[PATCH 2/2] arm64: drop kernel segment resources from /proc/iomem

Kees Cook keescook at chromium.org
Thu Jun 16 10:48:49 PDT 2016


On Thu, Jun 16, 2016 at 10:28 AM, Ard Biesheuvel
<ard.biesheuvel at linaro.org> wrote:
> On 16 June 2016 at 19:21, Kees Cook <keescook at chromium.org> wrote:
>> On Thu, Jun 16, 2016 at 5:32 AM, Ard Biesheuvel
>> <ard.biesheuvel at linaro.org> wrote:
>>> (+ James)
>>>
>>> On 16 June 2016 at 14:28, Ard Biesheuvel <ard.biesheuvel at linaro.org> wrote:
>>>> By the same reasoning as commit c4004b02f8e5 ("x86: remove the kernel
>>>> code/data/bss resources from /proc/iomem"), the kernel code and kernel
>>>> data entries in /proc/iomem probably do more harm than good on arm64 as
>>>> well. So remove them.
>>>>
>>>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel at linaro.org>
>>>
>>>
>>> Actually, Linus's patch above has been reverted again, so we have to
>>> consider whether the kexec case exists for us as well before we
>>> consider this.
>>>
>>> Apologies for failing to spot that before sending.
>>
>> Please leave this as it was originally. The security exposure has been
>> minimized and it would make arm64 differ from all other architectures.
>> If we remove this, it needs to be coordinated across all
>> architectures.
>>
>
> OK, fair enough

Thanks!

One thing I _would_ like to see fixed on arm64 is the misplaced
_etext, which is incorrectly covering rodata. I just sent a patch to
fix this on arm, but on arm64, the _etext use is much more embedded.

I'd like to clean this up so that I can sanely use things like
core_kernel_text() for checking addresses in the upcoming
HARDENED_USERCOPY patch series.

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security


