Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue,  4 Dec 2018 14:17:59 +0200
From: Igor Stoppa <>
To: Andy Lutomirski <>,
	Kees Cook <>,
	Matthew Wilcox <>
	Nadav Amit <>,
	Peter Zijlstra <>,
	Dave Hansen <>,,,,
Subject: [RFC v1 PATCH 0/6] hardening: statically allocated protected memory

This patch-set is the first-cut implementation of write-rare memory
protection, as previously agreed [1]
Its purpose it to keep data write protected kernel data which is seldom
There is no read overhead, however writing requires special operations that
are probably unsitable for often-changing data.
The use is opt-in, by applying the modifier __wr_after_init to a variable

As the name implies, the write protection kicks in only after init() is
completed; before that moment, the data is modifiable in the usual way.

Current Limitations:
* supports only data which is allocated statically, at build time.
* supports only x86_64
* might not work for very large amount of data, since it relies on the
  assumption that said data can be entirely remapped, at init.

Some notes:
- even if the code is only for x86_64, it is placed in the generic
  locations, with the intention of extending it also to arm64
- the current section used for collecting wr-after-init data might need to
  be moved, to work with arm64 MMU
- the functionality is in its own c and h files, for now, to ease the
  introduction (and refactoring) of code dealing with dynamic allocation
- recently some updated patches were posted for live-patch on arm64 [2],
  they might help with adding arm64 support here
- to avoid the risk of weakening __ro_after_init, __wr_after_init data is
  in a separate set of pages, and any invocation will confirm that the
  memory affected falls within this range.
  I have modified rodata_test accordingly, to check als othis case.
- to avoid replicating the code which does the change of mapping, there is
  only one function performing multiple, selectable, operations, such as
  memcpy(), memset(). I have added also rcu_assign_pointer() as further
  example. But I'm not too fond of this implementation either. I just
  couldn't think of any that I would like significantly better.
- I have left out the patchset from Nadav that these patches depend on,
  but it can be found here [3] (Should have I resubmitted it?)
- I am not sure what is the correct form for giving proper credit wrt the
  authoring of the wr_after_init mechanism, guidance would be appreciated
- In an attempt to spam less people, I have curbed the list of recipients.
  If I have omitted someone who should have been kept/added, please
  add them to the thread.


Signed-off-by: Igor Stoppa <>

CC: Andy Lutomirski <>
CC: Nadav Amit <>
CC: Matthew Wilcox <>
CC: Peter Zijlstra <>
CC: Kees Cook <>
CC: Dave Hansen <>

Igor Stoppa (6):
	[PATCH 1/6] __wr_after_init: linker section and label
	[PATCH 2/6] __wr_after_init: write rare for static allocation
	[PATCH 3/6] rodata_test: refactor tests
	[PATCH 4/6] rodata_test: add verification for __wr_after_init
	[PATCH 5/6] __wr_after_init: test write rare functionality
	[PATCH 6/6] __wr_after_init: lkdtm test

drivers/misc/lkdtm/core.c         |   3 +
drivers/misc/lkdtm/lkdtm.h        |   3 +
drivers/misc/lkdtm/perms.c        |  29 ++++++++
include/asm-generic/ |  20 ++++++
include/linux/cache.h             |  17 +++++
include/linux/prmem.h             | 134 +++++++++++++++++++++++++++++++++++++
init/main.c                       |   2 +
mm/Kconfig                        |   4 ++
mm/Kconfig.debug                  |   9 +++
mm/Makefile                       |   2 +
mm/prmem.c                        | 124 ++++++++++++++++++++++++++++++++++
mm/rodata_test.c                  |  63 ++++++++++++------
mm/test_write_rare.c              | 135 ++++++++++++++++++++++++++++++++++++++
13 files changed, 525 insertions(+), 20 deletions(-)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.