From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org, mark.rutland@arm.com, will.deacon@arm.com, catalin.marinas@arm.com, keescook@chromium.org, labbott@fedoraproject.org, james.morse@arm.com
Cc: kernel-hardening@lists.openwall.com, Ard Biesheuvel
Date: Wed, 15 Feb 2017 15:38:01 +0000
Message-Id: <1487173081-13425-4-git-send-email-ard.biesheuvel@linaro.org>
In-Reply-To: <1487173081-13425-1-git-send-email-ard.biesheuvel@linaro.org>
References: <1487173081-13425-1-git-send-email-ard.biesheuvel@linaro.org>
Subject: [kernel-hardening] [RFC PATCH 3/3] arm64: efi: use effective text offset when allocating Image

Update the image allocation logic in the EFI stub so that the effective
text offset is always honoured on 4 KB pagesize kernels. This ensures
that the __init segment can be mapped without resorting to early RWX
mappings. Note that this sacrifices 5 bits of KASLR randomization on
such kernels.

Signed-off-by: Ard Biesheuvel
---
 arch/arm64/kernel/efi-entry.S             |  5 +++++
 arch/arm64/kernel/image.h                 |  1 +
 drivers/firmware/efi/libstub/Makefile     |  1 -
 drivers/firmware/efi/libstub/arm64-stub.c | 13 ++++++++-----
 4 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/arch/arm64/kernel/efi-entry.S b/arch/arm64/kernel/efi-entry.S index 4e6ad355bd05..4e1cbec3c842 100644 --- a/arch/arm64/kernel/efi-entry.S +++ b/arch/arm64/kernel/efi-entry.S @@ -120,3 +120,8 @@ efi_load_fail: entry_end: ENDPROC(entry) + + __INITRODATA + .align 2 +ENTRY(effective_text_offset) + .long __eff_text_offset diff --git a/arch/arm64/kernel/image.h b/arch/arm64/kernel/image.h index 98e191cd97b1..f137856f50bf 100644 --- a/arch/arm64/kernel/image.h +++ b/arch/arm64/kernel/image.h @@ -132,6 +132,7 @@ __efistub__text = KALLSYMS_HIDE(_text); __efistub__end = KALLSYMS_HIDE(_end); __efistub__edata = KALLSYMS_HIDE(_edata); __efistub_screen_info = KALLSYMS_HIDE(screen_info); +__efistub___eff_text_offset = KALLSYMS_HIDE(__eff_text_offset); #endif diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile index d564d25df8ab..c929e787f5b3 100644 --- a/drivers/firmware/efi/libstub/Makefile +++ b/drivers/firmware/efi/libstub/Makefile @@ -41,7 +41,6 @@ lib-$(CONFIG_EFI_ARMSTUB) += arm-stub.o fdt.o string.o random.o \ lib-$(CONFIG_ARM) += arm32-stub.o lib-$(CONFIG_ARM64) += arm64-stub.o -CFLAGS_arm64-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET) # # arm64 puts the stub in the kernel proper, which will unnecessarily retain all diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c index eae693eb3e91..b335d0483b65 100644 --- a/drivers/firmware/efi/libstub/arm64-stub.c +++ b/drivers/firmware/efi/libstub/arm64-stub.c @@ -17,6 +17,7 @@ #include "efistub.h" extern bool __nokaslr; +extern const u32 effective_text_offset; efi_status_t check_platform_features(efi_system_table_t *sys_table_arg) { 
@@ -72,7 +73,8 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table_arg, * a 2 MB aligned base, which itself may be lower than dram_base, as * long as the resulting offset equals or exceeds it. */ - preferred_offset = round_down(dram_base, MIN_KIMG_ALIGN) + TEXT_OFFSET; + preferred_offset = round_down(dram_base, MIN_KIMG_ALIGN) + + effective_text_offset; if (preferred_offset < dram_base) preferred_offset += MIN_KIMG_ALIGN; @@ -86,8 +88,9 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table_arg, * is a multiple of the minimal segment alignment (SZ_64K) */ u32 mask = (MIN_KIMG_ALIGN - 1) & ~(SZ_64K - 1); - u32 offset = !IS_ENABLED(CONFIG_DEBUG_ALIGN_RODATA) ? - (phys_seed >> 32) & mask : TEXT_OFFSET; + u32 offset = (!IS_ENABLED(CONFIG_DEBUG_ALIGN_RODATA) && + PAGE_SIZE > SZ_4K) ? (phys_seed >> 32) & mask : + effective_text_offset; /* * If KASLR is enabled, and we have some randomness available, @@ -124,7 +127,7 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table_arg, } if (status != EFI_SUCCESS) { - *reserve_size = kernel_memsize + TEXT_OFFSET; + *reserve_size = kernel_memsize + effective_text_offset; status = efi_low_alloc(sys_table_arg, *reserve_size, MIN_KIMG_ALIGN, reserve_addr); @@ -133,7 +136,7 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table_arg, *reserve_size = 0; return status; } - *image_addr = *reserve_addr + TEXT_OFFSET; + *image_addr = *reserve_addr + effective_text_offset; } memcpy((void *)*image_addr, old_image_addr, kernel_size);
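Review bot: The new `effective_text_offset` word added at the end of efi-entry.S carries no comment explaining why the stub now reads the offset from an `__INITRODATA` word at run time, where it previously got a compile-time constant from the `-DTEXT_OFFSET=$(TEXT_OFFSET)` flag that this patch removes from the libstub Makefile. A short comment above `ENTRY(effective_text_offset)` saying so, and noting that the `.long` has to stay in step with the `extern const u32 effective_text_offset;` declaration in arm64-stub.c, would keep the assembly and C sides from drifting apart.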
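Review bot: In the `u32 offset = ...` initializer in handle_kernel_image(), the added `PAGE_SIZE > SZ_4K` test is not reflected in the comment directly above it, which still only describes the SZ_64K segment alignment. The commit message says this costs 5 bits of KASLR randomization on 4 KB kernels, which matches the 64 KB steps that `mask` selects below the 2 MB alignment mentioned in the earlier comment; that trade-off belongs in the code comment too, next to the condition that causes it. An if/else in place of the three-line ternary would also make it easier to audit exactly when `(phys_seed >> 32) & mask` is dropped in favour of the fixed `effective_text_offset`.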
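Review bot: `preferred_offset`, `*reserve_size` and `*image_addr` now use `effective_text_offset` on every configuration, while the commit message only describes the effect on 4 KB pagesize kernels. The definition of `__eff_text_offset` is not part of this patch, so please state in the commit message what it evaluates to on the other page sizes, so that a reader of this patch alone can confirm the non-KASLR and `efi_low_alloc()` fallback placement there is unchanged from the `TEXT_OFFSET` behaviour being replaced.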