diff mbox

[2/2] security: Change name of CONFIG_DEBUG_SET_MODULE_RONX

Message ID 1484789346-21012-3-git-send-email-labbott@redhat.com (mailing list archive)
State Not Applicable, archived
Headers show

Commit Message

Laura Abbott Jan. 19, 2017, 1:29 a.m. UTC
Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel
option provides key security features that are to be expected on a
modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which
more accurately describes what this option is intended to do.

Signed-off-by: Laura Abbott <labbott@redhat.com>
---
 Documentation/security/self-protection.txt |  2 +-
 arch/arm/Kconfig                           |  1 +
 arch/arm/Kconfig.debug                     | 11 -----------
 arch/arm/configs/aspeed_g4_defconfig       |  2 +-
 arch/arm/configs/aspeed_g5_defconfig       |  2 +-
 arch/arm/kernel/patch.c                    |  2 +-
 arch/arm64/Kconfig                         |  1 +
 arch/arm64/Kconfig.debug                   | 11 -----------
 arch/arm64/kernel/insn.c                   |  2 +-
 arch/s390/Kconfig                          |  1 +
 arch/s390/Kconfig.debug                    |  3 ---
 arch/x86/Kconfig                           |  1 +
 arch/x86/Kconfig.debug                     | 11 -----------
 include/linux/filter.h                     |  4 ++--
 include/linux/init.h                       |  2 +-
 include/linux/module.h                     |  2 +-
 init/main.c                                |  2 +-
 kernel/module.c                            |  6 +++---
 security/Kconfig                           | 16 ++++++++++++++++
 19 files changed, 33 insertions(+), 49 deletions(-)

Comments

Mark Rutland Jan. 19, 2017, 11:11 a.m. UTC | #1
Hi,

On Wed, Jan 18, 2017 at 05:29:06PM -0800, Laura Abbott wrote:
> 
> Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel
> option provides key security features that are to be expected on a
> modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which
> more accurately describes what this option is intended to do.

This looks good; my naming comments from the DEBUG_RODATA also apply
here -- the proposed name is fine.

> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 06fed56..2fe0e98 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -12,6 +12,7 @@ config ARM64
>  	select ARCH_HAS_GCOV_PROFILE_ALL
>  	select ARCH_HAS_GIGANTIC_PAGE
>  	select ARCH_HAS_HARDENED_MAPPINGS
> +	select ARCH_HAS_HARDENED_MODULE_MAPPINGS
>  	select ARCH_HAS_KCOV
>  	select ARCH_HAS_SG_CHAIN
>  	select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
> index a26d27f..1eebe1f 100644
> --- a/arch/arm64/Kconfig.debug
> +++ b/arch/arm64/Kconfig.debug
> @@ -71,17 +71,6 @@ config DEBUG_WX
>  
>  	  If in doubt, say "Y".
>  
> -config DEBUG_SET_MODULE_RONX
> -	bool "Set loadable kernel module data as NX and text as RO"
> -	depends on MODULES
> -	default y
> -	help
> -	  Is this is set, kernel module text and rodata will be made read-only.
> -	  This is to help catch accidental or malicious attempts to change the
> -	  kernel's executable code.
> -
> -	  If in doubt, say Y.
> -

> +config ARCH_HAS_HARDENED_MODULE_MAPPINGS
> +	def_bool n
> +
> +config HARDENED_MODULE_MAPPINGS
> +	bool "Mark module mappings with stricter permissions (RO/W^X)"
> +	default y
> +	depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS
> +	help
> +	  If this is set, module text and rodata memory will be made read-only,
> +	  and non-text memory will be made non-executable. This provides
> +	  protection against certain security vulnerabilities (e.g. modifying
> +	  code)
> +
> +	  Unless your system has known restrictions or performance issues, it
> +	  is recommended to say Y here.
> +

I was hoping that we'd make this mandatory, as we'd already done for
DEBUG_RODATA.

Takahiro-san did a bit of work towards that in commit 39290b389ea2654f
("module: extend 'rodata=off' boot cmdline parameter to module
mappings").

It would be good to know if there's any reason we can't do that.

Otherwise, this looks fine.

