywara@arm.com, Suzuki.Poulose@arm.com, james.morse@arm.com, keescook@chromium.org, kernel-hardening@lists.openwall.com, nd@arm.com

On Tue, Feb 14, 2017 at 05:49:19PM +0000, Ard Biesheuvel wrote:
>
> > On 14 Feb 2017, at 17:40, Mark Rutland wrote:
> >
> >> On Tue, Feb 14, 2017 at 04:15:11PM +0000, Ard Biesheuvel wrote:
> >> Having trivial 'off' switches for security features makes me feel
> >> uneasy (although this is orthogonal to this patch)
> >
> > From my PoV, external debuggers are the sole reason to allow rodata=off
> > for arm64, and we already allow rodata=off.
> >
>
> Indeed. If that is how it works currently, we shouldn't interfere with
> it. If we ever get anywhere with the lockdown patches, we should
> blacklist this parameter (or rather, not whitelist it, since
> blacklisting kernel params to enforce security is infeasible imo)

Agreed on all counts!

Mark.