From: =?UTF-8?B?dGlwLWJvdCBmb3IgS2VlcyBDb29rIDx0aXBib3RAenl0b3IuY29tPg==?=@zytor.com
To: =?UTF-8?B?bGludXgtdGlwLWNvbW1pdHNAdmdlci5rZXJuZWwub3Jn?=@zytor.com
Cc: peterz@infradead.org, minipli@googlemail.com,
keescook@chromium.org, pageexec@freemail.hu, re.emese@gmail.com,
linux-arch@vger.kernel.org, hpa@zytor.com,
david.brown@linaro.org, mingo@kernel.org,
linux-kernel@vger.kernel.org, spender@grsecurity.net,
arnd@arndb.de, tglx@linutronix.de, bp@alien8.de,
dvlasenk@redhat.com, torvalds@linux-foundation.org,
brgerst@gmail.com, mpe@ellerman.id.au, luto@amacapital.net
Subject: [tip:mm/readonly] arch: Introduce post-init read-only memory
Date: Mon, 22 Feb 2016 04:19:33 -0800 [thread overview]
Message-ID: <tip-c74ba8b3480da6ddaea17df2263ec09b869ac496@git.kernel.org> (raw)
In-Reply-To: <1455748879-21872-5-git-send-email-keescook@chromium.org>
Commit-ID: c74ba8b3480da6ddaea17df2263ec09b869ac496
Gitweb: http://git.kernel.org/tip/c74ba8b3480da6ddaea17df2263ec09b869ac496
Author: Kees Cook <keescook@chromium.org>
AuthorDate: Wed, 17 Feb 2016 14:41:15 -0800
Committer: Ingo Molnar <mingo@kernel.org>
CommitDate: Mon, 22 Feb 2016 08:51:38 +0100
arch: Introduce post-init read-only memory
One of the easiest ways to protect the kernel from attack is to reduce
the internal attack surface exposed when a "write" flaw is available. By
making as much of the kernel read-only as possible, we reduce the
attack surface.
Many things are written to only during __init, and never changed
again. These cannot be made "const" since the compiler will do the wrong
thing (we do actually need to write to them). Instead, move these items
into a memory region that will be made read-only during mark_rodata_ro()
which happens after all kernel __init code has finished.
This introduces __ro_after_init as a way to mark such memory, and adds
some documentation about the existing __read_mostly marking.
This improves the security of the Linux kernel by marking formerly
read-write memory regions as read-only on a fully booted up system.
Based on work by PaX Team and Brad Spengler.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Brown <david.brown@linaro.org>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathias Krause <minipli@googlemail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-hardening@lists.openwall.com
Cc: linux-arch <linux-arch@vger.kernel.org>
Link: http://lkml.kernel.org/r/1455748879-21872-5-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/parisc/include/asm/cache.h | 3 +++
include/asm-generic/vmlinux.lds.h | 1 +
include/linux/cache.h | 14 ++++++++++++++
3 files changed, 18 insertions(+)
diff --git a/arch/parisc/include/asm/cache.h b/arch/parisc/include/asm/cache.h
index 3d0e17b..df0f52b 100644
--- a/arch/parisc/include/asm/cache.h
+++ b/arch/parisc/include/asm/cache.h
@@ -22,6 +22,9 @@
#define __read_mostly __attribute__((__section__(".data..read_mostly")))
+/* Read-only memory is marked before mark_rodata_ro() is called. */
+#define __ro_after_init __read_mostly
+
void parisc_cache_init(void); /* initializes cache-flushing */
void disable_sr_hashing_asm(int); /* low level support for above */
void disable_sr_hashing(void); /* turns off space register hashing */
diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index c4bd0e2..772c784 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -256,6 +256,7 @@
.rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
VMLINUX_SYMBOL(__start_rodata) = .; \
*(.rodata) *(.rodata.*) \
+ *(.data..ro_after_init) /* Read only after init */ \
*(__vermagic) /* Kernel version magic */ \
. = ALIGN(8); \
VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
diff --git a/include/linux/cache.h b/include/linux/cache.h
index 17e7e82..1be04f8 100644
--- a/include/linux/cache.h
+++ b/include/linux/cache.h
@@ -12,10 +12,24 @@
#define SMP_CACHE_BYTES L1_CACHE_BYTES
#endif
+/*
+ * __read_mostly is used to keep rarely changing variables out of frequently
+ * updated cachelines. If an architecture doesn't support it, ignore the
+ * hint.
+ */
#ifndef __read_mostly
#define __read_mostly
#endif
+/*
+ * __ro_after_init is used to mark things that are read-only after init (i.e.
+ * after mark_rodata_ro() has been called). These are effectively read-only,
+ * but may get written to during init, so can't live in .rodata (via "const").
