[v5,9/9] riscv: add STRICT_KERNEL_RWX support

Message ID	100e739c5fd722a96fcc640c8ee0c82fe34fcb6a.1586332296.git.zong.li@sifive.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=HX4e=5Y=lists.infradead.org=linux-riscv-bounces+patchwork-linux-riscv=patchwork.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6431F20747 From: Zong Li <zong.li@sifive.com> To: palmer@dabbelt.com, paul.walmsley@sifive.com, aou@eecs.berkeley.edu, mhiramat@kernel.org, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH v5 9/9] riscv: add STRICT_KERNEL_RWX support Date: Wed, 8 Apr 2020 15:57:04 +0800 Message-Id: <100e739c5fd722a96fcc640c8ee0c82fe34fcb6a.1586332296.git.zong.li@sifive.com> In-Reply-To: <cover.1586332296.git.zong.li@sifive.com> References: <cover.1586332296.git.zong.li@sifive.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:641 listed in] [list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Precedence: list Cc: Zong Li <zong.li@sifive.com> Sender: "linux-riscv" <linux-riscv-bounces@lists.infradead.org> Errors-To: linux-riscv-bounces+patchwork-linux-riscv=patchwork.kernel.org@lists.infradead.org
Series	Support strict kernel memory permissions for security \| expand [v5,0/9] Support strict kernel memory permissions for security [v5,1/9] riscv: add macro to get instruction length [v5,2/9] riscv: introduce interfaces to patch kernel code [v5,3/9] riscv: patch code by fixmap mapping [v5,4/9] riscv: add ARCH_HAS_SET_MEMORY support [v5,5/9] riscv: add ARCH_HAS_SET_DIRECT_MAP support [v5,6/9] riscv: add ARCH_SUPPORTS_DEBUG_PAGEALLOC support [v5,7/9] riscv: move exception table immediately after RO_DATA [v5,8/9] riscv: add alignment for text, rodata and data sections [v5,9/9] riscv: add STRICT_KERNEL_RWX support

Message ID

100e739c5fd722a96fcc640c8ee0c82fe34fcb6a.1586332296.git.zong.li@sifive.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6431F20747
From: Zong Li <zong.li@sifive.com>
To: palmer@dabbelt.com, paul.walmsley@sifive.com, aou@eecs.berkeley.edu,
 mhiramat@kernel.org, linux-riscv@lists.infradead.org,
 linux-kernel@vger.kernel.org
Subject: [PATCH v5 9/9] riscv: add STRICT_KERNEL_RWX support
Date: Wed,  8 Apr 2020 15:57:04 +0800
Message-Id: 
 <100e739c5fd722a96fcc640c8ee0c82fe34fcb6a.1586332296.git.zong.li@sifive.com>
In-Reply-To: <cover.1586332296.git.zong.li@sifive.com>
References: <cover.1586332296.git.zong.li@sifive.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Cc: Zong Li <zong.li@sifive.com>
Sender: "linux-riscv" <linux-riscv-bounces@lists.infradead.org>
Errors-To: 
 linux-riscv-bounces+patchwork-linux-riscv=patchwork.kernel.org@lists.infradead.org

Series

Support strict kernel memory permissions for security | expand

Commit Message

Zong Li April 8, 2020, 7:57 a.m. UTC

The commit contains that make text section as non-writable, rodata
section as read-only, and data section as non-executable.

The init section should be changed to non-executable.

Signed-off-by: Zong Li <zong.li@sifive.com>
---
 arch/riscv/Kconfig                  |  1 +
 arch/riscv/include/asm/set_memory.h |  8 ++++++
 arch/riscv/mm/init.c                | 44 +++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+)

