From: Mark Rutland <mark.rutland@arm.com>
To: Phong Tran <tranmanphong@gmail.com>
Cc: steve.capper@arm.com, steven.price@arm.com, will@kernel.org,
keescook@chromium.org, greg@kroah.com, akpm@linux-foundation.org,
alexios.zavras@intel.com, broonie@kernel.org,
kernel-hardening@lists.openwall.com,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, tglx@linutronix.de
Subject: Re: [PATCH v2] arm64: add check_wx_pages debugfs for CHECK_WX
Date: Wed, 22 Apr 2020 15:35:27 +0100 [thread overview]
Message-ID: <20200422143526.GD54796@lakrids.cambridge.arm.com> (raw)
In-Reply-To: <20200421173557.10817-1-tranmanphong@gmail.com>
On Wed, Apr 22, 2020 at 12:35:58AM +0700, Phong Tran wrote:
> follow the suggestion from
> https://github.com/KSPP/linux/issues/35
>
> Signed-off-by: Phong Tran <tranmanphong@gmail.com>
> ---
> Change since v1:
> - Update the Kconfig help text
> - Don't check the return value of debugfs_create_file()
> - Tested on QEMU aarch64
As on v1, I think that this should be generic across all architectures
with CONFIG_DEBUG_WX. Adding this only on arm64 under
CONFIG_PTDUMP_DEBUGFS (which does not generally imply a WX check)
doesn't seem right.
Maybe we need a new ARCH_HAS_CHECK_WX config to make that simpler, but
that seems simple to me.
Thanks,
Marm.
> root@qemuarm64:~# zcat /proc/config.gz | grep PTDUMP
> CONFIG_GENERIC_PTDUMP=y
> CONFIG_PTDUMP_CORE=y
> CONFIG_PTDUMP_DEBUGFS=y
> root@qemuarm64:~# uname -a
> Linux qemuarm64 5.7.0-rc2-00001-g20ddb383c313 #3 SMP PREEMPT Tue Apr 21 23:18:56 +07 2020 aarch64 GNU/Linux
> root@qemuarm64:~# echo 1 > /sys/kernel/debug/check_wx_pages
> [ 63.261868] Checked W+X mappings: passed, no W+X pages found
> ---
> arch/arm64/Kconfig.debug | 5 ++++-
> arch/arm64/include/asm/ptdump.h | 2 ++
> arch/arm64/mm/dump.c | 1 +
> arch/arm64/mm/ptdump_debugfs.c | 18 ++++++++++++++++++
> 4 files changed, 25 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
> index a1efa246c9ed..cd82c9d3664a 100644
> --- a/arch/arm64/Kconfig.debug
> +++ b/arch/arm64/Kconfig.debug
> @@ -48,7 +48,10 @@ config DEBUG_WX
> of other unfixed kernel bugs easier.
>
> There is no runtime or memory usage effect of this option
> - once the kernel has booted up - it's a one time check.
> + once the kernel has booted up - it's a one time check at
> + boot, and can also be triggered at runtime by echo "1" to
> + "check_wx_pages". The "check_wx_pages" is available only with
> + CONFIG_PTDUMP_DEBUGFS is enabled.
>
> If in doubt, say "Y".
