lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <cover.1659369873.git.baskov@ispras.ru>
Date:   Mon,  1 Aug 2022 19:38:57 +0300
From:   Evgeniy Baskov <baskov@...ras.ru>
To:     Borislav Petkov <bp@...en8.de>
Cc:     Evgeniy Baskov <baskov@...ras.ru>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Ingo Molnar <mingo@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Andy Lutomirski <luto@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>, x86@...nel.org,
        linux-kernel@...r.kernel.org,
        Alexey Khoroshilov <khoroshilov@...ras.ru>
Subject: [RFC PATCH 0/8] x86_64: Harden compressed kernel, part 1

This is the first half of changes aimed to increase security of early
boot code of compressed kernel for x86_64 by enforcing memory protection
on page table level.

It applies memory protection to the compressed kernel code executing
outside EFI environment and makes all identity mappings explicit
to reduce probability of hiding erroneous memory accesses.

Second half makes kernel more compliant PE image and enforces memory
protection for EFISTUB code, thus completing W^X support for compressed
kernel.

I'll send second half for review later.

Evgeniy Baskov (8):
  x86/boot: Align vmlinuz sections on page size
  x86/build: Remove RWX sections and align on 4KB
  x86/boot: Set cr0 to known state in trampoline
  x86/boot: Increase boot page table size
  x86/boot: Support 4KB pages for identity mapping
  x86/boot: Setup memory protection for bzImage code
  x86/boot: Map memory explicitly
  x86/boot: Remove mapping from page fault handler

 arch/x86/boot/compressed/acpi.c         |  21 ++-
 arch/x86/boot/compressed/efi.c          |  19 ++-
 arch/x86/boot/compressed/head_64.S      |   7 +-
 arch/x86/boot/compressed/ident_map_64.c | 128 ++++++++++------
 arch/x86/boot/compressed/kaslr.c        |   4 +
 arch/x86/boot/compressed/misc.c         |  52 ++++++-
 arch/x86/boot/compressed/misc.h         |  16 +-
 arch/x86/boot/compressed/pgtable.h      |  20 ---
 arch/x86/boot/compressed/pgtable_64.c   |   2 +-
 arch/x86/boot/compressed/sev.c          |   6 +-
 arch/x86/boot/compressed/vmlinux.lds.S  |   6 +
 arch/x86/include/asm/boot.h             |  26 ++--
 arch/x86/include/asm/init.h             |   1 +
 arch/x86/include/asm/shared/pgtable.h   |  29 ++++
 arch/x86/kernel/vmlinux.lds.S           |  15 +-
 arch/x86/mm/ident_map.c                 | 186 ++++++++++++++++++++----
 16 files changed, 403 insertions(+), 135 deletions(-)
 delete mode 100644 arch/x86/boot/compressed/pgtable.h
 create mode 100644 arch/x86/include/asm/shared/pgtable.h

-- 
2.35.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