Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5jLD1qXmbdu9TpEsRxraHMtKvgf0VaiWe0+0koLbruxXgg@mail.gmail.com>
Date: Wed, 25 Nov 2015 15:32:56 -0800
From: Kees Cook <keescook@...omium.org>
To: Michael Ellerman <mpe@...erman.id.au>
Cc: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
	Andy Lutomirski <luto@...capital.net>, linux-arch <linux-arch@...r.kernel.org>, 
	Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, 
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Arnd Bergmann <arnd@...db.de>, X86 ML <x86@...nel.org>, 
	"H. Peter Anvin" <hpa@...or.com>
Subject: Re: Re: [PATCH 1/2] x86: introduce post-init
 read-only memory

On Wed, Nov 25, 2015 at 3:05 PM, Michael Ellerman <mpe@...erman.id.au> wrote:
> On Wed, 2015-11-25 at 07:03 -0800, Kees Cook wrote:
>> On Tue, Nov 24, 2015 at 4:54 PM, Michael Ellerman <mpe@...erman.id.au> wrote:
>> > On Tue, 2015-11-24 at 16:44 -0800, Kees Cook wrote:
>> > > On Tue, Nov 24, 2015 at 4:34 PM, Andy Lutomirski <luto@...capital.net> wrote:
>> > > > On Nov 24, 2015 1:38 PM, "Kees Cook" <keescook@...omium.org> wrote:
>> > > > >
>> > > > > One of the easiest ways to protect the kernel from attack is to reduce
>> > > > > the internal attack surface exposed when a "write" flaw is available. By
>> > > > > making as much of the kernel read-only as possible, we reduce the
>> > > > > attack surface.
>> > > > >
>> > > > > Many things are written to only during __init, and never changed
>> > > > > again. These cannot be made "const" since the compiler will do the wrong
>> > > > > thing (we do actually need to write to them). Instead, move these items
>> > > > > into a memory region that will be made read-only during mark_rodata_ro()
>> > > > > which happens after all kernel __init code has finished.
>> > > > >
>> > > > > This introduces __read_only as a way to mark such memory, and adds some
>> > > > > documentation about the existing __read_mostly marking.
>> > > >
>> > > > Obligatory bikeshed:  __ro_after_init, please.  It's barely longer,
>> > > > and it directly explains what's going on.  __read_only makes me think
>> > > > that it's really read-only and could, for example, actually be in ROM.
>> > >
>> > > I'm fine with that. Anyone else want to chime in before I send a v2?
>> >
>> > I'm not clear on why this is x86 only?
>>
>> I was initially looking at how __read_mostly got implemented, and it
>> seemed like section names were done on a per-arch basis. But it
>> doesn't seem like that needs to be true.
>
> Yeah I saw that too, but I couldn't see anything in the commit history that
> explained why it was per-arch.

Best I was able to see was that architectures weren't (aren't?) using
the common RODATA section macros in their linker scripts. From a quick
inspection, I think these are all okay now.

-Kees

>
>> > It looks like it would work on any arch, or is there some toolchain
>> > requirement?
>>
>> Given that the other sections are in the common linux.lds.h file, it
>> seems unlikely to me. I'll try it in an arch-agnostic way and see what
>> happens. :)
>
> That'd be great, I can test on powerpc, and build test other arches too.
>
> cheers
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/



-- 
Kees Cook
Chrome OS & Brillo Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.