From patchwork Mon Feb 26 08:19:36 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alex Shi X-Patchwork-Id: 129558 Delivered-To: patch@linaro.org Received: by 10.46.66.2 with SMTP id p2csp3355510lja; Mon, 26 Feb 2018 00:21:29 -0800 (PST) X-Google-Smtp-Source: AH8x224vh2WRxjvSkdDab0enxS4uQj8sX64jUWKbU9hMaqLZ4UBIjxs2Ujh2Ctc5TmrjsjKwFUpq X-Received: by 2002:a17:902:ab89:: with SMTP id f9-v6mr9667225plr.369.1519633289039; Mon, 26 Feb 2018 00:21:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519633289; cv=none; d=google.com; s=arc-20160816; b=N1PT4332nQwaOosslj7pJovcl8Nls4zD0Wh1icgNz/RAwnz0tF/o5s4WmDtKahylfK MDIxCYawOgvJ2S6prPniOzJCKQk6IsfiCAjjnIs2DLvme1LBKFq4JJuZ7FMIcsYab6Pl 8UUrxl/BLA+GbB4KjIq0nD1zVyv/LsveZXt6M/wsKnAc5uMNO/BpK+1Efp1scyUFuraS hIWceynm8tEYJZbSQu9FtHU+GCU0tp3nXA8sH7iNidtue+aIBwad4+3vQIEIFJSr65Ar 99AGgBOv3Rug3knMRDwiwPSR43sRhxylHbCO/EOq4UCjtsL2ReyJUKtqr34NHUhedI2n djLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:to:from:dkim-signature:arc-authentication-results; bh=S7mDzt0hDdeMXb+Y/dfIW9xk1gio9KtJLmPeqeLlojg=; b=xWnXkSMOHNUihiZSICosJtFZCULh0OtMPz7e6g/QLnqlwFu4YsbjHCbtVmNRqbpCZN 92G4t6FtsNGCR2NQfQ44L0/etseeEUmirsTMUY+0WUTv5mK32NsdYFnDkLQEkOODyt+r by5SjjxIKB+S0efqKTj3FpD2G81RbfzHB/2pBnDqintbMmBIizfNC5uoJYKBVH4gMJxz djYhrDF9jxRvVzuHNHJT7NQqr2u1pYfEvTt9Z+oPerMKLXjhYXniJ4QFoHIZpSJGh04d Yx+3U1+Qp3u2V9UqyiGelUQN99exeYYEeePF4ETcGVR6+djUvPq3PQ431Mu8UqY2qNC0 Ep9g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=GfQzyVoC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j12si5254567pgt.173.2018.02.26.00.21.28; Mon, 26 Feb 2018 00:21:29 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=GfQzyVoC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752209AbeBZIV0 (ORCPT + 28 others); Mon, 26 Feb 2018 03:21:26 -0500 Received: from mail-pl0-f67.google.com ([209.85.160.67]:42661 "EHLO mail-pl0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751745AbeBZIVV (ORCPT ); Mon, 26 Feb 2018 03:21:21 -0500 Received: by mail-pl0-f67.google.com with SMTP id 31so8853616ple.9 for ; Mon, 26 Feb 2018 00:21:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=S7mDzt0hDdeMXb+Y/dfIW9xk1gio9KtJLmPeqeLlojg=; b=GfQzyVoCstUCriYp03bfIQ1fXM9GSLUPEcJkVcD4xI2yWixaTmK4psqO8k1UFYS6aK XVLXBzUCfvpNv3QYwojgW93iyrHPOhJba6AGE/5ImeKI0S3MlCNW94nY50p1ih6iAaZr eCh9zwMjCiM45BFcxjTqaHsQerXHOimRH8GCQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=S7mDzt0hDdeMXb+Y/dfIW9xk1gio9KtJLmPeqeLlojg=; b=XBF5YThdXOaqjg9ZsHiy5/1Gd8zyF8CYs5s7HcIzmO4qXC+ftK/AoAhYi21ST39GmW 4lvOAj0ImvqcQRPNpcPpTP4ROlMgGnv2CX1/afxiAxZzhuSBQFVFukATvucLLE07TMxg 0cIgS1dbCS0ZDm/mcGVntt3B65yM8488g4wmUqehhDk/TS6cjOq2sfgFTHHqX2jRFV8o u2zUKxrBgjDZMSnQnTBzOOLXMYug+hO/1Tu49adbR2JqjUlOvDpYCadKKJyRNBJ0k5OB wd6b2mevxB4tJADbb76P75OnwL0S3eiGTGvhc8+QX9/urxSLsjbhQciiq0lNDcqGiU67 +fQw== X-Gm-Message-State: APf1xPBTJhm9AbywnixC1h2V+6OzGtfdJAdEAEyt/OCVqlrqlqNC5Euj tDpLidTFFGr3Y1ouHb3xobqvBw== X-Received: by 2002:a17:902:183:: with SMTP id b3-v6mr9789750plb.80.1519633281279; Mon, 26 Feb 2018 00:21:21 -0800 (PST) Received: from localhost.localdomain (176.122.172.82.16clouds.com. [176.122.172.82]) by smtp.gmail.com with ESMTPSA id o86sm1422706pfi.87.2018.02.26.00.21.15 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 26 Feb 2018 00:21:20 -0800 (PST) From: Alex Shi To: Marc Zyngier , Will Deacon , Ard Biesheuvel , Catalin Marinas , stable@vger.kernel.org, linux-arm-kernel@lists.infradead.org (moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)), linux-kernel@vger.kernel.org (open list) Subject: [PATCH 02/52] arm64: alternatives: apply boot time fixups via the linear mapping Date: Mon, 26 Feb 2018 16:19:36 +0800 Message-Id: <1519633227-29832-3-git-send-email-alex.shi@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1519633227-29832-1-git-send-email-alex.shi@linaro.org> References: <1519633227-29832-1-git-send-email-alex.shi@linaro.