
[v12,6/8] powerpc: Set ARCH_HAS_STRICT_MODULE_RWX

Message ID 20210506023449.3568630-7-jniethe5@gmail.com (mailing list archive)
State Superseded
Series powerpc: Further Strict RWX support | expand

Checks

Context Check Description
snowpatch_ozlabs/apply_patch warning Failed to apply on branch powerpc/merge (7619d98e5041d5c25aba5428704dba6121237a9a)
snowpatch_ozlabs/apply_patch warning Failed to apply on branch powerpc/next (c6b05f4e233cc666f003e9fe68b2f765952875a9)
snowpatch_ozlabs/apply_patch warning Failed to apply on branch linus/master (8404c9fbc84b741f66cff7d4934a25dd2c344452)
snowpatch_ozlabs/apply_patch warning Failed to apply on branch powerpc/fixes (791f9e36599d94af5a76d3f74d04e16326761aae)
snowpatch_ozlabs/apply_patch warning Failed to apply on branch linux-next (5e321ded302da4d8c5d5dd953423d9b748ab3775)
snowpatch_ozlabs/apply_patch fail Failed to apply to any branch

Commit Message

Jordan Niethe May 6, 2021, 2:34 a.m. UTC
From: Russell Currey <ruscur@russell.cc>

To enable strict module RWX on powerpc, set:

    CONFIG_STRICT_MODULE_RWX=y

You should also have CONFIG_STRICT_KERNEL_RWX=y set to have any real
security benefit.

ARCH_HAS_STRICT_MODULE_RWX is set to require ARCH_HAS_STRICT_KERNEL_RWX.
This is due to a quirk in arch/Kconfig and arch/powerpc/Kconfig that
makes STRICT_MODULE_RWX *on by default* in configurations where
STRICT_KERNEL_RWX is *unavailable*.

Since this doesn't make much sense, and module RWX without kernel RWX
doesn't make much sense, having the same dependencies as kernel RWX
works around this problem.

With STRICT_MODULE_RWX, module_alloc() now allocates pages with
PAGE_KERNEL protection rather than PAGE_KERNEL_EXEC.

Book3s/32 processors with a hash MMU (i.e. 604 core) cannot set memory
protection on a page-by-page basis, so do not enable it there.

Signed-off-by: Russell Currey <ruscur@russell.cc>
[jpn: - predicate on !PPC_BOOK3S_604
      - make module_alloc() use PAGE_KERNEL protection]
Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
---
v10: - Predicate on !PPC_BOOK3S_604
     - Make module_alloc() use PAGE_KERNEL protection
v11: - Neaten up
---
 arch/powerpc/Kconfig         | 1 +
 arch/powerpc/kernel/module.c | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

Comments

Christophe Leroy May 7, 2021, 5:35 a.m. UTC | #1
Le 06/05/2021 à 04:34, Jordan Niethe a écrit :
> From: Russell Currey <ruscur@russell.cc>
> 
> To enable strict module RWX on powerpc, set:
> 
>      CONFIG_STRICT_MODULE_RWX=y
> 
> You should also have CONFIG_STRICT_KERNEL_RWX=y set to have any real
> security benefit.
> 
> ARCH_HAS_STRICT_MODULE_RWX is set to require ARCH_HAS_STRICT_KERNEL_RWX.
> This is due to a quirk in arch/Kconfig and arch/powerpc/Kconfig that
> makes STRICT_MODULE_RWX *on by default* in configurations where
> STRICT_KERNEL_RWX is *unavailable*.
> 
> Since this doesn't make much sense, and module RWX without kernel RWX
> doesn't make much sense, having the same dependencies as kernel RWX
> works around this problem.
> 
> With STRICT_MODULE_RWX, now make module_alloc() allocate pages with
> KERNEL_PAGE protection rather than KERNEL_PAGE_EXEC.
> 
> Book32s/32 processors with a hash mmu (i.e. 604 core) can not set memory
> protection on a page by page basis so do not enable.
> 
> Signed-off-by: Russell Currey <ruscur@russell.cc>
> [jpn: - predicate on !PPC_BOOK3S_604
>        - make module_alloc() use PAGE_KERNEL protection]
> Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
> ---
> v10: - Predicate on !PPC_BOOK3S_604
>       - Make module_alloc() use PAGE_KERNEL protection
> v11: - Neaten up
> ---
>   arch/powerpc/Kconfig         | 1 +
>   arch/powerpc/kernel/module.c | 4 +++-
>   2 files changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index cce0a137b046..cb5d9d862c35 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -140,6 +140,7 @@ config PPC
>   	select ARCH_HAS_SCALED_CPUTIME		if VIRT_CPU_ACCOUNTING_NATIVE && PPC_BOOK3S_64
>   	select ARCH_HAS_SET_MEMORY
>   	select ARCH_HAS_STRICT_KERNEL_RWX	if ((PPC_BOOK3S_64 || PPC32) && !HIBERNATION)
> +	select ARCH_HAS_STRICT_MODULE_RWX	if ARCH_HAS_STRICT_KERNEL_RWX && !PPC_BOOK3S_604
>   	select ARCH_HAS_TICK_BROADCAST		if GENERIC_CLOCKEVENTS_BROADCAST
>   	select ARCH_HAS_UACCESS_FLUSHCACHE
>   	select ARCH_HAS_COPY_MC			if PPC64
> diff --git a/arch/powerpc/kernel/module.c b/arch/powerpc/kernel/module.c
> index 3f35c8d20be7..33e4011228b0 100644
> --- a/arch/powerpc/kernel/module.c
> +++ b/arch/powerpc/kernel/module.c
> @@ -92,12 +92,14 @@ int module_finalize(const Elf_Ehdr *hdr,
>   static __always_inline void *
>   __module_alloc(unsigned long size, unsigned long start, unsigned long end)
>   {
> +	pgprot_t prot = IS_ENABLED(CONFIG_STRICT_MODULE_RWX) ? PAGE_KERNEL :
> +							       PAGE_KERNEL_EXEC;

I'm not sure this test is OK, because strict kernel/module rwx can be disabled at boottime.
There is a global variable 'rodata_enabled' to reflect that.

We have a helper in powerpc asm/mmu.h called strict_kernel_rwx_enabled() to check it.


>   	/*
>   	 * Don't do huge page allocations for modules yet until more testing
>   	 * is done. STRICT_MODULE_RWX may require extra work to support this
>   	 * too.
>   	 */
> -	return __vmalloc_node_range(size, 1, start, end, GFP_KERNEL, PAGE_KERNEL_EXEC,
> +	return __vmalloc_node_range(size, 1, start, end, GFP_KERNEL, prot,
>   				    VM_FLUSH_RESET_PERMS | VM_NO_HUGE_VMAP,
>   				    NUMA_NO_NODE, __builtin_return_address(0));
>   }
>
Jordan Niethe May 10, 2021, 12:52 a.m. UTC | #2
On Fri, May 7, 2021 at 3:35 PM Christophe Leroy
<christophe.leroy@csgroup.eu> wrote:
>
>
>
> Le 06/05/2021 à 04:34, Jordan Niethe a écrit :
> > From: Russell Currey <ruscur@russell.cc>
> >
> > To enable strict module RWX on powerpc, set:
> >
> >      CONFIG_STRICT_MODULE_RWX=y
> >
> > You should also have CONFIG_STRICT_KERNEL_RWX=y set to have any real
> > security benefit.
> >
> > ARCH_HAS_STRICT_MODULE_RWX is set to require ARCH_HAS_STRICT_KERNEL_RWX.
> > This is due to a quirk in arch/Kconfig and arch/powerpc/Kconfig that
> > makes STRICT_MODULE_RWX *on by default* in configurations where
> > STRICT_KERNEL_RWX is *unavailable*.
> >
> > Since this doesn't make much sense, and module RWX without kernel RWX
> > doesn't make much sense, having the same dependencies as kernel RWX
> > works around this problem.
> >
> > With STRICT_MODULE_RWX, now make module_alloc() allocate pages with
> > KERNEL_PAGE protection rather than KERNEL_PAGE_EXEC.
> >
> > Book32s/32 processors with a hash mmu (i.e. 604 core) can not set memory
> > protection on a page by page basis so do not enable.
> >
> > Signed-off-by: Russell Currey <ruscur@russell.cc>
> > [jpn: - predicate on !PPC_BOOK3S_604
> >        - make module_alloc() use PAGE_KERNEL protection]
> > Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
> > ---
> > v10: - Predicate on !PPC_BOOK3S_604
> >       - Make module_alloc() use PAGE_KERNEL protection
> > v11: - Neaten up
> > ---
> >   arch/powerpc/Kconfig         | 1 +
> >   arch/powerpc/kernel/module.c | 4 +++-
> >   2 files changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> > index cce0a137b046..cb5d9d862c35 100644
> > --- a/arch/powerpc/Kconfig
> > +++ b/arch/powerpc/Kconfig
> > @@ -140,6 +140,7 @@ config PPC
> >       select ARCH_HAS_SCALED_CPUTIME          if VIRT_CPU_ACCOUNTING_NATIVE && PPC_BOOK3S_64
> >       select ARCH_HAS_SET_MEMORY
> >       select ARCH_HAS_STRICT_KERNEL_RWX       if ((PPC_BOOK3S_64 || PPC32) && !HIBERNATION)
> > +     select ARCH_HAS_STRICT_MODULE_RWX       if ARCH_HAS_STRICT_KERNEL_RWX && !PPC_BOOK3S_604
> >       select ARCH_HAS_TICK_BROADCAST          if GENERIC_CLOCKEVENTS_BROADCAST
> >       select ARCH_HAS_UACCESS_FLUSHCACHE
> >       select ARCH_HAS_COPY_MC                 if PPC64
> > diff --git a/arch/powerpc/kernel/module.c b/arch/powerpc/kernel/module.c
> > index 3f35c8d20be7..33e4011228b0 100644
> > --- a/arch/powerpc/kernel/module.c
> > +++ b/arch/powerpc/kernel/module.c
> > @@ -92,12 +92,14 @@ int module_finalize(const Elf_Ehdr *hdr,
> >   static __always_inline void *
> >   __module_alloc(unsigned long size, unsigned long start, unsigned long end)
> >   {
> > +     pgprot_t prot = IS_ENABLED(CONFIG_STRICT_MODULE_RWX) ? PAGE_KERNEL :
> > +                                                            PAGE_KERNEL_EXEC;
>
> I'm not sure this test is OK, because strict kernel/module rwx can be disabled at boottime.
> There is a global variable 'rodata_enabled' to reflect that.
>
> We have a helper in powerpc asm/mmu.h called strict_kernel_rwx_enabled() to check it.
Thanks, I will change to that.
>
>
> >       /*
> >        * Don't do huge page allocations for modules yet until more testing
> >        * is done. STRICT_MODULE_RWX may require extra work to support this
> >        * too.
> >        */
> > -     return __vmalloc_node_range(size, 1, start, end, GFP_KERNEL, PAGE_KERNEL_EXEC,
> > +     return __vmalloc_node_range(size, 1, start, end, GFP_KERNEL, prot,
> >                                   VM_FLUSH_RESET_PERMS | VM_NO_HUGE_VMAP,
> >                                   NUMA_NO_NODE, __builtin_return_address(0));
> >   }
> >

Patch

diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index cce0a137b046..cb5d9d862c35 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -140,6 +140,7 @@  config PPC
 	select ARCH_HAS_SCALED_CPUTIME		if VIRT_CPU_ACCOUNTING_NATIVE && PPC_BOOK3S_64
 	select ARCH_HAS_SET_MEMORY
 	select ARCH_HAS_STRICT_KERNEL_RWX	if ((PPC_BOOK3S_64 || PPC32) && !HIBERNATION)
+	select ARCH_HAS_STRICT_MODULE_RWX	if ARCH_HAS_STRICT_KERNEL_RWX && !PPC_BOOK3S_604
 	select ARCH_HAS_TICK_BROADCAST		if GENERIC_CLOCKEVENTS_BROADCAST
 	select ARCH_HAS_UACCESS_FLUSHCACHE
 	select ARCH_HAS_COPY_MC			if PPC64
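Review bot: The new `select ARCH_HAS_STRICT_MODULE_RWX` line gates only the availability symbol on `ARCH_HAS_STRICT_KERNEL_RWX`, so nothing here requires `STRICT_KERNEL_RWX` itself to be enabled whenever `STRICT_MODULE_RWX` is, even though the commit message says module RWX has little security value without it. If that pairing is meant to remain a user choice, a comment beside the select would record why the condition is written this way, for example `# Same prerequisites as kernel RWX; 604 hash MMU cannot protect individual pages`. How the generic STRICT_MODULE_RWX option consumes this symbol is defined in arch/Kconfig, outside this hunk, so the resulting defaults should be confirmed there.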
diff --git a/arch/powerpc/kernel/module.c b/arch/powerpc/kernel/module.c
index 3f35c8d20be7..33e4011228b0 100644
--- a/arch/powerpc/kernel/module.c
+++ b/arch/powerpc/kernel/module.c
@@ -92,12 +92,14 @@  int module_finalize(const Elf_Ehdr *hdr,
 static __always_inline void *
 __module_alloc(unsigned long size, unsigned long start, unsigned long end)
 {
+	pgprot_t prot = IS_ENABLED(CONFIG_STRICT_MODULE_RWX) ? PAGE_KERNEL :
+							       PAGE_KERNEL_EXEC;
 	/*
 	 * Don't do huge page allocations for modules yet until more testing
 	 * is done. STRICT_MODULE_RWX may require extra work to support this
 	 * too.
 	 */
-	return __vmalloc_node_range(size, 1, start, end, GFP_KERNEL, PAGE_KERNEL_EXEC,
+	return __vmalloc_node_range(size, 1, start, end, GFP_KERNEL, prot,
 				    VM_FLUSH_RESET_PERMS | VM_NO_HUGE_VMAP,
 				    NUMA_NO_NODE, __builtin_return_address(0));
 }
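Review bot: With `CONFIG_STRICT_MODULE_RWX` set, `__module_alloc()` now returns a mapping without execute permission, and nothing in the function documents that callers must grant it afterwards. Any user of this allocator that previously relied on receiving executable memory directly (the callers are not visible in this hunk) would have to set permissions itself, so the contract is worth stating above the `prot` declaration, e.g. `/* Under STRICT_MODULE_RWX the range is returned non-executable; the caller makes it executable once the contents are final. */`. As a style point, kernel convention puts a blank line between the `prot` declaration and the comment block that follows it.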