lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1610096956-21347-1-git-send-email-pnagar@codeaurora.org>
Date:   Fri,  8 Jan 2021 14:39:14 +0530
From:   Preeti Nagar <pnagar@...eaurora.org>
To:     arnd@...db.de, jmorris@...ei.org, serge@...lyn.com,
        paul@...l-moore.com, stephen.smalley.work@...il.com,
        eparis@...isplace.org, linux-security-module@...r.kernel.org,
        selinux@...r.kernel.org, linux-arch@...r.kernel.org
Cc:     psodagud@...eaurora.org, nmardana@...eaurora.org,
        dsule@...eaurora.org, pnagar@...eaurora.org,
        Joe Perches <joe@...ches.com>,
        Nick Desaulniers <ndesaulniers@...ogle.com>,
        Miguel Ojeda <ojeda@...nel.org>, linux-kernel@...r.kernel.org
Subject: [RFC PATCH] selinux: ARM64: Move selinux_state to a separate page

The changes introduce a new security feature, RunTime Integrity Check
(RTIC), designed to protect Linux Kernel at runtime. The motivation
behind these changes is:
1. The system protection offered by SE for Android relies on the
assumption of kernel integrity. If the kernel itself is compromised (by
a perhaps as yet unknown future vulnerability), SE for Android security
mechanisms could potentially be disabled and rendered ineffective.
2. Qualcomm Snapdragon devices use Secure Boot, which adds cryptographic
checks to each stage of the boot-up process, to assert the authenticity
of all secure software images that the device executes.  However, due to
various vulnerabilities in SW modules, the integrity of the system can be
compromised at any time after device boot-up, leading to un-authorized
SW executing.

The feature's idea is to move some sensitive kernel structures to a
separate page and monitor further any unauthorized changes to these,
from higher Exception Levels using stage 2 MMU. Moving these to a
different page will help avoid getting page faults from un-related data.
Using this mechanism, some sensitive variables of the kernel which are
initialized after init or are updated rarely can also be protected from
simple overwrites and attacks trying to modify these.

Currently, the change moves selinux_state structure to a separate page. In
future we plan to move more security-related kernel assets to this page to
enhance protection.

We want to seek your suggestions and comments on the idea and the changes
in the patch.

Signed-off-by: Preeti Nagar <pnagar@...eaurora.org>
---
 include/asm-generic/vmlinux.lds.h | 10 ++++++++++
 include/linux/init.h              |  4 ++++
 security/Kconfig                  | 10 ++++++++++
 security/selinux/hooks.c          |  4 ++++
 4 files changed, 28 insertions(+)

diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index b2b3d81..158dbc2 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -770,6 +770,15 @@
 		*(.scommon)						\
 	}
 
+#ifdef CONFIG_SECURITY_RTIC
+#define RTIC_BSS							\
+	. = ALIGN(PAGE_SIZE);						\
+	KEEP(*(.bss.rtic))						\
+	. = ALIGN(PAGE_SIZE);
+#else
+#define RTIC_BSS
+#endif
+
 /*
  * Allow archectures to redefine BSS_FIRST_SECTIONS to add extra
  * sections to the front of bss.
@@ -782,6 +791,7 @@
 	. = ALIGN(bss_align);						\
 	.bss : AT(ADDR(.bss) - LOAD_OFFSET) {				\
 		BSS_FIRST_SECTIONS					\
+		RTIC_BSS						\
 		. = ALIGN(PAGE_SIZE);					\
 		*(.bss..page_aligned)					\
 		. = ALIGN(PAGE_SIZE);					\
diff --git a/include/linux/init.h b/include/linux/init.h
index 7b53cb3..617adcf 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -300,6 +300,10 @@ void __init parse_early_options(char *cmdline);
 /* Data marked not to be saved by software suspend */
 #define __nosavedata __section(".data..nosave")
 
+#ifdef CONFIG_SECURITY_RTIC
+#define __rticdata  __section(".bss.rtic")
+#endif
+
 #ifdef MODULE
 #define __exit_p(x) x
 #else
diff --git a/security/Kconfig b/security/Kconfig
index 7561f6f..66b61b9 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -291,5 +291,15 @@ config LSM
 
 source "security/Kconfig.hardening"
 
+config SECURITY_RTIC
+        bool "RunTime Integrity Check feature"
+        help
+	  RTIC(RunTime Integrity Check) feature is to protect Linux kernel
+	  at runtime. This relocates some of the security sensitive kernel
+	  structures to a separate page aligned special section.
+
+	  This is to enable monitoring and protection of these kernel assets
+	  from a higher exception level(EL) against any unauthorized changes.
+
 endmenu
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6b1826f..7add17c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -104,7 +104,11 @@
 #include "audit.h"
 #include "avc_ss.h"
 
+#ifdef CONFIG_SECURITY_RTIC
+struct selinux_state selinux_state __rticdata;
+#else
 struct selinux_state selinux_state;
+#endif
 
 /* SECMARK reference count */
 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