From: Mark Rutland <mark.rutland@arm.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: linux-arm-kernel@lists.infradead.org,
kernel-hardening@lists.openwall.com, catalin.marinas@arm.com,
will.deacon@arm.com, labbott@fedoraproject.org,
kvmarm@lists.cs.columbia.edu, marc.zyngier@arm.com,
keescook@chromium.org, andre.przywara@arm.com,
james.morse@arm.com, suzuki.poulose@arm.com
Subject: [kernel-hardening] Re: [PATCH v4 4/6] arm64: mmu: map .text as read-only from the outset
Date: Tue, 7 Mar 2017 14:10:14 +0000 [thread overview]
Message-ID: <20170307141014.GA3514@leverpostej> (raw)
In-Reply-To: <1488637848-13588-5-git-send-email-ard.biesheuvel@linaro.org>
On Sat, Mar 04, 2017 at 02:30:46PM +0000, Ard Biesheuvel wrote:
> Now that alternatives patching code no longer relies on the primary
> mapping of .text being writable, we can remove the code that removes
> the writable permissions post-init time, and map it read-only from
> the outset.
>
> To preserve the existing behavior under rodata=off, which is relied
> upon by external debuggers to manage software breakpoints (as pointed
> out by Mark), add an early_param() check for rodata=, and use RWX
> permissions if it set to 'off'.
>
> Reviewed-by: Laura Abbott <labbott@redhat.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> arch/arm64/mm/mmu.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index df377fbe464e..edd982f88714 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -416,9 +416,6 @@ void mark_rodata_ro(void)
> {
> unsigned long section_size;
>
> - section_size = (unsigned long)_etext - (unsigned long)_text;
> - update_mapping_prot(__pa_symbol(_text), (unsigned long)_text,
> - section_size, PAGE_KERNEL_ROX);
> /*
> * mark .rodata as read only. Use __init_begin rather than __end_rodata
> * to cover NOTES and EXCEPTION_TABLE.
> @@ -451,6 +448,12 @@ static void __init map_kernel_segment(pgd_t *pgd, void *va_start, void *va_end,
> vm_area_add_early(vma);
> }
>
> +static int __init parse_rodata(char *arg)
> +{
> + return strtobool(arg, &rodata_enabled);
> +}
> +early_param("rodata", parse_rodata);
> +
> /*
> * Create fine-grained mappings for the kernel.
> */
> @@ -458,7 +461,9 @@ static void __init map_kernel(pgd_t *pgd)
> {
> static struct vm_struct vmlinux_text, vmlinux_rodata, vmlinux_init, vmlinux_data;
>
> - map_kernel_segment(pgd, _text, _etext, PAGE_KERNEL_EXEC, &vmlinux_text);
> + pgprot_t text_prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC;
> +
It might be worth having a comment as to why, e.g.
/*
* External debuggers may need to write directly to the text
* mapping to install SW breakpoints. Allow this (only) when
* explicitly requested with rodata=off.
*/
... otherwise this looks fine. FWIW, either way:
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Thanks,
Mark.
> + map_kernel_segment(pgd, _text, _etext, text_prot, &vmlinux_text);
> map_kernel_segment(pgd, __start_rodata, __init_begin, PAGE_KERNEL, &vmlinux_rodata);
> map_kernel_segment(pgd, __init_begin, __init_end, PAGE_KERNEL_EXEC,
> &vmlinux_init);
> --
> 2.7.4
>
WARNING: multiple messages have this Message-ID (diff)
From: Mark Rutland <mark.rutland@arm.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: keescook@chromium.org, kernel-hardening@lists.openwall.com,
marc.zyngier@arm.com, catalin.marinas@arm.com,
will.deacon@arm.com, andre.przywara@arm.com,
kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org, labbott@fedoraproject.org
Subject: Re: [PATCH v4 4/6] arm64: mmu: map .text as read-only from the outset
Date: Tue, 7 Mar 2017 14:10:14 +0000 [thread overview]
Message-ID: <20170307141014.GA3514@leverpostej> (raw)
In-Reply-To: <1488637848-13588-5-git-send-email-ard.biesheuvel@linaro.org>
On Sat, Mar 04, 2017 at 02:30:46PM +0000, Ard Biesheuvel wrote:
> Now that alternatives patching code no longer relies on the primary
> mapping of .text being writable, we can remove the code that removes
> the writable permissions post-init time, and map it read-only from
> the outset.
