arch: Move CONFIG_DEBUG_RODATA and CONFIG_SET_MODULE_RONX to be common
There are multiple architectures that support CONFIG_DEBUG_RODATA and CONFIG_SET_MODULE_RONX. These options also now have the ability to be turned off at runtime. Move these to an architecture independent location and make these options def_bool y for almost all of those arches. Signed-off-by: Laura Abbott <labbott@redhat.com> Acked-by: Ingo Molnar <mingo@kernel.org> Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
parent
0c744ea4f7
commit
ad21fc4faa
13 changed files with 51 additions and 68 deletions
|
@ -56,6 +56,12 @@ CONFIG_DEBUG_SET_MODULE_RONX, which seek to make sure that code is not
|
|||
writable, data is not executable, and read-only data is neither writable
|
||||
nor executable.
|
||||
|
||||
Most architectures have these options on by default and not user selectable.
|
||||
For some architectures like arm that wish to have these be selectable,
|
||||
the architecture Kconfig can select ARCH_OPTIONAL_KERNEL_RWX to enable
|
||||
a Kconfig prompt. CONFIG_ARCH_OPTIONAL_KERNEL_RWX_DEFAULT determines
|
||||
the default setting when ARCH_OPTIONAL_KERNEL_RWX is enabled.
|
||||
|
||||
#### Function pointers and sensitive variables must not be writable
|
||||
|
||||
Vast areas of kernel memory contain function pointers that are looked
|
||||
|
|
34
arch/Kconfig
34
arch/Kconfig
|
@ -781,4 +781,38 @@ config VMAP_STACK
|
|||
the stack to map directly to the KASAN shadow map using a formula
|
||||
that is incorrect if the stack is in vmalloc space.
|
||||
|
||||
config ARCH_OPTIONAL_KERNEL_RWX
|
||||
def_bool n
|
||||
|
||||
config ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
|
||||
def_bool n
|
||||
|
||||
config ARCH_HAS_STRICT_KERNEL_RWX
|
||||
def_bool n
|
||||
|
||||
config DEBUG_RODATA
|
||||
bool "Make kernel text and rodata read-only" if ARCH_OPTIONAL_KERNEL_RWX
|
||||
depends on ARCH_HAS_STRICT_KERNEL_RWX
|
||||
default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
|
||||
help
|
||||
If this is set, kernel text and rodata memory will be made read-only,
|
||||
and non-text memory will be made non-executable. This provides
|
||||
protection against certain security exploits (e.g. executing the heap
|
||||
or modifying text)
|
||||
|
||||
These features are considered standard security practice these days.
|
||||
You should say Y here in almost all cases.
|
||||
|
||||
config ARCH_HAS_STRICT_MODULE_RWX
|
||||
def_bool n
|
||||
|
||||
config DEBUG_SET_MODULE_RONX
|
||||
bool "Set loadable kernel module data as NX and text as RO" if ARCH_OPTIONAL_KERNEL_RWX
|
||||
depends on ARCH_HAS_STRICT_MODULE_RWX && MODULES
|
||||
default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
|
||||
help
|
||||
If this is set, module text and rodata memory will be made read-only,
|
||||
and non-text memory will be made non-executable. This provides
|
||||
protection against certain security exploits (e.g. writing to text)
|
||||
|
||||
source "kernel/gcov/Kconfig"
|
||||
|
|
|
@ -4,10 +4,14 @@ config ARM
|
|||
select ARCH_CLOCKSOURCE_DATA
|
||||
select ARCH_HAS_DEVMEM_IS_ALLOWED
|
||||
select ARCH_HAS_ELF_RANDOMIZE
|
||||
select ARCH_HAS_STRICT_KERNEL_RWX if MMU && !XIP_KERNEL
|
||||
select ARCH_HAS_STRICT_MODULE_RWX if MMU
|
||||
select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
|
||||
select ARCH_HAVE_CUSTOM_GPIO_H
|
||||
select ARCH_HAS_GCOV_PROFILE_ALL
|
||||
select ARCH_MIGHT_HAVE_PC_PARPORT
|
||||
select ARCH_OPTIONAL_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX
|
||||
select ARCH_OPTIONAL_KERNEL_RWX_DEFAULT if CPU_V7
|
||||
select ARCH_SUPPORTS_ATOMIC_RMW
|
||||
select ARCH_USE_BUILTIN_BSWAP
|
||||
select ARCH_USE_CMPXCHG_LOCKREF
|
||||
|
|
|
@ -1738,17 +1738,6 @@ config PID_IN_CONTEXTIDR
|
|||
additional instructions during context switch. Say Y here only if you
|
||||
are planning to use hardware trace tools with this kernel.
