Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f88765d3-4c45-542e-892b-33a6c3c3c4d2@redhat.com>
Date: Mon, 6 Feb 2017 10:47:45 -0800
From: Laura Abbott <labbott@...hat.com>
To: Kees Cook <keescook@...omium.org>,
 Russell King - ARM Linux <linux@...linux.org.uk>
Cc: Jason Wessel <jason.wessel@...driver.com>,
 Jonathan Corbet <corbet@....net>, Catalin Marinas <catalin.marinas@....com>,
 Will Deacon <will.deacon@....com>,
 "James E.J. Bottomley" <jejb@...isc-linux.org>, Helge Deller
 <deller@....de>, Martin Schwidefsky <schwidefsky@...ibm.com>,
 Heiko Carstens <heiko.carstens@...ibm.com>,
 Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
 "H. Peter Anvin" <hpa@...or.com>, "x86@...nel.org" <x86@...nel.org>,
 Rob Herring <robh@...nel.org>, "Rafael J. Wysocki" <rjw@...ysocki.net>,
 Len Brown <len.brown@...el.com>, Pavel Machek <pavel@....cz>,
 Mark Rutland <mark.rutland@....com>, Jessica Yu <jeyu@...hat.com>,
 "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
 LKML <linux-kernel@...r.kernel.org>,
 "linux-arm-kernel@...ts.infradead.org"
 <linux-arm-kernel@...ts.infradead.org>,
 linux-parisc <linux-parisc@...r.kernel.org>,
 "linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>,
 Linux PM list <linux-pm@...r.kernel.org>,
 "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
 Robin Murphy <robin.murphy@....com>
Subject: Re: [PATCHv2 1/2] arch: Move CONFIG_DEBUG_RODATA and
 CONFIG_SET_MODULE_RONX to be common

On 02/03/2017 01:08 PM, Kees Cook wrote:
> On Fri, Feb 3, 2017 at 12:29 PM, Russell King - ARM Linux
> <linux@...linux.org.uk> wrote:
>> On Fri, Feb 03, 2017 at 11:45:56AM -0800, Kees Cook wrote:
>>> On Fri, Feb 3, 2017 at 9:52 AM, Laura Abbott <labbott@...hat.com> wrote:
>>>> diff --git a/arch/Kconfig b/arch/Kconfig
>>>> index 99839c2..22ee01e 100644
>>>> --- a/arch/Kconfig
>>>> +++ b/arch/Kconfig
>>>> @@ -781,4 +781,32 @@ config VMAP_STACK
>>>>           the stack to map directly to the KASAN shadow map using a formula
>>>>           that is incorrect if the stack is in vmalloc space.
>>>>
>>>> +config ARCH_NO_STRICT_RWX_DEFAULTS
>>>> +       def_bool n
>>>> +
>>>> +config ARCH_HAS_STRICT_KERNEL_RWX
>>>> +       def_bool n
>>>> +
>>>> +config DEBUG_RODATA
>>>> +       def_bool y if !ARCH_NO_STRICT_RWX_DEFAULTS
>>>> +       prompt "Make kernel text and rodata read-only" if ARCH_NO_STRICT_RWX_DEFAULTS
>>>
>>> Ah! Yes, perfect. I totally forgot about using conditional "prompt"
>>> lines. Nice!
>>
>> It's no different from the more usual:
>>
>>         bool "Make kernel text and rodata read-only" if ARCH_NO_STRICT_RWX_DEFAULTS
>>         default y if !ARCH_NO_STRICT_RWX_DEFAULTS
>>         depends on ARCH_HAS_STRICT_KERNEL_RWX
>>
>> But... I really don't like this - way too many negations and negatives
>> which make it difficult to figure out what's going on here.
>>
>> The situation we have today is:
>>
>> -config DEBUG_RODATA
>> -       bool "Make kernel text and rodata read-only"
>> -       depends on MMU && !XIP_KERNEL
>> -       default y if CPU_V7
>>
>> which is "allow the user to select DEBUG_RODATA if building a MMU non-XIP
>> kernel", suggesting that the user turns it on for ARMv7 CPUs.
>>
>> That changes with this and the above:
>>
>> +       select ARCH_HAS_STRICT_KERNEL_RWX if MMU && !XIP_KERNEL
>> +       select ARCH_HAS_STRICT_MODULE_RWX if MMU
>> +       select ARCH_NO_STRICT_RWX_DEFAULTS if !CPU_V7
>>
>> This means that ARCH_HAS_STRICT_KERNEL_RWX is set for a MMU non-XIP
>> kernel, which carries the same pre-condition for DEBUG_RODATA - no
>> problem there.
>>
>> However, ARCH_NO_STRICT_RWX_DEFAULTS is set for non-ARMv7 CPUs, which
>> means the "Make kernel text and rodata read-only" prompt _is_ provided
>> for those.  However, for all ARMv7 systems, we go from "suggesting that
>> the user enables the option" to "you don't have a choice, you get this
>> whether you want it or not."
>>
>> I'd prefer to keep it off for my development systems, where I don't
>> care about kernel security.  If we don't wish to do that as a general
>> rule, can we make it dependent on EMBEDDED?
>>
>> Given that on ARM it can add up to 4MB to the kernel image - there
>> _will_ be about 1MB before the .text section, the padding on between
>> __modver and __ex_table which for me is around 626k, the padding
>> between .notes and the init sections start with .vectors (the space
>> between __ex_table and end of .notes is only 4124, which gets padded
>> up to 1MB) and lastly the padding between the .init section and the
>> data section (for me around 593k).  This all adds up to an increase
>> in kernel image size of 3.2MB on 14.2MB - an increase of 22%.
>>
>> So no, I'm really not happy with that.
> 
> Ah yeah, good point. We have three cases: unsupported, mandatory,
> optional, but we have the case of setting the default for the optional
> case. Maybe something like this?
> 
> config STRICT_KERNEL_RWX
>   bool "Make kernel text and rodata read-only" if ARCH_OPTIONAL_KERNEL_RWX
>   depends on ARCH_HAS_STRICT_KERNEL_RWX
>   default ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
> 
> unsupported:
> !ARCH_HAS_STRICT_KERNEL_RWX
> 
> mandatory:
> ARCH_HAS_STRICT_KERNEL_RWX
> !ARCH_OPTIONAL_KERNEL_RWX
> 
> optional:
> ARCH_HAS_STRICT_KERNEL_RWX
> ARCH_OPTIONAL_KERNEL_RWX
> with default controlled by ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
> 
> Then arm is:
>   select ARCH_HAS_STRICT_KERNEL_RWX if MMU && !XIP_KERNEL
>   select ARCH_HAS_STRICT_MODULE_RWX if MMU
>   select ARCH_OPTIONAL_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX
>   select ARCH_OPTIONAL_KERNEL_RWX_DEFAULT if CPU_V7
> 
> x86 and arm64 are:
>   select ARCH_HAS_STRICT_KERNEL_RWX
>   select ARCH_HAS_STRICT_MODULE_RWX
> 
> ?
> 
> -Kees
> 

Yes, that looks good. I wanted it to be mandatory to avoid the
mindset of "optional means we don't need it" but I see there
are some cases where it's better to turn it off. I'll see if
I can emphasize this properly in the help text ("Say Y here
unless you love security exploits running in production")

Thanks,
Laura

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.