>
> To preserve the existing behavior under rodata=off, which is relied
> upon by external debuggers to manage software breakpoints (as pointed
> out by Mark), add an early_param() check for rodata=, and use RWX
> permissions if it set to 'off'.
>
> Reviewed-by: Laura Abbott <labbott@redhat.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> arch/arm64/mm/mmu.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index df377fbe464e..edd982f88714 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -416,9 +416,6 @@ void mark_rodata_ro(void)
> {
> unsigned long section_size;
>
> - section_size = (unsigned long)_etext - (unsigned long)_text;
> - update_mapping_prot(__pa_symbol(_text), (unsigned long)_text,
> - section_size, PAGE_KERNEL_ROX);
> /*
> * mark .rodata as read only. Use __init_begin rather than __end_rodata
> * to cover NOTES and EXCEPTION_TABLE.
> @@ -451,6 +448,12 @@ static void __init map_kernel_segment(pgd_t *pgd, void *va_start, void *va_end,
> vm_area_add_early(vma);
> }
>
> +static int __init parse_rodata(char *arg)
> +{
> + return strtobool(arg, &rodata_enabled);
> +}
> +early_param("rodata", parse_rodata);
> +
> /*
> * Create fine-grained mappings for the kernel.
> */
> @@ -458,7 +461,9 @@ static void __init map_kernel(pgd_t *pgd)
> {
> static struct vm_struct vmlinux_text, vmlinux_rodata, vmlinux_init, vmlinux_data;
>
> - map_kernel_segment(pgd, _text, _etext, PAGE_KERNEL_EXEC, &vmlinux_text);
> + pgprot_t text_prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC;
> +
It might be worth having a comment as to why, e.g.
/*
* External debuggers may need to write directly to the text
* mapping to install SW breakpoints. Allow this (only) when
* explicitly requested with rodata=off.
*/
... otherwise this looks fine. FWIW, either way:
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Thanks,
Mark.
> + map_kernel_segment(pgd, _text, _etext, text_prot, &vmlinux_text);
> map_kernel_segment(pgd, __start_rodata, __init_begin, PAGE_KERNEL, &vmlinux_rodata);
> map_kernel_segment(pgd, __init_begin, __init_end, PAGE_KERNEL_EXEC,
> &vmlinux_init);
> --
> 2.7.4
>
WARNING: multiple messages have this Message-ID (diff)
From: mark.rutland@arm.com (Mark Rutland)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v4 4/6] arm64: mmu: map .text as read-only from the outset
Date: Tue, 7 Mar 2017 14:10:14 +0000 [thread overview]
Message-ID: <20170307141014.GA3514@leverpostej> (raw)
In-Reply-To: <1488637848-13588-5-git-send-email-ard.biesheuvel@linaro.org>
On Sat, Mar 04, 2017 at 02:30:46PM +0000, Ard Biesheuvel wrote:
> Now that alternatives patching code no longer relies on the primary
> mapping of .text being writable, we can remove the code that removes
> the writable permissions post-init time, and map it read-only from
> the outset.
>
> To preserve the existing behavior under rodata=off, which is relied
> upon by external debuggers to manage software breakpoints (as pointed
> out by Mark), add an early_param() check for rodata=, and use RWX
> permissions if it set to 'off'.
>
> Reviewed-by: Laura Abbott <labbott@redhat.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> arch/arm64/mm/mmu.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index df377fbe464e..edd982f88714 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -416,9 +416,6 @@ void mark_rodata_ro(void)
> {
> unsigned long section_size;
>
> - section_size = (unsigned long)_etext - (unsigned long)_text;
> - update_mapping_prot(__pa_symbol(_text), (unsigned long)_text,
> - section_size, PAGE_KERNEL_ROX);
> /*
> * mark .rodata as read only. Use __init_begin rather than __end_rodata
> * to cover NOTES and EXCEPTION_TABLE.
