Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 22 Jan 2016 10:19:54 -0700
From: David Brown <david.brown@...aro.org>
To: kernel-hardening@...ts.openwall.com
Cc: Ingo Molnar <mingo@...hat.com>, Kees Cook <keescook@...omium.org>,
	Andy Lutomirski <luto@...capital.net>,
	"H. Peter Anvin" <hpa@...or.com>,
	Michael Ellerman <mpe@...erman.id.au>,
	Mathias Krause <minipli@...glemail.com>,
	Thomas Gleixner <tglx@...utronix.de>, x86@...nel.org,
	Arnd Bergmann <arnd@...db.de>, PaX Team <pageexec@...email.hu>,
	Emese Revfy <re.emese@...il.com>, linux-kernel@...r.kernel.org,
	linux-arch <linux-arch@...r.kernel.org>,
	Laura Abbott <lauraa@...eaurora.org>
Subject: Re: [PATCH v4 0/8] introduce post-init read-only
 memory

On Tue, Jan 19, 2016 at 10:08:34AM -0800, Kees Cook wrote:

>This introduces __ro_after_init as a way to mark such memory, and uses
>it on the x86 vDSO to kill an extant kernel exploitation method. Also
>adds a new kernel parameter to help debug future use and adds an lkdtm
>test to check the results.

I've tested these patches on 32-bit ARM using the provoke-crashes
test.  However, they do require CONFIG_ARM_KERNMEM_PERMS to be enabled
as well, which does incur additional memory usage.

Do we want to consider making CONFIG_ARM_KERNMEM_PERMS default y for
security reasons, and just document that memory-constrained systems
may want to turn it off?

I'll test the arm64 next.

David

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.