diff mbox series

[v5,02/27] x86/build: Remove RWX sections and align on 4KB

Message ID	edf3afbdcd87cb6c61815068084ac6de35be15a2.1678785672.git.baskov@ispras.ru
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; From: Evgeniy Baskov <baskov@ispras.ru> To: Ard Biesheuvel <ardb@kernel.org> Cc: Evgeniy Baskov <baskov@ispras.ru>, Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>, Dave Hansen <dave.hansen@linux.intel.com>, Ingo Molnar <mingo@redhat.com>, Peter Zijlstra <peterz@infradead.org>, Thomas Gleixner <tglx@linutronix.de>, Alexey Khoroshilov <khoroshilov@ispras.ru>, Peter Jones <pjones@redhat.com>, Gerd Hoffmann <kraxel@redhat.com>, "Limonciello, Mario" <mario.limonciello@amd.com>, joeyli <jlee@suse.com>, lvc-project@linuxtesting.org, x86@kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v5 02/27] x86/build: Remove RWX sections and align on 4KB Date: Tue, 14 Mar 2023 13:13:29 +0300 Message-Id: <edf3afbdcd87cb6c61815068084ac6de35be15a2.1678785672.git.baskov@ispras.ru> In-Reply-To: <cover.1678785672.git.baskov@ispras.ru> References: <cover.1678785672.git.baskov@ispras.ru> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	x86_64: Improvements at compressed kernel stage \| [v5,00/27] x86_64: Improvements at compressed kernel stage [v5,01/27] x86/boot: Align vmlinuz sections on page size [v5,02/27] x86/build: Remove RWX sections and align on 4KB [v5,03/27] x86/boot: Set cr0 to known state in trampoline [v5,04/27] x86/boot: Increase boot page table size [v5,05/27] x86/boot: Support 4KB pages for identity mapping [v5,06/27] x86/boot: Setup memory protection for bzImage code [v5,07/27] x86/build: Check W^X of vmlinux during build [v5,08/27] x86/boot: Map memory explicitly [v5,09/27] x86/boot: Remove mapping from page fault handler [v5,10/27] efi/libstub: Move helper function to related file [v5,11/27] x86/boot: Make console interface more abstract [v5,12/27] x86/boot: Make kernel_add_identity_map() a pointer [v5,13/27] x86/boot: Split trampoline and pt init code [v5,14/27] x86/boot: Add EFI kernel extraction interface [v5,15/27] efi/x86: Support extracting kernel from libstub [v5,16/27] x86/boot: Reduce lower limit of physical KASLR [v5,17/27] x86: decompressor: Remove the 'bugger off' message [v5,18/27] tools/include: Add simplified version of pe.h [v5,19/27] x86/build: Cleanup tools/build.c [v5,20/27] efi: x86: Use private copy of struct setup_header [v5,21/27] x86/build: Add SETUP_HEADER_OFFSET constant [v5,22/27] x86/build: set type_of_loader for EFISTUB [v5,23/27] efi/libstub: Don't set ramdisk_image/ramdisk_size [v5,24/27] x86/build: Make generated PE more spec compliant [v5,25/27] efi/libstub: Use memory attribute protocol [v5,26/27] efi/libstub: make memory protection warnings include newlines. [v5,27/27] efi/x86: don't try to set page attributes on 0-sized regions.

Commit Message

Evgeniy Baskov March 14, 2023, 10:13 a.m. UTC

  Avoid creating sections simultaneously writable and readable to prepare
for W^X implementation for the kernel itself (not the decompressor).
Align kernel sections on page size (4KB) to allow protecting them in the
page tables.

Split init code form ".init" segment into separate R_X ".inittext"
segment and make ".init" segment non-executable.

Also add these segments to x86_32 architecture for consistency.
Currently paging is disabled in x86_32 in compressed kernel, so
protection is not applied anyways, but .init code was incorrectly
placed in non-executable ".data" segment. This should not change
anything meaningful in memory layout now, but might be required in case
memory protection will also be implemented in compressed kernel for
x86_32.

Tested-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Evgeniy Baskov <baskov@ispras.ru>
---
 arch/x86/kernel/vmlinux.lds.S | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

Comments

Borislav Petkov April 5, 2023, 5:40 p.m. UTC | #1

On Tue, Mar 14, 2023 at 01:13:29PM +0300, Evgeniy Baskov wrote:
> Avoid creating sections simultaneously writable and readable to prepare
> for W^X implementation for the kernel itself (not the decompressor).
> Align kernel sections on page size (4KB) to allow protecting them in the
> page tables.
> 
> Split init code form ".init" segment into separate R_X ".inittext"

s/form/from/

> segment and make ".init" segment non-executable.

"... and make the .init segment RW_."

> Also add these segments to x86_32 architecture for consistency.

Same comment as before: please refrain from talking about the *what* in
a commit message but about the *why*.

And considering the matter, you have a *lot* of *why* to talk about. :-)

Pls check your whole set.

> Currently paging is disabled in x86_32 in compressed kernel, so
> protection is not applied anyways, but .init code was incorrectly
> placed in non-executable ".data" segment. This should not change
> anything meaningful in memory layout now, but might be required in case
> memory protection will also be implemented in compressed kernel for
> x86_32.

I highly doubt that - no one cares about 32-bit x86 anymore.

