From: Casey Schaufler <casey@schaufler-ca.com>
To: Preeti Nagar <pnagar@codeaurora.org>,
arnd@arndb.de, jmorris@namei.org, serge@hallyn.com,
paul@paul-moore.com, stephen.smalley.work@gmail.com,
eparis@parisplace.org, linux-security-module@vger.kernel.org,
selinux@vger.kernel.org, linux-arch@vger.kernel.org
Cc: psodagud@codeaurora.org, nmardana@codeaurora.org,
dsule@codeaurora.org, Joe Perches <joe@perches.com>,
Miguel Ojeda <ojeda@kernel.org>,
Nick Desaulniers <ndesaulniers@gooogle.com>,
linux-kernel@vger.kernel.org,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [RFC PATCH v2] selinux: security: Move selinux_state to a separate page
Date: Fri, 8 Jan 2021 09:11:44 -0800 [thread overview]
Message-ID: <0f467390-e018-6051-0014-ab475ed76863@schaufler-ca.com> (raw)
In-Reply-To: <1610099389-28329-1-git-send-email-pnagar@codeaurora.org>
On 1/8/2021 1:49 AM, Preeti Nagar wrote:
> The changes introduce a new security feature, RunTime Integrity Check
> (RTIC), designed to protect Linux Kernel at runtime. The motivation
> behind these changes is:
> 1. The system protection offered by SE for Android relies on the
> assumption of kernel integrity. If the kernel itself is compromised (by
> a perhaps as yet unknown future vulnerability), SE for Android security
> mechanisms could potentially be disabled and rendered ineffective.
> 2. Qualcomm Snapdragon devices use Secure Boot, which adds cryptographic
> checks to each stage of the boot-up process, to assert the authenticity
> of all secure software images that the device executes. However, due to
> various vulnerabilities in SW modules, the integrity of the system can be
> compromised at any time after device boot-up, leading to un-authorized
> SW executing.
It would be helpful if you characterized the "various vulnerabilities"
rather than simply asserting their existence. This would allow the reviewer
to determine if the proposed patch addresses the issue.
>
> The feature's idea is to move some sensitive kernel structures to a
> separate page and monitor further any unauthorized changes to these,
> from higher Exception Levels using stage 2 MMU. Moving these to a
> different page will help avoid getting page faults from un-related data.
I've always been a little slow when it comes to understanding the
details of advanced memory management facilities. That's part of
why I work in access control. Could you expand this a bit, so that
someone who doesn't already know how your stage 2 MMU works might
be able to evaluate what you're doing here.
> Using this mechanism, some sensitive variables of the kernel which are
> initialized after init or are updated rarely can also be protected from
> simple overwrites and attacks trying to modify these.
How would this interact with or complement __read_mostly?
>
> Currently, the change moves selinux_state structure to a separate page. In
> future we plan to move more security-related kernel assets to this page to
> enhance protection.
What's special about selinux_state? What about the SELinux policy?
How would I, as maintainer of the Smack security module, know if
some Smack data should be treated the same way?
>
> We want to seek your suggestions and comments on the idea and the changes
> in the patch.
>
> Signed-off-by: Preeti Nagar <pnagar@codeaurora.org>
> ---
> include/asm-generic/vmlinux.lds.h | 10 ++++++++++
> include/linux/init.h | 4 ++++
> security/Kconfig | 10 ++++++++++
> security/selinux/hooks.c | 4 ++++
> 4 files changed, 28 insertions(+)
>
> diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
> index b2b3d81..158dbc2 100644
> --- a/include/asm-generic/vmlinux.lds.h
> +++ b/include/asm-generic/vmlinux.lds.h
> @@ -770,6 +770,15 @@
> *(.scommon) \
> }
>
> +#ifdef CONFIG_SECURITY_RTIC
> +#define RTIC_BSS \
> + . = ALIGN(PAGE_SIZE); \
> + KEEP(*(.bss.rtic)) \
> + . = ALIGN(PAGE_SIZE);
> +#else
> +#define RTIC_BSS
> +#endif
> +
> /*
> * Allow archectures to redefine BSS_FIRST_SECTIONS to add extra
> * sections to the front of bss.
> @@ -782,6 +791,7 @@
> . = ALIGN(bss_align); \
> .bss : AT(ADDR(.bss) - LOAD_OFFSET) { \
> BSS_FIRST_SECTIONS \
> + RTIC_BSS \
> . = ALIGN(PAGE_SIZE); \
> *(.bss..page_aligned) \
> . = ALIGN(PAGE_SIZE); \
> diff --git a/include/linux/init.h b/include/linux/init.h
> index 7b53cb3..617adcf 100644
> --- a/include/linux/init.h
> +++ b/include/linux/init.h
> @@ -300,6 +300,10 @@ void __init parse_early_options(char *cmdline);
> /* Data marked not to be saved by software suspend */
> #define __nosavedata __section(".data..nosave")
>
> +#ifdef CONFIG_SECURITY_RTIC
> +#define __rticdata __section(".bss.rtic")
> +#endif
> +
> #ifdef MODULE
> #define __exit_p(x) x
> #else
> diff --git a/security/Kconfig b/security/Kconfig
> index 7561f6f..66b61b9 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -291,5 +291,15 @@ config LSM
>
> source "security/Kconfig.hardening"
>
> +config SECURITY_RTIC
> + bool "RunTime Integrity Check feature"
Shouldn't this depend on the architecture(s) supporting the
feature?
> + help
> + RTIC(RunTime Integrity Check) feature is to protect Linux kernel
> + at runtime. This relocates some of the security sensitive kernel
> + structures to a separate page aligned special section.
> +
> + This is to enable monitoring and protection of these kernel assets
> + from a higher exception level(EL) against any unauthorized changes.
"if you are unsure ..."
> +
> endmenu
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6b1826f..7add17c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -104,7 +104,11 @@
> #include "audit.h"
> #include "avc_ss.h"
>
> +#ifdef CONFIG_SECURITY_RTIC
> +struct selinux_state selinux_state __rticdata;
> +#else
> struct selinux_state selinux_state;
> +#endif
Shouldn't the __rticdata tag be applied always, and its
definition take care of the cases where it doesn't do anything?
>
> /* SECMARK reference count */
> static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
next prev parent reply other threads:[~2021-01-08 17:12 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-08 9:49 [RFC PATCH v2] selinux: security: Move selinux_state to a separate page Preeti Nagar
2021-01-08 15:25 ` Miguel Ojeda
2021-01-11 6:25 ` pnagar
2021-01-08 15:28 ` Miguel Ojeda
2021-01-08 17:11 ` Casey Schaufler [this message]
2021-01-12 9:36 ` pnagar
2021-01-12 17:06 ` Casey Schaufler
2021-01-13 10:56 ` David Howells
2021-01-18 6:15 ` pnagar
2021-01-09 1:01 ` Nick Desaulniers
2021-01-11 9:51 ` pnagar
2021-01-18 5:56 pnagar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0f467390-e018-6051-0014-ab475ed76863@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=arnd@arndb.de \
--cc=dsule@codeaurora.org \
--cc=eparis@parisplace.org \
--cc=jmorris@namei.org \
--cc=joe@perches.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=ndesaulniers@gooogle.com \
--cc=nmardana@codeaurora.org \
--cc=ojeda@kernel.org \
--cc=paul@paul-moore.com \
--cc=pnagar@codeaurora.org \
--cc=psodagud@codeaurora.org \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.