From patchwork Fri Jun 14 14:57:54 2019
X-Patchwork-Submitter: Denis 'GNUtoo' Carikli
X-Patchwork-Id: 10995771
Delivered-To: mailing list kernel-hardening@lists.openwall.com
From: Denis 'GNUtoo' Carikli
To: Kees Cook, Emese Revfy, Paul Kocialkowski
Cc: kernel-hardening@lists.openwall.com, Denis 'GNUtoo' Carikli
Subject: [PATCH] security: do not enable CONFIG_GCC_PLUGINS by default
Date: Fri, 14 Jun 2019 16:57:54 +0200
Message-Id: <20190614145755.10926-1-GNUtoo@cyberdimension.org>
X-Mailer: git-send-email 2.21.0
MIME-Version: 1.0
X-Virus-Scanned: ClamAV using ClamSMTP

On a Galaxy SIII (I9300), the patch mentioned below broke boot:
- The display still had the bootloader logo, while with this
  patch, the 4 Tux logos appear.
- No print appeared on the serial port anymore after the kernel
  was loaded, whereas with this patch, we have the serial
  console working, and the device booting.

Booting was broken by the following commit:
9f671e58159a ("security: Create "kernel hardening" config area")

As the bootloader of this device enables the MMU, I had the
following patch applied during the tests:

Author: Arve Hjønnevåg
Date: Fri Nov 30 17:05:40 2012 -0800

ANDROID: arm: decompressor: Flush tlb before swiching domain 0 to client mode

If the bootloader used a page table that is incompatible with domain 0
in client mode, and boots with the mmu on, then switching domain 0 to
client mode causes a fault if we don't flush the tlb after updating
the page table pointer.

v2: Add ISB before loading dacr.

diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S index 7135820f76d4..6e87ceda3b29 100644 --- a/arch/arm/boot/compressed/head.S +++ b/arch/arm/boot/compressed/head.S @@ -837,6 +837,8 @@ __armv7_mmu_cache_on: bic r6, r6, #1 << 31 @ 32-bit translation system bic r6, r6, #(7 << 0) | (1 << 4) @ use only ttbr0 mcrne p15, 0, r3, c2, c0, 0 @ load page table pointer + mcrne p15, 0, r0, c8, c7, 0 @ flush I,D TLBs + mcr p15, 0, r0, c7, c5, 4 @ ISB mcrne p15, 0, r1, c3, c0, 0 @ load domain access control mcrne p15, 0, r6, c2, c0, 2 @ load ttb control #endif
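Review bot: the head.S diff pasted into the commit message, from its "diff --git a/arch/arm/boot/compressed/head.S" line onward, sits above the Signed-off-by and the "---" separator, so git am ends the commit message at that line: the Signed-off-by is dropped from the log and the head.S hunk is read as part of the patch to apply. Refer to the Android change by author and title only, or indent the quoted diff so that no line begins with "diff --git", "---" or "+++".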
Signed-off-by: Denis 'GNUtoo' Carikli
---
 scripts/gcc-plugins/Kconfig | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index e9c677a53c74..afa1db3d3471 100644 --- a/scripts/gcc-plugins/Kconfig +++ b/scripts/gcc-plugins/Kconfig @@ -18,7 +18,6 @@ config GCC_PLUGINS bool depends on HAVE_GCC_PLUGINS depends on PLUGIN_HOSTCC != "" - default y help GCC plugins are loadable modules that provide extra features to the compiler. They are useful for runtime instrumentation and static analysis.
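Review bot: removing "default y" under "config GCC_PLUGINS" switches the plugin infrastructure off by default for every configuration that satisfies "depends on HAVE_GCC_PLUGINS", while the commit message reports a boot failure on a single device (Galaxy SIII, I9300) and does not say which plugin option causes it. Narrow it down by toggling the individual plugin options in the failing config and restrict or fix that one option instead of the top-level default, and add a "Fixes: 9f671e58159a" tag so the change is tied to the commit the message names.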