Re: Booting a kernel to EL1 in Armv8.1

2017-02-14 Thread Raz
On Wed, Jan 25, 2017 at 8:22 AM, Christoffer Dall < christoffer.d...@linaro.org> wrote: > On Tue, Jan 24, 2017 at 09:50:04PM +, Raz wrote: > > Hello > > > > I am trying to boot EL1 kernel in a platform based on Armv8.1. > > I am using fvp as a hardware. > > What I am trying to achieve is to

[PATCH v3 2/5] arm64: mmu: move TLB maintenance from callers to create_mapping_late()

2017-02-14 Thread Ard Biesheuvel
In preparation of refactoring the kernel mapping logic so that text regions are never mapped writable, which would require adding explicit TLB maintenance to new call sites of create_mapping_late() (which is currently invoked twice from the same function), move the TLB maintenance from the call

[PATCH v3 3/5] arm64: alternatives: apply boot time fixups via the linear mapping

2017-02-14 Thread Ard Biesheuvel
One important rule of thumb when designing a secure software system is that memory should never be writable and executable at the same time. We mostly adhere to this rule in the kernel, except at boot time, when regions may be mapped RWX until after we are done applying alternatives or making other

[PATCH v3 5/5] arm64: mmu: apply strict permissions to .init.text and .init.data

2017-02-14 Thread Ard Biesheuvel
To avoid having mappings that are writable and executable at the same time, split the init region into a .init.text region that is mapped read-only, and a .init.data region that is mapped non-executable. This is possible now that the alternative patching occurs via the linear mapping, and the

[PATCH v3 0/5] arm64: mmu: avoid writeable-executable mappings

2017-02-14 Thread Ard Biesheuvel
Having memory that is writable and executable at the same time is a security hazard, and so we tend to avoid those when we can. However, at boot time, we keep .text mapped writable during the entire init phase, and the init region itself is mapped rwx as well. Let's improve the situation by: -

[PATCH v3 1/5] arm: kvm: move kvm_vgic_global_state out of .text section

2017-02-14 Thread Ard Biesheuvel
The kvm_vgic_global_state struct contains a static key which is written to by jump_label_init() at boot time. So in preparation of making .text regions truly (well, almost truly) read-only, mark kvm_vgic_global_state __ro_after_init so it moves to the .rodata section instead. Acked-by: Marc

Re: [PATCH v2 4/5] arm64: mmu: map .text as read-only from the outset

2017-02-14 Thread Ard Biesheuvel
> On 14 Feb 2017, at 17:40, Mark Rutland wrote: > >> On Tue, Feb 14, 2017 at 04:15:11PM +, Ard Biesheuvel wrote: >> On 14 Feb 2017, at 15:57, Mark Rutland wrote: On Sat, Feb 11, 2017 at 08:23:05PM +, Ard Biesheuvel wrote:

Re: [PATCH v2 4/5] arm64: mmu: map .text as read-only from the outset

2017-02-14 Thread Mark Rutland
On Tue, Feb 14, 2017 at 05:49:19PM +, Ard Biesheuvel wrote: > > > On 14 Feb 2017, at 17:40, Mark Rutland wrote: > > > >> On Tue, Feb 14, 2017 at 04:15:11PM +, Ard Biesheuvel wrote: > >> Having trivial 'off' switches for security features makes me feel > >> uneasy

Re: [PATCH v2 4/5] arm64: mmu: map .text as read-only from the outset

2017-02-14 Thread Ard Biesheuvel
> On 14 Feb 2017, at 15:57, Mark Rutland wrote: > >> On Sat, Feb 11, 2017 at 08:23:05PM +, Ard Biesheuvel wrote: >> Now that alternatives patching code no longer relies on the primary >> mapping of .text being writable, we can remove the code that removes >> the

Re: [PATCH v2 5/5] arm64: mmu: apply strict permissions to .init.text and .init.data

2017-02-14 Thread Mark Rutland
On Sat, Feb 11, 2017 at 08:23:06PM +, Ard Biesheuvel wrote: > To avoid having mappings that are writable and executable at the same > time, split the init region into a .init.text region that is mapped > read-only, and a .init.data region that is mapped non-executable. > > This is possible

Re: [PATCH v2 4/5] arm64: mmu: map .text as read-only from the outset

2017-02-14 Thread Mark Rutland
On Sat, Feb 11, 2017 at 08:23:05PM +, Ard Biesheuvel wrote: > Now that alternatives patching code no longer relies on the primary > mapping of .text being writable, we can remove the code that removes > the writable permissions post-init time, and map it read-only from > the outset. > >

Re: [PATCH v2 3/5] arm64: alternatives: apply boot time fixups via the linear mapping

2017-02-14 Thread Mark Rutland
On Sat, Feb 11, 2017 at 08:23:04PM +, Ard Biesheuvel wrote: > One important rule of thumb when designing a secure software system is > that memory should never be writable and executable at the same time. > We mostly adhere to this rule in the kernel, except at boot time, when > regions may be

Re: [PATCH v2 2/5] arm64: mmu: move TLB maintenance from callers to create_mapping_late()

2017-02-14 Thread Mark Rutland
On Sat, Feb 11, 2017 at 08:23:03PM +, Ard Biesheuvel wrote: > In preparation of changing the way we invoke create_mapping_late() (which > is currently invoked twice from the same function), move the TLB flushing > it performs from the caller into create_mapping_late() itself, and change > it