Message ID | 20250303050921.3033083-5-jeffxu@google.com (mailing list archive) |
---|---|
State | New |
Series | mseal system mappings | expand |
On Mon, Mar 03, 2025 at 05:09:18AM +0000, jeffxu@chromium.org wrote: > From: Jeff Xu <jeffxu@chromium.org> > > Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on arm64, covering > the vdso, vvar, and compat-mode vectors and sigpage mappings. > > Production release testing passes on Android and Chrome OS. > > Signed-off-by: Jeff Xu <jeffxu@chromium.org> LGTM so: Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> > --- > arch/arm64/Kconfig | 1 + > arch/arm64/kernel/vdso.c | 12 ++++++++---- > 2 files changed, 9 insertions(+), 4 deletions(-) > > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index 940343beb3d4..282d6cb13cfb 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -38,6 +38,7 @@ config ARM64 > select ARCH_HAS_KEEPINITRD > select ARCH_HAS_MEMBARRIER_SYNC_CORE > select ARCH_HAS_MEM_ENCRYPT > + select ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS > select ARCH_HAS_NMI_SAFE_THIS_CPU_OPS > select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE > select ARCH_HAS_NONLEAF_PMD_YOUNG if ARM64_HAFT > diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c > index e8ed8e5b713b..69d2b5ceb092 100644 > --- a/arch/arm64/kernel/vdso.c > +++ b/arch/arm64/kernel/vdso.c > @@ -198,7 +198,8 @@ static int __setup_additional_pages(enum vdso_abi abi, > } > > ret = _install_special_mapping(mm, vdso_base, VVAR_NR_PAGES * PAGE_SIZE, > - VM_READ|VM_MAYREAD|VM_PFNMAP, > + VM_READ|VM_MAYREAD|VM_PFNMAP| > + VM_SEALED_SYSMAP, > &vvar_map); > if (IS_ERR(ret)) > goto up_fail; > @@ -210,7 +211,8 @@ static int __setup_additional_pages(enum vdso_abi abi, > mm->context.vdso = (void *)vdso_base; > ret = _install_special_mapping(mm, vdso_base, vdso_text_len, > VM_READ|VM_EXEC|gp_flags| > - VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, > + VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC| > + VM_SEALED_SYSMAP, > vdso_info[abi].cm); > if (IS_ERR(ret)) > goto up_fail; 
> @@ -336,7 +338,8 @@ static int aarch32_kuser_helpers_setup(struct mm_struct *mm) > */ > ret = _install_special_mapping(mm, AARCH32_VECTORS_BASE, PAGE_SIZE, > VM_READ | VM_EXEC | > - VM_MAYREAD | VM_MAYEXEC, > + VM_MAYREAD | VM_MAYEXEC | > + VM_SEALED_SYSMAP, > &aarch32_vdso_maps[AA32_MAP_VECTORS]); > > return PTR_ERR_OR_ZERO(ret); > @@ -359,7 +362,8 @@ static int aarch32_sigreturn_setup(struct mm_struct *mm) > */ > ret = _install_special_mapping(mm, addr, PAGE_SIZE, > VM_READ | VM_EXEC | VM_MAYREAD | > - VM_MAYWRITE | VM_MAYEXEC, > + VM_MAYWRITE | VM_MAYEXEC | > + VM_SEALED_SYSMAP, > &aarch32_vdso_maps[AA32_MAP_SIGPAGE]); > if (IS_ERR(ret)) > goto out; > -- > 2.48.1.711.g2feabab25a-goog >
* jeffxu@chromium.org <jeffxu@chromium.org> [250303 00:09]: > From: Jeff Xu <jeffxu@chromium.org> > > Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on arm64, covering > the vdso, vvar, and compat-mode vectors and sigpage mappings. > > Production release testing passes on Android and Chrome OS. > > Signed-off-by: Jeff Xu <jeffxu@chromium.org> Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com> > --- > arch/arm64/Kconfig | 1 + > arch/arm64/kernel/vdso.c | 12 ++++++++---- > 2 files changed, 9 insertions(+), 4 deletions(-) > > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index 940343beb3d4..282d6cb13cfb 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -38,6 +38,7 @@ config ARM64 > select ARCH_HAS_KEEPINITRD > select ARCH_HAS_MEMBARRIER_SYNC_CORE > select ARCH_HAS_MEM_ENCRYPT > + select ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS > select ARCH_HAS_NMI_SAFE_THIS_CPU_OPS > select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE > select ARCH_HAS_NONLEAF_PMD_YOUNG if ARM64_HAFT > diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c > index e8ed8e5b713b..69d2b5ceb092 100644 > --- a/arch/arm64/kernel/vdso.c > +++ b/arch/arm64/kernel/vdso.c > @@ -198,7 +198,8 @@ static int __setup_additional_pages(enum vdso_abi abi, > } > > ret = _install_special_mapping(mm, vdso_base, VVAR_NR_PAGES * PAGE_SIZE, > - VM_READ|VM_MAYREAD|VM_PFNMAP, > + VM_READ|VM_MAYREAD|VM_PFNMAP| > + VM_SEALED_SYSMAP, > &vvar_map); > if (IS_ERR(ret)) > goto up_fail; > @@ -210,7 +211,8 @@ static int __setup_additional_pages(enum vdso_abi abi, > mm->context.vdso = (void *)vdso_base; > ret = _install_special_mapping(mm, vdso_base, vdso_text_len, > VM_READ|VM_EXEC|gp_flags| > - VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, > + VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC| > + VM_SEALED_SYSMAP, > vdso_info[abi].cm); > if (IS_ERR(ret)) > goto up_fail; 
> @@ -336,7 +338,8 @@ static int aarch32_kuser_helpers_setup(struct mm_struct *mm) > */ > ret = _install_special_mapping(mm, AARCH32_VECTORS_BASE, PAGE_SIZE, > VM_READ | VM_EXEC | > - VM_MAYREAD | VM_MAYEXEC, > + VM_MAYREAD | VM_MAYEXEC | > + VM_SEALED_SYSMAP, > &aarch32_vdso_maps[AA32_MAP_VECTORS]); > > return PTR_ERR_OR_ZERO(ret); > @@ -359,7 +362,8 @@ static int aarch32_sigreturn_setup(struct mm_struct *mm) > */ > ret = _install_special_mapping(mm, addr, PAGE_SIZE, > VM_READ | VM_EXEC | VM_MAYREAD | > - VM_MAYWRITE | VM_MAYEXEC, > + VM_MAYWRITE | VM_MAYEXEC | > + VM_SEALED_SYSMAP, > &aarch32_vdso_maps[AA32_MAP_SIGPAGE]); > if (IS_ERR(ret)) > goto out; > -- > 2.48.1.711.g2feabab25a-goog >
On Mon, Mar 03, 2025 at 05:09:18AM +0000, jeffxu@chromium.org wrote: > From: Jeff Xu <jeffxu@chromium.org> > > Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on arm64, covering > the vdso, vvar, and compat-mode vectors and sigpage mappings. > > Production release testing passes on Android and Chrome OS. > > Signed-off-by: Jeff Xu <jeffxu@chromium.org> Like x86, clean and simple. Reviewed-by: Kees Cook <kees@kernel.org>
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 940343beb3d4..282d6cb13cfb 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -38,6 +38,7 @@ config ARM64
 select ARCH_HAS_KEEPINITRD
 select ARCH_HAS_MEMBARRIER_SYNC_CORE
 select ARCH_HAS_MEM_ENCRYPT
+ select ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS
 select ARCH_HAS_NMI_SAFE_THIS_CPU_OPS
 select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
 select ARCH_HAS_NONLEAF_PMD_YOUNG if ARM64_HAFT
diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c
index e8ed8e5b713b..69d2b5ceb092 100644
--- a/arch/arm64/kernel/vdso.c
+++ b/arch/arm64/kernel/vdso.c
@@ -198,7 +198,8 @@ static int __setup_additional_pages(enum vdso_abi abi,
 }
 
 ret = _install_special_mapping(mm, vdso_base, VVAR_NR_PAGES * PAGE_SIZE,
- VM_READ|VM_MAYREAD|VM_PFNMAP,
+ VM_READ|VM_MAYREAD|VM_PFNMAP|
+ VM_SEALED_SYSMAP,
 &vvar_map);
 if (IS_ERR(ret))
 goto up_fail;
@@ -210,7 +211,8 @@ static int __setup_additional_pages(enum vdso_abi abi,
 mm->context.vdso = (void *)vdso_base;
 ret = _install_special_mapping(mm, vdso_base, vdso_text_len,
 VM_READ|VM_EXEC|gp_flags|
- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
+ VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC|
+ VM_SEALED_SYSMAP,
 vdso_info[abi].cm);
 if (IS_ERR(ret))
 goto up_fail;
@@ -336,7 +338,8 @@ static int aarch32_kuser_helpers_setup(struct mm_struct *mm)
 */
 ret = _install_special_mapping(mm, AARCH32_VECTORS_BASE, PAGE_SIZE,
 VM_READ | VM_EXEC |
- VM_MAYREAD | VM_MAYEXEC,
+ VM_MAYREAD | VM_MAYEXEC |
+ VM_SEALED_SYSMAP,
 &aarch32_vdso_maps[AA32_MAP_VECTORS]);
 
 return PTR_ERR_OR_ZERO(ret);
@@ -359,7 +362,8 @@ static int aarch32_sigreturn_setup(struct mm_struct *mm)
 */
 ret = _install_special_mapping(mm, addr, PAGE_SIZE,
 VM_READ | VM_EXEC | VM_MAYREAD |
- VM_MAYWRITE | VM_MAYEXEC,
+ VM_MAYWRITE | VM_MAYEXEC |
+ VM_SEALED_SYSMAP,
 &aarch32_vdso_maps[AA32_MAP_SIGPAGE]);
 if (IS_ERR(ret))
 goto out;
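Review bot: The new `select ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS` in the Kconfig hunk is placed between `ARCH_HAS_MEM_ENCRYPT` and `ARCH_HAS_NMI_SAFE_THIS_CPU_OPS`, which interrupts the run of `ARCH_HAS_*` entries that the visible neighbours form. It would be easier to find next to the other `ARCH_SUPPORTS_*` selects, which are presumably further down the `config ARM64` block, outside this hunk. The select is unconditional, so the opt-in applies to every arm64 configuration, compat included.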
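Review bot: None of the four `_install_special_mapping()` call sites that gain `VM_SEALED_SYSMAP` says what the flag changes for userspace: the vvar call in this hunk, the vdso text call at -210, the vectors page at -336 and the sigpage at -359. A short comment at the first site would cover all of them, for example `/* Sealed when CONFIG_MSEAL_SYSTEM_MAPPINGS=y: userspace cannot unmap, move or re-protect this mapping. */`. This matters for checkpoint/restore and sandbox tooling that relocates the vDSO, because those operations would be expected to fail on a sealed mapping. The definition of `VM_SEALED_SYSMAP` is not part of this patch, so I am assuming it is a no-op when the option is off. `__setup_additional_pages()` starts and ends outside the hunk.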
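Review bot: `VM_MAYWRITE` stays in the flags of the vdso text mapping at -210, and of the compat sigpage at -359, alongside the new `VM_SEALED_SYSMAP`. As far as I can tell, sealing covers layout and protection changes but not forced writes made by a debugger, so this patch does not make the page contents immutable. The commit message should say so, so that the change is not read as a content-integrity guarantee, e.g. `Sealing prevents unmap/remap/mprotect of these mappings; VM_MAYWRITE is unchanged.`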