Thanks,
Mark.
--
To unsubscribe from this list: send the line "unsubscribe linux-pm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Heiko Carstens Jan. 19, 2017, 11:34 a.m. UTC | #2
On Thu, Jan 19, 2017 at 11:11:18AM +0000, Mark Rutland wrote:
> > +config HARDENED_MODULE_MAPPINGS
> > +	bool "Mark module mappings with stricter permissions (RO/W^X)"
> > +	default y
> > +	depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS
> > +	help
> > +	  If this is set, module text and rodata memory will be made read-only,
> > +	  and non-text memory will be made non-executable. This provides
> > +	  protection against certain security vulnerabilities (e.g. modifying
> > +	  code)
> > +
> > +	  Unless your system has known restrictions or performance issues, it
> > +	  is recommended to say Y here.
> > +
> 
> I was hoping that we'd make this mandatory, as we'd already done for
> DEBUG_RODATA.

Same for s390: would be good to make this mandatory.

--
To unsubscribe from this list: send the line "unsubscribe linux-pm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Robin Murphy Jan. 19, 2017, 11:43 a.m. UTC | #3
Hi Laura,

On 19/01/17 01:29, Laura Abbott wrote:
> 
> Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel
> option provides key security features that are to be expected on a
> modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which
> more accurately describes what this option is intended to do.
> 
> Signed-off-by: Laura Abbott <labbott@redhat.com>
> ---

[...]

> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
> index 09aff28..ef852e4 100644
> --- a/arch/arm/Kconfig
> +++ b/arch/arm/Kconfig
> @@ -8,6 +8,7 @@ config ARM
>  	select ARCH_HAVE_CUSTOM_GPIO_H
>  	select ARCH_HAS_GCOV_PROFILE_ALL
>  	select ARCH_HAS_HARDENED_MAPPINGS if MMU && !XIP_KERNEL
> +	select ARCH_HAS_HARDENED_MODULE_MAPPINGS if MMU
>  	select ARCH_MIGHT_HAVE_PC_PARPORT
>  	select ARCH_SUPPORTS_ATOMIC_RMW
>  	select ARCH_USE_BUILTIN_BSWAP
> diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
> index d83f7c3..426d271 100644
> --- a/arch/arm/Kconfig.debug
> +++ b/arch/arm/Kconfig.debug
> @@ -1738,17 +1738,6 @@ config PID_IN_CONTEXTIDR
>  	  additional instructions during context switch. Say Y here only if you
>  	  are planning to use hardware trace tools with this kernel.
>  
> -config DEBUG_SET_MODULE_RONX
> -	bool "Set loadable kernel module data as NX and text as RO"
> -	depends on MODULES && MMU
> -	---help---
> -	  This option helps catch unintended modifications to loadable
> -	  kernel module's text and read-only data. It also prevents execution
> -	  of module data. Such protection may interfere with run-time code
> -	  patching and dynamic kernel tracing - and they might also protect
> -	  against certain classes of kernel exploits.
> -	  If in doubt, say "N".
> -
>  source "drivers/hwtracing/coresight/Kconfig"
>  
>  endmenu

[...]

> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -12,6 +12,7 @@ config ARM64
>  	select ARCH_HAS_GCOV_PROFILE_ALL
>  	select ARCH_HAS_GIGANTIC_PAGE
>  	select ARCH_HAS_HARDENED_MAPPINGS
> +	select ARCH_HAS_HARDENED_MODULE_MAPPINGS
>  	select ARCH_HAS_KCOV
>  	select ARCH_HAS_SG_CHAIN
>  	select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
> index a26d27f..1eebe1f 100644
> --- a/arch/arm64/Kconfig.debug
> +++ b/arch/arm64/Kconfig.debug
> @@ -71,17 +71,6 @@ config DEBUG_WX
>  
>  	  If in doubt, say "Y".
>  
> -config DEBUG_SET_MODULE_RONX
> -	bool "Set loadable kernel module data as NX and text as RO"
> -	depends on MODULES
> -	default y
> -	help
> -	  Is this is set, kernel module text and rodata will be made read-only.
> -	  This is to help catch accidental or malicious attempts to change the
> -	  kernel's executable code.
> -
> -	  If in doubt, say Y.
> -
>  config DEBUG_ALIGN_RODATA
>  	depends on ARCH_HAS_HARDENED_MAPPINGS
>  	bool "Align linker sections up to SECTION_SIZE"

[...]