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Ard Biesheuvel commit 5ea5306c323 upstream. One important rule of thumb when desiging a secure software system is that memory should never be writable and executable at the same time. We mostly adhere to this rule in the kernel, except at boot time, when regions may be mapped RWX until after we are done applying alternatives or making other one-off changes. For the alternative patching, we can improve the situation by applying the fixups via the linear mapping, which is never mapped with executable permissions. So map the linear alias of .text with RW- permissions initially, and remove the write permissions as soon as alternative patching has completed. Reviewed-by: Laura Abbott Reviewed-by: Mark Rutland Tested-by: Mark Rutland Signed-off-by: Ard Biesheuvel Signed-off-by: Catalin Marinas Signed-off-by: Alex Shi Conflicts: replace update_mapping_prot with old create_mapping_late arch/arm64/mm/mmu.c --- arch/arm64/include/asm/mmu.h | 1 + arch/arm64/kernel/alternative.c | 11 ++++++----- arch/arm64/kernel/smp.c | 1 + arch/arm64/mm/mmu.c | 22 +++++++++++++++++----- 4 files changed, 25 insertions(+), 10 deletions(-) -- 2.7.4 diff --git a/arch/arm64/include/asm/mmu.h b/arch/arm64/include/asm/mmu.h index 8d9fce0..b075140 100644 --- a/arch/arm64/include/asm/mmu.h +++ b/arch/arm64/include/asm/mmu.h @@ -36,5 +36,6 @@ extern void create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys, unsigned long virt, phys_addr_t size, pgprot_t prot, bool allow_block_mappings); extern void *fixmap_remap_fdt(phys_addr_t dt_phys); +extern void mark_linear_text_alias_ro(void); #endif diff --git a/arch/arm64/kernel/alternative.c b/arch/arm64/kernel/alternative.c index 06d650f..8840c10 100644 --- a/arch/arm64/kernel/alternative.c +++ b/arch/arm64/kernel/alternative.c @@ -105,11 +105,11 @@ static u32 get_alt_insn(struct alt_instr *alt, u32 *insnptr, u32 *altinsnptr) return insn; } -static void __apply_alternatives(void *alt_region) +static void __apply_alternatives(void *alt_region, bool use_linear_alias) { struct alt_instr *alt; struct alt_region *region = alt_region; - u32 *origptr, *replptr; + u32 *origptr, *replptr, *updptr; for (alt = region->begin; alt < region->end; alt++) { u32 insn; @@ -124,11 +124,12 @@ static void __apply_alternatives(void *alt_region) origptr = ALT_ORIG_PTR(alt); replptr = ALT_REPL_PTR(alt); + updptr = use_linear_alias ? (u32 *)lm_alias(origptr) : origptr; nr_inst = alt->alt_len / sizeof(insn); for (i = 0; i < nr_inst; i++) { insn = get_alt_insn(alt, origptr + i, replptr + i); - *(origptr + i) = cpu_to_le32(insn); + updptr[i] = cpu_to_le32(insn); } flush_icache_range((uintptr_t)origptr, @@ -155,7 +156,7 @@ static int __apply_alternatives_multi_stop(void *unused) isb(); } else { BUG_ON(patched); - __apply_alternatives(®ion); + __apply_alternatives(®ion, true); /* Barriers provided by the cache flushing */ WRITE_ONCE(patched, 1); } @@ -176,5 +177,5 @@ void apply_alternatives(void *start, size_t length) .end = start + length, }; - __apply_alternatives(®ion); + __apply_alternatives(®ion, false); } diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c index a70f7d3..66db515 100644 --- a/arch/arm64/kernel/smp.c +++ b/arch/arm64/kernel/smp.c @@ -426,6 +426,7 @@ void __init smp_cpus_done(unsigned int max_cpus) setup_cpu_features(); hyp_mode_check(); apply_alternatives_all(); + mark_linear_text_alias_ro(); } void __init smp_prepare_boot_cpu(void) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index d5cc6d7..5dc72c0 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -354,16 +354,28 @@ static void __init __map_memblock(pgd_t *pgd, phys_addr_t start, phys_addr_t end !debug_pagealloc_enabled()); /* - * Map the linear alias of the [_text, __init_begin) interval as - * read-only/non-executable. This makes the contents of the - * region accessible to subsystems such as hibernate, but - * protects it from inadvertent modification or execution. + * Map the linear alias of the [_text, __init_begin) interval + * as non-executable now, and remove the write permission in + * mark_linear_text_alias_ro() below (which will be called after + * alternative patching has completed). This makes the contents + * of the region accessible to subsystems such as hibernate, + * but protects it from inadvertent modification or execution. */ __create_pgd_mapping(pgd, kernel_start, __phys_to_virt(kernel_start), - kernel_end - kernel_start, PAGE_KERNEL_RO, + kernel_end - kernel_start, PAGE_KERNEL, early_pgtable_alloc, !debug_pagealloc_enabled()); } +void __init mark_linear_text_alias_ro(void) +{ + /* + * Remove the write permissions from the linear alias of .text/.rodata + */ + create_mapping_late(__pa_symbol(_text), (unsigned long)lm_alias(_text), + (unsigned long)__init_begin - (unsigned long)_text, + PAGE_KERNEL_RO); +} + static void __init map_mem(pgd_t *pgd) { struct memblock_region *reg;