From: keescook@chromium.org (Kees Cook)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 2/2] arm64: drop kernel segment resources from /proc/iomem
Date: Thu, 16 Jun 2016 10:48:49 -0700
Message-ID: <CAGXu5jL=5csS1J1P_1D2LQLWGV__BW99fE3Z9CMwTRO17Ed6Zw@mail.gmail.com>
In-Reply-To: <CAKv+Gu84hr4d--cRUZzpGnA7NXr3pxE-VdRsaTGjUYX9aiet4A@mail.gmail.com>

On Thu, Jun 16, 2016 at 10:28 AM, Ard Biesheuvel
<ard.biesheuvel@linaro.org> wrote:
> On 16 June 2016 at 19:21, Kees Cook <keescook@chromium.org> wrote:
>> On Thu, Jun 16, 2016 at 5:32 AM, Ard Biesheuvel
>> <ard.biesheuvel@linaro.org> wrote:
>>> (+ James)
>>>
>>> On 16 June 2016 at 14:28, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>>>> By the same reasoning as commit c4004b02f8e5 ("x86: remove the kernel
>>>> code/data/bss resources from /proc/iomem"), the kernel code and kernel
>>>> data entries in /proc/iomem probably do more harm than good on arm64 as
>>>> well. So remove them.
>>>>
>>>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>>>
>>>
>>> Actually, Linus's patch above has been reverted again, so we have to
>>> consider whether the kexec case exists for us as well before we
>>> consider this
>>>
>>> Apologies for failing to spot that before sending
>>
>> Please leave this as it was originally. The security exposure has been
>> minimized and it would make arm64 differ from all other architectures.
>> If we remove this, it needs to be coordinated across all
>> architectures.
>>
>
> OK, fair enough

Thanks!

One thing I _would_ like to see fixed on arm64 is the misplaced
_etext, which is incorrectly covering rodata. I just sent a patch to
fix this on arm, but on arm64, the _etext use is much more embedded.

I'd like to clean this up so that I can sanely use things like
core_kernel_text() for checking addresses in the up-coming
HARDENED_USERCOPY patch series.

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security
