diff options
| -rw-r--r-- | Documentation/security/self-protection.txt | 6 | ||||
| -rw-r--r-- | arch/Kconfig | 34 | ||||
| -rw-r--r-- | arch/arm/Kconfig | 4 | ||||
| -rw-r--r-- | arch/arm/Kconfig.debug | 11 | ||||
| -rw-r--r-- | arch/arm/mm/Kconfig | 12 | ||||
| -rw-r--r-- | arch/arm64/Kconfig | 5 | ||||
| -rw-r--r-- | arch/arm64/Kconfig.debug | 11 | ||||
| -rw-r--r-- | arch/parisc/Kconfig | 1 | ||||
| -rw-r--r-- | arch/parisc/Kconfig.debug | 11 | ||||
| -rw-r--r-- | arch/s390/Kconfig | 5 | ||||
| -rw-r--r-- | arch/s390/Kconfig.debug | 3 | ||||
| -rw-r--r-- | arch/x86/Kconfig | 5 | ||||
| -rw-r--r-- | arch/x86/Kconfig.debug | 11 |
13 files changed, 51 insertions, 68 deletions
diff --git a/Documentation/security/self-protection.txt b/Documentation/security/self-protection.txt index 3010576c9fca..f41dd00e8b98 100644 --- a/Documentation/security/self-protection.txt +++ b/Documentation/security/self-protection.txt | |||
| @@ -56,6 +56,12 @@ CONFIG_DEBUG_SET_MODULE_RONX, which seek to make sure that code is not | |||
| 56 | writable, data is not executable, and read-only data is neither writable | 56 | writable, data is not executable, and read-only data is neither writable |
| 57 | nor executable. | 57 | nor executable. |
| 58 | 58 | ||
| 59 | Most architectures have these options on by default and not user selectable. | ||
| 60 | For some architectures like arm that wish to have these be selectable, | ||
| 61 | the architecture Kconfig can select ARCH_OPTIONAL_KERNEL_RWX to enable | ||
| 62 | a Kconfig prompt. CONFIG_ARCH_OPTIONAL_KERNEL_RWX_DEFAULT determines | ||
| 63 | the default setting when ARCH_OPTIONAL_KERNEL_RWX is enabled. | ||
| 64 | |||
| 59 | #### Function pointers and sensitive variables must not be writable | 65 | #### Function pointers and sensitive variables must not be writable |
| 60 | 66 | ||
| 61 | Vast areas of kernel memory contain function pointers that are looked | 67 | Vast areas of kernel memory contain function pointers that are looked |
diff --git a/arch/Kconfig b/arch/Kconfig index 99839c23d453..3f8b8be3036f 100644 --- a/arch/Kconfig +++ b/arch/Kconfig | |||
| @@ -781,4 +781,38 @@ config VMAP_STACK | |||
| 781 | the stack to map directly to the KASAN shadow map using a formula | 781 | the stack to map directly to the KASAN shadow map using a formula |
| 782 | that is incorrect if the stack is in vmalloc space. | 782 | that is incorrect if the stack is in vmalloc space. |
| 783 | 783 | ||
| 784 | config ARCH_OPTIONAL_KERNEL_RWX | ||
| 785 | def_bool n | ||
| 786 | |||
| 787 | config ARCH_OPTIONAL_KERNEL_RWX_DEFAULT | ||
| 788 | def_bool n | ||
| 789 | |||
| 790 | config ARCH_HAS_STRICT_KERNEL_RWX | ||
| 791 | def_bool n | ||
| 792 | |||
| 793 | config DEBUG_RODATA | ||
| 794 | bool "Make kernel text and rodata read-only" if ARCH_OPTIONAL_KERNEL_RWX | ||
| 795 | depends on ARCH_HAS_STRICT_KERNEL_RWX | ||
| 796 | default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT | ||
| 797 | help | ||
| 798 | If this is set, kernel text and rodata memory will be made read-only, | ||
| 799 | and non-text memory will be made non-executable. This provides | ||
