[openwrt/openwrt] kernel: Enable CONFIG_ARM64_PAN to restrict kernel access to user space memory

LEDE Commits lede-commits at lists.infradead.org
Tue Aug 20 15:23:18 PDT 2024


hauke pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/a2662309aae1655966d7d8f31b71ddc6edbede87

commit a2662309aae1655966d7d8f31b71ddc6edbede87
Author: Hauke Mehrtens <hauke at hauke-m.de>
AuthorDate: Sat Aug 17 15:12:31 2024 +0200

    kernel: Enable CONFIG_ARM64_PAN to restrict kernel access to user space memory
    
    Enable the CONFIG_ARM64_PAN kernel security option, which leverages the
    ARMv8.1 Privileged Access Never (PAN) extension to prevent the kernel
    from directly accessing user space memory.
    
    Instead, copy_to_user and similar functions must be used for data
    transfer between kernel and user space. This feature is automatically
    disabled at runtime on CPUs without PAN support, making it a no-op in
    those cases.
    
    Link: https://github.com/openwrt/openwrt/pull/16189
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 target/linux/armsr/armv8/config-6.6          | 1 -
 target/linux/bcm27xx/bcm2710/config-6.6      | 1 -
 target/linux/bcm27xx/bcm2711/config-6.6      | 1 -
 target/linux/bcm27xx/bcm2712/config-6.6      | 1 -
 target/linux/generic/config-5.15             | 2 +-
 target/linux/generic/config-6.1              | 2 +-
 target/linux/generic/config-6.6              | 2 +-
 target/linux/layerscape/armv8_64b/config-6.1 | 1 -
 target/linux/layerscape/armv8_64b/config-6.6 | 1 -
 target/linux/rockchip/armv8/config-6.6       | 1 -
 10 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/target/linux/armsr/armv8/config-6.6 b/target/linux/armsr/armv8/config-6.6
index 3ce25c60d8..64356e27f4 100644
--- a/target/linux/armsr/armv8/config-6.6
+++ b/target/linux/armsr/armv8/config-6.6
@@ -93,7 +93,6 @@ CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_MTE=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/bcm27xx/bcm2710/config-6.6 b/target/linux/bcm27xx/bcm2710/config-6.6
index 4ab0e03ee2..961fd2c71e 100644
--- a/target/linux/bcm27xx/bcm2710/config-6.6
+++ b/target/linux/bcm27xx/bcm2710/config-6.6
@@ -34,7 +34,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/bcm27xx/bcm2711/config-6.6 b/target/linux/bcm27xx/bcm2711/config-6.6
index 915fe29cae..6aeedc1c31 100644
--- a/target/linux/bcm27xx/bcm2711/config-6.6
+++ b/target/linux/bcm27xx/bcm2711/config-6.6
@@ -29,7 +29,6 @@ CONFIG_ARM64_ERRATUM_1319367=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/bcm27xx/bcm2712/config-6.6 b/target/linux/bcm27xx/bcm2712/config-6.6
index d61796fb24..81cc66e9c4 100644
--- a/target/linux/bcm27xx/bcm2712/config-6.6
+++ b/target/linux/bcm27xx/bcm2712/config-6.6
@@ -33,7 +33,6 @@ CONFIG_ARM64_ERRATUM_3194386=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/generic/config-5.15 b/target/linux/generic/config-5.15
index 90650ac7dd..1b8ad1cf42 100644
--- a/target/linux/generic/config-5.15
+++ b/target/linux/generic/config-5.15
@@ -349,7 +349,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_LSE_ATOMICS is not set
 CONFIG_ARM64_MODULE_PLTS=y
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTDUMP_DEBUGFS is not set
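Review bot: `CONFIG_ARM64_PAN=y` in this hunk only protects cores that implement the ARMv8.1 PAN extension; as the commit message itself says, it is a runtime no-op elsewhere, so images built from this generic config for ARMv8.0 cores still let the kernel dereference user pointers directly. The kernel's software fallback for those cores is `CONFIG_ARM64_SW_TTBR0_PAN`, whose state is not visible in this hunk. If it is left unset on purpose (it adds overhead on kernel entry and user access), a sentence in the commit message saying so would keep readers from assuming PAN coverage on every arm64 target. Turning PAN on also makes the dependent symbol `CONFIG_ARM64_EPAN` selectable, and the hunk does not show whether the generic config pins it. The same points apply to the config-6.1 and config-6.6 hunks below.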
diff --git a/target/linux/generic/config-6.1 b/target/linux/generic/config-6.1
index 3460be73b1..81c66f41df 100644
--- a/target/linux/generic/config-6.1
+++ b/target/linux/generic/config-6.1
@@ -383,7 +383,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_LSE_ATOMICS is not set
 CONFIG_ARM64_MODULE_PLTS=y
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTDUMP_DEBUGFS is not set
diff --git a/target/linux/generic/config-6.6 b/target/linux/generic/config-6.6
index c169e107df..4fcb93fd25 100644
--- a/target/linux/generic/config-6.6
+++ b/target/linux/generic/config-6.6
@@ -358,7 +358,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_HW_AFDBM is not set
 # CONFIG_ARM64_LSE_ATOMICS is not set
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTR_AUTH is not set
diff --git a/target/linux/layerscape/armv8_64b/config-6.1 b/target/linux/layerscape/armv8_64b/config-6.1
index 2ebe59c7cc..8693370c19 100644
--- a/target/linux/layerscape/armv8_64b/config-6.1
+++ b/target/linux/layerscape/armv8_64b/config-6.1
@@ -40,7 +40,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/layerscape/armv8_64b/config-6.6 b/target/linux/layerscape/armv8_64b/config-6.6
index 6d9d2ba2d5..133b75addb 100644
--- a/target/linux/layerscape/armv8_64b/config-6.6
+++ b/target/linux/layerscape/armv8_64b/config-6.6
@@ -41,7 +41,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/rockchip/armv8/config-6.6 b/target/linux/rockchip/armv8/config-6.6
index dd9908869f..bdb7d2b493 100644
--- a/target/linux/rockchip/armv8/config-6.6
+++ b/target/linux/rockchip/armv8/config-6.6
@@ -48,7 +48,6 @@ CONFIG_ARM64_ERRATUM_858921=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y



