Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 635c0d57 authored by Laura Abbott's avatar Laura Abbott Committed by Gerrit - the friendly Code Review server
Browse files

arm64: Add CONFIG_DEBUG_SET_MODULE_RONX support 



In a similar fashion to other architecture, add the infrastructure
and Kconfig to enable DEBUG_SET_MODULE_RONX support. When
enabled, module ranges will be marked read-only/no-execute as
appropriate.

Change-Id: I0db8372bea6f0e6aba647dd2b471464d5d4bb29a
Signed-off-by: default avatarLaura Abbott <lauraa@codeaurora.org>
parent 38febb2c

arch/arm64/Kconfig.debug

+11 −0
Original line number Diff line number Diff line
@@ -23,4 +23,15 @@ config PID_IN_CONTEXTIDR 
	  instructions during context switch. Say Y here only if you are

	  planning to use hardware trace tools with this kernel.



config DEBUG_SET_MODULE_RONX

        bool "Set loadable kernel module data as NX and text as RO"

        depends on MODULES

        ---help---

          This option helps catch unintended modifications to loadable

          kernel module's text and read-only data. It also prevents execution

          of module data. Such protection may interfere with run-time code

          patching and dynamic kernel tracing - and they might also protect

          against certain classes of kernel exploits.

          If in doubt, say "N".



endmenu

arch/arm64/include/asm/cacheflush.h

+4 −0
Original line number Diff line number Diff line
@@ -164,4 +164,8 @@ static inline void flush_cache_vunmap(unsigned long start, unsigned long end) 
{

}



int set_memory_ro(unsigned long addr, int numpages);

int set_memory_rw(unsigned long addr, int numpages);

int set_memory_x(unsigned long addr, int numpages);

int set_memory_nx(unsigned long addr, int numpages);

#endif

arch/arm64/include/asm/pgtable.h

+2 −0
Original line number Diff line number Diff line
@@ -156,6 +156,8 @@ PTE_BIT_FUNC(mkdirty, |= PTE_DIRTY); 
PTE_BIT_FUNC(mkold,     &= ~PTE_AF);

PTE_BIT_FUNC(mkyoung,   |= PTE_AF);

PTE_BIT_FUNC(mkspecial, |= PTE_SPECIAL);

PTE_BIT_FUNC(mkexec,	&= ~PTE_PXN);

PTE_BIT_FUNC(mknexec,	|= PTE_PXN);



static inline void set_pte(pte_t *ptep, pte_t pte)

{

arch/arm64/mm/mmu.c

+42 −0
Original line number Diff line number Diff line
@@ -122,6 +122,48 @@ static int __init early_cachepolicy(char *p) 
}

early_param("cachepolicy", early_cachepolicy);



#define PTE_SET_FN(_name, pteop) \

static int pte_set_##_name(pte_t *ptep, pgtable_t token, unsigned long addr, \

			void *data) \

{ \

	pte_t pte = pteop(*ptep); \

\

	set_pte(ptep, pte); \

	return 0; \

} \



#define SET_MEMORY_FN(_name, callback) \

int set_memory_##_name(unsigned long addr, int numpages) \

{ \

	unsigned long start = addr; \

	unsigned long size = PAGE_SIZE*numpages; \

	unsigned long end = start + size; \

\

	if (start < MODULES_VADDR || start >= MODULES_END) \

		return -EINVAL;\

\

	if (end < MODULES_VADDR || end >= MODULES_END) \

		return -EINVAL; \

\

	apply_to_page_range(&init_mm, start, size, callback, NULL); \

	flush_tlb_kernel_range(start, end); \

	return 0;\

}



PTE_SET_FN(ro, pte_wrprotect)

PTE_SET_FN(rw, pte_mkwrite)

PTE_SET_FN(x, pte_mkexec)

PTE_SET_FN(nx, pte_mknexec)



SET_MEMORY_FN(ro, pte_set_ro)

EXPORT_SYMBOL(set_memory_ro);

SET_MEMORY_FN(rw, pte_set_rw)

EXPORT_SYMBOL(set_memory_rw);

SET_MEMORY_FN(x, pte_set_x)

EXPORT_SYMBOL(set_memory_x);

SET_MEMORY_FN(nx, pte_set_nx)

EXPORT_SYMBOL(set_memory_nx);



/*

 * Adjust the PMD section entries according to the CPU in use.

 */