> --- a/arch/s390/Kconfig
> +++ b/arch/s390/Kconfig
> @@ -69,6 +69,7 @@ config S390
>  	select ARCH_HAS_GCOV_PROFILE_ALL
>  	select ARCH_HAS_GIGANTIC_PAGE
>  	select ARCH_HAS_HARDENED_MAPPINGS
> +	select ARCH_HAS_HARDENED_MODULE_MAPPINGS
>  	select ARCH_HAS_KCOV
>  	select ARCH_HAS_SG_CHAIN
>  	select ARCH_HAS_UBSAN_SANITIZE_ALL
> diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug
> index 26c5d5be..57f8ea9 100644
> --- a/arch/s390/Kconfig.debug
> +++ b/arch/s390/Kconfig.debug
> @@ -17,7 +17,4 @@ config S390_PTDUMP
>  	  kernel.
>  	  If in doubt, say "N"
>  
> -config DEBUG_SET_MODULE_RONX
> -	def_bool y
> -	depends on MODULES
>  endmenu
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 9d80cd8..38ce850 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -51,6 +51,7 @@ config X86
>  	select ARCH_HAS_FAST_MULTIPLIER
>  	select ARCH_HAS_GCOV_PROFILE_ALL
>  	select ARCH_HAS_HARDENED_MAPPINGS
> +	select ARCH_HAS_HARDENED_MODULE_MAPPINGS
>  	select ARCH_HAS_KCOV			if X86_64
>  	select ARCH_HAS_MMIO_FLUSH
>  	select ARCH_HAS_PMEM_API		if X86_64
> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
> index 67eec55..69cdd0b 100644
> --- a/arch/x86/Kconfig.debug
> +++ b/arch/x86/Kconfig.debug
> @@ -109,17 +109,6 @@ config DEBUG_WX
>  
>  	  If in doubt, say "Y".
>  
> -config DEBUG_SET_MODULE_RONX
> -	bool "Set loadable kernel module data as NX and text as RO"
> -	depends on MODULES
> -	---help---
> -	  This option helps catch unintended modifications to loadable
> -	  kernel module's text and read-only data. It also prevents execution
> -	  of module data. Such protection may interfere with run-time code
> -	  patching and dynamic kernel tracing - and they might also protect
> -	  against certain classes of kernel exploits.
> -	  If in doubt, say "N".
> -
>  config DEBUG_NX_TEST
>  	tristate "Testcase for the NX non-executable stack feature"
>  	depends on DEBUG_KERNEL && m

[...]

> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -174,6 +174,22 @@ config HARDENED_PAGE_MAPPINGS
>  	  Unless your system has known restrictions or performance issues, it
>  	  is recommended to say Y here.
>  
> +config ARCH_HAS_HARDENED_MODULE_MAPPINGS
> +	def_bool n
> +
> +config HARDENED_MODULE_MAPPINGS
> +	bool "Mark module mappings with stricter permissions (RO/W^X)"
> +	default y
> +	depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS

It would seem that this ends up losing the previous dependency on
MODULES - is that intentional?

Robin.

> +	help
> +	  If this is set, module text and rodata memory will be made read-only,
> +	  and non-text memory will be made non-executable. This provides
> +	  protection against certain security vulnerabilities (e.g. modifying
> +	  code)
> +
> +	  Unless your system has known restrictions or performance issues, it
> +	  is recommended to say Y here.
> +
>  source security/selinux/Kconfig
>  source security/smack/Kconfig
>  source security/tomoyo/Kconfig
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-pm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
kernel test robot Jan. 20, 2017, 5:46 a.m. UTC | #4
Hi Laura,

[auto build test ERROR on linus/master]
[also build test ERROR on v4.10-rc4]
[cannot apply to next-20170119]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Laura-Abbott/Better-hardening-names/20170119-200343
config: i386-randconfig-c0-01201130 (attached as .config)
compiler: gcc-4.9 (Debian 4.9.4-2) 4.9.4
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386 

All errors (new ones prefixed by >>):

   arch/x86/built-in.o: In function `ftrace_arch_code_modify_prepare':
>> (.text+0x3fcb7): undefined reference to `set_all_modules_text_rw'
   arch/x86/built-in.o: In function `ftrace_arch_code_modify_post_process':
>> (.text+0x3fcc3): undefined reference to `set_all_modules_text_ro'