Comments

Palmer Dabbelt April 18, 2020, 12:30 a.m. UTC | #1

On Wed, 08 Apr 2020 00:57:04 PDT (-0700), zong.li@sifive.com wrote:
> The commit contains that make text section as non-writable, rodata
> section as read-only, and data section as non-executable.
>
> The init section should be changed to non-executable.
>
> Signed-off-by: Zong Li <zong.li@sifive.com>
> ---
>  arch/riscv/Kconfig                  |  1 +
>  arch/riscv/include/asm/set_memory.h |  8 ++++++
>  arch/riscv/mm/init.c                | 44 +++++++++++++++++++++++++++++
>  3 files changed, 53 insertions(+)
>
> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
> index 1e1efc998baf..58b556167d59 100644
> --- a/arch/riscv/Kconfig
> +++ b/arch/riscv/Kconfig
> @@ -61,6 +61,7 @@ config RISCV
>  	select ARCH_HAS_GIGANTIC_PAGE
>  	select ARCH_HAS_SET_DIRECT_MAP
>  	select ARCH_HAS_SET_MEMORY
> +	select ARCH_HAS_STRICT_KERNEL_RWX
>  	select ARCH_WANT_HUGE_PMD_SHARE if 64BIT
>  	select SPARSEMEM_STATIC if 32BIT
>  	select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT if MMU
> diff --git a/arch/riscv/include/asm/set_memory.h b/arch/riscv/include/asm/set_memory.h
> index 4c5bae7ca01c..c38df4771c09 100644
> --- a/arch/riscv/include/asm/set_memory.h
> +++ b/arch/riscv/include/asm/set_memory.h
> @@ -22,6 +22,14 @@ static inline int set_memory_x(unsigned long addr, int numpages) { return 0; }
>  static inline int set_memory_nx(unsigned long addr, int numpages) { return 0; }
>  #endif
>
> +#ifdef CONFIG_STRICT_KERNEL_RWX
> +void set_kernel_text_ro(void);
> +void set_kernel_text_rw(void);
> +#else
> +static inline void set_kernel_text_ro(void) { }
> +static inline void set_kernel_text_rw(void) { }
> +#endif
> +
>  int set_direct_map_invalid_noflush(struct page *page);
>  int set_direct_map_default_noflush(struct page *page);
>
> diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
> index fab855963c73..b55be44ff9bd 100644
> --- a/arch/riscv/mm/init.c
> +++ b/arch/riscv/mm/init.c
> @@ -12,6 +12,7 @@
>  #include <linux/sizes.h>
>  #include <linux/of_fdt.h>
>  #include <linux/libfdt.h>
> +#include <linux/set_memory.h>
>
>  #include <asm/fixmap.h>
>  #include <asm/tlbflush.h>
> @@ -477,6 +478,17 @@ static void __init setup_vm_final(void)
>  	csr_write(CSR_SATP, PFN_DOWN(__pa_symbol(swapper_pg_dir)) | SATP_MODE);
>  	local_flush_tlb_all();
>  }
> +
> +void free_initmem(void)
> +{
> +	unsigned long init_begin = (unsigned long)__init_begin;
> +	unsigned long init_end = (unsigned long)__init_end;
> +
> +	/* Make the region as non-execuatble. */
> +	set_memory_nx(init_begin, (init_end - init_begin) >> PAGE_SHIFT);
> +	free_initmem_default(POISON_FREE_INITMEM);
> +}
> +
>  #else
>  asmlinkage void __init setup_vm(uintptr_t dtb_pa)
>  {
> @@ -488,6 +500,38 @@ static inline void setup_vm_final(void)
>  }
>  #endif /* CONFIG_MMU */
>
> +#ifdef CONFIG_STRICT_KERNEL_RWX
> +void set_kernel_text_rw(void)
> +{
> +	unsigned long text_start = (unsigned long)_text;
> +	unsigned long text_end = (unsigned long)_etext;
> +
> +	set_memory_rw(text_start, (text_end - text_start) >> PAGE_SHIFT);
> +}
> +
> +void set_kernel_text_ro(void)
> +{
> +	unsigned long text_start = (unsigned long)_text;
> +	unsigned long text_end = (unsigned long)_etext;
> +
> +	set_memory_ro(text_start, (text_end - text_start) >> PAGE_SHIFT);
> +}
> +
> +void mark_rodata_ro(void)
> +{
> +	unsigned long text_start = (unsigned long)_text;
> +	unsigned long text_end = (unsigned long)_etext;
> +	unsigned long rodata_start = (unsigned long)__start_rodata;
> +	unsigned long data_start = (unsigned long)_data;
> +	unsigned long max_low = (unsigned long)(__va(PFN_PHYS(max_low_pfn)));
> +
> +	set_memory_ro(text_start, (text_end - text_start) >> PAGE_SHIFT);
> +	set_memory_ro(rodata_start, (data_start - rodata_start) >> PAGE_SHIFT);
> +	set_memory_nx(rodata_start, (data_start - rodata_start) >> PAGE_SHIFT);
> +	set_memory_nx(data_start, (max_low - data_start) >> PAGE_SHIFT);
> +}
> +#endif
> +
>  void __init paging_init(void)
>  {
>  	setup_vm_final();

Reviewed-by: Palmer Dabbelt <palmerdabbelt@google.com>

Damien Le Moal April 19, 2020, 11:50 p.m. UTC | #2

On 2020/04/18 9:30, Palmer Dabbelt wrote:
> On Wed, 08 Apr 2020 00:57:04 PDT (-0700), zong.li@sifive.com wrote:
>> The commit contains that make text section as non-writable, rodata
>> section as read-only, and data section as non-executable.
>>
>> The init section should be changed to non-executable.
>>
>> Signed-off-by: Zong Li <zong.li@sifive.com>
>> ---
>>  arch/riscv/Kconfig                  |  1 +
>>  arch/riscv/include/asm/set_memory.h |  8 ++++++
>>  arch/riscv/mm/init.c                | 44 +++++++++++++++++++++++++++++
>>  3 files changed, 53 insertions(+)
>>
>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>> index 1e1efc998baf..58b556167d59 100644
>> --- a/arch/riscv/Kconfig
>> +++ b/arch/riscv/Kconfig
>> @@ -61,6 +61,7 @@ config RISCV
>>  	select ARCH_HAS_GIGANTIC_PAGE
>>  	select ARCH_HAS_SET_DIRECT_MAP
>>  	select ARCH_HAS_SET_MEMORY
>> +	select ARCH_HAS_STRICT_KERNEL_RWX

