From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
To: Kees Cook <keescook@chromium.org>,
Emese Revfy <re.emese@gmail.com>,
Paul Kocialkowski <paul.kocialkowski@bootlin.com>
Cc: kernel-hardening@lists.openwall.com,
Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
Subject: [PATCH] security: do not enable CONFIG_GCC_PLUGINS by default
Date: Fri, 14 Jun 2019 16:57:54 +0200
Message-ID: <20190614145755.10926-1-GNUtoo@cyberdimension.org>

On a Galaxy SIII (I9300), the patch mentioned below broke boot:
- The display still had the bootloader logo, while with this
  patch, the 4 Tux logos appear.
- No print appeared on the serial port anymore after the kernel
  was loaded, whereas with this patch, we have the serial
  console working, and the device booting.

Booting was broken by the following commit:
  9f671e58159a ("security: Create "kernel hardening" config area")

As the bootloader of this device enables the MMU, I had the following
patch applied during the tests:
Author: Arve Hjønnevåg <arve@android.com>
Date: Fri Nov 30 17:05:40 2012 -0800
ANDROID: arm: decompressor: Flush tlb before swiching domain 0 to client mode
If the bootloader used a page table that is incompatible with domain 0
in client mode, and boots with the mmu on, then switching domain 0 to
client mode causes a fault if we don't flush the tlb after updating
the page table pointer.
v2: Add ISB before loading dacr.
diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
index 7135820f76d4..6e87ceda3b29 100644
--- a/arch/arm/boot/compressed/head.S
+++ b/arch/arm/boot/compressed/head.S
@@ -837,6 +837,8 @@ __armv7_mmu_cache_on:
bic r6, r6, #1 << 31 @ 32-bit translation system
bic r6, r6, #(7 << 0) | (1 << 4) @ use only ttbr0
mcrne p15, 0, r3, c2, c0, 0 @ load page table pointer
+ mcrne p15, 0, r0, c8, c7, 0 @ flush I,D TLBs
+ mcr p15, 0, r0, c7, c5, 4 @ ISB
mcrne p15, 0, r1, c3, c0, 0 @ load domain access control
mcrne p15, 0, r6, c2, c0, 2 @ load ttb control
#endif
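Review bot: the ISB on the second added line is an unconditional "mcr", while the TLB flush directly above it and the CP15 writes on either side are all "mcrne", so the barrier also executes on the path where the page table pointer is not loaded. If that is intended, the comment should say why; otherwise use "mcrne" to match its neighbours. Both added lines also take r0 as the source register and nothing in the hunk shows what r0 holds at this point, so a short comment stating that the operand value does not matter here, or an explicit zeroing of the register first, would make that clear to the next reader.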
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
---
scripts/gcc-plugins/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
index e9c677a53c74..afa1db3d3471 100644
--- a/scripts/gcc-plugins/Kconfig
+++ b/scripts/gcc-plugins/Kconfig
@@ -18,7 +18,6 @@ config GCC_PLUGINS
bool
depends on HAVE_GCC_PLUGINS
depends on PLUGIN_HOSTCC != ""
- default y
help
GCC plugins are loadable modules that provide extra features to the
compiler. They are useful for runtime instrumentation and static analysis.
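Review bot: with "default y" removed, the GCC_PLUGINS symbol in this hunk is a bare "bool" with no prompt string, so as far as the visible lines show nothing can set it to y any more unless another option selects it, and every plugin that depends on it becomes unreachable on all architectures with HAVE_GCC_PLUGINS, not just on the one board in the report. The message also does not say which plugin or hardening option stops the I9300 from booting. I would rather see the failing option identified and its own default or dependency narrowed for the affected configuration; if the infrastructure symbol really has to default to off, give it a prompt so it can still be enabled and state the reason in the help text.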
--
2.21.0