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
Laura Abbott Jan. 25, 2017, 11:44 a.m. UTC | #5
On 01/19/2017 12:43 PM, Robin Murphy wrote:
> Hi Laura,
>
> On 19/01/17 01:29, Laura Abbott wrote:
>>
>> Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel
>> option provides key security features that are to be expected on a
>> modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which
>> more accurately describes what this option is intended to do.
>>
>> Signed-off-by: Laura Abbott <labbott@redhat.com>
>> ---
>
> [...]
>
>> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
>> index 09aff28..ef852e4 100644
>> --- a/arch/arm/Kconfig
>> +++ b/arch/arm/Kconfig
>> @@ -8,6 +8,7 @@ config ARM
>>  	select ARCH_HAVE_CUSTOM_GPIO_H
>>  	select ARCH_HAS_GCOV_PROFILE_ALL
>>  	select ARCH_HAS_HARDENED_MAPPINGS if MMU && !XIP_KERNEL
>> +	select ARCH_HAS_HARDENED_MODULE_MAPPINGS if MMU
>>  	select ARCH_MIGHT_HAVE_PC_PARPORT
>>  	select ARCH_SUPPORTS_ATOMIC_RMW
>>  	select ARCH_USE_BUILTIN_BSWAP
>> diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
>> index d83f7c3..426d271 100644
>> --- a/arch/arm/Kconfig.debug
>> +++ b/arch/arm/Kconfig.debug
>> @@ -1738,17 +1738,6 @@ config PID_IN_CONTEXTIDR
>>  	  additional instructions during context switch. Say Y here only if you
>>  	  are planning to use hardware trace tools with this kernel.
>>
>> -config DEBUG_SET_MODULE_RONX
>> -	bool "Set loadable kernel module data as NX and text as RO"
>> -	depends on MODULES && MMU
>> -	---help---
>> -	  This option helps catch unintended modifications to loadable
>> -	  kernel module's text and read-only data. It also prevents execution
>> -	  of module data. Such protection may interfere with run-time code
>> -	  patching and dynamic kernel tracing - and they might also protect
>> -	  against certain classes of kernel exploits.
>> -	  If in doubt, say "N".
>> -
>>  source "drivers/hwtracing/coresight/Kconfig"
>>
>>  endmenu
>
> [...]
>
>> --- a/arch/arm64/Kconfig
>> +++ b/arch/arm64/Kconfig
>> @@ -12,6 +12,7 @@ config ARM64
>>  	select ARCH_HAS_GCOV_PROFILE_ALL
>>  	select ARCH_HAS_GIGANTIC_PAGE
>>  	select ARCH_HAS_HARDENED_MAPPINGS
>> +	select ARCH_HAS_HARDENED_MODULE_MAPPINGS
>>  	select ARCH_HAS_KCOV
>>  	select ARCH_HAS_SG_CHAIN
>>  	select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
>> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
>> index a26d27f..1eebe1f 100644
>> --- a/arch/arm64/Kconfig.debug
>> +++ b/arch/arm64/Kconfig.debug
>> @@ -71,17 +71,6 @@ config DEBUG_WX
>>
>>  	  If in doubt, say "Y".
>>
>> -config DEBUG_SET_MODULE_RONX
>> -	bool "Set loadable kernel module data as NX and text as RO"
>> -	depends on MODULES
>> -	default y
>> -	help
>> -	  Is this is set, kernel module text and rodata will be made read-only.
>> -	  This is to help catch accidental or malicious attempts to change the
