Message-ID: <CAGXu5jJxDAZJZtVCHX+RmLUHz8s4ZxBPvYadpswmZwjvCmjFEw@mail.gmail.com>
Date: Thu, 19 Jan 2017 13:57:52 -0800
From: Kees Cook <keescook@...omium.org>
To: Laura Abbott <labbott@...hat.com>
Cc: Jason Wessel <jason.wessel@...driver.com>, Jonathan Corbet <corbet@....net>, Russell King <linux@...linux.org.uk>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will.deacon@....com>, "James E.J. Bottomley" <jejb@...isc-linux.org>, Helge Deller <deller@....de>, Martin Schwidefsky <schwidefsky@...ibm.com>, Heiko Carstens <heiko.carstens@...ibm.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, "x86@...nel.org" <x86@...nel.org>, Rob Herring <robh@...nel.org>, "Rafael J. Wysocki" <rjw@...ysocki.net>, Len Brown <len.brown@...el.com>, Pavel Machek <pavel@....cz>, Mark Rutland <mark.rutland@....com>, Jessica Yu <jeyu@...hat.com>, "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, "linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, linux-parisc <linux-parisc@...r.kernel.org>, "linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>, Linux PM list <linux-pm@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH 1/2] security: Change name of CONFIG_DEBUG_RODATA

On Wed, Jan 18, 2017 at 5:29 PM, Laura Abbott <labbott@...hat.com> wrote:
>
> Despite the word 'debug' in CONFIG_DEBUG_RODATA, this kernel option
> provides key security features that are to be expected on a modern
> system. Change the name to CONFIG_HARDENED_PAGE_MAPPINGS which more
> accurately describes what this option is intended to do.

Oh thank you. Yes, this is badly needed.

I might prefer to see this as two patches, though:

- Move DEBUG_RODATA to top-level arch/Kconfig, (and add ARCH_HAS_[bikeshed]).
- Rename DEBUG_RODATA to [bikeshed]

(We should do a similar renaming for DEBUG_SET_MODULE_RONX too.)

Another thing that might be even cleaner would be to entirely invert
the logic. Something like CONFIG_ARCH_MISSING_[bikeshed]?

> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig > index 186c4c2..09aff28 100644 > --- a/arch/arm/Kconfig > +++ b/arch/arm/Kconfig > @@ -7,6 +7,7 @@ config ARM > select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST > select ARCH_HAVE_CUSTOM_GPIO_H > select ARCH_HAS_GCOV_PROFILE_ALL > + select ARCH_HAS_HARDENED_MAPPINGS if MMU && !XIP_KERNEL > select ARCH_MIGHT_HAVE_PC_PARPORT > select ARCH_SUPPORTS_ATOMIC_RMW > select ARCH_USE_BUILTIN_BSWAP > diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig > index f68e8ec..e770dc9 100644 > --- a/arch/arm/mm/Kconfig > +++ b/arch/arm/mm/Kconfig > @@ -1051,21 +1051,9 @@ config ARCH_SUPPORTS_BIG_ENDIAN > This option specifies the architecture can support big endian > operation. > > -config DEBUG_RODATA > - bool "Make kernel text and rodata read-only" > - depends on MMU && !XIP_KERNEL > - default y if CPU_V7 These changes aren't correctly representing the ARM state. I think the ARCH_HAS is correct, but I'm not sure the best way to include the "default y if CPU_V7". > --- a/security/Kconfig > +++ b/security/Kconfig 
> @@ -158,6 +158,22 @@ config HARDENED_USERCOPY_PAGESPAN > been removed. This config is intended to be used only while > trying to find such users. > > +config ARCH_HAS_HARDENED_MAPPINGS > + def_bool n > + > +config HARDENED_PAGE_MAPPINGS > + bool "Mark kernel mappings with stricter permissions (RO/W^X)" > + default y > + depends on ARCH_HAS_HARDENED_MAPPINGS > + help > + If this is set, kernel text and rodata memory will be made read-only, > + and non-text memory will be made non-executable. This provides > + protection against certain security attacks (e.g. executing the heap > + or modifying text). > + > + Unless your system has known restrictions or performance issues, it > + is recommended to say Y here. > + > source security/selinux/Kconfig > source security/smack/Kconfig > source security/tomoyo/Kconfig Should this go in arch/Kconfig or security/Kconfig? I'm starting to think we need a top-level kernel security Kconfig (the gcc plugins are starting to pile up in arch/Kconfig, for example). I think since this is arch specific, maybe arch/Kconfig? (Arguably, HARDENED_USERCOPY shouldn't be in security/Kconfig either, since security/Kconfig is mostly LSM or userspace-facing stuff? I dunno.) As for the bikeshed on the naming, I like "KERNEL_RWX", and it likely doesn't need "STRICT", IMO. CONFIG_KERNEL_RWX ? I don't have a strong opinion beyond removing "DEBUG" from the name. :) -Kees -- Kees Cook Nexus Security
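
Review bot: In the arch/arm/mm/Kconfig hunk, the removed `default y if CPU_V7` has no counterpart in the replacement option, which is declared with an unconditional `default y` in security/Kconfig, so ARM builds with MMU && !XIP_KERNEL on CPUs other than CPU_V7 go from default-off to default-on. If that change is intended, the commit message should say so; if not, the default should stay under the architecture's control instead of being hard-coded in the shared entry, for example by having the architecture provide the default value alongside its `select ARCH_HAS_HARDENED_MAPPINGS`.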
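
Review bot: In the security/Kconfig hunk, `def_bool n` on ARCH_HAS_HARDENED_MAPPINGS is redundant, because a bool symbol with no default already evaluates to n; a plain `bool` is enough for a symbol that architectures only `select`. The entry also carries no comment saying that it is meant to be selected by architectures and never set by hand, which would help the next architecture maintainer who adds support.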