On Wed, Jan 25, 2017 at 8:22 AM, Christoffer Dall <
christoffer.d...@linaro.org> wrote:
> On Tue, Jan 24, 2017 at 09:50:04PM +, Raz wrote:
> > Hello
> >
> > I am trying to boot EL1 kernel in a platform based on Armv8.1.
> > I am using fvp as a hardware.
> > What I am trying to achieve is to
In preparation of refactoring the kernel mapping logic so that text regions
are never mapped writable, which would require adding explicit TLB
maintenance to new call sites of create_mapping_late() (which is currently
invoked twice from the same function), move the TLB maintenance from the
call
One important rule of thumb when designing a secure software system is
that memory should never be writable and executable at the same time.
We mostly adhere to this rule in the kernel, except at boot time, when
regions may be mapped RWX until after we are done applying alternatives
or making other
To avoid having mappings that are writable and executable at the same
time, split the init region into a .init.text region that is mapped
read-only, and a .init.data region that is mapped non-executable.
This is possible now that the alternative patching occurs via the linear
mapping, and the
Having memory that is writable and executable at the same time is a
security hazard, and so we tend to avoid those when we can. However,
at boot time, we keep .text mapped writable during the entire init
phase, and the init region itself is mapped rwx as well.
Let's improve the situation by:
-
The kvm_vgic_global_state struct contains a static key which is
written to by jump_label_init() at boot time. So in preparation of
making .text regions truly (well, almost truly) read-only, mark
kvm_vgic_global_state __ro_after_init so it moves to the .rodata
section instead.
Acked-by: Marc
> On 14 Feb 2017, at 17:40, Mark Rutland wrote:
>
>> On Tue, Feb 14, 2017 at 04:15:11PM +, Ard Biesheuvel wrote:
>>
On 14 Feb 2017, at 15:57, Mark Rutland wrote:
On Sat, Feb 11, 2017 at 08:23:05PM +, Ard Biesheuvel wrote:
On Tue, Feb 14, 2017 at 05:49:19PM +, Ard Biesheuvel wrote:
>
> > On 14 Feb 2017, at 17:40, Mark Rutland wrote:
> >
> >> On Tue, Feb 14, 2017 at 04:15:11PM +, Ard Biesheuvel wrote:
> >> Having trivial 'off' switches for security features makes me feel
> >> uneasy
> On 14 Feb 2017, at 15:57, Mark Rutland wrote:
>
>> On Sat, Feb 11, 2017 at 08:23:05PM +, Ard Biesheuvel wrote:
>> Now that alternatives patching code no longer relies on the primary
>> mapping of .text being writable, we can remove the code that removes
>> the
On Sat, Feb 11, 2017 at 08:23:06PM +, Ard Biesheuvel wrote:
> To avoid having mappings that are writable and executable at the same
> time, split the init region into a .init.text region that is mapped
> read-only, and a .init.data region that is mapped non-executable.
>
> This is possible
On Sat, Feb 11, 2017 at 08:23:05PM +, Ard Biesheuvel wrote:
> Now that alternatives patching code no longer relies on the primary
> mapping of .text being writable, we can remove the code that removes
> the writable permissions post-init time, and map it read-only from
> the outset.
>
>
On Sat, Feb 11, 2017 at 08:23:04PM +, Ard Biesheuvel wrote:
> One important rule of thumb when designing a secure software system is
> that memory should never be writable and executable at the same time.
> We mostly adhere to this rule in the kernel, except at boot time, when
> regions may be
On Sat, Feb 11, 2017 at 08:23:03PM +, Ard Biesheuvel wrote:
> In preparation of changing the way we invoke create_mapping_late() (which
> is currently invoked twice from the same function), move the TLB flushing
> it performs from the caller into create_mapping_late() itself, and change
> it