This should be:

	select ARCH_HAS_STRICT_KERNEL_RWX if !MMU

This option does not make sense for the no MMU case and more importantly, it
ends up generating gigantic binary images which breaks things like the K210 support.

Palmer,

I sent a patch to fix that. You did not reply/comment on it.


>>  	select ARCH_WANT_HUGE_PMD_SHARE if 64BIT
>>  	select SPARSEMEM_STATIC if 32BIT
>>  	select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT if MMU
>> diff --git a/arch/riscv/include/asm/set_memory.h b/arch/riscv/include/asm/set_memory.h
>> index 4c5bae7ca01c..c38df4771c09 100644
>> --- a/arch/riscv/include/asm/set_memory.h
>> +++ b/arch/riscv/include/asm/set_memory.h
>> @@ -22,6 +22,14 @@ static inline int set_memory_x(unsigned long addr, int numpages) { return 0; }
>>  static inline int set_memory_nx(unsigned long addr, int numpages) { return 0; }
>>  #endif
>>
>> +#ifdef CONFIG_STRICT_KERNEL_RWX
>> +void set_kernel_text_ro(void);
>> +void set_kernel_text_rw(void);
>> +#else
>> +static inline void set_kernel_text_ro(void) { }
>> +static inline void set_kernel_text_rw(void) { }
>> +#endif
>> +
>>  int set_direct_map_invalid_noflush(struct page *page);
>>  int set_direct_map_default_noflush(struct page *page);
>>
>> diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
>> index fab855963c73..b55be44ff9bd 100644
>> --- a/arch/riscv/mm/init.c
>> +++ b/arch/riscv/mm/init.c
>> @@ -12,6 +12,7 @@
>>  #include <linux/sizes.h>
>>  #include <linux/of_fdt.h>
>>  #include <linux/libfdt.h>
>> +#include <linux/set_memory.h>
>>
>>  #include <asm/fixmap.h>
>>  #include <asm/tlbflush.h>
>> @@ -477,6 +478,17 @@ static void __init setup_vm_final(void)
>>  	csr_write(CSR_SATP, PFN_DOWN(__pa_symbol(swapper_pg_dir)) | SATP_MODE);
>>  	local_flush_tlb_all();
>>  }
>> +
>> +void free_initmem(void)
>> +{
>> +	unsigned long init_begin = (unsigned long)__init_begin;
>> +	unsigned long init_end = (unsigned long)__init_end;
>> +
>> +	/* Make the region as non-execuatble. */
>> +	set_memory_nx(init_begin, (init_end - init_begin) >> PAGE_SHIFT);
>> +	free_initmem_default(POISON_FREE_INITMEM);
>> +}
>> +
>>  #else
>>  asmlinkage void __init setup_vm(uintptr_t dtb_pa)
>>  {
>> @@ -488,6 +500,38 @@ static inline void setup_vm_final(void)
>>  }
>>  #endif /* CONFIG_MMU */
>>
>> +#ifdef CONFIG_STRICT_KERNEL_RWX
>> +void set_kernel_text_rw(void)
>> +{
>> +	unsigned long text_start = (unsigned long)_text;
>> +	unsigned long text_end = (unsigned long)_etext;
>> +
>> +	set_memory_rw(text_start, (text_end - text_start) >> PAGE_SHIFT);
>> +}
>> +
>> +void set_kernel_text_ro(void)
>> +{
>> +	unsigned long text_start = (unsigned long)_text;
>> +	unsigned long text_end = (unsigned long)_etext;
>> +
>> +	set_memory_ro(text_start, (text_end - text_start) >> PAGE_SHIFT);
>> +}
>> +
>> +void mark_rodata_ro(void)
>> +{
>> +	unsigned long text_start = (unsigned long)_text;
>> +	unsigned long text_end = (unsigned long)_etext;
>> +	unsigned long rodata_start = (unsigned long)__start_rodata;
>> +	unsigned long data_start = (unsigned long)_data;
>> +	unsigned long max_low = (unsigned long)(__va(PFN_PHYS(max_low_pfn)));
>> +
>> +	set_memory_ro(text_start, (text_end - text_start) >> PAGE_SHIFT);
>> +	set_memory_ro(rodata_start, (data_start - rodata_start) >> PAGE_SHIFT);
>> +	set_memory_nx(rodata_start, (data_start - rodata_start) >> PAGE_SHIFT);
>> +	set_memory_nx(data_start, (max_low - data_start) >> PAGE_SHIFT);
>> +}
>> +#endif
>> +
>>  void __init paging_init(void)
>>  {
>>  	setup_vm_final();
> 
> Reviewed-by: Palmer Dabbelt <palmerdabbelt@google.com>
> 
>

