| From: |
| Evgeniy Baskov <baskov-AT-ispras.ru> |
| To: |
| Borislav Petkov <bp-AT-alien8.de> |
| Subject: |
| [RFC PATCH 0/8] x86_64: Harden compressed kernel, part 1 |
| Date: |
| Mon, 01 Aug 2022 19:38:57 +0300 |
| Message-ID: |
| <cover.1659369873.git.baskov@ispras.ru> |
| Cc: |
| Evgeniy Baskov <baskov-AT-ispras.ru>, Dave Hansen <dave.hansen-AT-linux.intel.com>, Ingo Molnar <mingo-AT-redhat.com>, Thomas Gleixner <tglx-AT-linutronix.de>, Andy Lutomirski <luto-AT-kernel.org>, Peter Zijlstra <peterz-AT-infradead.org>, x86-AT-kernel.org, linux-kernel-AT-vger.kernel.org, Alexey Khoroshilov <khoroshilov-AT-ispras.ru> |
| Archive-link: |
| Article |
This is the first half of changes aimed to increase security of early
boot code of compressed kernel for x86_64 by enforcing memory protection
on page table level.
It applies memory protection to the compressed kernel code executing
outside EFI environment and makes all identity mappings explicit
to reduce probability of hiding erroneous memory accesses.
Second half makes kernel more compliant PE image and enforces memory
protection for EFISTUB code, thus completing W^X support for compressed
kernel.
I'll send second half for review later.
Evgeniy Baskov (8):
x86/boot: Align vmlinuz sections on page size
x86/build: Remove RWX sections and align on 4KB
x86/boot: Set cr0 to known state in trampoline
x86/boot: Increase boot page table size
x86/boot: Support 4KB pages for identity mapping
x86/boot: Setup memory protection for bzImage code
x86/boot: Map memory explicitly
x86/boot: Remove mapping from page fault handler
arch/x86/boot/compressed/acpi.c | 21 ++-
arch/x86/boot/compressed/efi.c | 19 ++-
arch/x86/boot/compressed/head_64.S | 7 +-
arch/x86/boot/compressed/ident_map_64.c | 128 ++++++++++------
arch/x86/boot/compressed/kaslr.c | 4 +
arch/x86/boot/compressed/misc.c | 52 ++++++-
arch/x86/boot/compressed/misc.h | 16 +-
arch/x86/boot/compressed/pgtable.h | 20 ---
arch/x86/boot/compressed/pgtable_64.c | 2 +-
arch/x86/boot/compressed/sev.c | 6 +-
arch/x86/boot/compressed/vmlinux.lds.S | 6 +
arch/x86/include/asm/boot.h | 26 ++--
arch/x86/include/asm/init.h | 1 +
arch/x86/include/asm/shared/pgtable.h | 29 ++++
arch/x86/kernel/vmlinux.lds.S | 15 +-
arch/x86/mm/ident_map.c | 186 ++++++++++++++++++++----
16 files changed, 403 insertions(+), 135 deletions(-)
delete mode 100644 arch/x86/boot/compressed/pgtable.h
create mode 100644 arch/x86/include/asm/shared/pgtable.h
--
2.35.1
