From: Mark Rutland <mark.rutland@arm.com>
To: Laura Abbott <labbott@redhat.com>
Cc: Kees Cook <keescook@chromium.org>,
Jason Wessel <jason.wessel@windriver.com>,
Jonathan Corbet <corbet@lwn.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"James E.J. Bottomley" <jejb@parisc-linux.org>,
Helge Deller <deller@gmx.de>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Rob Herring <robh@kernel.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
Jessica Yu <jeyu@redhat.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.i
Subject: Re: [PATCHv2 1/2] arch: Move CONFIG_DEBUG_RODATA and CONFIG_SET_MODULE_RONX to be common
Date: Fri, 3 Feb 2017 18:16:07 +0000 [thread overview]
Message-ID: <20170203181607.GA26578@leverpostej> (raw)
In-Reply-To: <1486144343-24998-2-git-send-email-labbott@redhat.com>
On Fri, Feb 03, 2017 at 09:52:21AM -0800, Laura Abbott wrote:
> There are multiple architectures that support CONFIG_DEBUG_RODATA and
> CONFIG_SET_MODULE_RONX. These options also now have the ability to be
> turned off at runtime. Move these to an architecture independent
> location and make these options def_bool y for almost all of those
> arches.
>
> Signed-off-by: Laura Abbott <labbott@redhat.com>
>From my POV this looks good. FWIW:
Acked-by: Mark Rutland <mark.rutland@arm.com>
Mark.
> ---
> v2: This patch is now doing just the refactor of the existing config options.
> ---
> arch/Kconfig | 28 ++++++++++++++++++++++++++++
> arch/arm/Kconfig | 3 +++
> arch/arm/Kconfig.debug | 11 -----------
> arch/arm/mm/Kconfig | 12 ------------
> arch/arm64/Kconfig | 5 ++---
> arch/arm64/Kconfig.debug | 11 -----------
> arch/parisc/Kconfig | 1 +
> arch/parisc/Kconfig.debug | 11 -----------
> arch/s390/Kconfig | 5 ++---
> arch/s390/Kconfig.debug | 3 ---
> arch/x86/Kconfig | 5 ++---
> arch/x86/Kconfig.debug | 11 -----------
> 12 files changed, 38 insertions(+), 68 deletions(-)
>
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 99839c2..22ee01e 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -781,4 +781,32 @@ config VMAP_STACK
> the stack to map directly to the KASAN shadow map using a formula
> that is incorrect if the stack is in vmalloc space.
>
> +config ARCH_NO_STRICT_RWX_DEFAULTS
> + def_bool n
> +
> +config ARCH_HAS_STRICT_KERNEL_RWX
> + def_bool n
> +
> +config DEBUG_RODATA
> + def_bool y if !ARCH_NO_STRICT_RWX_DEFAULTS
> + prompt "Make kernel text and rodata read-only" if ARCH_NO_STRICT_RWX_DEFAULTS
> + depends on ARCH_HAS_STRICT_KERNEL_RWX
> + help
> + If this is set, kernel text and rodata memory will be made read-only,
> + and non-text memory will be made non-executable. This provides
> + protection against certain security exploits (e.g. executing the heap
> + or modifying text)
> +
> +config ARCH_HAS_STRICT_MODULE_RWX
> + def_bool n
> +
> +config DEBUG_SET_MODULE_RONX
> + def_bool y if !ARCH_NO_STRICT_RWX_DEFAULTS
> + prompt "Set loadable kenrel module data as NX and text as RO" if ARCH_NO_STRICT_RWX_DEFAULTS
> + depends on ARCH_HAS_STRICT_MODULE_RWX && MODULES
> + help
> + If this is set, module text and rodata memory will be made read-only,
> + and non-text memory will be made non-executable. This provides
> + protection against certain security exploits (e.g. writing to text)
> +
> source "kernel/gcov/Kconfig"
> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
> index 186c4c2..aa73ca8 100644
> --- a/arch/arm/Kconfig
> +++ b/arch/arm/Kconfig
> @@ -4,10 +4,13 @@ config ARM
> select ARCH_CLOCKSOURCE_DATA
> select ARCH_HAS_DEVMEM_IS_ALLOWED
> select ARCH_HAS_ELF_RANDOMIZE
> + select ARCH_HAS_STRICT_KERNEL_RWX if MMU && !XIP_KERNEL
> + select ARCH_HAS_STRICT_MODULE_RWX if MMU
> select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
> select ARCH_HAVE_CUSTOM_GPIO_H
> select ARCH_HAS_GCOV_PROFILE_ALL
> select ARCH_MIGHT_HAVE_PC_PARPORT
> + select ARCH_NO_STRICT_RWX_DEFAULTS if !CPU_V7
> select ARCH_SUPPORTS_ATOMIC_RMW
> select ARCH_USE_BUILTIN_BSWAP
> select ARCH_USE_CMPXCHG_LOCKREF
> diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
> index d83f7c3..426d271 100644
> --- a/arch/arm/Kconfig.debug
> +++ b/arch/arm/Kconfig.debug
> @@ -1738,17 +1738,6 @@ config PID_IN_CONTEXTIDR
> additional instructions during context switch. Say Y here only if you
> are planning to use hardware trace tools with this kernel.
