From: Kees Cook
Date: Thu, 5 Oct 2017 10:30:25 -0700
Subject: Re: [PATCH] powerpc: Default to enabling STRICT_KERNEL_RWX
To: Christophe LEROY
Cc: LKML, Paul Mackerras, "linuxppc-dev@lists.ozlabs.org"
In-Reply-To: <6e6bf9ba-d66c-0bcc-358e-fed97b2ca5cd@c-s.fr>
References: <20171005034505.GA32157@beast> <6e6bf9ba-d66c-0bcc-358e-fed97b2ca5cd@c-s.fr>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Oct 5, 2017 at 12:49 AM, Christophe LEROY wrote:
>
>
> On 05/10/2017 at 05:45, Kees Cook wrote:
>>
>> When available, CONFIG_KERNEL_RWX should be default-enabled.
>
>
> On PPC32, this option implies deactivating BATs and/or LTLB mapping of the
> linear kernel address space, hence a significant performance degradation.
>
> So at least on PPC32, it should remain unselected by default.

Alright, sounds fine to me. Would this be okay?

+ select ARCH_OPTIONAL_KERNEL_RWX_DEFAULT if !PPC64

-Kees

>
> Christophe
>
>
>>
>> Cc: Benjamin Herrenschmidt
>> Cc: Paul Mackerras
>> Cc: Michael Ellerman
>> Cc: linuxppc-dev@lists.ozlabs.org
>> Signed-off-by: Kees Cook
>> ---
>> arch/powerpc/Kconfig | 1 +
>> 1 file changed, 1 insertion(+)
>> >> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig >> index 809c468edab1..9a549bbfc278 100644 >> --- a/arch/powerpc/Kconfig >> +++ b/arch/powerpc/Kconfig >> @@ -178,6 +178,7 @@ config PPC >> select HAVE_ARCH_TRACEHOOK >> select ARCH_HAS_STRICT_KERNEL_RWX if ((PPC_BOOK3S_64 || >> PPC32) && !RELOCATABLE && !HIBERNATION) >> select ARCH_OPTIONAL_KERNEL_RWX if >> ARCH_HAS_STRICT_KERNEL_RWX >> + select ARCH_OPTIONAL_KERNEL_RWX_DEFAULT >> select HAVE_CBPF_JIT if !PPC64 >> select HAVE_CONTEXT_TRACKING if PPC64 >> select HAVE_DEBUG_KMEMLEAK >> > -- Kees Cook Pixel Security
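Review bot: The `if !PPC64` condition on the replacement line proposed in the reply, `select ARCH_OPTIONAL_KERNEL_RWX_DEFAULT if !PPC64`, is true on PPC32 and false on PPC64, so it turns the default on for exactly the platform the objection asks to leave unselected (PPC32, where the option costs the BAT/LTLB mapping of the linear kernel address space) and leaves it off for 64-bit. The unconditional `select ARCH_OPTIONAL_KERNEL_RWX_DEFAULT` in the quoted hunk has the same PPC32 problem, since the `ARCH_HAS_STRICT_KERNEL_RWX` line two lines above it covers `PPC_BOOK3S_64 || PPC32`. Suggest `select ARCH_OPTIONAL_KERNEL_RWX_DEFAULT if PPC64`, plus a sentence in the commit message recording that PPC32 stays opt-in because of the mapping cost.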