>
> diff --git a/arch/arm64/include/asm/ptdump.h b/arch/arm64/include/asm/ptdump.h
> index 38187f74e089..c90a6ec6f59b 100644
> --- a/arch/arm64/include/asm/ptdump.h
> +++ b/arch/arm64/include/asm/ptdump.h
> @@ -24,9 +24,11 @@ struct ptdump_info {
> void ptdump_walk(struct seq_file *s, struct ptdump_info *info);
> #ifdef CONFIG_PTDUMP_DEBUGFS
> void ptdump_debugfs_register(struct ptdump_info *info, const char *name);
> +void ptdump_check_wx_init(void);
> #else
> static inline void ptdump_debugfs_register(struct ptdump_info *info,
> const char *name) { }
> +static inline void ptdump_check_wx_init(void) { }
> #endif
> void ptdump_check_wx(void);
> #endif /* CONFIG_PTDUMP_CORE */
> diff --git a/arch/arm64/mm/dump.c b/arch/arm64/mm/dump.c
> index 860c00ec8bd3..60c99a047763 100644
> --- a/arch/arm64/mm/dump.c
> +++ b/arch/arm64/mm/dump.c
> @@ -378,6 +378,7 @@ static int ptdump_init(void)
> #endif
> ptdump_initialize();
> ptdump_debugfs_register(&kernel_ptdump_info, "kernel_page_tables");
> + ptdump_check_wx_init();
> return 0;
> }
> device_initcall(ptdump_init);
> diff --git a/arch/arm64/mm/ptdump_debugfs.c b/arch/arm64/mm/ptdump_debugfs.c
> index d29d722ec3ec..6b0aa16cb17b 100644
> --- a/arch/arm64/mm/ptdump_debugfs.c
> +++ b/arch/arm64/mm/ptdump_debugfs.c
> @@ -20,3 +20,21 @@ void ptdump_debugfs_register(struct ptdump_info *info, const char *name)
> {
> debugfs_create_file(name, 0400, NULL, info, &ptdump_fops);
> }
> +
> +static int check_wx_debugfs_set(void *data, u64 val)
> +{
> + if (val != 1ULL)
> + return -EINVAL;
> +
> + ptdump_check_wx();
> +
> + return 0;
> +}
> +
> +DEFINE_SIMPLE_ATTRIBUTE(check_wx_fops, NULL, check_wx_debugfs_set, "%llu\n");
> +
> +void ptdump_check_wx_init(void)
> +{
> + debugfs_create_file("check_wx_pages", 0200, NULL,
> + NULL, &check_wx_fops) ? 0 : -ENOMEM;
> +}
> --
> 2.20.1
>
WARNING: multiple messages have this Message-ID (diff)
From: Mark Rutland <mark.rutland@arm.com>
To: Phong Tran <tranmanphong@gmail.com>
Cc: keescook@chromium.org, steve.capper@arm.com, greg@kroah.com,
kernel-hardening@lists.openwall.com,
linux-kernel@vger.kernel.org, steven.price@arm.com,
alexios.zavras@intel.com, broonie@kernel.org,
akpm@linux-foundation.org, will@kernel.org, tglx@linutronix.de,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v2] arm64: add check_wx_pages debugfs for CHECK_WX
Date: Wed, 22 Apr 2020 15:35:27 +0100 [thread overview]
Message-ID: <20200422143526.GD54796@lakrids.cambridge.arm.com> (raw)
In-Reply-To: <20200421173557.10817-1-tranmanphong@gmail.com>
On Wed, Apr 22, 2020 at 12:35:58AM +0700, Phong Tran wrote:
> follow the suggestion from
> https://github.com/KSPP/linux/issues/35
>
> Signed-off-by: Phong Tran <tranmanphong@gmail.com>
> ---
> Change since v1:
> - Update the Kconfig help text
> - Don't check the return value of debugfs_create_file()
> - Tested on QEMU aarch64
As on v1, I think that this should be generic across all architectures
with CONFIG_DEBUG_WX. Adding this only on arm64 under
CONFIG_PTDUMP_DEBUGFS (which does not generally imply a WX check)
doesn't seem right.
Maybe we need a new ARCH_HAS_CHECK_WX config to make that simpler, but
that seems simple to me.
Thanks,
Marm.
> root@qemuarm64:~# zcat /proc/config.gz | grep PTDUMP
> CONFIG_GENERIC_PTDUMP=y
> CONFIG_PTDUMP_CORE=y
> CONFIG_PTDUMP_DEBUGFS=y
> root@qemuarm64:~# uname -a
> Linux qemuarm64 5.7.0-rc2-00001-g20ddb383c313 #3 SMP PREEMPT Tue Apr 21 23:18:56 +07 2020 aarch64 GNU/Linux
> root@qemuarm64:~# echo 1 > /sys/kernel/debug/check_wx_pages
> [ 63.261868] Checked W+X mappings: passed, no W+X pages found
> ---
> arch/arm64/Kconfig.debug | 5 ++++-
> arch/arm64/include/asm/ptdump.h | 2 ++
> arch/arm64/mm/dump.c | 1 +
> arch/arm64/mm/ptdump_debugfs.c | 18 ++++++++++++++++++
> 4 files changed, 25 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
> index a1efa246c9ed..cd82c9d3664a 100644
> --- a/arch/arm64/Kconfig.debug
> +++ b/arch/arm64/Kconfig.debug
> @@ -48,7 +48,10 @@ config DEBUG_WX
> of other unfixed kernel bugs easier.
>
> There is no runtime or memory usage effect of this option
> - once the kernel has booted up - it's a one time check.
> + once the kernel has booted up - it's a one time check at
> + boot, and can also be triggered at runtime by echo "1" to
> + "check_wx_pages". The "check_wx_pages" is available only with
> + CONFIG_PTDUMP_DEBUGFS is enabled.
>
> If in doubt, say "Y".