| 800 | protection against certain security exploits (e.g. executing the heap | ||
| 801 | or modifying text) | ||
| 802 | |||
| 803 | These features are considered standard security practice these days. | ||
| 804 | You should say Y here in almost all cases. | ||
| 805 | |||
| 806 | config ARCH_HAS_STRICT_MODULE_RWX | ||
| 807 | def_bool n | ||
| 808 | |||
| 809 | config DEBUG_SET_MODULE_RONX | ||
| 810 | bool "Set loadable kernel module data as NX and text as RO" if ARCH_OPTIONAL_KERNEL_RWX | ||
| 811 | depends on ARCH_HAS_STRICT_MODULE_RWX && MODULES | ||
| 812 | default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT | ||
| 813 | help | ||
| 814 | If this is set, module text and rodata memory will be made read-only, | ||
| 815 | and non-text memory will be made non-executable. This provides | ||
| 816 | protection against certain security exploits (e.g. writing to text) | ||
| 817 | |||
| 784 | source "kernel/gcov/Kconfig" | 818 | source "kernel/gcov/Kconfig" |
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 5fab553fd03a..8c88c8ad064b 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig | |||
| @@ -4,10 +4,14 @@ config ARM | |||
| 4 | select ARCH_CLOCKSOURCE_DATA | 4 | select ARCH_CLOCKSOURCE_DATA |
| 5 | select ARCH_HAS_DEVMEM_IS_ALLOWED | 5 | select ARCH_HAS_DEVMEM_IS_ALLOWED |
| 6 | select ARCH_HAS_ELF_RANDOMIZE | 6 | select ARCH_HAS_ELF_RANDOMIZE |
| 7 | select ARCH_HAS_STRICT_KERNEL_RWX if MMU && !XIP_KERNEL | ||
| 8 | select ARCH_HAS_STRICT_MODULE_RWX if MMU | ||
| 7 | select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST | 9 | select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST |
| 8 | select ARCH_HAVE_CUSTOM_GPIO_H | 10 | select ARCH_HAVE_CUSTOM_GPIO_H |
| 9 | select ARCH_HAS_GCOV_PROFILE_ALL | 11 | select ARCH_HAS_GCOV_PROFILE_ALL |
| 10 | select ARCH_MIGHT_HAVE_PC_PARPORT | 12 | select ARCH_MIGHT_HAVE_PC_PARPORT |
| 13 | select ARCH_OPTIONAL_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX | ||
| 14 | select ARCH_OPTIONAL_KERNEL_RWX_DEFAULT if CPU_V7 | ||
| 11 | select ARCH_SUPPORTS_ATOMIC_RMW | 15 | select ARCH_SUPPORTS_ATOMIC_RMW |
| 12 | select ARCH_USE_BUILTIN_BSWAP | 16 | select ARCH_USE_BUILTIN_BSWAP |
| 13 | select ARCH_USE_CMPXCHG_LOCKREF | 17 | select ARCH_USE_CMPXCHG_LOCKREF |
diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug index d83f7c369e51..426d2716f55d 100644 --- a/arch/arm/Kconfig.debug +++ b/arch/arm/Kconfig.debug | |||
| @@ -1738,17 +1738,6 @@ config PID_IN_CONTEXTIDR | |||
| 1738 | additional instructions during context switch. Say Y here only if you | 1738 | additional instructions during context switch. Say Y here only if you |
| 1739 | are planning to use hardware trace tools with this kernel. | 1739 | are planning to use hardware trace tools with this kernel. |
| 1740 | 1740 | ||
| 1741 | config DEBUG_SET_MODULE_RONX | ||
| 1742 | bool "Set loadable kernel module data as NX and text as RO" | ||
| 1743 | depends on MODULES && MMU | ||
| 1744 | ---help--- | ||
| 1745 | This option helps catch unintended modifications to loadable | ||
