From patchwork Wed Feb  8 11:55:41 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ard Biesheuvel <ard.biesheuvel@linaro.org>
X-Patchwork-Id: 9562353
Return-Path: 
 <kernel-hardening-return-6399-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	9633A6047A for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Wed,  8 Feb 2017 11:57:09 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 88CED284C9
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Wed,  8 Feb 2017 11:57:09 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 7BF0A284CF; Wed,  8 Feb 2017 11:57:09 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id 68CFE284C9
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Wed,  8 Feb 2017 11:57:08 +0000 (UTC)
Received: (qmail 11589 invoked by uid 550); 8 Feb 2017 11:56:40 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Received: (qmail 10135 invoked from network); 8 Feb 2017 11:56:34 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=T6phON+cw6Yvguzp/2IUEoYgMcUEfBfLYE98/QgxkE8=;
	b=feYqr/bH147jWz2N4+TfsgH47OZbwr6mxrsFZb315dz4URxOYxh9esuCFBtleZFw8c
	qk2d+3taREaehE4O6H0gzQYgklaAa14HffQ/B7u2GLn29ikJXpaFteCClZ+vXCApzfLp
	cMMnqJXmNaQrYH3upSV0aUeKR/J3HB9JlV4Gk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=T6phON+cw6Yvguzp/2IUEoYgMcUEfBfLYE98/QgxkE8=;
	b=BLqUxECKcTU39yr1l3s5St8Nf2dM1ffr1Pmi2t/Cdj9col+CLa+0FcwfCQReaMQF1x
	LCSahVNQXfVQGc+zjidwCsqkUFcUZty5cSL/jYqgd4m0MgVMBGJ3A32aR98ZTmqtaCku
	SobjLcrpOIogSBL+K0sQ/8uRlmwKuO3AnP/rNSw121I2Q+qAooRyCYYoH1iE7brzXgZh
	QjeDGAoAfZ50GddiG17t7TtKROb4klU3Xg+NWK//+aCJ+vP07Lp8lUTItr2kS5niSsdC
	s8Qz7tRHrtS6GJ+t9HZtM2Ko6TJbEflX47PvSfOYI59oknBCfJZD4pbWXcuYcCjmIvJX
	MDvg==
X-Gm-Message-State: 
 AMke39mgT5uD+1NhZo6deB9RafA/sILnipEIn5WXW1xfX2CAUnL+XAtShOMLqNf40WkhwYAE
X-Received: by 10.28.52.19 with SMTP id b19mr18080283wma.134.1486554983540;
	Wed, 08 Feb 2017 03:56:23 -0800 (PST)
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-efi@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
	mark.rutland@arm.com, leif.lindholm@linaro.org
Cc: catalin.marinas@arm.com, linux@armlinux.org.uk,
	kernel-hardening@lists.openwall.com, labbott@fedoraproject.org,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Wed,  8 Feb 2017 11:55:41 +0000
Message-Id: <1486554947-3964-9-git-send-email-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1486554947-3964-1-git-send-email-ard.biesheuvel@linaro.org>
References: <1486554947-3964-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: [kernel-hardening] [PATCH v2 08/14] arm64: efi: split Image code
	and data into separate PE/COFF sections
X-Virus-Scanned: ClamAV using ClamSMTP

To prevent unintended modifications to the kernel text (malicious or
otherwise) while running the EFI stub, describe the kernel image as
two separate sections: a .text section with read-execute permissions,
covering .text, .rodata and .init.text, and a .data section with
read-write permissions, covering .init.data, .data and .bss.

This relies on the firmware to actually take the section permission
flags into account, but this is something that is currently being
implemented in EDK2, which means we will likely start seeing it in
the wild between one and two years from now.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm64/kernel/efi-header.S  | 23 +++++++++++++++-----
 arch/arm64/kernel/vmlinux.lds.S |  5 +++++
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S
index 7637226ea9ca..5870bd611498 100644
--- a/arch/arm64/kernel/efi-header.S
+++ b/arch/arm64/kernel/efi-header.S
@@ -27,8 +27,8 @@ optional_header:
 	.short	PE_OPT_MAGIC_PE32PLUS			// PE32+ format
 	.byte	0x02					// MajorLinkerVersion
 	.byte	0x14					// MinorLinkerVersion
-	.long	_end - efi_header_end			// SizeOfCode
-	.long	0					// SizeOfInitializedData
+	.long	__pecoff_data_start - efi_header_end	// SizeOfCode
+	.long	__pecoff_data_size			// SizeOfInitializedData
 	.long	0					// SizeOfUninitializedData
 	.long	__efistub_entry - _head			// AddressOfEntryPoint
 	.long	efi_header_end - _head			// BaseOfCode
@@ -74,9 +74,9 @@ extra_header_fields:
 	// Section table
 section_table:
 	.ascii	".text\0\0\0"
-	.long	_end - efi_header_end			// VirtualSize
+	.long	__pecoff_data_start - efi_header_end	// VirtualSize
 	.long	efi_header_end - _head			// VirtualAddress
-	.long	_edata - efi_header_end			// SizeOfRawData
+	.long	__pecoff_data_start - efi_header_end	// SizeOfRawData
 	.long	efi_header_end - _head			// PointerToRawData
 
 	.long	0					// PointerToRelocations
@@ -84,7 +84,20 @@ section_table:
 	.short	0					// NumberOfRelocations
 	.short	0					// NumberOfLineNumbers
 	.long	IMAGE_SCN_CNT_CODE | \
-		IMAGE_SCN_MEM_EXECUTE | \
+		IMAGE_SCN_MEM_READ | \
+		IMAGE_SCN_MEM_EXECUTE			// Characteristics
+
+	.ascii	".data\0\0\0"
+	.long	__pecoff_data_size			// VirtualSize
+	.long	__pecoff_data_start - _head		// VirtualAddress
+	.long	__pecoff_data_rawsize			// SizeOfRawData
+	.long	__pecoff_data_start - _head		// PointerToRawData
+
+	.long	0					// PointerToRelocations
+	.long	0					// PointerToLineNumbers
+	.short	0					// NumberOfRelocations
+	.short	0					// NumberOfLineNumbers
+	.long	IMAGE_SCN_CNT_INITIALIZED_DATA | \
 		IMAGE_SCN_MEM_READ | \
 		IMAGE_SCN_MEM_WRITE			// Characteristics
 
diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
index b8deffa9e1bf..a93cc2b6f50b 100644
--- a/arch/arm64/kernel/vmlinux.lds.S
+++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -149,6 +149,9 @@ SECTIONS
 		ARM_EXIT_KEEP(EXIT_TEXT)
 	}
 
+	. = ALIGN(SZ_4K);
+	__pecoff_data_start = .;
+
 	.init.data : {
 		INIT_DATA
 		INIT_SETUP(16)
@@ -206,6 +209,7 @@ SECTIONS
 	}
 
 	PECOFF_EDATA_PADDING
+	__pecoff_data_rawsize = ABSOLUTE(. - __pecoff_data_start);
 	_edata = .;
 
 	BSS_SECTION(0, 0, 0)
@@ -221,6 +225,7 @@ SECTIONS
 	. += RESERVED_TTBR0_SIZE;
 #endif
 
+	__pecoff_data_size = ABSOLUTE(. - __pecoff_data_start);
 	_end = .;
 
 	STABS_DEBUG