| Message ID | 20220613144550.3760857-26-ardb@kernel.org (mailing list archive) |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | arm64: refactor boot flow and add support for WXN | expand |
On Mon, Jun 13, 2022 at 04:45:49PM +0200, Ard Biesheuvel wrote: > The AArch64 virtual memory system supports a global WXN control, which > can be enabled to make all writable mappings implicitly no-exec. This is > a useful hardening feature, as it prevents mistakes in managing page > table permissions from being exploited to attack the system. > > When enabled at EL1, the restrictions apply to both EL1 and EL0. EL1 is > completely under our control, and has been cleaned up to allow WXN to be > enabled from boot onwards. EL0 is not under our control, but given that > widely deployed security features such as selinux or PaX already limit > the ability of user space to create mappings that are writable and > executable at the same time, the impact of enabling this for EL0 is > expected to be limited. (For this reason, common user space libraries > that have a legitimate need for manipulating executable code already > carry fallbacks such as [0].) > > If enabled at compile time, the feature can still be disabled at boot if > needed, by passing arm64.nowxn on the kernel command line. > > [0] https://github.com/libffi/libffi/blob/master/src/closures.c#L440 > > Signed-off-by: Ard Biesheuvel <ardb@kernel.org> > --- > arch/arm64/Kconfig | 11 ++++++ > arch/arm64/include/asm/cpufeature.h | 8 +++++ > arch/arm64/include/asm/mman.h | 36 ++++++++++++++++++++ > arch/arm64/include/asm/mmu_context.h | 30 +++++++++++++++- > arch/arm64/kernel/head.S | 28 ++++++++++++++- > arch/arm64/kernel/idreg-override.c | 16 +++++++++ > arch/arm64/mm/proc.S | 6 ++++ > 7 files changed, 133 insertions(+), 2 deletions(-) > > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index 1652a9800ebe..d262d5ab4316 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -1422,6 +1422,17 @@ config RODATA_FULL_DEFAULT_ENABLED > This requires the linear region to be mapped down to pages, > which may adversely affect performance in some cases. > > +config ARM64_WXN > + bool "Enable WXN attribute so all writable mappings are non-exec" > + help > + Set the WXN bit in the SCTLR system register so that all writable > + mappings are treated as if the PXN/UXN bit is set as well. > + If this is set to Y, it can still be disabled at runtime by > + passing 'arm64.nowxn' on the kernel command line. > + > + This should only be set if no software needs to be supported that > + relies on being able to execute from writable mappings. Should this instead just be a "default value of arm64.xwn" config? It seems like it should be possible to just drop all the #ifdefs below, as XWN is arguably the default state we would want systems to move to. > + > config ARM64_SW_TTBR0_PAN > bool "Emulate Privileged Access Never using TTBR0_EL1 switching" > help > diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h > index 14a8f3d93add..fc364c4d31e2 100644 > --- a/arch/arm64/include/asm/cpufeature.h > +++ b/arch/arm64/include/asm/cpufeature.h > @@ -911,10 +911,18 @@ extern struct arm64_ftr_override id_aa64mmfr1_override; > extern struct arm64_ftr_override id_aa64pfr1_override; > extern struct arm64_ftr_override id_aa64isar1_override; > extern struct arm64_ftr_override id_aa64isar2_override; > +extern struct arm64_ftr_override sctlr_override; > > u32 get_kvm_ipa_limit(void); > void dump_cpu_features(void); > > +static inline bool arm64_wxn_enabled(void) > +{ > + if (!IS_ENABLED(CONFIG_ARM64_WXN)) > + return false; > + return (sctlr_override.val & sctlr_override.mask & 0xf) == 0; > +} > + > #endif /* __ASSEMBLY__ */ > > #endif > diff --git a/arch/arm64/include/asm/mman.h b/arch/arm64/include/asm/mman.h > index 5966ee4a6154..6d4940342ba7 100644 > --- a/arch/arm64/include/asm/mman.h > +++ b/arch/arm64/include/asm/mman.h > @@ -35,11 +35,40 @@ static inline unsigned long arch_calc_vm_flag_bits(unsigned long flags) > } > #define arch_calc_vm_flag_bits(flags) arch_calc_vm_flag_bits(flags) > > +static inline bool arm64_check_wx_prot(unsigned long prot, > + struct task_struct *tsk) > +{ > + /* > + * When we are running with SCTLR_ELx.WXN==1, writable mappings are > + * implicitly non-executable. This means we should reject such mappings > + * when user space attempts to create them using mmap() or mprotect(). If this series is respun, perhaps add to this comment a little to indicate that this is basically a hint to userspace, and not an attempt to actually provide a general W+X mapping protection: * Note that this is effectively just a hint (for things like * libffi noted below), as solving this for all mapping combinations * is a larger endeavor. (e.g. userspace setting an executable mapping * writable, changing it, and then making it read-only again.) > + */ > + if (arm64_wxn_enabled() && > + ((prot & (PROT_WRITE | PROT_EXEC)) == (PROT_WRITE | PROT_EXEC))) { > + /* > + * User space libraries such as libffi carry elaborate > + * heuristics to decide whether it is worth it to even attempt > + * to create writable executable mappings, as PaX or selinux > + * enabled systems will outright reject it. They will usually > + * fall back to something else (e.g., two separate shared > + * mmap()s of a temporary file) on failure. > + */ > + pr_info_ratelimited( > + "process %s (%d) attempted to create PROT_WRITE+PROT_EXEC mapping\n", > + tsk->comm, tsk->pid); > + return false; > + } > + return true; > +} But regardless, with or without the changes above: Reviewed-by: Kees Cook <keescook@chromium.org>
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 1652a9800ebe..d262d5ab4316 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1422,6 +1422,17 @@ config RODATA_FULL_DEFAULT_ENABLED This requires the linear region to be mapped down to pages, which may adversely affect performance in some cases. +config ARM64_WXN + bool "Enable WXN attribute so all writable mappings are non-exec" + help + Set the WXN bit in the SCTLR system register so that all writable + mappings are treated as if the PXN/UXN bit is set as well. + If this is set to Y, it can still be disabled at runtime by + passing 'arm64.nowxn' on the kernel command line. + + This should only be set if no software needs to be supported that + relies on being able to execute from writable mappings. + config ARM64_SW_TTBR0_PAN bool "Emulate Privileged Access Never using TTBR0_EL1 switching" help diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h index 14a8f3d93add..fc364c4d31e2 100644 --- a/arch/arm64/include/asm/cpufeature.h +++ b/arch/arm64/include/asm/cpufeature.h @@ -911,10 +911,18 @@ extern struct arm64_ftr_override id_aa64mmfr1_override; extern struct arm64_ftr_override id_aa64pfr1_override; extern struct arm64_ftr_override id_aa64isar1_override; extern struct arm64_ftr_override id_aa64isar2_override; +extern struct arm64_ftr_override sctlr_override; u32 get_kvm_ipa_limit(void); void dump_cpu_features(void); +static inline bool arm64_wxn_enabled(void) +{ + if (!IS_ENABLED(CONFIG_ARM64_WXN)) + return false; + return (sctlr_override.val & sctlr_override.mask & 0xf) == 0; +} + #endif /* __ASSEMBLY__ */ #endif diff --git