[PATCH] arm64: enable CONFIG_DEBUG_RODATA by default
Ard Biesheuvel
ard.biesheuvel at linaro.org
Thu Mar 3 08:56:33 PST 2016
On 3 March 2016 at 17:50, Kees Cook <keescook at chromium.org> wrote:
> On Thu, Mar 3, 2016 at 6:10 AM, Ard Biesheuvel
> <ard.biesheuvel at linaro.org> wrote:
>> In spite of its name, CONFIG_DEBUG_RODATA is an important hardening feature
>> for production kernels, and distros all enable it by default in their
>> kernel configs. However, since enabling it used to result in more granular,
>> and thus less efficient kernel mappings, it is not enabled by default for
>> performance reasons.
>>
>> However, since commit 2f39b5f91eb4 ("arm64: mm: Mark .rodata as RO"), the
>> various kernel segments (.text, .rodata, .init and .data) are already
>> mapped individually, and the only effect of setting CONFIG_DEBUG_RODATA is
>> that the existing .text and .rodata mappings are updated late in the boot
>> sequence to have their read-only attributes set, which means that any
>> performance concerns related to enabling CONFIG_DEBUG_RODATA are no longer
>> valid.
>>
>> So from now on, make CONFIG_DEBUG_RODATA default to 'y'
>>
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel at linaro.org>
>
> Acked-by: Kees Cook <keescook at chromium.org>
>
> If this doesn't cause any problems, perhaps we can make it always 'y' soon?
>
You mean remove the option altogether? I would not mind, although
arguably, being able to map .text and .rodata writable could be
considered a useful debug option (and then it would almost, but not
quite, live up to its name)
--
Ard.
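A check that a distro or platform engineer could script for the property the commit message describes (the .text and .rodata mappings carrying read-only attributes), added here as an example and not part of the thread. It assumes the line layout of arm64's /sys/kernel/debug/kernel_page_tables (ptdump) and uses constructed addresses; on a real system the segment bounds would be read from /proc/kallsyms.

```python
import re

# Constructed sample in the layout of arm64's /sys/kernel/debug/kernel_page_tables
# (ptdump). Addresses and sizes are made up for this example; the column layout
# is an assumption, not something taken from the mailing-list post.
SAMPLE_PTDUMP = """\
---[ Kernel Mapping ]---
0xffff000008080000-0xffff000008a00000     9M PMD       ro x  SHD AF        UXN MEM/NORMAL
0xffff000008a00000-0xffff000008c00000     2M PMD       ro NX SHD AF        UXN MEM/NORMAL
0xffff000008c00000-0xffff000008e00000     2M PMD       RW NX SHD AF        UXN MEM/NORMAL
0xffff000008e00000-0xffff000009000000     2M PMD       RW NX SHD AF        UXN MEM/NORMAL
"""

# Constructed segment boundaries, as one would read them from /proc/kallsyms
# (_text/_etext for .text, __start_rodata/__init_begin for .rodata).
SEGMENTS = {
    ".text":   (0xffff000008080000, 0xffff000008a00000),
    ".rodata": (0xffff000008a00000, 0xffff000008c00000),
}

# start-end range, size, level name (PGD/PUD/PMD/PTE), then the ro/RW flag
LINE_RE = re.compile(r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+\S+\s+(\S+)\s+(ro|RW)\b")

def parse_ptdump(text):
    """Yield (start, end, perm) for each mapping line; section headers are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(4)

def writable_overlaps(ptdump_text, segments):
    """Map each expected-read-only segment to the RW mappings overlapping it."""
    bad = {name: [] for name in segments}
    for start, end, perm in parse_ptdump(ptdump_text):
        if perm != "RW":
            continue
        for name, (seg_lo, seg_hi) in segments.items():
            if start < seg_hi and end > seg_lo:  # half-open interval overlap
                bad[name].append((start, end))
    return bad

def rodata_enforced(ptdump_text, segments):
    """True when no writable mapping overlaps .text or .rodata."""
    return not any(writable_overlaps(ptdump_text, segments).values())

if __name__ == "__main__":
    print("read-only text/rodata:", rodata_enforced(SAMPLE_PTDUMP, SEGMENTS))
```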