>> -	  kernel's executable code.
>> -
>> -	  If in doubt, say Y.
>> -
>>  config DEBUG_ALIGN_RODATA
>>  	depends on ARCH_HAS_HARDENED_MAPPINGS
>>  	bool "Align linker sections up to SECTION_SIZE"
>
> [...]
>
>> --- a/arch/s390/Kconfig
>> +++ b/arch/s390/Kconfig
>> @@ -69,6 +69,7 @@ config S390
>>  	select ARCH_HAS_GCOV_PROFILE_ALL
>>  	select ARCH_HAS_GIGANTIC_PAGE
>>  	select ARCH_HAS_HARDENED_MAPPINGS
>> +	select ARCH_HAS_HARDENED_MODULE_MAPPINGS
>>  	select ARCH_HAS_KCOV
>>  	select ARCH_HAS_SG_CHAIN
>>  	select ARCH_HAS_UBSAN_SANITIZE_ALL
>> diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug
>> index 26c5d5be..57f8ea9 100644
>> --- a/arch/s390/Kconfig.debug
>> +++ b/arch/s390/Kconfig.debug
>> @@ -17,7 +17,4 @@ config S390_PTDUMP
>>  	  kernel.
>>  	  If in doubt, say "N"
>>
>> -config DEBUG_SET_MODULE_RONX
>> -	def_bool y
>> -	depends on MODULES
>>  endmenu
>> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
>> index 9d80cd8..38ce850 100644
>> --- a/arch/x86/Kconfig
>> +++ b/arch/x86/Kconfig
>> @@ -51,6 +51,7 @@ config X86
>>  	select ARCH_HAS_FAST_MULTIPLIER
>>  	select ARCH_HAS_GCOV_PROFILE_ALL
>>  	select ARCH_HAS_HARDENED_MAPPINGS
>> +	select ARCH_HAS_HARDENED_MODULE_MAPPINGS
>>  	select ARCH_HAS_KCOV			if X86_64
>>  	select ARCH_HAS_MMIO_FLUSH
>>  	select ARCH_HAS_PMEM_API		if X86_64
>> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
>> index 67eec55..69cdd0b 100644
>> --- a/arch/x86/Kconfig.debug
>> +++ b/arch/x86/Kconfig.debug
>> @@ -109,17 +109,6 @@ config DEBUG_WX
>>
>>  	  If in doubt, say "Y".
>>
>> -config DEBUG_SET_MODULE_RONX
>> -	bool "Set loadable kernel module data as NX and text as RO"
>> -	depends on MODULES
>> -	---help---
>> -	  This option helps catch unintended modifications to loadable
>> -	  kernel module's text and read-only data. It also prevents execution
>> -	  of module data. Such protection may interfere with run-time code
>> -	  patching and dynamic kernel tracing - and they might also protect
>> -	  against certain classes of kernel exploits.
>> -	  If in doubt, say "N".
>> -
>>  config DEBUG_NX_TEST
>>  	tristate "Testcase for the NX non-executable stack feature"
>>  	depends on DEBUG_KERNEL && m
>
> [...]
>
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -174,6 +174,22 @@ config HARDENED_PAGE_MAPPINGS
>>  	  Unless your system has known restrictions or performance issues, it
>>  	  is recommended to say Y here.
>>
>> +config ARCH_HAS_HARDENED_MODULE_MAPPINGS
>> +	def_bool n
>> +
>> +config HARDENED_MODULE_MAPPINGS
>> +	bool "Mark module mappings with stricter permissions (RO/W^X)"
>> +	default y
>> +	depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS
>
> It would seem that this ends up losing the previous dependency on
> MODULES - is that intentional?
>
> Robin.
>