>
> -config DEBUG_SET_MODULE_RONX
> - bool "Set loadable kernel module data as NX and text as RO"
> - depends on MODULES && MMU
> - ---help---
> - This option helps catch unintended modifications to loadable
> - kernel module's text and read-only data. It also prevents execution
> - of module data. Such protection may interfere with run-time code
> - patching and dynamic kernel tracing - and they might also protect
> - against certain classes of kernel exploits.
> - If in doubt, say "N".
> -
> source "drivers/hwtracing/coresight/Kconfig"
>
> endmenu
> diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
> index f68e8ec..419a035 100644
> --- a/arch/arm/mm/Kconfig
> +++ b/arch/arm/mm/Kconfig
> @@ -1051,18 +1051,6 @@ config ARCH_SUPPORTS_BIG_ENDIAN
> This option specifies the architecture can support big endian
> operation.
>
> -config DEBUG_RODATA
> - bool "Make kernel text and rodata read-only"
> - depends on MMU && !XIP_KERNEL
> - default y if CPU_V7
> - help
> - If this is set, kernel text and rodata memory will be made
> - read-only, and non-text kernel memory will be made non-executable.
> - The tradeoff is that each region is padded to section-size (1MiB)
> - boundaries (because their permissions are different and splitting
> - the 1M pages into 4K ones causes TLB performance problems), which
> - can waste memory.
> -
> config DEBUG_ALIGN_RODATA
> bool "Make rodata strictly non-executable"
> depends on DEBUG_RODATA
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 1117421..e1efbcc 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -13,6 +13,8 @@ config ARM64
> select ARCH_HAS_GIGANTIC_PAGE
> select ARCH_HAS_KCOV
> select ARCH_HAS_SG_CHAIN
> + select ARCH_HAS_STRICT_KERNEL_RWX
> + select ARCH_HAS_STRICT_MODULE_RWX
> select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
> select ARCH_USE_CMPXCHG_LOCKREF
> select ARCH_SUPPORTS_ATOMIC_RMW
> @@ -123,9 +125,6 @@ config ARCH_PHYS_ADDR_T_64BIT
> config MMU
> def_bool y
>
> -config DEBUG_RODATA
> - def_bool y
> -
> config ARM64_PAGE_SHIFT
> int
> default 16 if ARM64_64K_PAGES
> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
> index d1ebd46..939815e 100644
> --- a/arch/arm64/Kconfig.debug
> +++ b/arch/arm64/Kconfig.debug
> @@ -71,17 +71,6 @@ config DEBUG_WX
>
> If in doubt, say "Y".
>
> -config DEBUG_SET_MODULE_RONX
> - bool "Set loadable kernel module data as NX and text as RO"
> - depends on MODULES
> - default y
> - help
> - Is this is set, kernel module text and rodata will be made read-only.
> - This is to help catch accidental or malicious attempts to change the
> - kernel's executable code.
> -
> - If in doubt, say Y.
> -
> config DEBUG_ALIGN_RODATA
> depends on DEBUG_RODATA
> bool "Align linker sections up to SECTION_SIZE"
> diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
> index 3a71f38..ad294b3 100644
> --- a/arch/parisc/Kconfig
> +++ b/arch/parisc/Kconfig
> @@ -8,6 +8,7 @@ config PARISC
> select HAVE_SYSCALL_TRACEPOINTS
> select ARCH_WANT_FRAME_POINTERS
> select ARCH_HAS_ELF_RANDOMIZE
> + select ARCH_HAS_STRICT_KERNEL_RWX
> select RTC_CLASS
> select RTC_DRV_GENERIC
> select INIT_ALL_POSSIBLE
> diff --git a/arch/parisc/Kconfig.debug b/arch/parisc/Kconfig.debug
> index 68b7cbd..0d856b9 100644
> --- a/arch/parisc/Kconfig.debug
> +++ b/arch/parisc/Kconfig.debug
> @@ -5,15 +5,4 @@ source "lib/Kconfig.debug"
> config TRACE_IRQFLAGS_SUPPORT
> def_bool y
>
> -config DEBUG_RODATA
> - bool "Write protect kernel read-only data structures"
> - depends on DEBUG_KERNEL
> - default y
> - help
> - Mark the kernel read-only data as write-protected in the pagetables,
> - in order to catch accidental (and incorrect) writes to such const
> - data. This option may have a slight performance impact because a
> - portion of the kernel code won't be covered by a TLB anymore.
> - If in doubt, say "N".
