提交 ad21fc4f 编写于 作者: L Laura Abbott 提交者: Kees Cook

arch: Move CONFIG_DEBUG_RODATA and CONFIG_SET_MODULE_RONX to be common

There are multiple architectures that support CONFIG_DEBUG_RODATA and
CONFIG_SET_MODULE_RONX. These options also now have the ability to be
turned off at runtime. Move these to an architecture independent
location and make these options def_bool y for almost all of those
arches.
Signed-off-by: NLaura Abbott <labbott@redhat.com>
Acked-by: NIngo Molnar <mingo@kernel.org>
Acked-by: NHeiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: NKees Cook <keescook@chromium.org>
上级 0c744ea4
...@@ -56,6 +56,12 @@ CONFIG_DEBUG_SET_MODULE_RONX, which seek to make sure that code is not ...@@ -56,6 +56,12 @@ CONFIG_DEBUG_SET_MODULE_RONX, which seek to make sure that code is not
writable, data is not executable, and read-only data is neither writable writable, data is not executable, and read-only data is neither writable
nor executable. nor executable.
Most architectures have these options on by default and not user selectable.
For some architectures like arm that wish to have these be selectable,
the architecture Kconfig can select ARCH_OPTIONAL_KERNEL_RWX to enable
a Kconfig prompt. CONFIG_ARCH_OPTIONAL_KERNEL_RWX_DEFAULT determines
the default setting when ARCH_OPTIONAL_KERNEL_RWX is enabled.
#### Function pointers and sensitive variables must not be writable #### Function pointers and sensitive variables must not be writable
Vast areas of kernel memory contain function pointers that are looked Vast areas of kernel memory contain function pointers that are looked
......
...@@ -781,4 +781,38 @@ config VMAP_STACK ...@@ -781,4 +781,38 @@ config VMAP_STACK
the stack to map directly to the KASAN shadow map using a formula the stack to map directly to the KASAN shadow map using a formula
that is incorrect if the stack is in vmalloc space. that is incorrect if the stack is in vmalloc space.
config ARCH_OPTIONAL_KERNEL_RWX
def_bool n
config ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
def_bool n
config ARCH_HAS_STRICT_KERNEL_RWX
def_bool n
config DEBUG_RODATA
bool "Make kernel text and rodata read-only" if ARCH_OPTIONAL_KERNEL_RWX
depends on ARCH_HAS_STRICT_KERNEL_RWX
default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
help
If this is set, kernel text and rodata memory will be made read-only,
and non-text memory will be made non-executable. This provides
protection against certain security exploits (e.g. executing the heap
or modifying text)
These features are considered standard security practice these days.
You should say Y here in almost all cases.
config ARCH_HAS_STRICT_MODULE_RWX
def_bool n
config DEBUG_SET_MODULE_RONX
bool "Set loadable kernel module data as NX and text as RO" if ARCH_OPTIONAL_KERNEL_RWX
depends on ARCH_HAS_STRICT_MODULE_RWX && MODULES
default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
help
If this is set, module text and rodata memory will be made read-only,
and non-text memory will be made non-executable. This provides
protection against certain security exploits (e.g. writing to text)
source "kernel/gcov/Kconfig" source "kernel/gcov/Kconfig"
...@@ -4,10 +4,14 @@ config ARM ...@@ -4,10 +4,14 @@ config ARM
select ARCH_CLOCKSOURCE_DATA select ARCH_CLOCKSOURCE_DATA
select ARCH_HAS_DEVMEM_IS_ALLOWED select ARCH_HAS_DEVMEM_IS_ALLOWED
select ARCH_HAS_ELF_RANDOMIZE select ARCH_HAS_ELF_RANDOMIZE
select ARCH_HAS_STRICT_KERNEL_RWX if MMU && !XIP_KERNEL
select ARCH_HAS_STRICT_MODULE_RWX if MMU
select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
select ARCH_HAVE_CUSTOM_GPIO_H select ARCH_HAVE_CUSTOM_GPIO_H
select ARCH_HAS_GCOV_PROFILE_ALL select ARCH_HAS_GCOV_PROFILE_ALL
select ARCH_MIGHT_HAVE_PC_PARPORT select ARCH_MIGHT_HAVE_PC_PARPORT
select ARCH_OPTIONAL_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX
select ARCH_OPTIONAL_KERNEL_RWX_DEFAULT if CPU_V7
select ARCH_SUPPORTS_ATOMIC_RMW select ARCH_SUPPORTS_ATOMIC_RMW
select ARCH_USE_BUILTIN_BSWAP select ARCH_USE_BUILTIN_BSWAP
select ARCH_USE_CMPXCHG_LOCKREF select ARCH_USE_CMPXCHG_LOCKREF
......