|
||||
|
||||
config DEBUG_SET_MODULE_RONX
|
||||
bool "Set loadable kernel module data as NX and text as RO"
|
||||
depends on MODULES && MMU
|
||||
---help---
|
||||
This option helps catch unintended modifications to loadable
|
||||
kernel module's text and read-only data. It also prevents execution
|
||||
of module data. Such protection may interfere with run-time code
|
||||
patching and dynamic kernel tracing - and they might also protect
|
||||
against certain classes of kernel exploits.
|
||||
If in doubt, say "N".
|
||||
|
||||
source "drivers/hwtracing/coresight/Kconfig"
|
||||
|
||||
endmenu
|
||||
|
|
|
@ -1051,18 +1051,6 @@ config ARCH_SUPPORTS_BIG_ENDIAN
|
|||
This option specifies the architecture can support big endian
|
||||
operation.
|
||||
|
||||
config DEBUG_RODATA
|
||||
bool "Make kernel text and rodata read-only"
|
||||
depends on MMU && !XIP_KERNEL
|
||||
default y if CPU_V7
|
||||
help
|
||||
If this is set, kernel text and rodata memory will be made
|
||||
read-only, and non-text kernel memory will be made non-executable.
|
||||
The tradeoff is that each region is padded to section-size (1MiB)
|
||||
boundaries (because their permissions are different and splitting
|
||||
the 1M pages into 4K ones causes TLB performance problems), which
|
||||
can waste memory.
|
||||
|
||||
config DEBUG_ALIGN_RODATA
|
||||
bool "Make rodata strictly non-executable"
|
||||
depends on DEBUG_RODATA
|
||||
|
|
|
@ -13,6 +13,8 @@ config ARM64
|
|||
select ARCH_HAS_GIGANTIC_PAGE
|
||||
select ARCH_HAS_KCOV
|
||||
select ARCH_HAS_SG_CHAIN
|
||||
select ARCH_HAS_STRICT_KERNEL_RWX
|
||||
select ARCH_HAS_STRICT_MODULE_RWX
|
||||
select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
|
||||
select ARCH_USE_CMPXCHG_LOCKREF
|
||||
select ARCH_SUPPORTS_ATOMIC_RMW
|
||||
|
@ -123,9 +125,6 @@ config ARCH_PHYS_ADDR_T_64BIT
|
|||
config MMU
|
||||
def_bool y
|
||||
|
||||
config DEBUG_RODATA
|
||||
def_bool y
|
||||
|
||||
config ARM64_PAGE_SHIFT
|
||||
int
|
||||
default 16 if ARM64_64K_PAGES
|
||||
|
|
|
@ -71,17 +71,6 @@ config DEBUG_WX
|
|||
|
||||
If in doubt, say "Y".
|
||||
|
||||
config DEBUG_SET_MODULE_RONX
|
||||
bool "Set loadable kernel module data as NX and text as RO"
|
||||
depends on MODULES
|
||||
default y
|
||||
help
|
||||
Is this is set, kernel module text and rodata will be made read-only.
|
||||
This is to help catch accidental or malicious attempts to change the
|
||||
kernel's executable code.
|
||||
|
||||
If in doubt, say Y.
