arm64: Enable TEXT_OFFSET fuzzing

The arm64 Image header contains a text_offset field which bootloaders are supposed to read to determine the offset (from a 2MB aligned "start of memory" per booting.txt) at which to load the kernel. The offset is not well respected by bootloaders at present, and due to the lack of variation there is little incentive to support it. This is unfortunate for the sake of future kernels where we may wish to vary the text offset (even zeroing it). This patch adds options to arm64 to enable fuzz-testing of text_offset. CONFIG_ARM64_RANDOMIZE_TEXT_OFFSET forces the text offset to a random 16-byte aligned value value in the range [0..2MB) upon a build of the kernel. It is recommended that distribution kernels enable randomization to test bootloaders such that any compliance issues can be fixed early. Signed-off-by: Mark Rutland <mark.rutland@arm.com> Acked-by: Tom Rini <trini@ti.com> Acked-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
author: Mark Rutland <mark.rutland@arm.com> 2014-06-24 11:51:37 -0400
committer: Catalin Marinas <catalin.marinas@arm.com> 2014-07-10 07:36:58 -0400
commit: da57a369d3bc5cd61db90f7e9555840381db9b09 (patch)
tree: 6e2e032c24d4b36e792e91984191752f527baf09
parent: a2c1d73b94ed49f5fac12e95052d7b140783f800 (diff)
4 files changed, 30 insertions, 2 deletions
diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
index 1c1b75629842..4ee8e90b7a45 100644
--- a/arch/arm64/Kconfig.debug
+++ b/arch/arm64/Kconfig.debug
@@ -28,4 +28,19 @@ config PID_IN_CONTEXTIDR
          instructions during context switch. Say Y here only if you are
          planning to use hardware trace tools with this kernel.
+config ARM64_RANDOMIZE_TEXT_OFFSET
+        bool "Randomize TEXT_OFFSET at build time"
+        help
+          Say Y here if you want the image load offset (AKA TEXT_OFFSET)
+          of the kernel to be randomized at build-time. When selected,
+          this option will cause TEXT_OFFSET to be randomized upon any
+          build of the kernel, and the offset will be reflected in the
+          text_offset field of the resulting Image. This can be used to
+          fuzz-test bootloaders which respect text_offset.
+          This option is intended for bootloader and/or kernel testing
+          only. Bootloaders must make no assumptions regarding the value
+          of TEXT_OFFSET and platforms must not require a specific
+          value.
 endmenu
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index 8185a913c5ed..e8d025c1459e 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -38,7 +38,11 @@ CHECKFLAGS	+= -D__aarch64__
 head-y          := arch/arm64/kernel/head.o
 # The byte offset of the kernel image in RAM from the start of RAM.
+ifeq ($(CONFIG_ARM64_RANDOMIZE_TEXT_OFFSET), y)
+TEXT_OFFSET := $(shell awk 'BEGIN {srand(); printf "0x%04x0\n", int(65535 * rand())}')
+else
 TEXT_OFFSET := 0x00080000
+endif
 export  TEXT_OFFSET GZFLAGS
diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
index 3ba0fc02c0de..69dafe9621fd 100644
--- a/arch/arm64/kernel/head.S
+++ b/arch/arm64/kernel/head.S
@@ -37,8 +37,12 @@
 #define KERNEL_RAM_VADDR        (PAGE_OFFSET + TEXT_OFFSET)
-#if (KERNEL_RAM_VADDR & 0xfffff) != 0x80000
+#if (TEXT_OFFSET & 0xf) != 0
-#error KERNEL_RAM_VADDR must start at 0xXXX80000
+#error TEXT_OFFSET must be at least 16B aligned
+#elif (PAGE_OFFSET & 0xfffff) != 0
+#error PAGE_OFFSET must be at least 2MB aligned
+#elif TEXT_OFFSET > 0xfffff
+#error TEXT_OFFSET must be less than 2MB
 #endif
        .macro  pgtbl, ttb0, ttb1, virt_to_phys
diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
index a814768ae148..97f0c0429dfa 100644
--- a/arch/arm64/kernel/vmlinux.lds.S
+++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -125,3 +125,8 @@ SECTIONS
 */
 ASSERT(((__hyp_idmap_text_start + PAGE_SIZE) > __hyp_idmap_text_end),
       "HYP init code too big")
+/*
+ * If padding is applied before .head.text, virt<->phys conversions will fail.
+ */
+ASSERT(_text == (PAGE_OFFSET + TEXT_OFFSET), "HEAD is misaligned")
author	Mark Rutland <mark.rutland@arm.com>	2014-06-24 11:51:37 -0400
committer	Catalin Marinas <catalin.marinas@arm.com>	2014-07-10 07:36:58 -0400
commit	da57a369d3bc5cd61db90f7e9555840381db9b09 (patch)
tree	6e2e032c24d4b36e792e91984191752f527baf09
parent	a2c1d73b94ed49f5fac12e95052d7b140783f800 (diff)

diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug index 1c1b75629842..4ee8e90b7a45 100644 --- a/arch/arm64/Kconfig.debug +++ b/arch/arm64/Kconfig.debug
@@ -28,4 +28,19 @@ config PID_IN_CONTEXTIDR
28	instructions during context switch. Say Y here only if you are	28	instructions during context switch. Say Y here only if you are
29	planning to use hardware trace tools with this kernel.	29	planning to use hardware trace tools with this kernel.
30		30
		31	config ARM64_RANDOMIZE_TEXT_OFFSET
		32	bool "Randomize TEXT_OFFSET at build time"
		33	help
		34	Say Y here if you want the image load offset (AKA TEXT_OFFSET)
		35	of the kernel to be randomized at build-time. When selected,
		36	this option will cause TEXT_OFFSET to be randomized upon any
		37	build of the kernel, and the offset will be reflected in the
		38	text_offset field of the resulting Image. This can be used to
		39	fuzz-test bootloaders which respect text_offset.
		40
		41	This option is intended for bootloader and/or kernel testing
		42	only. Bootloaders must make no assumptions regarding the value
		43	of TEXT_OFFSET and platforms must not require a specific
		44	value.
		45
31	endmenu	46	endmenu


diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile index 8185a913c5ed..e8d025c1459e 100644 --- a/arch/arm64/Makefile +++ b/arch/arm64/Makefile
@@ -38,7 +38,11 @@ CHECKFLAGS += -D__aarch64__
38	head-y := arch/arm64/kernel/head.o	38	head-y := arch/arm64/kernel/head.o
39		39
40	# The byte offset of the kernel image in RAM from the start of RAM.	40	# The byte offset of the kernel image in RAM from the start of RAM.
		41	ifeq ($(CONFIG_ARM64_RANDOMIZE_TEXT_OFFSET), y)
		42	TEXT_OFFSET := $(shell awk 'BEGIN {srand(); printf "0x%04x0\n", int(65535 * rand())}')
		43	else
41	TEXT_OFFSET := 0x00080000	44	TEXT_OFFSET := 0x00080000
		45	endif
42		46
43	export TEXT_OFFSET GZFLAGS	47	export TEXT_OFFSET GZFLAGS
44		48


diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S index 3ba0fc02c0de..69dafe9621fd 100644 --- a/arch/arm64/kernel/head.S +++ b/arch/arm64/kernel/head.S
@@ -37,8 +37,12 @@
37		37
38	#define KERNEL_RAM_VADDR (PAGE_OFFSET + TEXT_OFFSET)	38	#define KERNEL_RAM_VADDR (PAGE_OFFSET + TEXT_OFFSET)
39		39
40	#if (KERNEL_RAM_VADDR & 0xfffff) != 0x80000	40	#if (TEXT_OFFSET & 0xf) != 0
41	#error KERNEL_RAM_VADDR must start at 0xXXX80000	41	#error TEXT_OFFSET must be at least 16B aligned
		42	#elif (PAGE_OFFSET & 0xfffff) != 0
		43	#error PAGE_OFFSET must be at least 2MB aligned
		44	#elif TEXT_OFFSET > 0xfffff
		45	#error TEXT_OFFSET must be less than 2MB
42	#endif	46	#endif
43		47
44	.macro pgtbl, ttb0, ttb1, virt_to_phys	48	.macro pgtbl, ttb0, ttb1, virt_to_phys


diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S index a814768ae148..97f0c0429dfa 100644 --- a/arch/arm64/kernel/vmlinux.lds.S +++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -125,3 +125,8 @@ SECTIONS
125	*/	125	*/
126	ASSERT(((__hyp_idmap_text_start + PAGE_SIZE) > __hyp_idmap_text_end),	126	ASSERT(((__hyp_idmap_text_start + PAGE_SIZE) > __hyp_idmap_text_end),
127	"HYP init code too big")	127	"HYP init code too big")
		128
		129	/*
		130	* If padding is applied before .head.text, virt<->phys conversions will fail.
		131	*/
		132	ASSERT(_text == (PAGE_OFFSET + TEXT_OFFSET), "HEAD is misaligned")