Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Feb 2017 17:08:20 -0800
From: Kees Cook <keescook@...omium.org>
To: Pavel Machek <pavel@....cz>
Cc: Laura Abbott <labbott@...hat.com>, Mark Rutland <mark.rutland@....com>, 
	"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>, Catalin Marinas <catalin.marinas@....com>, 
	Heiko Carstens <heiko.carstens@...ibm.com>, "James E.J. Bottomley" <jejb@...isc-linux.org>, 
	"H. Peter Anvin" <hpa@...or.com>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Rob Herring <robh@...nel.org>, 
	Jessica Yu <jeyu@...hat.com>, Jonathan Corbet <corbet@....net>, Helge Deller <deller@....de>, 
	"x86@...nel.org" <x86@...nel.org>, Russell King <linux@...linux.org.uk>, Ingo Molnar <mingo@...hat.com>, 
	Len Brown <len.brown@...el.com>, 
	"linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>, Will Deacon <will.deacon@....com>, 
	Thomas Gleixner <tglx@...utronix.de>, 
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, 
	linux-parisc <linux-parisc@...r.kernel.org>, Linux PM list <linux-pm@...r.kernel.org>, 
	"Rafael J. Wysocki" <rjw@...ysocki.net>, LKML <linux-kernel@...r.kernel.org>, 
	Jason Wessel <jason.wessel@...driver.com>, Martin Schwidefsky <schwidefsky@...ibm.com>, 
	Robin Murphy <robin.murphy@....com>
Subject: Re: [PATCHv3 2/2] arch: Rename CONFIG_DEBUG_RODATA and CONFIG_DEBUG_MODULE_RONX

On Thu, Feb 16, 2017 at 2:25 PM, Pavel Machek <pavel@....cz> wrote:
> Hi!
>
>>
>> -config DEBUG_RODATA
>> +config STRICT_KERNEL_RWX
>>       bool "Make kernel text and rodata read-only" if ARCH_OPTIONAL_KERNEL_RWX
>>       depends on ARCH_HAS_STRICT_KERNEL_RWX
>>       default !ARCH_OPTIONAL_KERNEL_RWX ||
>
> Debug features are expected to have runtime cost, so kconfig help is
> silent about those. But there are runtime costs, right? It would be
> nice to mention them in the help text...

It depends on the architecture. The prior help text for arm said:

         The tradeoff is that each region is padded to section-size (1MiB)
         boundaries (because their permissions are different and splitting
         the 1M pages into 4K ones causes TLB performance problems), which
         can waste memory.

parisc (somewhat inaccurately) said:

         This option may have a slight performance impact because a
         portion of the kernel code won't be covered by a TLB anymore.

IIUC, arm64 does what parisc is hinting at: mappings at the end are
broken down to PAGE_SIZE. On x86, IIUC, there's actually no change to
TLB performance due to how the mappings are already set up.

I'm not sure the best way to express this in the new help text. Do you
have some suggestions on wording? Personally, I don't really think
it's worth mentioning this in Kconfig help, which, in theory, is
supposed to limit how technical it gets. And I think the performance
impact is almost entirely negligible compared to the risks addressed.

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.