From: Mark Rutland <mark.rutland@arm.com>
To: Laura Abbott <labbott@redhat.com>
Cc: Kees Cook <keescook@chromium.org>,
Jason Wessel <jason.wessel@windriver.com>,
Jonathan Corbet <corbet@lwn.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"James E.J. Bottomley" <jejb@parisc-linux.org>,
Helge Deller <deller@gmx.de>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Rob Herring <robh@kernel.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
Jessica Yu <jeyu@redhat.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.i
Subject: Re: [PATCH 1/2] security: Change name of CONFIG_DEBUG_RODATA
Date: Thu, 19 Jan 2017 10:56:46 +0000 [thread overview]
Message-ID: <20170119105646.GA11176@leverpostej> (raw)
In-Reply-To: <1484789346-21012-2-git-send-email-labbott@redhat.com>
Hi Laura,
On Wed, Jan 18, 2017 at 05:29:05PM -0800, Laura Abbott wrote:
>
> Despite the word 'debug' in CONFIG_DEBUG_RODATA, this kernel option
> provides key security features that are to be expected on a modern
> system. Change the name to CONFIG_HARDENED_PAGE_MAPPINGS which more
> accurately describes what this option is intended to do.
This generally sounds good. Thanks for attacking this!
On the bikeshedding front, *maybe* it would be nice to mention
permissions in the name, something like STRICT_KERNEL_RWX. That might
also prevent the reading of 'hardened' as 'optional overhead'.
That said, the proposed name is fine by me -- I'm happy so long as
'DEBUG' goes.
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 1117421..06fed56 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -11,6 +11,7 @@ config ARM64
> select ARCH_HAS_ELF_RANDOMIZE
> select ARCH_HAS_GCOV_PROFILE_ALL
> select ARCH_HAS_GIGANTIC_PAGE
> + select ARCH_HAS_HARDENED_MAPPINGS
> select ARCH_HAS_KCOV
> select ARCH_HAS_SG_CHAIN
> select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
> @@ -123,9 +124,6 @@ config ARCH_PHYS_ADDR_T_64BIT
> config MMU
> def_bool y
>
> -config DEBUG_RODATA
> - def_bool y
> -
> diff --git a/security/Kconfig b/security/Kconfig
> index 118f454..ad6ce82 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -158,6 +158,22 @@ config HARDENED_USERCOPY_PAGESPAN
> been removed. This config is intended to be used only while
> trying to find such users.
>
> +config ARCH_HAS_HARDENED_MAPPINGS
> + def_bool n
> +
> +config HARDENED_PAGE_MAPPINGS
> + bool "Mark kernel mappings with stricter permissions (RO/W^X)"
> + default y
> + depends on ARCH_HAS_HARDENED_MAPPINGS
> + help
> + If this is set, kernel text and rodata memory will be made read-only,
> + and non-text memory will be made non-executable. This provides
> + protection against certain security attacks (e.g. executing the heap
> + or modifying text).
> +
> + Unless your system has known restrictions or performance issues, it
> + is recommended to say Y here.
It's somewhat unfortunate that this means the feature is no longer
mandatory on arm64 (and s390+x86). We have a boot-time switch to turn
the protections off, so I was hoping we could make this mandatory on all
architectures with support.
It would be good to see if we could make this mandatory for arm and
parisc, or if it really needs to be optional for either of those.
Thanks,
Mark.
next prev parent reply other threads:[~2017-01-19 10:56 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-19 1:29 [RFC][PATCH 0/2] Better hardening names Laura Abbott
2017-01-19 1:29 ` [PATCH 1/2] security: Change name of CONFIG_DEBUG_RODATA Laura Abbott
2017-01-19 7:53 ` Pavel Machek
2017-01-25 11:21 ` Laura Abbott
2017-01-25 13:51 ` Pavel Machek
2017-01-19 10:56 ` Mark Rutland [this message]
2017-01-19 11:33 ` Heiko Carstens
2017-01-19 21:17 ` Helge Deller
2017-01-25 11:37 ` Laura Abbott
2017-01-19 22:00 ` Kees Cook
2017-01-25 11:25 ` Laura Abbott
2017-01-19 21:57 ` Kees Cook
2017-01-19 1:29 ` [PATCH 2/2] security: Change name of CONFIG_DEBUG_SET_MODULE_RONX Laura Abbott
2017-01-19 11:11 ` Mark Rutland
2017-01-19 11:34 ` Heiko Carstens
2017-01-19 11:43 ` Robin Murphy
2017-01-25 11:44 ` Laura Abbott
2017-01-20 5:46 ` kbuild test robot
2017-01-19 22:08 ` [RFC][PATCH 0/2] Better hardening names Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170119105646.GA11176@leverpostej \
--to=mark.rutland@arm.com \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=deller@gmx.de \
--cc=heiko.carstens@de.ibm.com \
--cc=hpa@zytor.com \
--cc=jason.wessel@windriver.com \
--cc=jejb@parisc-linux.org \
--cc=jeyu@redhat.com \
--cc=keescook@chromium.org \
--cc=labbott@redhat.com \
--cc=len.brown@intel.com \
--cc=linux-arm-kernel@lists.i \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=mingo@redhat.com \
--cc=pavel@ucw.cz \
--cc=rjw@rjwysocki.net \
--cc=robh@kernel.org \
--cc=schwidefsky@de.ibm.com \
--cc=tglx@linutronix.de \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).