[PATCHv7 2/2] arm64: add better page protections to arm64
Kees Cook
keescook at chromium.org
Tue Jan 20 10:19:23 PST 2015
On Tue, Jan 20, 2015 at 10:14 AM, Catalin Marinas
<catalin.marinas at arm.com> wrote:
> On Sat, Jan 17, 2015 at 12:26:59AM +0000, Laura Abbott wrote:
>> On 1/15/2015 1:44 AM, Ard Biesheuvel wrote:
>> > On 14 January 2015 at 22:59, Laura Abbott <lauraa at codeaurora.org> wrote:
>> >> Add page protections for arm64 similar to those in arm.
>> >> This is for security reasons to prevent certain classes
>> >> of exploits. The current method:
>> >>
>> >> - Map all memory as either RWX or RW. We round to the nearest
>> >> section to avoid creating page tables before everything is mapped
>> >> - Once everything is mapped, if either end of the RWX section should
>> >> not be X, we split the PMD and remap as necessary
>> >> - When initmem is to be freed, we change the permissions back to
>> >> RW (using stop machine if necessary to flush the TLB)
>> >> - If CONFIG_DEBUG_RODATA is set, the read only sections are set
>> >> read only.
>> >>
>> >> Tested-by: Kees Cook <keescook at chromium.org>
>> >> Signed-off-by: Laura Abbott <lauraa at codeaurora.org>
>> >> ---
>> >> v7: Rebased on Ard's patch series. Addressed minor comments from
>> >> Catalin.
>> >> ---
>> >
>> > Acked-by: Ard Biesheuvel <ard.biesheuvel at linaro.org>
>> > Tested-by: Ard Biesheuvel <ard.biesheuvel at linaro.org>
>> >
>> > With setting DEBUG_RODATA, I lose the ability to write to variables in
>> > the rodata section. I have not tested executing from !X sections
>> > though.
>> >
>> > My single objection to this patch would be that it is presented as a
>> > debug option, which I think is a mistake. Especially now, we are in a
>> > time window with lots of momentum in the arm64 kernel developer
>> > community and little hardware in the field yet, so we have a huge
>> > opportunity to make features such as this one opt-out rather than
>> > opt-in, without having to worry about backward compatibility. This
>> > applies equally to STRICT_DEVMEM, for instance, which is something
>> > that is on our radar at Linaro, and will be addressed in the 3.21
>> > timeframe.
>
> I agree with STRICT_DEVMEM.
>
>> I agree. I fully support making this default on if possible. My goal
>> for the first pass was to get the infrastructure in and then figure
>> out how to make this default later.
>
> I don't mind dropping the "debug" naming part from this feature but I
> wouldn't go as far as making it the default. Do we have any information
> on what the performance impact is? We lose some big block mappings
> (could even be 1GB with the right RAM alignment) once we want finer
> grained permissions.
I prefer keeping the CONFIG_DEBUG_RODATA name to match the other
architectures. My plan was to globally change this for all
architectures once RODATA lands for arm64, and convert all of the
CONFIG_DEBUG_RODATA uses into ARCH_HAS_RODATA or something similar.
If, however, only the name is stopping it from landing in arm64, then
I don't care what it's called. ;)
-Kees
--
Kees Cook
Chrome OS Security
More information about the linux-arm-kernel
mailing list