|
||||
|
||||
config DEBUG_ALIGN_RODATA
|
||||
depends on DEBUG_RODATA
|
||||
bool "Align linker sections up to SECTION_SIZE"
|
||||
|
|
|
@ -8,6 +8,7 @@ config PARISC
|
|||
select HAVE_SYSCALL_TRACEPOINTS
|
||||
select ARCH_WANT_FRAME_POINTERS
|
||||
select ARCH_HAS_ELF_RANDOMIZE
|
||||
select ARCH_HAS_STRICT_KERNEL_RWX
|
||||
select RTC_CLASS
|
||||
select RTC_DRV_GENERIC
|
||||
select INIT_ALL_POSSIBLE
|
||||
|
|
|
@ -5,15 +5,4 @@ source "lib/Kconfig.debug"
|
|||
config TRACE_IRQFLAGS_SUPPORT
|
||||
def_bool y
|
||||
|
||||
config DEBUG_RODATA
|
||||
bool "Write protect kernel read-only data structures"
|
||||
depends on DEBUG_KERNEL
|
||||
default y
|
||||
help
|
||||
Mark the kernel read-only data as write-protected in the pagetables,
|
||||
in order to catch accidental (and incorrect) writes to such const
|
||||
data. This option may have a slight performance impact because a
|
||||
portion of the kernel code won't be covered by a TLB anymore.
|
||||
If in doubt, say "N".
|
||||
|
||||
endmenu
|
||||
|
|
|
@ -62,9 +62,6 @@ config PCI_QUIRKS
|
|||
config ARCH_SUPPORTS_UPROBES
|
||||
def_bool y
|
||||
|
||||
config DEBUG_RODATA
|
||||
def_bool y
|
||||
|
||||
config S390
|
||||
def_bool y
|
||||
select ARCH_HAS_DEVMEM_IS_ALLOWED
|
||||
|
@ -73,6 +70,8 @@ config S390
|
|||
select ARCH_HAS_GIGANTIC_PAGE
|
||||
select ARCH_HAS_KCOV
|
||||
select ARCH_HAS_SG_CHAIN
|
||||
select ARCH_HAS_STRICT_KERNEL_RWX
|
||||
select ARCH_HAS_STRICT_MODULE_RWX
|
||||
select ARCH_HAS_UBSAN_SANITIZE_ALL
|
||||
select ARCH_HAVE_NMI_SAFE_CMPXCHG
|
||||
select ARCH_INLINE_READ_LOCK
|
||||
|
|
|
@ -17,7 +17,4 @@ config S390_PTDUMP
|
|||
kernel.
|
||||
If in doubt, say "N"
|
||||
|
||||
config DEBUG_SET_MODULE_RONX
|
||||
def_bool y
|
||||
depends on MODULES
|
||||
endmenu
|
||||
|
|
|
@ -54,6 +54,8 @@ config X86
|
|||
select ARCH_HAS_MMIO_FLUSH
|
||||
select ARCH_HAS_PMEM_API if X86_64
|
||||
select ARCH_HAS_SG_CHAIN
|
||||
select ARCH_HAS_STRICT_KERNEL_RWX
|
||||
select ARCH_HAS_STRICT_MODULE_RWX
|
||||
select ARCH_HAS_UBSAN_SANITIZE_ALL
|
||||
select ARCH_HAVE_NMI_SAFE_CMPXCHG
|
||||
select ARCH_MIGHT_HAVE_ACPI_PDC if ACPI
|
||||
|
@ -309,9 +311,6 @@ config ARCH_SUPPORTS_UPROBES
|
|||
config FIX_EARLYCON_MEM
|
||||
def_bool y
|
||||
|
||||
config DEBUG_RODATA
|
||||
def_bool y
|
||||
|
||||
config PGTABLE_LEVELS
|
||||
int
|
||||
default 4 if X86_64
|
||||
|
|
|
@ -109,17 +109,6 @@ config DEBUG_WX
|
|||
|
||||
If in doubt, say "Y".
|
||||
|
||||
config DEBUG_SET_MODULE_RONX
|
||||
bool "Set loadable kernel module data as NX and text as RO"
|
||||
depends on MODULES
|
||||
---help---
|
||||
This option helps catch unintended modifications to loadable
|
||||
kernel module's text and read-only data. It also prevents execution
|
||||
of module data. Such protection may interfere with run-time code
|
||||
patching and dynamic kernel tracing - and they might also protect
|
||||
against certain classes of kernel exploits.
|
||||
If in doubt, say "N".
|
||||
|
||||
config DEBUG_NX_TEST
|
||||
tristate "Testcase for the NX non-executable stack feature"
|
||||
depends on DEBUG_KERNEL && m
|
||||
|
|
Loading…
Reference in a new issue