| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251116220508.1513445-1-daniel@thingy.jp>
Date: Mon, 17 Nov 2025 07:05:08 +0900
From: Daniel Palmer <daniel@...ngy.jp>
To: geert@...ux-m68k.org,
linux-m68k@...ts.linux-m68k.org
Cc: linux-kernel@...r.kernel.org,
Daniel Palmer <daniel@...ngy.jp>
Subject: [PATCH] m68k: Implement kernel memory protection
Every time I boot linux on my various m68k machines I see
"This architecture does not have kernel memory protection."
I wondered why this was as some of my machines even have one of
those fancy MMU doodads. I worked out it was because we don't have
CONFIG_ARCH_HAS_STRICT_KERNEL_RWX, found kernel_set_cachemode()
seemed like it had the code for setting some extra flags for
kernel pages and turned that into something that sets write
protect for kernel pages.
So now we can make CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y and
provide mark_rodata_ro() to mark the kernel text and rodata
as write protected.
The test enabled by CONFIG_DEBUG_RODATA_TEST=y says this is
working, but I've only tested on the virt machine.
Signed-off-by: Daniel Palmer <daniel@...ngy.jp>
---
arch/m68k/Kconfig | 1 +
arch/m68k/mm/init.c | 69 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 70 insertions(+)
diff --git a/arch/m68k/Kconfig b/arch/m68k/Kconfig
index 11835eb59d94..2137fd19ffbd 100644
--- a/arch/m68k/Kconfig
+++ b/arch/m68k/Kconfig
@@ -8,6 +8,7 @@ config M68K
select ARCH_HAS_CPU_FINALIZE_INIT if MMU
select ARCH_HAS_CURRENT_STACK_POINTER
select ARCH_HAS_DMA_PREP_COHERENT if M68K_NONCOHERENT_DMA && !COLDFIRE
+ select ARCH_HAS_STRICT_KERNEL_RWX if MMU
select ARCH_HAS_SYNC_DMA_FOR_DEVICE if M68K_NONCOHERENT_DMA
select ARCH_HAVE_NMI_SAFE_CMPXCHG if RMW_INSNS
select ARCH_MIGHT_HAVE_PC_PARPORT if ISA
diff --git a/arch/m68k/mm/init.c b/arch/m68k/mm/init.c
index 488411af1b3f..bc1147f25624 100644
--- a/arch/m68k/mm/init.c
+++ b/arch/m68k/mm/init.c
@@ -123,3 +123,72 @@ void __init mem_init(void)
{
init_pointer_tables();
}
+
+#ifdef CONFIG_MMU
+/*
+ * Based on (basically copy/pasted) kernel_set_cachemode() because
+ * presumably that is correct and covers the required differences.
+ */
+static void __mark_ro_data(unsigned long virtaddr, ssize_t size)
+{
+ pgd_t *pgd_dir;
+ p4d_t *p4d_dir;
+ pud_t *pud_dir;
+ pmd_t *pmd_dir;
+ pte_t *pte_dir;
+
+ while (size > 0) {
+ pgd_dir = pgd_offset_k(virtaddr);
+ p4d_dir = p4d_offset(pgd_dir, virtaddr);
+ pud_dir = pud_offset(p4d_dir, virtaddr);
+ if (pud_bad(*pud_dir)) {
+ pud_clear(pud_dir);
+ return;
+ }
+ pmd_dir = pmd_offset(pud_dir, virtaddr);
+
+#if CONFIG_PGTABLE_LEVELS == 3
+ if (CPU_IS_020_OR_030) {
+ unsigned long pmd = pmd_val(*pmd_dir);
+
+ if ((pmd & _DESCTYPE_MASK) == _PAGE_PRESENT) {
+ *pmd_dir = __pmd(pmd | _PAGE_RONLY);
+ virtaddr += PMD_SIZE;
+ size -= PMD_SIZE;
+ continue;
+ }
+ }
+#endif
+
+ if (pmd_bad(*pmd_dir)) {
+ pmd_clear(pmd_dir);
+ return;
+ }
+ pte_dir = pte_offset_kernel(pmd_dir, virtaddr);
+
+ set_pte(pte_dir, pte_wrprotect(*pte_dir));
+ virtaddr += PAGE_SIZE;
+ size -= PAGE_SIZE;
+ }
+}
+
+void mark_rodata_ro(void)
+{
+ unsigned long start;
+ unsigned long end;
+
+ /* kernel text - kernel_pg_dir lives in the first page, so skip that */
+ start = (unsigned long) _stext + PAGE_SIZE;
+ end = (unsigned long) _etext;
+ pr_info("Write protecting kernel text: 0x%lx - 0x%lx\n", start, end);
+ __mark_ro_data(start, end - start);
+
+ /* ro data */
+ start = (unsigned long) __start_rodata;
+ end = (unsigned long) __end_rodata;
+ pr_info("Write protecting kernel read-only data: 0x%lx - 0x%lx\n", start, end);
+ __mark_ro_data(start, end - start);
+
+ flush_tlb_all();
+}
+#endif
--
2.51.0
Powered by blists - more mailing lists