+ */
+#ifndef __ro_after_init
+#define __ro_after_init __attribute__((__section__(".data..ro_after_init")))
+#endif
+
#ifndef ____cacheline_aligned
#define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
#endif
next prev parent reply other threads:[~2016-02-22 12:19 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-17 22:41 [kernel-hardening] [PATCH v5 0/7] introduce post-init read-only memory Kees Cook
2016-02-17 22:41 ` Kees Cook
2016-02-17 22:41 ` [kernel-hardening] [PATCH v5 1/7] asm-generic: consolidate mark_rodata_ro() Kees Cook
2016-02-17 22:41 ` Kees Cook
2016-02-19 14:38 ` [kernel-hardening] " Will Deacon
2016-02-19 14:38 ` Will Deacon
2016-02-22 12:18 ` [tip:mm/readonly] asm-generic: Consolidate mark_rodata_ro() =?UTF-8?B?dGlwLWJvdCBmb3IgS2VlcyBDb29rIDx0aXBib3RAenl0b3IuY29tPg==?=
2016-02-17 22:41 ` [kernel-hardening] [PATCH v5 2/7] init: create cmdline param to disable readonly Kees Cook
2016-02-17 22:41 ` Kees Cook
2016-02-22 12:18 ` [tip:mm/readonly] mm/init: Add 'rodata=off' boot cmdline parameter to disable read-only kernel mappings =?UTF-8?B?dGlwLWJvdCBmb3IgS2VlcyBDb29rIDx0aXBib3RAenl0b3IuY29tPg==?=
2016-02-17 22:41 ` [kernel-hardening] [PATCH v5 3/7] x86: make CONFIG_DEBUG_RODATA non-optional Kees Cook
2016-02-17 22:41 ` Kees Cook
2016-02-22 12:19 ` [tip:mm/readonly] x86/mm: Always enable CONFIG_DEBUG_RODATA and remove the Kconfig option =?UTF-8?B?dGlwLWJvdCBmb3IgS2VlcyBDb29rIDx0aXBib3RAenl0b3IuY29tPg==?=
2016-02-17 22:41 ` [kernel-hardening] [PATCH v5 4/7] introduce post-init read-only memory Kees Cook
2016-02-17 22:41 ` Kees Cook
2016-02-22 12:19 ` =?UTF-8?B?dGlwLWJvdCBmb3IgS2VlcyBDb29rIDx0aXBib3RAenl0b3IuY29tPg==?= [this message]
2016-03-07 13:00 ` [kernel-hardening] " Christian Borntraeger
2016-03-07 13:00 ` Christian Borntraeger
2016-03-08 0:16 ` [kernel-hardening] " Kees Cook
2016-03-08 0:16 ` Kees Cook
2016-03-08 0:23 ` [kernel-hardening] " Andy Lutomirski
2016-03-08 0:23 ` Andy Lutomirski
2016-02-17 22:41 ` [kernel-hardening] [PATCH v5 5/7] lkdtm: verify that __ro_after_init works correctly Kees Cook
2016-02-17 22:41 ` Kees Cook
2016-02-22 12:19 ` [tip:mm/readonly] lkdtm: Verify that '__ro_after_init' " =?UTF-8?B?dGlwLWJvdCBmb3IgS2VlcyBDb29rIDx0aXBib3RAenl0b3IuY29tPg==?=
2016-02-17 22:41 ` [kernel-hardening] [PATCH v5 6/7] x86, vdso: mark vDSO read-only after init Kees Cook
2016-02-17 22:41 ` Kees Cook
2016-02-22 12:20 ` [tip:mm/readonly] x86/vdso: Mark the vDSO code " =?UTF-8?B?dGlwLWJvdCBmb3IgS2VlcyBDb29rIDx0aXBib3RAenl0b3IuY29tPg==?=
2016-02-17 22:41 ` [kernel-hardening] [PATCH v5 7/7] ARM: vdso: Mark vDSO code as read-only Kees Cook
2016-02-17 22:41 ` Kees Cook
2016-02-22 12:20 ` [tip:mm/readonly] ARM/vdso: Mark the vDSO code read-only after init =?UTF-8?B?dGlwLWJvdCBmb3IgRGF2aWQgQnJvd24gPHRpcGJvdEB6eXRvci5jb20+?=
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tip-c74ba8b3480da6ddaea17df2263ec09b869ac496@git.kernel.org \
--to==?utf-8?b?dglwlwjvdcbmb3igs2vlcybdb29ridx0axbib3raenl0b3iuy29tpg==?=@zytor.com \
--cc==?UTF-8?B?bGludXgtdGlwLWNvbW1pdHNAdmdlci5rZXJuZWwub3Jn?=@zytor.com \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=david.brown@linaro.org \
--cc=dvlasenk@redhat.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@kernel.org \
--cc=minipli@googlemail.com \
--cc=mpe@ellerman.id.au \
--cc=pageexec@freemail.hu \
--cc=peterz@infradead.org \
--cc=re.emese@gmail.com \
--cc=spender@grsecurity.net \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.