| 1746 | kernel module's text and read-only data. It also prevents execution | ||
| 1747 | of module data. Such protection may interfere with run-time code | ||
| 1748 | patching and dynamic kernel tracing - and they might also protect | ||
| 1749 | against certain classes of kernel exploits. | ||
| 1750 | If in doubt, say "N". | ||
| 1751 | |||
| 1752 | source "drivers/hwtracing/coresight/Kconfig" | 1741 | source "drivers/hwtracing/coresight/Kconfig" |
| 1753 | 1742 | ||
| 1754 | endmenu | 1743 | endmenu |
diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig index f68e8ec29447..419a0355d4e4 100644 --- a/arch/arm/mm/Kconfig +++ b/arch/arm/mm/Kconfig | |||
| @@ -1051,18 +1051,6 @@ config ARCH_SUPPORTS_BIG_ENDIAN | |||
| 1051 | This option specifies the architecture can support big endian | 1051 | This option specifies the architecture can support big endian |
| 1052 | operation. | 1052 | operation. |
| 1053 | 1053 | ||
| 1054 | config DEBUG_RODATA | ||
| 1055 | bool "Make kernel text and rodata read-only" | ||
| 1056 | depends on MMU && !XIP_KERNEL | ||
| 1057 | default y if CPU_V7 | ||
| 1058 | help | ||
| 1059 | If this is set, kernel text and rodata memory will be made | ||
| 1060 | read-only, and non-text kernel memory will be made non-executable. | ||
| 1061 | The tradeoff is that each region is padded to section-size (1MiB) | ||
| 1062 | boundaries (because their permissions are different and splitting | ||
| 1063 | the 1M pages into 4K ones causes TLB performance problems), which | ||
| 1064 | can waste memory. | ||
| 1065 | |||
| 1066 | config DEBUG_ALIGN_RODATA | 1054 | config DEBUG_ALIGN_RODATA |
| 1067 | bool "Make rodata strictly non-executable" | 1055 | bool "Make rodata strictly non-executable" |
| 1068 | depends on DEBUG_RODATA | 1056 | depends on DEBUG_RODATA |
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 111742126897..e1efbcc9de32 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig | |||
| @@ -13,6 +13,8 @@ config ARM64 | |||
| 13 | select ARCH_HAS_GIGANTIC_PAGE | 13 | select ARCH_HAS_GIGANTIC_PAGE |
| 14 | select ARCH_HAS_KCOV | 14 | select ARCH_HAS_KCOV |
| 15 | select ARCH_HAS_SG_CHAIN | 15 | select ARCH_HAS_SG_CHAIN |
| 16 | select ARCH_HAS_STRICT_KERNEL_RWX | ||
| 17 | select ARCH_HAS_STRICT_MODULE_RWX | ||
| 16 | select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST | 18 | select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST |
| 17 | select ARCH_USE_CMPXCHG_LOCKREF | 19 | select ARCH_USE_CMPXCHG_LOCKREF |
| 18 | select ARCH_SUPPORTS_ATOMIC_RMW | 20 | select ARCH_SUPPORTS_ATOMIC_RMW |
| @@ -123,9 +125,6 @@ config ARCH_PHYS_ADDR_T_64BIT | |||
| 123 | config MMU | 125 | config MMU |
| 124 | def_bool y | 126 | def_bool y |
| 125 | 127 | ||
| 126 | config DEBUG_RODATA | ||
| 127 | def_bool y | ||
| 128 | |||
| 129 | config ARM64_PAGE_SHIFT | 128 | config ARM64_PAGE_SHIFT |
| 130 | int | 129 | int |
| 131 | default 16 if ARM64_64K_PAGES | 130 | default 16 if ARM64_64K_PAGES |
diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug index d1ebd46872fd..939815e8d695 100644 --- a/arch/arm64/Kconfig.debug +++ b/arch/arm64/Kconfig.debug | |||