...@@ -1738,17 +1738,6 @@ config PID_IN_CONTEXTIDR ...@@ -1738,17 +1738,6 @@ config PID_IN_CONTEXTIDR
additional instructions during context switch. Say Y here only if you additional instructions during context switch. Say Y here only if you
are planning to use hardware trace tools with this kernel. are planning to use hardware trace tools with this kernel.
config DEBUG_SET_MODULE_RONX
bool "Set loadable kernel module data as NX and text as RO"
depends on MODULES && MMU
---help---
This option helps catch unintended modifications to loadable
kernel module's text and read-only data. It also prevents execution
of module data. Such protection may interfere with run-time code
patching and dynamic kernel tracing - and they might also protect
against certain classes of kernel exploits.
If in doubt, say "N".
source "drivers/hwtracing/coresight/Kconfig" source "drivers/hwtracing/coresight/Kconfig"
endmenu endmenu
...@@ -1051,18 +1051,6 @@ config ARCH_SUPPORTS_BIG_ENDIAN ...@@ -1051,18 +1051,6 @@ config ARCH_SUPPORTS_BIG_ENDIAN
This option specifies the architecture can support big endian This option specifies the architecture can support big endian
operation. operation.
config DEBUG_RODATA
bool "Make kernel text and rodata read-only"
depends on MMU && !XIP_KERNEL
default y if CPU_V7
help
If this is set, kernel text and rodata memory will be made
read-only, and non-text kernel memory will be made non-executable.
The tradeoff is that each region is padded to section-size (1MiB)
boundaries (because their permissions are different and splitting
the 1M pages into 4K ones causes TLB performance problems), which
can waste memory.
config DEBUG_ALIGN_RODATA config DEBUG_ALIGN_RODATA
bool "Make rodata strictly non-executable" bool "Make rodata strictly non-executable"
depends on DEBUG_RODATA depends on DEBUG_RODATA
......
...@@ -13,6 +13,8 @@ config ARM64 ...@@ -13,6 +13,8 @@ config ARM64
select ARCH_HAS_GIGANTIC_PAGE select ARCH_HAS_GIGANTIC_PAGE
select ARCH_HAS_KCOV select ARCH_HAS_KCOV
select ARCH_HAS_SG_CHAIN select ARCH_HAS_SG_CHAIN
select ARCH_HAS_STRICT_KERNEL_RWX
select ARCH_HAS_STRICT_MODULE_RWX
select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
select ARCH_USE_CMPXCHG_LOCKREF select ARCH_USE_CMPXCHG_LOCKREF
select ARCH_SUPPORTS_ATOMIC_RMW select ARCH_SUPPORTS_ATOMIC_RMW
...@@ -123,9 +125,6 @@ config ARCH_PHYS_ADDR_T_64BIT ...@@ -123,9 +125,6 @@ config ARCH_PHYS_ADDR_T_64BIT
config MMU config MMU
def_bool y def_bool y
config DEBUG_RODATA
def_bool y
config ARM64_PAGE_SHIFT config ARM64_PAGE_SHIFT
int int
default 16 if ARM64_64K_PAGES default 16 if ARM64_64K_PAGES
......
...@@ -71,17 +71,6 @@ config DEBUG_WX ...@@ -71,17 +71,6 @@ config DEBUG_WX
If in doubt, say "Y". If in doubt, say "Y".
config DEBUG_SET_MODULE_RONX
bool "Set loadable kernel module data as NX and text as RO"
depends on MODULES
default y
help
Is this is set, kernel module text and rodata will be made read-only.
This is to help catch accidental or malicious attempts to change the
kernel's executable code.
If in doubt, say Y.
config DEBUG_ALIGN_RODATA config DEBUG_ALIGN_RODATA
depends on DEBUG_RODATA depends on DEBUG_RODATA
bool "Align linker sections up to SECTION_SIZE" bool "Align linker sections up to SECTION_SIZE"
......
...@@ -8,6 +8,7 @@ config PARISC ...@@ -8,6 +8,7 @@ config PARISC
select HAVE_SYSCALL_TRACEPOINTS select HAVE_SYSCALL_TRACEPOINTS
select ARCH_WANT_FRAME_POINTERS select ARCH_WANT_FRAME_POINTERS
select ARCH_HAS_ELF_RANDOMIZE select ARCH_HAS_ELF_RANDOMIZE
select ARCH_HAS_STRICT_KERNEL_RWX
select RTC_CLASS select RTC_CLASS
select RTC_DRV_GENERIC select RTC_DRV_GENERIC
select INIT_ALL_POSSIBLE select INIT_ALL_POSSIBLE
......