> @@ -226,9 +225,10 @@ SECTIONS
>  #endif
>  
>  	INIT_TEXT_SECTION(PAGE_SIZE)
> -#ifdef CONFIG_X86_64
> -	:init
> -#endif
> +	:inittext
> +
> +	. = ALIGN(PAGE_SIZE);
> +
>  
>  	/*
>  	 * Section for code used exclusively before alternatives are run. All
> @@ -240,6 +240,7 @@ SECTIONS
>  	.altinstr_aux : AT(ADDR(.altinstr_aux) - LOAD_OFFSET) {
>  		*(.altinstr_aux)
>  	}
> +	:init

Why isn't this placed after inittext but here?

I'm thinking you wanna have:

	:inittext
	. = ALIGN..
	:init
	<rest>

Thx.

Gerd Hoffmann April 6, 2023, 11:42 a.m. UTC | #2

Hi,

> > Currently paging is disabled in x86_32 in compressed kernel, so
> > protection is not applied anyways, but .init code was incorrectly
> > placed in non-executable ".data" segment. This should not change
> > anything meaningful in memory layout now, but might be required in case
> > memory protection will also be implemented in compressed kernel for
> > x86_32.
> 
> I highly doubt that - no one cares about 32-bit x86 anymore.

Indeed.  ia32 edk2 runs without paging even in latest tianocore/edk2,
and I don't expect that to change until ia32 support gets removed.

take care,
  Gerd

Evgeniy Baskov April 8, 2023, 3:05 p.m. UTC | #3

On 2023-04-05 20:40, Borislav Petkov wrote:
> On Tue, Mar 14, 2023 at 01:13:29PM +0300, Evgeniy Baskov wrote:
>> Avoid creating sections simultaneously writable and readable to 
>> prepare
>> for W^X implementation for the kernel itself (not the decompressor).
>> Align kernel sections on page size (4KB) to allow protecting them in 
>> the
>> page tables.
>> 
>> Split init code form ".init" segment into separate R_X ".inittext"
> 
> s/form/from/

Thanks!

> 
>> segment and make ".init" segment non-executable.
> 
> "... and make the .init segment RW_."

Will fix.

> 
>> Also add these segments to x86_32 architecture for consistency.
> 
> Same comment as before: please refrain from talking about the *what* in
> a commit message but about the *why*.
> 
> And considering the matter, you have a *lot* of *why* to talk about. 
> :-)
> 
> Pls check your whole set.

I'll try do make descriptions of patches more elaborate and to better
reflect the reasoning behind the changes before resubmitting, thanks.

> 
>> Currently paging is disabled in x86_32 in compressed kernel, so
>> protection is not applied anyways, but .init code was incorrectly
>> placed in non-executable ".data" segment. This should not change
>> anything meaningful in memory layout now, but might be required in 
>> case
>> memory protection will also be implemented in compressed kernel for
>> x86_32.
> 
> I highly doubt that - no one cares about 32-bit x86 anymore.
> 

True, but in theory it's still possible and also the change
makes things more correct.

>> @@ -226,9 +225,10 @@ SECTIONS
>>  #endif
>> 
>>  	INIT_TEXT_SECTION(PAGE_SIZE)
>> -#ifdef CONFIG_X86_64
>> -	:init
>> -#endif
>> +	:inittext
>> +
>> +	. = ALIGN(PAGE_SIZE);
>> +
>> 
>>  	/*
>>  	 * Section for code used exclusively before alternatives are run. 
>> All
>> @@ -240,6 +240,7 @@ SECTIONS
>>  	.altinstr_aux : AT(ADDR(.altinstr_aux) - LOAD_OFFSET) {
>>  		*(.altinstr_aux)
>>  	}
>> +	:init
> 
> Why isn't this placed after inittext but here?

Because, AFAIK, :init is a part of a section syntax so it must
come after the brace, at least according to the documentation:

https://sourceware.org/binutils/docs/ld/PHDRS.html

> 
> I'm thinking you wanna have:
> 
> 	:inittext
> 	. = ALIGN..
> 	:init
> 	<rest>
> 
> Thx.

diff mbox series

Patch

diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index 25f155205770..81ea1236d293 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -102,12 +102,11 @@  jiffies = jiffies_64;
 PHDRS {
 	text PT_LOAD FLAGS(5);          /* R_E */
 	data PT_LOAD FLAGS(6);          /* RW_ */
-#ifdef CONFIG_X86_64
-#ifdef CONFIG_SMP
+#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
 	percpu PT_LOAD FLAGS(6);        /* RW_ */
 #endif
-	init PT_LOAD FLAGS(7);          /* RWE */
-#endif
+	inittext PT_LOAD FLAGS(5);      /* R_E */
+	init PT_LOAD FLAGS(6);          /* RW_ */
 	note PT_NOTE FLAGS(0);          /* ___ */
 }
 
@@ -226,9 +225,10 @@  SECTIONS
 #endif
 
 	INIT_TEXT_SECTION(PAGE_SIZE)
-#ifdef CONFIG_X86_64
-	:init
-#endif
+	:inittext
+
+	. = ALIGN(PAGE_SIZE);
+
 
 	/*
 	 * Section for code used exclusively before alternatives are run. All
@@ -240,6 +240,7 @@  SECTIONS
 	.altinstr_aux : AT(ADDR(.altinstr_aux) - LOAD_OFFSET) {
 		*(.altinstr_aux)
 	}
+	:init
 
 	INIT_DATA_SECTION(16)