>
> diff --git a/arch/arm64/include/asm/ptdump.h b/arch/arm64/include/asm/ptdump.h
> index 38187f74e089..c90a6ec6f59b 100644
> --- a/arch/arm64/include/asm/ptdump.h
> +++ b/arch/arm64/include/asm/ptdump.h
> @@ -24,9 +24,11 @@ struct ptdump_info {
> void ptdump_walk(struct seq_file *s, struct ptdump_info *info);
> #ifdef CONFIG_PTDUMP_DEBUGFS
> void ptdump_debugfs_register(struct ptdump_info *info, const char *name);
> +void ptdump_check_wx_init(void);
> #else
> static inline void ptdump_debugfs_register(struct ptdump_info *info,
> const char *name) { }
> +static inline void ptdump_check_wx_init(void) { }
> #endif
> void ptdump_check_wx(void);
> #endif /* CONFIG_PTDUMP_CORE */
> diff --git a/arch/arm64/mm/dump.c b/arch/arm64/mm/dump.c
> index 860c00ec8bd3..60c99a047763 100644
> --- a/arch/arm64/mm/dump.c
> +++ b/arch/arm64/mm/dump.c
> @@ -378,6 +378,7 @@ static int ptdump_init(void)
> #endif
> ptdump_initialize();
> ptdump_debugfs_register(&kernel_ptdump_info, "kernel_page_tables");
> + ptdump_check_wx_init();
> return 0;
> }
> device_initcall(ptdump_init);
> diff --git a/arch/arm64/mm/ptdump_debugfs.c b/arch/arm64/mm/ptdump_debugfs.c
> index d29d722ec3ec..6b0aa16cb17b 100644
> --- a/arch/arm64/mm/ptdump_debugfs.c
> +++ b/arch/arm64/mm/ptdump_debugfs.c
> @@ -20,3 +20,21 @@ void ptdump_debugfs_register(struct ptdump_info *info, const char *name)
> {
> debugfs_create_file(name, 0400, NULL, info, &ptdump_fops);
> }
> +
> +static int check_wx_debugfs_set(void *data, u64 val)
> +{
> + if (val != 1ULL)
> + return -EINVAL;
> +
> + ptdump_check_wx();
> +
> + return 0;
> +}
> +
> +DEFINE_SIMPLE_ATTRIBUTE(check_wx_fops, NULL, check_wx_debugfs_set, "%llu\n");
> +
> +void ptdump_check_wx_init(void)
> +{
> + debugfs_create_file("check_wx_pages", 0200, NULL,
> + NULL, &check_wx_fops) ? 0 : -ENOMEM;
> +}
> --
> 2.20.1
>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-04-22 14:35 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-07 9:39 [PATCH] arm64: add check_wx_pages debugfs for CHECK_WX Phong Tran
2020-03-07 9:39 ` Phong Tran
2020-03-09 10:32 ` Steven Price
2020-03-09 10:32 ` Steven Price
2020-03-09 10:32 ` Steven Price
2020-03-09 12:17 ` Mark Rutland
2020-03-09 12:17 ` Mark Rutland
2020-03-09 12:21 ` Greg KH
2020-03-09 12:21 ` Greg KH
2020-03-09 16:15 ` Kees Cook
2020-03-09 16:15 ` Kees Cook
2020-03-09 16:51 ` Mark Rutland
2020-03-09 16:51 ` Mark Rutland
2020-04-20 20:42 ` Will Deacon
2020-04-20 20:42 ` Will Deacon
2020-04-21 17:35 ` [PATCH v2] " Phong Tran
2020-04-21 17:35 ` Phong Tran
2020-04-22 13:32 ` Steven Price
2020-04-22 13:32 ` Steven Price
2020-04-22 14:35 ` Mark Rutland [this message]
2020-04-22 14:35 ` Mark Rutland
2020-04-22 15:26 ` Will Deacon
2020-04-22 15:26 ` Will Deacon
2020-04-22 17:11 ` Mark Rutland
2020-04-22 17:11 ` Mark Rutland
2020-04-24 10:52 ` Phong Tran
2020-04-24 10:52 ` Phong Tran
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200422143526.GD54796@lakrids.cambridge.arm.com \
--to=mark.rutland@arm.com \
--cc=akpm@linux-foundation.org \
--cc=alexios.zavras@intel.com \
--cc=broonie@kernel.org \
--cc=greg@kroah.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=steve.capper@arm.com \
--cc=steven.price@arm.com \
--cc=tglx@linutronix.de \
--cc=tranmanphong@gmail.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.