From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752218AbdASLMY (ORCPT ); Thu, 19 Jan 2017 06:12:24 -0500 Received: from foss.arm.com ([217.140.101.70]:46844 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752119AbdASLMW (ORCPT ); Thu, 19 Jan 2017 06:12:22 -0500 Date: Thu, 19 Jan 2017 11:11:18 +0000 From: Mark Rutland To: Laura Abbott Cc: Kees Cook , Jason Wessel , Jonathan Corbet , Russell King , Catalin Marinas , Will Deacon , "James E.J. Bottomley" , Helge Deller , Martin Schwidefsky , Heiko Carstens , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org, Rob Herring , "Rafael J. Wysocki" , Len Brown , Pavel Machek , Jessica Yu , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-parisc@vger.kernel.org, linux-s390@vger.kernel.org, linux-pm@vger.kernel.org, kernel-hardening@lists.openwall.com, "AKASHI, Takahiro" Subject: Re: [PATCH 2/2] security: Change name of CONFIG_DEBUG_SET_MODULE_RONX Message-ID: <20170119111117.GB11176@leverpostej> References: <1484789346-21012-1-git-send-email-labbott@redhat.com> <1484789346-21012-3-git-send-email-labbott@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1484789346-21012-3-git-send-email-labbott@redhat.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On Wed, Jan 18, 2017 at 05:29:06PM -0800, Laura Abbott wrote: > > Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel > option provides key security features that are to be expected on a > modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which > more accurately describes what this option is intended to do. This looks good; my naming comments from the DEBUG_RODATA also apply here -- the proposed name is fine. > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index 06fed56..2fe0e98 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -12,6 +12,7 @@ config ARM64 > select ARCH_HAS_GCOV_PROFILE_ALL > select ARCH_HAS_GIGANTIC_PAGE > select ARCH_HAS_HARDENED_MAPPINGS > + select ARCH_HAS_HARDENED_MODULE_MAPPINGS > select ARCH_HAS_KCOV > select ARCH_HAS_SG_CHAIN > select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST > diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug > index a26d27f..1eebe1f 100644 > --- a/arch/arm64/Kconfig.debug > +++ b/arch/arm64/Kconfig.debug > @@ -71,17 +71,6 @@ config DEBUG_WX > > If in doubt, say "Y". > > -config DEBUG_SET_MODULE_RONX > - bool "Set loadable kernel module data as NX and text as RO" > - depends on MODULES > - default y > - help > - Is this is set, kernel module text and rodata will be made read-only. > - This is to help catch accidental or malicious attempts to change the > - kernel's executable code. > - > - If in doubt, say Y. > - > +config ARCH_HAS_HARDENED_MODULE_MAPPINGS > + def_bool n > + > +config HARDENED_MODULE_MAPPINGS > + bool "Mark module mappings with stricter permissions (RO/W^X)" > + default y > + depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS > + help > + If this is set, module text and rodata memory will be made read-only, > + and non-text memory will be made non-executable. This provides > + protection against certain security vulnerabilities (e.g. modifying > + code) > + > + Unless your system has known restrictions or performance issues, it > + is recommended to say Y here. > + I was hoping that we'd make this mandatory, as we'd already done for DEBUG_RODATA. Takahiro-san did a bit of work towards that in commit 39290b389ea2654f ("module: extend 'rodata=off' boot cmdline parameter to module mappings"). It would be good to know if there's any reason we can't do that. Otherwise, this looks fine. Thanks, Mark.