| @@ -71,17 +71,6 @@ config DEBUG_WX | |||
| 71 | 71 | ||
| 72 | If in doubt, say "Y". | 72 | If in doubt, say "Y". |
| 73 | 73 | ||
| 74 | config DEBUG_SET_MODULE_RONX | ||
| 75 | bool "Set loadable kernel module data as NX and text as RO" | ||
| 76 | depends on MODULES | ||
| 77 | default y | ||
| 78 | help | ||
| 79 | Is this is set, kernel module text and rodata will be made read-only. | ||
| 80 | This is to help catch accidental or malicious attempts to change the | ||
| 81 | kernel's executable code. | ||
| 82 | |||
| 83 | If in doubt, say Y. | ||
| 84 | |||
| 85 | config DEBUG_ALIGN_RODATA | 74 | config DEBUG_ALIGN_RODATA |
| 86 | depends on DEBUG_RODATA | 75 | depends on DEBUG_RODATA |
| 87 | bool "Align linker sections up to SECTION_SIZE" | 76 | bool "Align linker sections up to SECTION_SIZE" |
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig index 3a71f38cdc05..ad294b3fb90b 100644 --- a/arch/parisc/Kconfig +++ b/arch/parisc/Kconfig | |||
| @@ -8,6 +8,7 @@ config PARISC | |||
| 8 | select HAVE_SYSCALL_TRACEPOINTS | 8 | select HAVE_SYSCALL_TRACEPOINTS |
| 9 | select ARCH_WANT_FRAME_POINTERS | 9 | select ARCH_WANT_FRAME_POINTERS |
| 10 | select ARCH_HAS_ELF_RANDOMIZE | 10 | select ARCH_HAS_ELF_RANDOMIZE |
| 11 | select ARCH_HAS_STRICT_KERNEL_RWX | ||
| 11 | select RTC_CLASS | 12 | select RTC_CLASS |
| 12 | select RTC_DRV_GENERIC | 13 | select RTC_DRV_GENERIC |
| 13 | select INIT_ALL_POSSIBLE | 14 | select INIT_ALL_POSSIBLE |
diff --git a/arch/parisc/Kconfig.debug b/arch/parisc/Kconfig.debug index 68b7cbd0810a..0d856b94c9b1 100644 --- a/arch/parisc/Kconfig.debug +++ b/arch/parisc/Kconfig.debug | |||
| @@ -5,15 +5,4 @@ source "lib/Kconfig.debug" | |||
| 5 | config TRACE_IRQFLAGS_SUPPORT | 5 | config TRACE_IRQFLAGS_SUPPORT |
| 6 | def_bool y | 6 | def_bool y |
| 7 | 7 | ||
| 8 | config DEBUG_RODATA | ||
| 9 | bool "Write protect kernel read-only data structures" | ||
| 10 | depends on DEBUG_KERNEL | ||
| 11 | default y | ||
| 12 | help | ||
| 13 | Mark the kernel read-only data as write-protected in the pagetables, | ||
| 14 | in order to catch accidental (and incorrect) writes to such const | ||
| 15 | data. This option may have a slight performance impact because a | ||
| 16 | portion of the kernel code won't be covered by a TLB anymore. | ||
| 17 | If in doubt, say "N". | ||
| 18 | |||
| 19 | endmenu | 8 | endmenu |
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index c6722112527d..53bb0e3e0db3 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig | |||
| @@ -62,9 +62,6 @@ config PCI_QUIRKS | |||
| 62 | config ARCH_SUPPORTS_UPROBES | 62 | config ARCH_SUPPORTS_UPROBES |
| 63 | def_bool y | 63 | def_bool y |
| 64 | 64 | ||
| 65 | config DEBUG_RODATA | ||
| 66 | def_bool y | ||
| 67 | |||
| 68 | config S390 | 65 | config S390 |
| 69 | def_bool y | 66 | def_bool y |
| 70 | select ARCH_HAS_DEVMEM_IS_ALLOWED | 67 | select ARCH_HAS_DEVMEM_IS_ALLOWED |
| @@ -73,6 +70,8 @@ config S390 | |||
| 73 | select ARCH_HAS_GIGANTIC_PAGE | 70 | select ARCH_HAS_GIGANTIC_PAGE |
| 74 | select ARCH_HAS_KCOV | 71 | select ARCH_HAS_KCOV |
| 75 | select ARCH_HAS_SG_CHAIN | 72 | select ARCH_HAS_SG_CHAIN |