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index 1e1efc998baf..58b556167d59 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -61,6 +61,7 @@  config RISCV
 	select ARCH_HAS_GIGANTIC_PAGE
 	select ARCH_HAS_SET_DIRECT_MAP
 	select ARCH_HAS_SET_MEMORY
+	select ARCH_HAS_STRICT_KERNEL_RWX
 	select ARCH_WANT_HUGE_PMD_SHARE if 64BIT
 	select SPARSEMEM_STATIC if 32BIT
 	select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT if MMU
diff --git a/arch/riscv/include/asm/set_memory.h b/arch/riscv/include/asm/set_memory.h
index 4c5bae7ca01c..c38df4771c09 100644
--- a/arch/riscv/include/asm/set_memory.h
+++ b/arch/riscv/include/asm/set_memory.h
@@ -22,6 +22,14 @@  static inline int set_memory_x(unsigned long addr, int numpages) { return 0; }
 static inline int set_memory_nx(unsigned long addr, int numpages) { return 0; }
 #endif
 
+#ifdef CONFIG_STRICT_KERNEL_RWX
+void set_kernel_text_ro(void);
+void set_kernel_text_rw(void);
+#else
+static inline void set_kernel_text_ro(void) { }
+static inline void set_kernel_text_rw(void) { }
+#endif
+
 int set_direct_map_invalid_noflush(struct page *page);
 int set_direct_map_default_noflush(struct page *page);
 
diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index fab855963c73..b55be44ff9bd 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -12,6 +12,7 @@ 
 #include <linux/sizes.h>
 #include <linux/of_fdt.h>
 #include <linux/libfdt.h>
+#include <linux/set_memory.h>
 
 #include <asm/fixmap.h>
 #include <asm/tlbflush.h>
@@ -477,6 +478,17 @@  static void __init setup_vm_final(void)
 	csr_write(CSR_SATP, PFN_DOWN(__pa_symbol(swapper_pg_dir)) | SATP_MODE);
 	local_flush_tlb_all();
 }
+
+void free_initmem(void)
+{
+	unsigned long init_begin = (unsigned long)__init_begin;
+	unsigned long init_end = (unsigned long)__init_end;
+
+	/* Make the region as non-execuatble. */
+	set_memory_nx(init_begin, (init_end - init_begin) >> PAGE_SHIFT);
+	free_initmem_default(POISON_FREE_INITMEM);
+}
+
 #else
 asmlinkage void __init setup_vm(uintptr_t dtb_pa)
 {
@@ -488,6 +500,38 @@  static inline void setup_vm_final(void)
 }
 #endif /* CONFIG_MMU */
 
+#ifdef CONFIG_STRICT_KERNEL_RWX
+void set_kernel_text_rw(void)
+{
+	unsigned long text_start = (unsigned long)_text;
+	unsigned long text_end = (unsigned long)_etext;
+
+	set_memory_rw(text_start, (text_end - text_start) >> PAGE_SHIFT);
+}
+
+void set_kernel_text_ro(void)
+{
+	unsigned long text_start = (unsigned long)_text;
+	unsigned long text_end = (unsigned long)_etext;
+
+	set_memory_ro(text_start, (text_end - text_start) >> PAGE_SHIFT);
+}
+
+void mark_rodata_ro(void)
+{
+	unsigned long text_start = (unsigned long)_text;
+	unsigned long text_end = (unsigned long)_etext;
+	unsigned long rodata_start = (unsigned long)__start_rodata;
+	unsigned long data_start = (unsigned long)_data;
+	unsigned long max_low = (unsigned long)(__va(PFN_PHYS(max_low_pfn)));
+
+	set_memory_ro(text_start, (text_end - text_start) >> PAGE_SHIFT);
+	set_memory_ro(rodata_start, (data_start - rodata_start) >> PAGE_SHIFT);
+	set_memory_nx(rodata_start, (data_start - rodata_start) >> PAGE_SHIFT);
+	set_memory_nx(data_start, (max_low - data_start) >> PAGE_SHIFT);
+}
+#endif
+
 void __init paging_init(void)
 {
 	setup_vm_final();

[v5,9/9] riscv: add STRICT_KERNEL_RWX support

Commit Message

Comments

Patch