(Apologies, my SMTP was set up incorrectly so this didn't actually
get sent out when I thought it did)

No, good catch. I missed re-adding that when doing the refactoring.

Thanks,
Laura

>>
>

--
To unsubscribe from this list: send the line "unsubscribe linux-pm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/Documentation/security/self-protection.txt b/Documentation/security/self-protection.txt
index da8cb36..eb018a1 100644
--- a/Documentation/security/self-protection.txt
+++ b/Documentation/security/self-protection.txt
@@ -52,7 +52,7 @@  made writable during the update, and then returned to the original
 permissions.)
 
 In support of this are CONFIG_HARDENED_PAGE_MAPPINGS and
-CONFIG_DEBUG_SET_MODULE_RONX, which seek to make sure that code is not
+CONFIG_HARDENED_MODULE_MAPPINGS, which seek to make sure that code is not
 writable, data is not executable, and read-only data is neither writable
 nor executable.
 
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 09aff28..ef852e4 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -8,6 +8,7 @@  config ARM
 	select ARCH_HAVE_CUSTOM_GPIO_H
 	select ARCH_HAS_GCOV_PROFILE_ALL
 	select ARCH_HAS_HARDENED_MAPPINGS if MMU && !XIP_KERNEL
+	select ARCH_HAS_HARDENED_MODULE_MAPPINGS if MMU
 	select ARCH_MIGHT_HAVE_PC_PARPORT
 	select ARCH_SUPPORTS_ATOMIC_RMW
 	select ARCH_USE_BUILTIN_BSWAP
diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
index d83f7c3..426d271 100644
--- a/arch/arm/Kconfig.debug
+++ b/arch/arm/Kconfig.debug
@@ -1738,17 +1738,6 @@  config PID_IN_CONTEXTIDR
 	  additional instructions during context switch. Say Y here only if you
 	  are planning to use hardware trace tools with this kernel.
 
-config DEBUG_SET_MODULE_RONX
-	bool "Set loadable kernel module data as NX and text as RO"
-	depends on MODULES && MMU
-	---help---
-	  This option helps catch unintended modifications to loadable
-	  kernel module's text and read-only data. It also prevents execution
-	  of module data. Such protection may interfere with run-time code
-	  patching and dynamic kernel tracing - and they might also protect
-	  against certain classes of kernel exploits.
-	  If in doubt, say "N".
-
 source "drivers/hwtracing/coresight/Kconfig"
 
 endmenu
diff --git a/arch/arm/configs/aspeed_g4_defconfig b/arch/arm/configs/aspeed_g4_defconfig
index 8ccc216..ffe2656 100644
--- a/arch/arm/configs/aspeed_g4_defconfig
+++ b/arch/arm/configs/aspeed_g4_defconfig
@@ -79,7 +79,7 @@  CONFIG_DEBUG_LL_UART_8250=y
 CONFIG_DEBUG_UART_PHYS=0x1e784000
 CONFIG_DEBUG_UART_VIRT=0xe8784000
 CONFIG_EARLY_PRINTK=y
-CONFIG_DEBUG_SET_MODULE_RONX=y
+CONFIG_HARDENED_MODULE_MAPPINGS=y
 # CONFIG_XZ_DEC_X86 is not set
 # CONFIG_XZ_DEC_POWERPC is not set
 # CONFIG_XZ_DEC_IA64 is not set
diff --git a/arch/arm/configs/aspeed_g5_defconfig b/arch/arm/configs/aspeed_g5_defconfig
index 90c5ce4..2ea444e 100644
--- a/arch/arm/configs/aspeed_g5_defconfig
+++ b/arch/arm/configs/aspeed_g5_defconfig
@@ -81,7 +81,7 @@  CONFIG_DEBUG_LL_UART_8250=y
 CONFIG_DEBUG_UART_PHYS=0x1e784000
 CONFIG_DEBUG_UART_VIRT=0xe8784000
 CONFIG_EARLY_PRINTK=y
-CONFIG_DEBUG_SET_MODULE_RONX=y
+CONFIG_HARDENED_MODULE_MAPPINGS=y
 # CONFIG_XZ_DEC_X86 is not set
 # CONFIG_XZ_DEC_POWERPC is not set
 # CONFIG_XZ_DEC_IA64 is not set
diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
index 9da1bf5..eb73a76 100644
--- a/arch/arm/kernel/patch.c
+++ b/arch/arm/kernel/patch.c
@@ -24,7 +24,7 @@  static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
 	bool module = !core_kernel_text(uintaddr);
 	struct page *page;
 
-	if (module && IS_ENABLED(CONFIG_DEBUG_SET_MODULE_RONX))
+	if (module && IS_ENABLED(CONFIG_HARDENED_MODULE_MAPPINGS))
 		page = vmalloc_to_page(addr);
 	else if (!module && IS_ENABLED(CONFIG_HARDENED_PAGE_MAPPINGS))
 		page = virt_to_page(addr);
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 06fed56..2fe0e98 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -12,6 +12,7 @@  config ARM64
 	select ARCH_HAS_GCOV_PROFILE_ALL
 	select ARCH_HAS_GIGANTIC_PAGE
 	select ARCH_HAS_HARDENED_MAPPINGS
+	select ARCH_HAS_HARDENED_MODULE_MAPPINGS
 	select ARCH_HAS_KCOV
 	select ARCH_HAS_SG_CHAIN
 	select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
index a26d27f..1eebe1f 100644
--- a/arch/arm64/Kconfig.debug
+++ b/arch/arm64/Kconfig.debug
@@ -71,17 +71,6 @@  config DEBUG_WX
 
 	  If in doubt, say "Y".
 
