| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Oct 2022 14:13:04 +0300
From: Evgeniy Baskov <baskov@...ras.ru>
To: Ard Biesheuvel <ardb@...nel.org>
Cc: Borislav Petkov <bp@...en8.de>, Andy Lutomirski <luto@...nel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Ingo Molnar <mingo@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Thomas Gleixner <tglx@...utronix.de>,
Alexey Khoroshilov <khoroshilov@...ras.ru>,
lvc-project@...uxtesting.org, x86@...nel.org,
linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH 01/16] x86/boot: Align vmlinuz sections on page size
On 2022-10-19 10:01, Ard Biesheuvel wrote:
> On Tue, 6 Sept 2022 at 12:41, Evgeniy Baskov <baskov@...ras.ru> wrote:
>>
>> To protect sections on page table level each section
>> needs to be aligned on page size (4KB).
>>
>> Set sections alignment in linker script.
>>
>> Signed-off-by: Evgeniy Baskov <baskov@...ras.ru>
>> ---
>> arch/x86/boot/compressed/vmlinux.lds.S | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/arch/x86/boot/compressed/vmlinux.lds.S
>> b/arch/x86/boot/compressed/vmlinux.lds.S
>> index 112b2375d021..6be90f1a1198 100644
>> --- a/arch/x86/boot/compressed/vmlinux.lds.S
>> +++ b/arch/x86/boot/compressed/vmlinux.lds.S
>> @@ -27,21 +27,27 @@ SECTIONS
>> HEAD_TEXT
>> _ehead = . ;
>> }
>> + . = ALIGN(PAGE_SIZE);
>> .rodata..compressed : {
>> + _compressed = .;
>
> Why are you adding these?
It is used for address compressed kernel blob during memory protection
setup.
Although it can be addressed via different symbols, I though that
addressing
sections data in a common way (through linker generated symbols) would
be better.
I can remove or mention the change in commit message (for now I will do
the latter).
>
>> *(.rodata..compressed)
>> + _ecompressed = .;
>> }
>> + . = ALIGN(PAGE_SIZE);
>
> On other EFI architectures, we only distinguish between R-X and RW-
> regions, and alignment between .rodata and .text is unnecessary. Do we
> really need to deviate from that here?
I though that leaving a huge compressed kernel blob executable is
undesirable, so I decided to split it out. I can make it either RW- or
R-X
if it would be more acceptable.
>
>
>> .text : {
>> _text = .; /* Text */
>> *(.text)
>> *(.text.*)
>> _etext = . ;
>> }
>> + . = ALIGN(PAGE_SIZE);
>> .rodata : {
>> _rodata = . ;
>> *(.rodata) /* read-only data */
>> *(.rodata.*)
>> _erodata = . ;
>> }
>> + . = ALIGN(PAGE_SIZE);
>> .data : {
>> _data = . ;
>> *(.data)
>> --
>> 2.35.1
>>
Powered by blists - more mailing lists