From: Jordan Niethe <jniethe5@gmail.com>
To: linuxppc-dev@lists.ozlabs.org
Cc: ajd@linux.ibm.com, cmr@codefail.de, npiggin@gmail.com,
	aneesh.kumar@linux.ibm.com, naveen.n.rao@linux.ibm.com,
	Jordan Niethe <jniethe5@gmail.com>,
	dja@axtens.net
Subject: [PATCH v14 7/9] powerpc: Set ARCH_HAS_STRICT_MODULE_RWX
Date: Mon, 17 May 2021 13:28:08 +1000
Message-ID: <20210517032810.129949-8-jniethe5@gmail.com>
In-Reply-To: <20210517032810.129949-1-jniethe5@gmail.com>

From: Russell Currey <ruscur@russell.cc>

To enable strict module RWX on powerpc, set:

    CONFIG_STRICT_MODULE_RWX=y

You should also have CONFIG_STRICT_KERNEL_RWX=y set to have any real
security benefit.

ARCH_HAS_STRICT_MODULE_RWX is set to require ARCH_HAS_STRICT_KERNEL_RWX.
This is due to a quirk in arch/Kconfig and arch/powerpc/Kconfig that
makes STRICT_MODULE_RWX *on by default* in configurations where
STRICT_KERNEL_RWX is *unavailable*.

Since this doesn't make much sense, and module RWX without kernel RWX
doesn't make much sense, having the same dependencies as kernel RWX
works around this problem.

Book3s/32 processors with a hash MMU (i.e. 604 core) cannot set memory
protection on a page by page basis so do not enable.

Signed-off-by: Russell Currey <ruscur@russell.cc>
[jpn: - predicate on !PPC_BOOK3S_604
      - make module_alloc() use PAGE_KERNEL protection]
Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
---
v10: - Predicate on !PPC_BOOK3S_604
     - Make module_alloc() use PAGE_KERNEL protection
v11: - Neaten up
v13: Use strict_kernel_rwx_enabled()
v14: Make changes to module_alloc() its own commit
---
 arch/powerpc/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index cce0a137b046..cb5d9d862c35 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -140,6 +140,7 @@ config PPC
 	select ARCH_HAS_SCALED_CPUTIME		if VIRT_CPU_ACCOUNTING_NATIVE && PPC_BOOK3S_64
 	select ARCH_HAS_SET_MEMORY
 	select ARCH_HAS_STRICT_KERNEL_RWX	if ((PPC_BOOK3S_64 || PPC32) && !HIBERNATION)
+	select ARCH_HAS_STRICT_MODULE_RWX	if ARCH_HAS_STRICT_KERNEL_RWX && !PPC_BOOK3S_604
 	select ARCH_HAS_TICK_BROADCAST		if GENERIC_CLOCKEVENTS_BROADCAST
 	select ARCH_HAS_UACCESS_FLUSHCACHE
 	select ARCH_HAS_COPY_MC			if PPC64
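Review bot: the `!PPC_BOOK3S_604` exclusion on the added select line carries reasoning that only lives in the commit message (hash-MMU Book3S/32 cores cannot change protection per page); a short Kconfig comment above the `select ARCH_HAS_STRICT_MODULE_RWX` line would keep that rationale next to the condition for whoever next touches it. The same goes for predicating on `ARCH_HAS_STRICT_KERNEL_RWX` rather than repeating `(PPC_BOOK3S_64 || PPC32) && !HIBERNATION` from the line above: that inheritance is what works around the arch/Kconfig default-on quirk the message describes, and a one-line comment stating so would stop the two selects from being "simplified" independently later.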
-- 
2.25.1
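The commit message warns that STRICT_MODULE_RWX without STRICT_KERNEL_RWX gives no real benefit, and that the arch/Kconfig quirk can produce exactly that combination. The following audit script is an added example, not part of this patch series or the kernel tree: it reads a kernel `.config` and classifies the Strict RWX combination, flagging the quirk case. The `.config` contents are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not kernel code): classify the Strict RWX settings in a
# kernel .config, flagging STRICT_MODULE_RWX enabled without STRICT_KERNEL_RWX.

# cfg_value FILE SYMBOL -> prints the value of CONFIG_SYMBOL, or "n" when the
# symbol is absent or appears as "# CONFIG_SYMBOL is not set".
cfg_value() {
    _file=$1; _sym=$2
    _v=$(sed -n "s/^CONFIG_${_sym}=\(.*\)$/\1/p" "$_file" | tail -n 1)
    [ -n "$_v" ] && printf '%s\n' "$_v" || printf 'n\n'
}

# rwx_audit FILE -> prints one word:
#   ok           kernel and module RWX both enabled
#   quirk        module RWX on while kernel RWX is off (the case the message warns about)
#   kernel-only  kernel RWX on, module RWX off
#   none         neither enabled
rwx_audit() {
    _k=$(cfg_value "$1" STRICT_KERNEL_RWX)
    _m=$(cfg_value "$1" STRICT_MODULE_RWX)
    case "$_k$_m" in
        yy) echo ok ;;
        ny) echo quirk ;;
        yn) echo kernel-only ;;
        *)  echo none ;;
    esac
}

# Constructed sample configs (not real build output); cleaned up on exit.
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
CONFIG_PPC64=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
EOF
cat > "$bad" <<'EOF'
CONFIG_PPC32=y
# CONFIG_STRICT_KERNEL_RWX is not set
CONFIG_STRICT_MODULE_RWX=y
EOF

rwx_audit "$good"   # ok
rwx_audit "$bad"    # quirk
```

On a live system the same function can be pointed at `/proc/config.gz` output (after `zcat`) or `/boot/config-$(uname -r)`.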