-config DEBUG_SET_MODULE_RONX
-	bool "Set loadable kernel module data as NX and text as RO"
-	depends on MODULES
-	default y
-	help
-	  Is this is set, kernel module text and rodata will be made read-only.
-	  This is to help catch accidental or malicious attempts to change the
-	  kernel's executable code.
-
-	  If in doubt, say Y.
-
 config DEBUG_ALIGN_RODATA
 	depends on ARCH_HAS_HARDENED_MAPPINGS
 	bool "Align linker sections up to SECTION_SIZE"
diff --git a/arch/arm64/kernel/insn.c b/arch/arm64/kernel/insn.c
index 94b62c1..31bd53f 100644
--- a/arch/arm64/kernel/insn.c
+++ b/arch/arm64/kernel/insn.c
@@ -93,7 +93,7 @@  static void __kprobes *patch_map(void *addr, int fixmap)
 	bool module = !core_kernel_text(uintaddr);
 	struct page *page;
 
-	if (module && IS_ENABLED(CONFIG_DEBUG_SET_MODULE_RONX))
+	if (module && IS_ENABLED(CONFIG_HARDENED_MODULE_MAPPINGS))
 		page = vmalloc_to_page(addr);
 	else if (!module)
 		page = pfn_to_page(PHYS_PFN(__pa(addr)));
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 8e70ae5..b1e6ed5 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -69,6 +69,7 @@  config S390
 	select ARCH_HAS_GCOV_PROFILE_ALL
 	select ARCH_HAS_GIGANTIC_PAGE
 	select ARCH_HAS_HARDENED_MAPPINGS
+	select ARCH_HAS_HARDENED_MODULE_MAPPINGS
 	select ARCH_HAS_KCOV
 	select ARCH_HAS_SG_CHAIN
 	select ARCH_HAS_UBSAN_SANITIZE_ALL
diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug
index 26c5d5be..57f8ea9 100644
--- a/arch/s390/Kconfig.debug
+++ b/arch/s390/Kconfig.debug
@@ -17,7 +17,4 @@  config S390_PTDUMP
 	  kernel.
 	  If in doubt, say "N"
 
-config DEBUG_SET_MODULE_RONX
-	def_bool y
-	depends on MODULES
 endmenu
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 9d80cd8..38ce850 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -51,6 +51,7 @@  config X86
 	select ARCH_HAS_FAST_MULTIPLIER
 	select ARCH_HAS_GCOV_PROFILE_ALL
 	select ARCH_HAS_HARDENED_MAPPINGS
+	select ARCH_HAS_HARDENED_MODULE_MAPPINGS
 	select ARCH_HAS_KCOV			if X86_64
 	select ARCH_HAS_MMIO_FLUSH
 	select ARCH_HAS_PMEM_API		if X86_64
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
index 67eec55..69cdd0b 100644
--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -109,17 +109,6 @@  config DEBUG_WX
 
 	  If in doubt, say "Y".
 
-config DEBUG_SET_MODULE_RONX
-	bool "Set loadable kernel module data as NX and text as RO"
-	depends on MODULES
-	---help---
-	  This option helps catch unintended modifications to loadable
-	  kernel module's text and read-only data. It also prevents execution
-	  of module data. Such protection may interfere with run-time code
-	  patching and dynamic kernel tracing - and they might also protect
-	  against certain classes of kernel exploits.
-	  If in doubt, say "N".
-
 config DEBUG_NX_TEST
 	tristate "Testcase for the NX non-executable stack feature"
 	depends on DEBUG_KERNEL && m
diff --git a/include/linux/filter.h b/include/linux/filter.h
index e4eb254..5426940 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -545,7 +545,7 @@  static inline bool bpf_prog_was_classic(const struct bpf_prog *prog)
 
 #define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0]))
 
