Message-ID: <CAKv+Gu8b-8jrr341gg9E9QzbEtRtMhZy9xE2rM8TvQTb+1aJdQ@mail.gmail.com>
Date: Fri, 10 Feb 2017 14:28:34 +0000
From: Ard Biesheuvel <ard.biesheuvel@...aro.org>
To: Mark Rutland <mark.rutland@....com>
Cc: "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>, "linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, Leif Lindholm <leif.lindholm@...aro.org>, Catalin Marinas <catalin.marinas@....com>, Russell King <linux@...linux.org.uk>, kernel-hardening@...ts.openwall.com, Laura Abbott <labbott@...oraproject.org>
Subject: Re: [PATCH v2 08/14] arm64: efi: split Image code and data into separate PE/COFF sections

On 10 February 2017 at 10:49, Mark Rutland <mark.rutland@....com> wrote:
> On Wed, Feb 08, 2017 at 11:55:41AM +0000, Ard Biesheuvel wrote:
>> To prevent unintended modifications to the kernel text (malicious or
>> otherwise) while running the EFI stub, describe the kernel image as
>> two separate sections: a .text section with read-execute permissions,
>> covering .text, .rodata and .init.text, and a .data section with
>> read-write permissions, covering .init.data, .data and .bss.
>>
>> This relies on the firmware to actually take the section permission
>> flags into account, but this is something that is currently being
>> implemented in EDK2, which means we will likely start seeing it in
>> the wild between one and two years from now.
>>
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@...aro.org>
>
>> diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
>> index b8deffa9e1bf..a93cc2b6f50b 100644
>> --- a/arch/arm64/kernel/vmlinux.lds.S
>> +++ b/arch/arm64/kernel/vmlinux.lds.S
>> @@ -149,6 +149,9 @@ SECTIONS
>> ARM_EXIT_KEEP(EXIT_TEXT)
>> }
>>
>> + . = ALIGN(SZ_4K);
>> + __pecoff_data_start = .;
>> +
>
> I understand that the stub needs to split the init text/data since
> unlike the kernel it'll map those with separate permissions, but it
> feels odd to do this specifically for the EFI stub.
>

While the init code executes in a *much* more controlled environment
than the stub (which invokes various UEFI boot services to load
initrds/dtb from block storage, and may do god knows what during
ExitBootServices()), I think it is not unreasonable to split the init
mapping into rx/rw segments, given that it is the only place where we
have a good chunk of memory that is both writable and executable.

> Would it perhaps make more sense to always use separate segments for
> init/exit text/data, and also apply the permission split in the kernel?
>
> With that, I don't think we'd need additional stub-specific linker
> script changes.
>

I will prototype this
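Review bot: the two lines added after `ARM_EXIT_KEEP(EXIT_TEXT)`, `. = ALIGN(SZ_4K);` and `__pecoff_data_start = .;`, carry no comment saying what the symbol is for or why the boundary is forced to 4K specifically. Since the commit message makes the whole scheme depend on firmware honouring the section permission flags, this symbol is where the RX .text section ends and the RW .data section begins, and the alignment here has to agree with the section alignment the PE header advertises or the firmware will map the boundary page with the wrong permissions; nothing in the hunk ties the two together. Suggest a short comment at the new lines, e.g. `/* start of the PE/COFF .data section: must stay aligned to the PE section alignment */`, and ideally deriving the value from the same constant the PE header uses rather than hard-coding SZ_4K in the linker script.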
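The check a practitioner would want after this patch is the one a permission-enforcing firmware performs: read the PE/COFF section table of the arm64 Image and see whether any section is flagged both writable and executable, and whether every section starts on the 4K boundary the `ALIGN(SZ_4K)` in the hunk establishes. The following is an added example, not code from the patch, the EFI stub or EDK2: a small bounds-checked PE/COFF section-table parser with those two checks, run against two header-only sample images constructed in memory (one RWX section as the stub had before, and the patch's RX .text plus RW .data). The section names, addresses and sizes in the samples are assumptions for illustration; the flag values and header offsets are the standard PE/COFF ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Standard PE/COFF section characteristics and header sizes. */
#define IMAGE_SCN_CNT_CODE             0x00000020u
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040u
#define IMAGE_SCN_MEM_EXECUTE          0x20000000u
#define IMAGE_SCN_MEM_READ             0x40000000u
#define IMAGE_SCN_MEM_WRITE            0x80000000u
#define IMAGE_FILE_MACHINE_ARM64       0xaa64
#define PE_SECTION_HDR_SIZE            40

struct pe_section { char name[9]; uint32_t vaddr, vsize, flags; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xffff)); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walk MZ -> e_lfanew -> "PE\0\0" -> COFF header -> section table, bounds-checked.
 * Returns the section count, or -1 if the header is malformed or truncated. */
int pe_parse_sections(const uint8_t *img, size_t len, struct pe_section *out, int max)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3c);
    if (pe_off > len || len - pe_off < 24 || memcmp(img + pe_off, "PE\0\0", 4)) return -1;
    uint16_t nsec = rd16(img + pe_off + 6);                            /* NumberOfSections */
    size_t sect_off = (size_t)pe_off + 24 + rd16(img + pe_off + 20);   /* + SizeOfOptionalHeader */
    if (nsec > max || sect_off > len || (len - sect_off) / PE_SECTION_HDR_SIZE < nsec) return -1;
    for (int i = 0; i < nsec; i++) {
        const uint8_t *s = img + sect_off + (size_t)i * PE_SECTION_HDR_SIZE;
        memcpy(out[i].name, s, 8); out[i].name[8] = 0;
        out[i].vsize = rd32(s + 8); out[i].vaddr = rd32(s + 12); out[i].flags = rd32(s + 36);
    }
    return nsec;
}

/* Sections a permission-enforcing firmware would map writable AND executable
 * (the commit message wants this to be zero); -1 if the image does not parse. */
int pe_count_wx(const uint8_t *img, size_t len)
{
    struct pe_section secs[16];
    int n = pe_parse_sections(img, len, secs, 16), wx = 0;
    for (int i = 0; i < n; i++)
        wx += (secs[i].flags & IMAGE_SCN_MEM_WRITE) && (secs[i].flags & IMAGE_SCN_MEM_EXECUTE);
    return n < 0 ? -1 : wx;
}

/* 1 if every section starts on an 'align' boundary (cf. ALIGN(SZ_4K) in the hunk), 0 if not, -1 on error. */
int pe_sections_aligned(const uint8_t *img, size_t len, uint32_t align)
{
    struct pe_section secs[16];
    int n = pe_parse_sections(img, len, secs, 16);
    for (int i = 0; i < n; i++)
        if (secs[i].vaddr % align) return 0;
    return n < 0 ? -1 : 1;
}

/* Constructed sample: header-only arm64 PE image (no optional header, no contents). Returns its length. */
size_t build_sample_image(uint8_t *buf, size_t cap, const struct pe_section *secs, int nsec)
{
    const uint32_t pe_off = 0x40;
    size_t need = pe_off + 24 + (size_t)nsec * PE_SECTION_HDR_SIZE;
    if (need > cap) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    wr16(buf + pe_off + 4, IMAGE_FILE_MACHINE_ARM64);
    wr16(buf + pe_off + 6, (uint16_t)nsec);            /* SizeOfOptionalHeader stays 0 */
    uint8_t *s = buf + pe_off + 24;
    for (int i = 0; i < nsec; i++, s += PE_SECTION_HDR_SIZE) {
        for (int j = 0; j < 8 && secs[i].name[j]; j++) s[j] = (uint8_t)secs[i].name[j];
        wr32(s + 8, secs[i].vsize); wr32(s + 12, secs[i].vaddr); wr32(s + 36, secs[i].flags);
    }
    return need;
}

/* Two assumed layouts: split=0 is a single RWX section (the stub before the patch);
 * split=1 is the patch's RX .text plus RW .data, with .data starting 4K aligned. */
static size_t sample_image(int split, uint8_t *buf, size_t cap)
{
    static const struct pe_section layout[3] = {
        { ".text", 0x1000, 0x200000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE },
        { ".text", 0x1000, 0x150000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ },
        { ".data", 0x151000, 0x0b0000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE } };
    return split ? build_sample_image(buf, cap, layout + 1, 2) : build_sample_image(buf, cap, layout, 1);
}

int sample_wx_count(int split)
{
    uint8_t buf[256]; size_t n = sample_image(split, buf, sizeof buf);
    return n ? pe_count_wx(buf, n) : -1;
}

int sample_aligned(int split, uint32_t align)
{
    uint8_t buf[256]; size_t n = sample_image(split, buf, sizeof buf);
    return n ? pe_sections_aligned(buf, n, align) : -1;
}
```

To audit a real build, read the arm64 Image file into a buffer and pass it to `pe_count_wx()` and `pe_sections_aligned()`; with this patch applied the first should report zero W+X sections, which is the property a firmware that honours the section flags will enforce by refusing writes to the RX section.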