a/arch/arm64/include/asm/mman.h b/arch/arm64/include/asm/mman.h index 5966ee4a6154..6d4940342ba7 100644 --- a/arch/arm64/include/asm/mman.h +++ b/arch/arm64/include/asm/mman.h @@ -35,11 +35,40 @@ static inline unsigned long arch_calc_vm_flag_bits(unsigned long flags) } #define arch_calc_vm_flag_bits(flags) arch_calc_vm_flag_bits(flags) +static inline bool arm64_check_wx_prot(unsigned long prot, + struct task_struct *tsk) +{ + /* + * When we are running with SCTLR_ELx.WXN==1, writable mappings are + * implicitly non-executable. This means we should reject such mappings + * when user space attempts to create them using mmap() or mprotect(). + */ + if (arm64_wxn_enabled() && + ((prot & (PROT_WRITE | PROT_EXEC)) == (PROT_WRITE | PROT_EXEC))) { + /* + * User space libraries such as libffi carry elaborate + * heuristics to decide whether it is worth it to even attempt + * to create writable executable mappings, as PaX or selinux + * enabled systems will outright reject it. They will usually + * fall back to something else (e.g., two separate shared + * mmap()s of a temporary file) on failure. + */ + pr_info_ratelimited( + "process %s (%d) attempted to create PROT_WRITE+PROT_EXEC mapping\n", + tsk->comm, tsk->pid); + return false; + } + return true; +} + static inline bool arch_validate_prot(unsigned long prot, unsigned long addr __always_unused) { unsigned long supported = PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM; + if (!arm64_check_wx_prot(prot, current)) + return false; + if (system_supports_bti()) supported |= PROT_BTI; @@ -50,6 +79,13 @@ static inline bool arch_validate_prot(unsigned long prot, } #define arch_validate_prot(prot, addr) arch_validate_prot(prot, addr) +static inline bool arch_validate_mmap_prot(unsigned long prot, + unsigned long addr) +{ + return arm64_check_wx_prot(prot, current); +} +#define arch_validate_mmap_prot arch_validate_mmap_prot + static inline bool arch_validate_flags(unsigned long vm_flags) { if (!system_supports_mte()) diff --git a/arch/arm64/include/asm/mmu_context.h b/arch/arm64/include/asm/mmu_context.h index c7ccd82db1d2..cd4bb5410a18 100644 --- a/arch/arm64/include/asm/mmu_context.h +++ b/arch/arm64/include/asm/mmu_context.h @@ -19,13 +19,41 @@ #include <asm/cacheflush.h> #include <asm/cpufeature.h> #include <asm/proc-fns.h> -#include <asm-generic/mm_hooks.h> #include <asm/cputype.h> #include <asm/sysreg.h> #include <asm/tlbflush.h> extern bool rodata_full; +static inline int arch_dup_mmap(struct mm_struct *oldmm, + struct mm_struct *mm) +{ + return 0; +} + +static inline void arch_exit_mmap(struct mm_struct *mm) +{ +} + +static inline void arch_unmap(struct mm_struct *mm, + unsigned long start, unsigned long end) +{ +} + +static inline bool arch_vma_access_permitted(struct vm_area_struct *vma, + bool write, bool execute, bool foreign) +{ + if (IS_ENABLED(CONFIG_ARM64_WXN) && execute && + (vma->vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) { + pr_warn_ratelimited( + "process %s (%d) attempted to execute from writable memory\n", + current->comm, current->pid); + /* disallow unless the nowxn override is set */ + return !arm64_wxn_enabled(); + } + return true; +} + static inline void contextidr_thread_switch(struct task_struct *next) { if (!IS_ENABLED(CONFIG_PID_IN_CONTEXTIDR)) diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S index 92cbad41eed8..834afdc1c6ff 100644 --- a/arch/arm64/kernel/head.S +++ b/arch/arm64/kernel/head.S @@ -511,6 +511,12 @@ SYM_FUNC_START_LOCAL(__primary_switched) mov x0, x20 bl switch_to_vhe // Prefer VHE if possible ldp x29, x30, [sp], #16 +#ifdef CONFIG_ARM64_WXN + ldr_l x1, sctlr_override + FTR_OVR_VAL_OFFSET + tbz x1, #0, 0f + blr lr +0: +#endif bl start_kernel ASM_BUG() SYM_FUNC_END(__primary_switched) @@ -881,5 +887,25 @@ SYM_FUNC_START_LOCAL(__primary_switch) ldr x8, =__primary_switched adrp x0, __PHYS_OFFSET - br x8 + blr x8 +#ifdef CONFIG_ARM64_WXN + /* + * If we return here, we need to disable WXN before we proceed. This + * requires the MMU to be disabled, so it needs to occur while running + * from the ID map. + */ + mrs x0, sctlr_el1 + bic x1, x0, #SCTLR_ELx_M + msr sctlr_el1, x1 + isb + + tlbi vmalle1 + dsb nsh + isb + + bic x0, x0, #SCTLR_ELx_WXN + msr sctlr_el1, x0 + isb + ret +#endif SYM_FUNC_END(__primary_switch) diff --git a/arch/arm64/kernel/idreg-override.c b/arch/arm64/kernel/idreg-override.c index f92836e196e5..85d8fa47d196 100644 --- a/arch/arm64/kernel/idreg-override.c +++ b/arch/arm64/kernel/idreg-override.c @@ -94,12 +94,27 @@ static const struct ftr_set_desc kaslr __initconst = { }, }; +#ifdef CONFIG_ARM64_WXN +asmlinkage struct arm64_ftr_override sctlr_override __ro_after_init; +static const struct ftr_set_desc sctlr __initconst = { + .name = "sctlr", + .override = &sctlr_override, + .fields = { + { "nowxn", 0 }, + {} + }, +}; +#endif + static const struct ftr_set_desc * const regs[] __initconst = { &mmfr1, &pfr1, &isar1, &isar2, &kaslr, +#ifdef CONFIG_ARM64_WXN + &sctlr, +#endif }; static const struct { @@ -115,6 +130,7 @@ static const struct { "id_aa64isar2.gpa3=0 id_aa64isar2.apa3=0" }, { "arm64.nomte", "id_aa64pfr1.mte=0" }, { "nokaslr", "kaslr.disabled=1" }, + { "arm64.nowxn", "sctlr.nowxn=1" }, }; static int __init find_field(const char *cmdline, diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S index c237e976b138..9ffdf1091d97 100644 --- a/arch/arm64/mm/proc.S +++ b/arch/arm64/mm/proc.S @@ -487,6 +487,12 @@ SYM_FUNC_START(__cpu_setup) * Prepare SCTLR */ mov_q x0, INIT_SCTLR_EL1_MMU_ON +#ifdef CONFIG_ARM64_WXN + ldr_l x1, sctlr_override + FTR_OVR_VAL_OFFSET + tst x1, #0x1 // WXN disabled on command line? + orr x1, x0, #SCTLR_ELx_WXN + csel x0, x0, x1, ne +#endif ret // return to head.S .unreq mair
The AArch64 virtual memory system supports a global WXN control, which can be enabled to make all writable mappings implicitly no-exec. This is a useful hardening feature, as it prevents mistakes in managing page table permissions from being exploited to attack the system. When enabled at EL1, the restrictions apply to both EL1 and EL0. EL1 is completely under our control, and has been cleaned up to allow WXN to be enabled from boot onwards. EL0 is not under our control, but given that widely deployed security features such as selinux or PaX already limit the ability of user space to create mappings that are writable and executable at the same time, the impact of enabling this for EL0 is expected to be limited. (For this reason, common user space libraries that have a legitimate need for manipulating executable code already carry fallbacks such as [0].) If enabled at compile time, the feature can still be disabled at boot if needed, by passing arm64.nowxn on the kernel command line. [0] https://github.com/libffi/libffi/blob/master/src/closures.c#L440 Signed-off-by: Ard Biesheuvel <ardb@kernel.org> --- arch/arm64/Kconfig | 11 ++++++ arch/arm64/include/asm/cpufeature.h | 8 +++++ arch/arm64/include/asm/mman.h | 36 ++++++++++++++++++++ arch/arm64/include/asm/mmu_context.h | 30 +++++++++++++++- arch/arm64/kernel/head.S | 28 ++++++++++++++- arch/arm64/kernel/idreg-override.c | 16 +++++++++ arch/arm64/mm/proc.S | 6 ++++ 7 files changed, 133 insertions(+), 2 deletions(-)