-#ifdef CONFIG_DEBUG_SET_MODULE_RONX
+#ifdef CONFIG_HARDENED_MODULE_MAPPINGS
 static inline void bpf_prog_lock_ro(struct bpf_prog *fp)
 {
 	set_memory_ro((unsigned long)fp, fp->pages);
@@ -563,7 +563,7 @@  static inline void bpf_prog_lock_ro(struct bpf_prog *fp)
 static inline void bpf_prog_unlock_ro(struct bpf_prog *fp)
 {
 }
-#endif /* CONFIG_DEBUG_SET_MODULE_RONX */
+#endif /* CONFIG_HARDENED_MODULE_MAPPINGS */
 
 int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap);
 static inline int sk_filter(struct sock *sk, struct sk_buff *skb)
diff --git a/include/linux/init.h b/include/linux/init.h
index 9967bc9..5d6b0b2 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -126,7 +126,7 @@  void prepare_namespace(void);
 void __init load_default_modules(void);
 int __init init_rootfs(void);
 
-#if defined(CONFIG_HARDENED_PAGE_MAPPINGS) || defined(CONFIG_DEBUG_SET_MODULE_RONX)
+#if defined(CONFIG_HARDENED_PAGE_MAPPINGS) || defined(CONFIG_HARDENED_MODULE_MAPPINGS)
 extern bool rodata_enabled;
 #endif
 #ifdef CONFIG_HARDENED_PAGE_MAPPINGS
diff --git a/include/linux/module.h b/include/linux/module.h
index 7c84273..a4f6926 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -764,7 +764,7 @@  extern int module_sysfs_initialized;
 
 #define __MODULE_STRING(x) __stringify(x)
 
-#ifdef CONFIG_DEBUG_SET_MODULE_RONX
+#ifdef CONFIG_HARDENED_MODULE_MAPPINGS
 extern void set_all_modules_text_rw(void);
 extern void set_all_modules_text_ro(void);
 extern void module_enable_ro(const struct module *mod, bool after_init);
diff --git a/init/main.c b/init/main.c
index 4b3bcc4..1545399 100644
--- a/init/main.c
+++ b/init/main.c
@@ -925,7 +925,7 @@  static int try_to_run_init_process(const char *init_filename)
 
 static noinline void __init kernel_init_freeable(void);
 
-#if defined(CONFIG_HARDENED_PAGE_MAPPINGS) || defined(CONFIG_DEBUG_SET_MODULE_RONX)
+#if defined(CONFIG_HARDENED_PAGE_MAPPINGS) || defined(CONFIG_HARDENED_MODULE_MAPPINGS)
 bool rodata_enabled __ro_after_init = true;
 static int __init set_debug_rodata(char *str)
 {
diff --git a/kernel/module.c b/kernel/module.c
index 38d4270..eb2f865 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -74,9 +74,9 @@ 
 /*
  * Modules' sections will be aligned on page boundaries
  * to ensure complete separation of code and data, but
- * only when CONFIG_DEBUG_SET_MODULE_RONX=y
+ * only when CONFIG_HARDENED_MODULE_MAPPINGS=y
  */
-#ifdef CONFIG_DEBUG_SET_MODULE_RONX
+#ifdef CONFIG_HARDENED_MODULE_MAPPINGS
 # define debug_align(X) ALIGN(X, PAGE_SIZE)
 #else
 # define debug_align(X) (X)
@@ -1847,7 +1847,7 @@  static void mod_sysfs_teardown(struct module *mod)
 	mod_sysfs_fini(mod);
 }
 
-#ifdef CONFIG_DEBUG_SET_MODULE_RONX
+#ifdef CONFIG_HARDENED_MODULE_MAPPINGS
 /*
  * LKM RO/NX protection: protect module's text/ro-data
  * from modification and any data from execution.
diff --git a/security/Kconfig b/security/Kconfig
index ad6ce82..0f98d6b 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -174,6 +174,22 @@  config HARDENED_PAGE_MAPPINGS
 	  Unless your system has known restrictions or performance issues, it
 	  is recommended to say Y here.
 
+config ARCH_HAS_HARDENED_MODULE_MAPPINGS
+	def_bool n
+
+config HARDENED_MODULE_MAPPINGS
+	bool "Mark module mappings with stricter permissions (RO/W^X)"
+	default y
+	depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS
+	help
+	  If this is set, module text and rodata memory will be made read-only,
+	  and non-text memory will be made non-executable. This provides
+	  protection against certain security vulnerabilities (e.g. modifying
+	  code)
+
+	  Unless your system has known restrictions or performance issues, it
+	  is recommended to say Y here.
+
 source security/selinux/Kconfig
 source security/smack/Kconfig
 source security/tomoyo/Kconfig