
Commit 0f5bf6d0 authored by Laura Abbott, committed by Kees Cook

arch: Rename CONFIG_DEBUG_RODATA and CONFIG_DEBUG_MODULE_RONX



Both of these options are poorly named. The features they provide are
necessary for system security and should not be considered debug only.
Change the names to CONFIG_STRICT_KERNEL_RWX and
CONFIG_STRICT_MODULE_RWX to better describe what these options do.

Signed-off-by: Laura Abbott <labbott@redhat.com>
Acked-by: Jessica Yu <jeyu@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
parent ad21fc4f
+4 −4
@@ -115,12 +115,12 @@
    </para>
    <para>
    If the architecture that you are using supports the kernel option
    CONFIG_DEBUG_RODATA, you should consider turning it off.  This
    CONFIG_STRICT_KERNEL_RWX, you should consider turning it off.  This
    option will prevent the use of software breakpoints because it
    marks certain regions of the kernel's memory space as read-only.
    If kgdb supports it for the architecture you are using, you can
    use hardware breakpoints if you desire to run with the
    CONFIG_DEBUG_RODATA option turned on, else you need to turn off
    CONFIG_STRICT_KERNEL_RWX option turned on, else you need to turn off
    this option.
    </para>
    <para>
@@ -135,7 +135,7 @@
    <para>Here is an example set of .config symbols to enable or
    disable for kgdb:
    <itemizedlist>
    <listitem><para># CONFIG_DEBUG_RODATA is not set</para></listitem>
    <listitem><para># CONFIG_STRICT_KERNEL_RWX is not set</para></listitem>
    <listitem><para>CONFIG_FRAME_POINTER=y</para></listitem>
    <listitem><para>CONFIG_KGDB=y</para></listitem>
    <listitem><para>CONFIG_KGDB_SERIAL_CONSOLE=y</para></listitem>
@@ -166,7 +166,7 @@
    </para>
    <para>Here is an example set of .config symbols to enable/disable kdb:
    <itemizedlist>
    <listitem><para># CONFIG_DEBUG_RODATA is not set</para></listitem>
    <listitem><para># CONFIG_STRICT_KERNEL_RWX is not set</para></listitem>
    <listitem><para>CONFIG_FRAME_POINTER=y</para></listitem>
    <listitem><para>CONFIG_KGDB=y</para></listitem>
    <listitem><para>CONFIG_KGDB_SERIAL_CONSOLE=y</para></listitem>
+2 −2
@@ -51,8 +51,8 @@ kernel, they are implemented in a way where the memory is temporarily
made writable during the update, and then returned to the original
permissions.)

In support of this are (the poorly named) CONFIG_DEBUG_RODATA and
CONFIG_DEBUG_SET_MODULE_RONX, which seek to make sure that code is not
In support of this are CONFIG_STRICT_KERNEL_RWX and
CONFIG_STRICT_MODULE_RWX, which seek to make sure that code is not
writable, data is not executable, and read-only data is neither writable
nor executable.

+2 −2
@@ -790,7 +790,7 @@ config ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
config ARCH_HAS_STRICT_KERNEL_RWX
	def_bool n

config DEBUG_RODATA
config STRICT_KERNEL_RWX
	bool "Make kernel text and rodata read-only" if ARCH_OPTIONAL_KERNEL_RWX
	depends on ARCH_HAS_STRICT_KERNEL_RWX
	default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
@@ -806,7 +806,7 @@ config DEBUG_RODATA
config ARCH_HAS_STRICT_MODULE_RWX
	def_bool n

config DEBUG_SET_MODULE_RONX
config STRICT_MODULE_RWX
	bool "Set loadable kernel module data as NX and text as RO" if ARCH_OPTIONAL_KERNEL_RWX
	depends on ARCH_HAS_STRICT_MODULE_RWX && MODULES
	default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
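Review bot: Renaming the symbols on the `config STRICT_KERNEL_RWX` and `config STRICT_MODULE_RWX` lines silently drops the protection from existing .config files, because `make olddefconfig` discards the now-unknown CONFIG_DEBUG_RODATA=y / CONFIG_DEBUG_SET_MODULE_RONX=y entries and falls back to the visible `default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT` expression, which evaluates to n on an architecture that selects ARCH_OPTIONAL_KERNEL_RWX without ARCH_OPTIONAL_KERNEL_RWX_DEFAULT. The in-tree defconfigs are updated in this commit, but out-of-tree configurations get no indication that a hardening option has turned itself off. Consider adding a line to each option's help text (the help blocks are outside these hunks), e.g. `This option was previously named DEBUG_RODATA; configurations carrying CONFIG_DEBUG_RODATA=y must set CONFIG_STRICT_KERNEL_RWX=y instead.`, so the old name stays greppable and the migration is explicit. The commit title also refers to CONFIG_DEBUG_MODULE_RONX, while the symbol actually renamed in the second hunk is DEBUG_SET_MODULE_RONX; the title should match.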
+2 −2
@@ -25,7 +25,6 @@ CONFIG_MODULE_UNLOAD=y
# CONFIG_ARCH_MULTI_V7 is not set
CONFIG_ARCH_ASPEED=y
CONFIG_MACH_ASPEED_G4=y
CONFIG_DEBUG_RODATA=y
CONFIG_AEABI=y
CONFIG_UACCESS_WITH_MEMCPY=y
CONFIG_SECCOMP=y
@@ -79,7 +78,8 @@ CONFIG_DEBUG_LL_UART_8250=y
CONFIG_DEBUG_UART_PHYS=0x1e784000
CONFIG_DEBUG_UART_VIRT=0xe8784000
CONFIG_EARLY_PRINTK=y
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_XZ_DEC_X86 is not set
# CONFIG_XZ_DEC_POWERPC is not set
# CONFIG_XZ_DEC_IA64 is not set
+2 −2
@@ -26,7 +26,6 @@ CONFIG_ARCH_MULTI_V6=y
# CONFIG_ARCH_MULTI_V7 is not set
CONFIG_ARCH_ASPEED=y
CONFIG_MACH_ASPEED_G5=y
CONFIG_DEBUG_RODATA=y
CONFIG_AEABI=y
CONFIG_UACCESS_WITH_MEMCPY=y
CONFIG_SECCOMP=y
@@ -81,7 +80,8 @@ CONFIG_DEBUG_LL_UART_8250=y
CONFIG_DEBUG_UART_PHYS=0x1e784000
CONFIG_DEBUG_UART_VIRT=0xe8784000
CONFIG_EARLY_PRINTK=y
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_XZ_DEC_X86 is not set
# CONFIG_XZ_DEC_POWERPC is not set
# CONFIG_XZ_DEC_IA64 is not set