> @@ -451,6 +448,12 @@ static void __init map_kernel_segment(pgd_t *pgd, void *va_start, void *va_end,
> vm_area_add_early(vma);
> }
>
> +static int __init parse_rodata(char *arg)
> +{
> + return strtobool(arg, &rodata_enabled);
> +}
> +early_param("rodata", parse_rodata);
> +
> /*
> * Create fine-grained mappings for the kernel.
> */
> @@ -458,7 +461,9 @@ static void __init map_kernel(pgd_t *pgd)
> {
> static struct vm_struct vmlinux_text, vmlinux_rodata, vmlinux_init, vmlinux_data;
>
> - map_kernel_segment(pgd, _text, _etext, PAGE_KERNEL_EXEC, &vmlinux_text);
> + pgprot_t text_prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC;
> +
It might be worth having a comment as to why, e.g.
/*
* External debuggers may need to write directly to the text
* mapping to install SW breakpoints. Allow this (only) when
* explicitly requested with rodata=off.
*/
... otherwise this looks fine. FWIW, either way:
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Thanks,
Mark.
> + map_kernel_segment(pgd, _text, _etext, text_prot, &vmlinux_text);
> map_kernel_segment(pgd, __start_rodata, __init_begin, PAGE_KERNEL, &vmlinux_rodata);
> map_kernel_segment(pgd, __init_begin, __init_end, PAGE_KERNEL_EXEC,
> &vmlinux_init);
> --
> 2.7.4
>
next prev parent reply other threads:[~2017-03-07 14:10 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-04 14:30 [kernel-hardening] [PATCH v4 0/6] arm64: mmu: avoid W+X mappings and re-enable PTE_CONT for kernel Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-04 14:30 ` [kernel-hardening] [PATCH v4 1/6] arm: kvm: move kvm_vgic_global_state out of .text section Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-04 14:30 ` [kernel-hardening] [PATCH v4 2/6] arm64: mmu: move TLB maintenance from callers to create_mapping_late() Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-04 14:30 ` [kernel-hardening] [PATCH v4 3/6] arm64: alternatives: apply boot time fixups via the linear mapping Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-04 14:30 ` [kernel-hardening] [PATCH v4 4/6] arm64: mmu: map .text as read-only from the outset Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-07 14:10 ` Mark Rutland [this message]
2017-03-07 14:10 ` Mark Rutland
2017-03-07 14:10 ` Mark Rutland
2017-03-04 14:30 ` [kernel-hardening] [PATCH v4 5/6] arm64: mmu: apply strict permissions to .init.text and .init.data Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-07 14:21 ` [kernel-hardening] " Mark Rutland
2017-03-07 14:21 ` Mark Rutland
2017-03-07 14:21 ` Mark Rutland
2017-03-04 14:30 ` [kernel-hardening] [PATCH v4 6/6] arm64: mm: set the contiguous bit for kernel mappings where appropriate Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-04 14:30 ` Ard Biesheuvel
2017-03-07 16:46 ` [kernel-hardening] " Mark Rutland
2017-03-07 16:46 ` Mark Rutland
2017-03-07 16:46 ` Mark Rutland
2017-03-08 10:57 ` [kernel-hardening] " Ard Biesheuvel
2017-03-08 10:57 ` Ard Biesheuvel
2017-03-08 10:57 ` Ard Biesheuvel
2017-03-08 11:22 ` [kernel-hardening] " Mark Rutland
2017-03-08 11:22 ` Mark Rutland
2017-03-08 11:22 ` Mark Rutland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170307141014.GA3514@leverpostej \
--to=mark.rutland@arm.com \
--cc=andre.przywara@arm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=catalin.marinas@arm.com \
--cc=james.morse@arm.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=labbott@fedoraproject.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=marc.zyngier@arm.com \
--cc=suzuki.poulose@arm.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.