1 files changed, 21 insertions, 0 deletions
diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
index ab906b801047..03823e784f63 100644
--- a/arch/arm/mm/Kconfig
+++ b/arch/arm/mm/Kconfig
@@ -1009,3 +1009,24 @@ config ARCH_SUPPORTS_BIG_ENDIAN
        help
          This option specifies the architecture can support big endian
          operation.
+config ARM_KERNMEM_PERMS
+        bool "Restrict kernel memory permissions"
+        help
+          If this is set, kernel memory other than kernel text (and rodata)
+          will be made non-executable. The tradeoff is that each region is
+          padded to section-size (1MiB) boundaries (because their permissions
+          are different and splitting the 1M pages into 4K ones causes TLB
+          performance problems), wasting memory.
+config DEBUG_RODATA
+        bool "Make kernel text and rodata read-only"
+        depends on ARM_KERNMEM_PERMS
+        default y
+        help
+          If this is set, kernel text and rodata will be made read-only. This
+          is to help catch accidental or malicious attempts to change the
+          kernel's executable code. Additionally splits rodata from kernel
+          text so it can be made explicitly non-executable. This creates
+          another section-size padded region, so it can waste more memory
+          space while gaining the read-only protections.

diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig index ab906b801047..03823e784f63 100644 --- a/arch/arm/mm/Kconfig +++ b/arch/arm/mm/Kconfig
@@ -1009,3 +1009,24 @@ config ARCH_SUPPORTS_BIG_ENDIAN
1009	help	1009	help
1010	This option specifies the architecture can support big endian	1010	This option specifies the architecture can support big endian
1011	operation.	1011	operation.
		1012
		1013	config ARM_KERNMEM_PERMS
		1014	bool "Restrict kernel memory permissions"
		1015	help
		1016	If this is set, kernel memory other than kernel text (and rodata)
		1017	will be made non-executable. The tradeoff is that each region is
		1018	padded to section-size (1MiB) boundaries (because their permissions
		1019	are different and splitting the 1M pages into 4K ones causes TLB
		1020	performance problems), wasting memory.
		1021
		1022	config DEBUG_RODATA
		1023	bool "Make kernel text and rodata read-only"
		1024	depends on ARM_KERNMEM_PERMS
		1025	default y
		1026	help
		1027	If this is set, kernel text and rodata will be made read-only. This
		1028	is to help catch accidental or malicious attempts to change the
		1029	kernel's executable code. Additionally splits rodata from kernel
		1030	text so it can be made explicitly non-executable. This creates
		1031	another section-size padded region, so it can waste more memory
		1032	space while gaining the read-only protections.