arm64: add better page protections to arm64
Add page protections for arm64 similar to those in arm. This is for security reasons to prevent certain classes of exploits. The current method: - Map all memory as either RWX or RW. We round to the nearest section to avoid creating page tables before everything is mapped - Once everything is mapped, if either end of the RWX section should not be X, we split the PMD and remap as necessary - When initmem is to be freed, we change the permissions back to RW (using stop machine if necessary to flush the TLB) - If CONFIG_DEBUG_RODATA is set, the read only sections are set read only. Acked-by:Ard Biesheuvel <ard.biesheuvel@linaro.org> Tested-by:
Kees Cook <keescook@chromium.org> Tested-by:
Laura Abbott <lauraa@codeaurora.org> Signed-off-by:
Catalin Marinas <catalin.marinas@arm.com>
Showing
- arch/arm64/Kconfig.debug 23 additions, 0 deletionsarch/arm64/Kconfig.debug
- arch/arm64/include/asm/cacheflush.h 5 additions, 0 deletionsarch/arm64/include/asm/cacheflush.h
- arch/arm64/kernel/vmlinux.lds.S 15 additions, 2 deletionsarch/arm64/kernel/vmlinux.lds.S
- arch/arm64/mm/init.c 1 addition, 0 deletionsarch/arm64/mm/init.c
- arch/arm64/mm/mm.h 2 additions, 0 deletionsarch/arm64/mm/mm.h
- arch/arm64/mm/mmu.c 187 additions, 24 deletionsarch/arm64/mm/mmu.c
Loading
Please register or sign in to comment