All of lore.kernel.org
 help / color / mirror / Atom feed
From: Preeti Nagar <pnagar@codeaurora.org>
To: arnd@arndb.de, jmorris@namei.org, serge@hallyn.com,
	paul@paul-moore.com, stephen.smalley.work@gmail.com,
	eparis@parisplace.org, linux-security-module@vger.kernel.org,
	selinux@vger.kernel.org, linux-arch@vger.kernel.org
Cc: casey@schaufler-ca.com, ndesaulniers@google.com,
	dhowells@redhat.com, ojeda@kernel.org, psodagud@codeaurora.org,
	nmardana@codeaurora.org, rkavati@codeaurora.org,
	vsekhar@codeaurora.org, mreichar@codeaurora.org,
	johan@kernel.org, joe@perches.com, jeyu@kernel.org,
	pnagar@codeaurora.org, linux-kernel@vger.kernel.org
Subject: [PATCH] RTIC: selinux: ARM64: Move selinux_state to a separate page
Date: Tue, 16 Feb 2021 15:47:52 +0530	[thread overview]
Message-ID: <1613470672-3069-1-git-send-email-pnagar@codeaurora.org> (raw)

The changes introduce a new security feature, RunTime Integrity Check
(RTIC), designed to protect Linux Kernel at runtime. The motivation
behind these changes is:
1. The system protection offered by Security Enhancements(SE) for
Android relies on the assumption of kernel integrity. If the kernel
itself is compromised (by a perhaps as yet unknown future vulnerability),
SE for Android security mechanisms could potentially be disabled and
rendered ineffective.
2. Qualcomm Snapdragon devices use Secure Boot, which adds cryptographic
checks to each stage of the boot-up process, to assert the authenticity
of all secure software images that the device executes.  However, due to
various vulnerabilities in SW modules, the integrity of the system can be
compromised at any time after device boot-up, leading to un-authorized
SW executing.

The feature's idea is to move some sensitive kernel structures to a
separate page and monitor further any unauthorized changes to these,
from higher Exception Levels using stage 2 MMU. Moving these to a
different page will help avoid getting page faults from un-related data.
The mechanism we have been working on removes the write permissions for
HLOS in the stage 2 page tables for the regions to be monitored, such
that any modification attempts to these will lead to faults being
generated and handled by handlers. If the protected assets are moved to
a separate page, faults will be generated corresponding to change attempts
to these assets only. If not moved to a separate page, write attempts to
un-related data present on the monitored pages will also be generated.

Using this feature, some sensitive variables of the kernel which are
initialized after init or are updated rarely can also be protected from
simple overwrites and attacks trying to modify these.

Currently, the change moves selinux_state structure to a separate page.
The page is 2MB aligned not 4K to avoid TLB related performance impact as,
for some CPU core designs, the TLB does not cache 4K stage 2 (IPA to PA)
mappings if the IPA comes from a stage 1 mapping. In future, we plan to
move more security-related kernel assets to this page to enhance
protection.

Signed-off-by: Preeti Nagar <pnagar@codeaurora.org>
---
The RFC patch reviewed available at:
https://lore.kernel.org/linux-security-module/1610099389-28329-1-git-send-email-pnagar@codeaurora.org/
---
 include/asm-generic/vmlinux.lds.h | 10 ++++++++++
 include/linux/init.h              |  6 ++++++
 security/Kconfig                  | 11 +++++++++++
 security/selinux/hooks.c          |  2 +-
 4 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index b97c628..d1a5434 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -770,6 +770,15 @@
 		*(.scommon)						\
 	}
 
+#ifdef CONFIG_SECURITY_RTIC
+#define RTIC_BSS							\
+	. = ALIGN(SZ_2M);						\
+	KEEP(*(.bss.rtic))						\
+	. = ALIGN(SZ_2M);
+#else
+#define RTIC_BSS
+#endif
+
 /*
  * Allow archectures to redefine BSS_FIRST_SECTIONS to add extra
  * sections to the front of bss.
@@ -782,6 +791,7 @@
 	. = ALIGN(bss_align);						\
 	.bss : AT(ADDR(.bss) - LOAD_OFFSET) {				\
 		BSS_FIRST_SECTIONS					\
+		RTIC_BSS						\
 		. = ALIGN(PAGE_SIZE);					\
 		*(.bss..page_aligned)					\
 		. = ALIGN(PAGE_SIZE);					\
diff --git a/include/linux/init.h b/include/linux/init.h
index e668832..e6d452a 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -300,6 +300,12 @@ void __init parse_early_options(char *cmdline);
 /* Data marked not to be saved by software suspend */
 #define __nosavedata __section(".data..nosave")
 
+#ifdef CONFIG_SECURITY_RTIC
+#define __rticdata  __section(".bss.rtic")
+#else
+#define __rticdata
+#endif
+
 #ifdef MODULE
 #define __exit_p(x) x
 #else
diff --git a/security/Kconfig b/security/Kconfig
index 7561f6f..1af913a 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -291,5 +291,16 @@ config LSM
 
 source "security/Kconfig.hardening"
 
+config SECURITY_RTIC
+	bool "RunTime Integrity Check feature"
+	depends on ARM64
+	help
+	  RTIC(RunTime Integrity Check) feature is to protect Linux kernel
+	  at runtime. This relocates some of the security sensitive kernel
+	  structures to a separate RTIC specific page.
+
+	  This is to enable monitoring and protection of these kernel assets
+	  from a higher exception level(EL) against any unauthorized changes.
+
 endmenu
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 644b17e..59d7eee 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -104,7 +104,7 @@
 #include "audit.h"
 #include "avc_ss.h"
 
-struct selinux_state selinux_state;
+struct selinux_state selinux_state __rticdata;
 
 /* SECMARK reference count */
 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
-- 
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member
of Code Aurora Forum, hosted by The Linux Foundation


             reply	other threads:[~2021-02-16 10:19 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-16 10:17 Preeti Nagar [this message]
2021-02-16 18:09 ` [PATCH] RTIC: selinux: ARM64: Move selinux_state to a separate page Nick Desaulniers
2021-02-22  6:54   ` pnagar
2021-02-16 20:32 ` Miguel Ojeda
2021-02-22  5:06   ` pnagar
2021-02-17  9:42 ` Will Deacon
2021-02-17  9:53   ` Ard Biesheuvel
2021-02-22  7:14     ` pnagar
2021-02-17 10:15   ` Marc Zyngier
2021-02-22  4:58     ` pnagar
2021-02-22 10:56       ` Marc Zyngier
2021-02-22  9:50   ` peter enderborg
2021-03-05  2:21 ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1613470672-3069-1-git-send-email-pnagar@codeaurora.org \
    --to=pnagar@codeaurora.org \
    --cc=arnd@arndb.de \
    --cc=casey@schaufler-ca.com \
    --cc=dhowells@redhat.com \
    --cc=eparis@parisplace.org \
    --cc=jeyu@kernel.org \
    --cc=jmorris@namei.org \
    --cc=joe@perches.com \
    --cc=johan@kernel.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mreichar@codeaurora.org \
    --cc=ndesaulniers@google.com \
    --cc=nmardana@codeaurora.org \
    --cc=ojeda@kernel.org \
    --cc=paul@paul-moore.com \
    --cc=psodagud@codeaurora.org \
    --cc=rkavati@codeaurora.org \
    --cc=selinux@vger.kernel.org \
    --cc=serge@hallyn.com \
    --cc=stephen.smalley.work@gmail.com \
    --cc=vsekhar@codeaurora.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.