| 73 | select ARCH_HAS_STRICT_KERNEL_RWX | ||
| 74 | select ARCH_HAS_STRICT_MODULE_RWX | ||
| 76 | select ARCH_HAS_UBSAN_SANITIZE_ALL | 75 | select ARCH_HAS_UBSAN_SANITIZE_ALL |
| 77 | select ARCH_HAVE_NMI_SAFE_CMPXCHG | 76 | select ARCH_HAVE_NMI_SAFE_CMPXCHG |
| 78 | select ARCH_INLINE_READ_LOCK | 77 | select ARCH_INLINE_READ_LOCK |
diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug index 26c5d5beb4be..57f8ea9c49e3 100644 --- a/arch/s390/Kconfig.debug +++ b/arch/s390/Kconfig.debug | |||
| @@ -17,7 +17,4 @@ config S390_PTDUMP | |||
| 17 | kernel. | 17 | kernel. |
| 18 | If in doubt, say "N" | 18 | If in doubt, say "N" |
| 19 | 19 | ||
| 20 | config DEBUG_SET_MODULE_RONX | ||
| 21 | def_bool y | ||
| 22 | depends on MODULES | ||
| 23 | endmenu | 20 | endmenu |
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index e487493bbd47..13e1bf4b0fe5 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig | |||
| @@ -54,6 +54,8 @@ config X86 | |||
| 54 | select ARCH_HAS_MMIO_FLUSH | 54 | select ARCH_HAS_MMIO_FLUSH |
| 55 | select ARCH_HAS_PMEM_API if X86_64 | 55 | select ARCH_HAS_PMEM_API if X86_64 |
| 56 | select ARCH_HAS_SG_CHAIN | 56 | select ARCH_HAS_SG_CHAIN |
| 57 | select ARCH_HAS_STRICT_KERNEL_RWX | ||
| 58 | select ARCH_HAS_STRICT_MODULE_RWX | ||
| 57 | select ARCH_HAS_UBSAN_SANITIZE_ALL | 59 | select ARCH_HAS_UBSAN_SANITIZE_ALL |
| 58 | select ARCH_HAVE_NMI_SAFE_CMPXCHG | 60 | select ARCH_HAVE_NMI_SAFE_CMPXCHG |
| 59 | select ARCH_MIGHT_HAVE_ACPI_PDC if ACPI | 61 | select ARCH_MIGHT_HAVE_ACPI_PDC if ACPI |
| @@ -309,9 +311,6 @@ config ARCH_SUPPORTS_UPROBES | |||
| 309 | config FIX_EARLYCON_MEM | 311 | config FIX_EARLYCON_MEM |
| 310 | def_bool y | 312 | def_bool y |
| 311 | 313 | ||
| 312 | config DEBUG_RODATA | ||
| 313 | def_bool y | ||
| 314 | |||
| 315 | config PGTABLE_LEVELS | 314 | config PGTABLE_LEVELS |
| 316 | int | 315 | int |
| 317 | default 4 if X86_64 | 316 | default 4 if X86_64 |
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug index 67eec55093a5..69cdd0b2176b 100644 --- a/arch/x86/Kconfig.debug +++ b/arch/x86/Kconfig.debug | |||
| @@ -109,17 +109,6 @@ config DEBUG_WX | |||
| 109 | 109 | ||
| 110 | If in doubt, say "Y". | 110 | If in doubt, say "Y". |
| 111 | 111 | ||
| 112 | config DEBUG_SET_MODULE_RONX | ||
| 113 | bool "Set loadable kernel module data as NX and text as RO" | ||
| 114 | depends on MODULES | ||
| 115 | ---help--- | ||
| 116 | This option helps catch unintended modifications to loadable | ||
| 117 | kernel module's text and read-only data. It also prevents execution | ||
| 118 | of module data. Such protection may interfere with run-time code | ||
| 119 | patching and dynamic kernel tracing - and they might also protect | ||
| 120 | against certain classes of kernel exploits. | ||
| 121 | If in doubt, say "N". | ||
| 122 | |||
| 123 | config DEBUG_NX_TEST | 112 | config DEBUG_NX_TEST |
| 124 | tristate "Testcase for the NX non-executable stack feature" | 113 | tristate "Testcase for the NX non-executable stack feature" |
| 125 | depends on DEBUG_KERNEL && m | 114 | depends on DEBUG_KERNEL && m |