...@@ -5,15 +5,4 @@ source "lib/Kconfig.debug" ...@@ -5,15 +5,4 @@ source "lib/Kconfig.debug"
config TRACE_IRQFLAGS_SUPPORT config TRACE_IRQFLAGS_SUPPORT
def_bool y def_bool y
config DEBUG_RODATA
bool "Write protect kernel read-only data structures"
depends on DEBUG_KERNEL
default y
help
Mark the kernel read-only data as write-protected in the pagetables,
in order to catch accidental (and incorrect) writes to such const
data. This option may have a slight performance impact because a
portion of the kernel code won't be covered by a TLB anymore.
If in doubt, say "N".
endmenu endmenu
...@@ -62,9 +62,6 @@ config PCI_QUIRKS ...@@ -62,9 +62,6 @@ config PCI_QUIRKS
config ARCH_SUPPORTS_UPROBES config ARCH_SUPPORTS_UPROBES
def_bool y def_bool y
config DEBUG_RODATA
def_bool y
config S390 config S390
def_bool y def_bool y
select ARCH_HAS_DEVMEM_IS_ALLOWED select ARCH_HAS_DEVMEM_IS_ALLOWED
...@@ -73,6 +70,8 @@ config S390 ...@@ -73,6 +70,8 @@ config S390
select ARCH_HAS_GIGANTIC_PAGE select ARCH_HAS_GIGANTIC_PAGE
select ARCH_HAS_KCOV select ARCH_HAS_KCOV
select ARCH_HAS_SG_CHAIN select ARCH_HAS_SG_CHAIN
select ARCH_HAS_STRICT_KERNEL_RWX
select ARCH_HAS_STRICT_MODULE_RWX
select ARCH_HAS_UBSAN_SANITIZE_ALL select ARCH_HAS_UBSAN_SANITIZE_ALL
select ARCH_HAVE_NMI_SAFE_CMPXCHG select ARCH_HAVE_NMI_SAFE_CMPXCHG
select ARCH_INLINE_READ_LOCK select ARCH_INLINE_READ_LOCK
......
...@@ -17,7 +17,4 @@ config S390_PTDUMP ...@@ -17,7 +17,4 @@ config S390_PTDUMP
kernel. kernel.
If in doubt, say "N" If in doubt, say "N"
config DEBUG_SET_MODULE_RONX
def_bool y
depends on MODULES
endmenu endmenu
...@@ -54,6 +54,8 @@ config X86 ...@@ -54,6 +54,8 @@ config X86
select ARCH_HAS_MMIO_FLUSH select ARCH_HAS_MMIO_FLUSH
select ARCH_HAS_PMEM_API if X86_64 select ARCH_HAS_PMEM_API if X86_64
select ARCH_HAS_SG_CHAIN select ARCH_HAS_SG_CHAIN
select ARCH_HAS_STRICT_KERNEL_RWX
select ARCH_HAS_STRICT_MODULE_RWX
select ARCH_HAS_UBSAN_SANITIZE_ALL select ARCH_HAS_UBSAN_SANITIZE_ALL
select ARCH_HAVE_NMI_SAFE_CMPXCHG select ARCH_HAVE_NMI_SAFE_CMPXCHG
select ARCH_MIGHT_HAVE_ACPI_PDC if ACPI select ARCH_MIGHT_HAVE_ACPI_PDC if ACPI
...@@ -309,9 +311,6 @@ config ARCH_SUPPORTS_UPROBES ...@@ -309,9 +311,6 @@ config ARCH_SUPPORTS_UPROBES
config FIX_EARLYCON_MEM config FIX_EARLYCON_MEM
def_bool y def_bool y
config DEBUG_RODATA
def_bool y
config PGTABLE_LEVELS config PGTABLE_LEVELS
int int
default 4 if X86_64 default 4 if X86_64
......
...@@ -109,17 +109,6 @@ config DEBUG_WX ...@@ -109,17 +109,6 @@ config DEBUG_WX
If in doubt, say "Y". If in doubt, say "Y".
config DEBUG_SET_MODULE_RONX
bool "Set loadable kernel module data as NX and text as RO"
depends on MODULES
---help---
This option helps catch unintended modifications to loadable
kernel module's text and read-only data. It also prevents execution
of module data. Such protection may interfere with run-time code
patching and dynamic kernel tracing - and they might also protect
against certain classes of kernel exploits.
If in doubt, say "N".
config DEBUG_NX_TEST config DEBUG_NX_TEST
tristate "Testcase for the NX non-executable stack feature" tristate "Testcase for the NX non-executable stack feature"
depends on DEBUG_KERNEL && m depends on DEBUG_KERNEL && m
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册