> -
> endmenu
> diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
> index c6722112..53bb0e3 100644
> --- a/arch/s390/Kconfig
> +++ b/arch/s390/Kconfig
> @@ -62,9 +62,6 @@ config PCI_QUIRKS
> config ARCH_SUPPORTS_UPROBES
> def_bool y
>
> -config DEBUG_RODATA
> - def_bool y
> -
> config S390
> def_bool y
> select ARCH_HAS_DEVMEM_IS_ALLOWED
> @@ -73,6 +70,8 @@ config S390
> select ARCH_HAS_GIGANTIC_PAGE
> select ARCH_HAS_KCOV
> select ARCH_HAS_SG_CHAIN
> + select ARCH_HAS_STRICT_KERNEL_RWX
> + select ARCH_HAS_STRICT_MODULE_RWX
> select ARCH_HAS_UBSAN_SANITIZE_ALL
> select ARCH_HAVE_NMI_SAFE_CMPXCHG
> select ARCH_INLINE_READ_LOCK
> diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug
> index 26c5d5be..57f8ea9 100644
> --- a/arch/s390/Kconfig.debug
> +++ b/arch/s390/Kconfig.debug
> @@ -17,7 +17,4 @@ config S390_PTDUMP
> kernel.
> If in doubt, say "N"
>
> -config DEBUG_SET_MODULE_RONX
> - def_bool y
> - depends on MODULES
> endmenu
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index e487493..13e1bf4 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -54,6 +54,8 @@ config X86
> select ARCH_HAS_MMIO_FLUSH
> select ARCH_HAS_PMEM_API if X86_64
> select ARCH_HAS_SG_CHAIN
> + select ARCH_HAS_STRICT_KERNEL_RWX
> + select ARCH_HAS_STRICT_MODULE_RWX
> select ARCH_HAS_UBSAN_SANITIZE_ALL
> select ARCH_HAVE_NMI_SAFE_CMPXCHG
> select ARCH_MIGHT_HAVE_ACPI_PDC if ACPI
> @@ -309,9 +311,6 @@ config ARCH_SUPPORTS_UPROBES
> config FIX_EARLYCON_MEM
> def_bool y
>
> -config DEBUG_RODATA
> - def_bool y
> -
> config PGTABLE_LEVELS
> int
> default 4 if X86_64
> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
> index 67eec55..69cdd0b 100644
> --- a/arch/x86/Kconfig.debug
> +++ b/arch/x86/Kconfig.debug
> @@ -109,17 +109,6 @@ config DEBUG_WX
>
> If in doubt, say "Y".
>
> -config DEBUG_SET_MODULE_RONX
> - bool "Set loadable kernel module data as NX and text as RO"
> - depends on MODULES
> - ---help---
> - This option helps catch unintended modifications to loadable
> - kernel module's text and read-only data. It also prevents execution
> - of module data. Such protection may interfere with run-time code
> - patching and dynamic kernel tracing - and they might also protect
> - against certain classes of kernel exploits.
> - If in doubt, say "N".
> -
> config DEBUG_NX_TEST
> tristate "Testcase for the NX non-executable stack feature"
> depends on DEBUG_KERNEL && m
> --
> 2.7.4
>
next prev parent reply other threads:[~2017-02-03 18:16 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-03 17:52 [PATCHv2 0/2] Hardening configs refactor/rename Laura Abbott
2017-02-03 17:52 ` [PATCHv2 1/2] arch: Move CONFIG_DEBUG_RODATA and CONFIG_SET_MODULE_RONX to be common Laura Abbott
2017-02-03 18:16 ` Mark Rutland [this message]
2017-02-03 19:45 ` Kees Cook
2017-02-03 20:29 ` Russell King - ARM Linux
2017-02-03 21:08 ` Kees Cook
2017-02-03 22:28 ` Russell King - ARM Linux
2017-02-03 23:07 ` Kees Cook
2017-02-06 18:47 ` Laura Abbott
2017-02-07 7:36 ` Pavel Machek
2017-02-03 17:52 ` [PATCHv2 2/2] arch: Rename CONFIG_DEBUG_RODATA and CONFIG_DEBUG_MODULE_RONX Laura Abbott
2017-02-03 18:26 ` Mark Rutland
2017-02-03 20:03 ` Kees Cook
2017-02-06 18:49 ` Laura Abbott
2017-02-06 20:13 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170203181607.GA26578@leverpostej \
--to=mark.rutland@arm.com \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=deller@gmx.de \
--cc=heiko.carstens@de.ibm.com \
--cc=hpa@zytor.com \
--cc=jason.wessel@windriver.com \
--cc=jejb@parisc-linux.org \
--cc=jeyu@redhat.com \
--cc=keescook@chromium.org \
--cc=labbott@redhat.com \
--cc=len.brown@intel.com \
--cc=linux-arm-kernel@lists.i \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=mingo@redhat.com \
--cc=pavel@ucw.cz \
--cc=rjw@rjwysocki.net \
--cc=robh@kernel.org \
--cc=schwidefsky@de.ibm.com \
--cc=tglx@linutronix.de \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).