mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-15 08:44:14 +08:00
mm: add DEBUG_WX support
Patch series "Extract DEBUG_WX to shared use". Some architectures support DEBUG_WX function, it's verbatim from each others, so extract to mm/Kconfig.debug for shared use. PPC and ARM ports don't support generic page dumper yet, so we only refine x86 and arm64 port in this patch series. For RISC-V port, the DEBUG_WX support depends on other patches which be merged already: - RISC-V page table dumper - Support strict kernel memory permissions for security This patch (of 4): Some architectures support DEBUG_WX function, it's verbatim from each others. Extract to mm/Kconfig.debug for shared use. [akpm@linux-foundation.org: reword text, per Will Deacon & Zong Li] Link: http://lkml.kernel.org/r/20200427194245.oxRJKj3fn%25akpm@linux-foundation.org [zong.li@sifive.com: remove the specific name of arm64] Link: http://lkml.kernel.org/r/3a6a92ecedc54e1d0fc941398e63d504c2cd5611.1589178399.git.zong.li@sifive.com [zong.li@sifive.com: add MMU dependency for DEBUG_WX] Link: http://lkml.kernel.org/r/4a674ac7863ff39ca91847b10e51209771f99416.1589178399.git.zong.li@sifive.com Suggested-by: Palmer Dabbelt <palmer@dabbelt.com> Signed-off-by: Zong Li <zong.li@sifive.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: Paul Walmsley <paul.walmsley@sifive.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will@kernel.org> Link: http://lkml.kernel.org/r/cover.1587455584.git.zong.li@sifive.com Link: http://lkml.kernel.org/r/23980cd0f0e5d79e24a92169116407c75bcc650d.1587455584.git.zong.li@sifive.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
4fb6eabf10
commit
375d315cbf
@ -118,6 +118,38 @@ config DEBUG_RODATA_TEST
|
|||||||
---help---
|
---help---
|
||||||
This option enables a testcase for the setting rodata read-only.
|
This option enables a testcase for the setting rodata read-only.
|
||||||
|
|
||||||
|
config ARCH_HAS_DEBUG_WX
|
||||||
|
bool
|
||||||
|
|
||||||
|
config DEBUG_WX
|
||||||
|
bool "Warn on W+X mappings at boot"
|
||||||
|
depends on ARCH_HAS_DEBUG_WX
|
||||||
|
depends on MMU
|
||||||
|
select PTDUMP_CORE
|
||||||
|
help
|
||||||
|
Generate a warning if any W+X mappings are found at boot.
|
||||||
|
|
||||||
|
This is useful for discovering cases where the kernel is leaving W+X
|
||||||
|
mappings after applying NX, as such mappings are a security risk.
|
||||||
|
|
||||||
|
Look for a message in dmesg output like this:
|
||||||
|
|
||||||
|
<arch>/mm: Checked W+X mappings: passed, no W+X pages found.
|
||||||
|
|
||||||
|
or like this, if the check failed:
|
||||||
|
|
||||||
|
<arch>/mm: Checked W+X mappings: failed, <N> W+X pages found.
|
||||||
|
|
||||||
|
Note that even if the check fails, your kernel is possibly
|
||||||
|
still fine, as W+X mappings are not a security hole in
|
||||||
|
themselves, what they do is that they make the exploitation
|
||||||
|
of other unfixed kernel bugs easier.
|
||||||
|
|
||||||
|
There is no runtime or memory usage effect of this option
|
||||||
|
once the kernel has booted up - it's a one time check.
|
||||||
|
|
||||||
|
If in doubt, say "Y".
|
||||||
|
|
||||||
config GENERIC_PTDUMP
|
config GENERIC_PTDUMP
|
||||||
bool
|
bool
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user