forked from luck/tmp_suning_uos_patched
84e1c6bb38
This patch is a logical extension of the protection provided by CONFIG_DEBUG_RODATA to LKMs. The protection is provided by splitting module_core and module_init into three logical parts each and setting appropriate page access permissions for each individual section:

1. Code: RO+X
2. RO data: RO+NX
3. RW data: RW+NX

In order to achieve proper protection, layout_sections() has been modified to align each of the three parts mentioned above onto page boundary. Next, the corresponding page access permissions are set right before successful exit from load_module(). Further, free_module() and sys_init_module have been modified to set module_core and module_init as RW+NX right before calling module_free().

By default, the original section layout and access flags are preserved. When compiled with CONFIG_DEBUG_SET_MODULE_RONX=y, the patch will page-align each group of sections to ensure that each page contains only one type of content and will enforce RO/NX for each group of pages.

-v1: Initial proof-of-concept patch.
-v2: The patch has been re-written to reduce the number of #ifdefs and to make it architecture-agnostic. Code formatting has also been corrected.
-v3: Opportunistic RO/NX protection is now unconditional. Section page-alignment is enabled when CONFIG_DEBUG_RODATA=y.
-v4: Removed most macros and improved coding style.
-v5: Changed page-alignment and RO/NX section size calculation
-v6: Fixed comments. Restricted RO/NX enforcement to x86 only
-v7: Introduced CONFIG_DEBUG_SET_MODULE_RONX, added calls to set_all_modules_text_rw() and set_all_modules_text_ro() in ftrace
-v8: updated for compatibility with linux 2.6.33-rc5
-v9: coding style fixes
-v10: more coding style fixes
-v11: minor adjustments for -tip
-v12: minor adjustments for v2.6.35-rc2-tip
-v13: minor adjustments for v2.6.37-rc1-tip

Signed-off-by: Siarhei Liakh <sliakh.lkml@gmail.com>
Signed-off-by: Xuxian Jiang <jiang@cs.ncsu.edu>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Reviewed-by: James Morris <jmorris@namei.org>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Dave Jones <davej@redhat.com>
Cc: Kees Cook <kees.cook@canonical.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
LKML-Reference: <4CE2F914.9070106@free.fr>
[ minor cleanliness edits, -v14: build failure fix ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
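The layout rule the commit message describes, modelled in user space as an added example (not code from the patch): sections are grouped as code, RO data and RW data, and padding each group to a page boundary is what lets every page take exactly one of the three permission sets. The section names and sizes are constructed, per-section alignment is ignored, and the struct, field and function names are illustrative assumptions.

```c
#include <stdio.h>
#define PAGE_SIZE 4096UL
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))

enum kind { K_TEXT, K_RODATA, K_RWDATA };   /* code, RO data, RW data */
struct section { const char *name; enum kind kind; size_t size, offset; };
/* Illustrative names: [0,text) is RO+X, [text,ro) is RO+NX, [ro,total) is RW+NX. */
struct layout { size_t text_size, ro_size, total_size; };

/* Constructed sample module; the sizes are made up. */
static struct section demo[] = {
    { ".text", K_TEXT, 0x1a40, 0 },  { ".rodata", K_RODATA, 0x300, 0 },
    { ".data", K_RWDATA, 0x120, 0 }, { ".bss", K_RWDATA, 0x80, 0 },
};

/* Lay sections out group by group; optionally pad each group to a page boundary. */
static struct layout layout_groups(struct section *s, size_t n, int page_align)
{
    size_t off = 0, end[3];
    for (int k = K_TEXT; k <= K_RWDATA; k++) {
        for (size_t i = 0; i < n; i++)
            if ((int)s[i].kind == k) { s[i].offset = off; off += s[i].size; }
        end[k] = off = page_align ? PAGE_ALIGN(off) : off;
    }
    return (struct layout){ end[K_TEXT], end[K_RODATA], end[K_RWDATA] };
}

/* Pages holding more than one kind of content cannot take a single permission set. */
static int mixed_pages(const struct section *s, size_t n, size_t total)
{
    int mixed = 0;
    for (size_t pg = 0; pg < total; pg += PAGE_SIZE) {
        unsigned seen = 0;
        for (size_t i = 0; i < n; i++)
            if (s[i].offset < pg + PAGE_SIZE && s[i].offset + s[i].size > pg)
                seen |= 1u << s[i].kind;
        mixed += (seen & (seen - 1)) != 0;   /* more than one bit set */
    }
    return mixed;
}

int main(void)
{
    for (int align = 0; align <= 1; align++) {
        struct layout l = layout_groups(demo, 4, align);
        printf("align=%d text=%zu ro=%zu total=%zu mixed_pages=%d\n", align,
               l.text_size, l.ro_size, l.total_size, mixed_pages(demo, 4, l.total_size));
    }
    return 0;
}
```

With the packed layout the second page holds code, RO data and RW data at once, so no single permission set fits it; the page-aligned layout costs padding but leaves no mixed page.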
308 lines
9.3 KiB
Plaintext
menu "Kernel hacking"

config TRACE_IRQFLAGS_SUPPORT
	def_bool y

source "lib/Kconfig.debug"

config STRICT_DEVMEM
	bool "Filter access to /dev/mem"
	---help---
	  If this option is disabled, you allow userspace (root) access to all
	  of memory, including kernel and userspace memory. Accidental
	  access to this is obviously disastrous, but specific access can
	  be used by people debugging the kernel. Note that with PAT support
	  enabled, even in this case there are restrictions on /dev/mem
	  use due to the cache aliasing requirements.

	  If this option is switched on, the /dev/mem file only allows
	  userspace access to PCI space and the BIOS code and data regions.
	  This is sufficient for dosemu and X and all common users of
	  /dev/mem.

	  If in doubt, say Y.

config X86_VERBOSE_BOOTUP
	bool "Enable verbose x86 bootup info messages"
	default y
	---help---
	  Enables the informational output from the decompression stage
	  (e.g. bzImage) of the boot. If you disable this you will still
	  see errors. Disable this if you want silent bootup.

config EARLY_PRINTK
	bool "Early printk" if EMBEDDED
	default y
	---help---
	  Write kernel log output directly into the VGA buffer or to a serial
	  port.

	  This is useful for kernel debugging when your machine crashes very
	  early before the console code is initialized. For normal operation
	  it is not recommended because it looks ugly and doesn't cooperate
	  with klogd/syslogd or the X server. You should normally N here,
	  unless you want to debug such a crash.

config EARLY_PRINTK_MRST
	bool "Early printk for MRST platform support"
	depends on EARLY_PRINTK && X86_MRST

config EARLY_PRINTK_DBGP
	bool "Early printk via EHCI debug port"
	depends on EARLY_PRINTK && PCI
	---help---
	  Write kernel log output directly into the EHCI debug port.

	  This is useful for kernel debugging when your machine crashes very
	  early before the console code is initialized. For normal operation
	  it is not recommended because it looks ugly and doesn't cooperate
	  with klogd/syslogd or the X server. You should normally N here,
	  unless you want to debug such a crash. You need usb debug device.

config DEBUG_STACKOVERFLOW
	bool "Check for stack overflows"
	depends on DEBUG_KERNEL
	---help---
	  This option will cause messages to be printed if free stack space
	  drops below a certain limit.

config DEBUG_STACK_USAGE
	bool "Stack utilization instrumentation"
	depends on DEBUG_KERNEL
	---help---
	  Enables the display of the minimum amount of free stack which each
	  task has ever had available in the sysrq-T and sysrq-P debug output.

	  This option will slow down process creation somewhat.

config DEBUG_PER_CPU_MAPS
	bool "Debug access to per_cpu maps"
	depends on DEBUG_KERNEL
	depends on SMP
	---help---
	  Say Y to verify that the per_cpu map being accessed has
	  been setup. Adds a fair amount of code to kernel memory
	  and decreases performance.

	  Say N if unsure.

config X86_PTDUMP
	bool "Export kernel pagetable layout to userspace via debugfs"
	depends on DEBUG_KERNEL
	select DEBUG_FS
	---help---
	  Say Y here if you want to show the kernel pagetable layout in a
	  debugfs file. This information is only useful for kernel developers
	  who are working in architecture specific areas of the kernel.
	  It is probably not a good idea to enable this feature in a production
	  kernel.
	  If in doubt, say "N"

config DEBUG_RODATA
	bool "Write protect kernel read-only data structures"
	default y
	depends on DEBUG_KERNEL
	---help---
	  Mark the kernel read-only data as write-protected in the pagetables,
	  in order to catch accidental (and incorrect) writes to such const
	  data. This is recommended so that we can catch kernel bugs sooner.
	  If in doubt, say "Y".

config DEBUG_RODATA_TEST
	bool "Testcase for the DEBUG_RODATA feature"
	depends on DEBUG_RODATA
	default y
	---help---
	  This option enables a testcase for the DEBUG_RODATA
	  feature as well as for the change_page_attr() infrastructure.
	  If in doubt, say "N"

config DEBUG_SET_MODULE_RONX
	bool "Set loadable kernel module data as NX and text as RO"
	depends on MODULES
	---help---
	  This option helps catch unintended modifications to loadable
	  kernel module's text and read-only data. It also prevents execution
	  of module data. Such protection may interfere with run-time code
	  patching and dynamic kernel tracing - and they might also protect
	  against certain classes of kernel exploits.
	  If in doubt, say "N".

config DEBUG_NX_TEST
	tristate "Testcase for the NX non-executable stack feature"
	depends on DEBUG_KERNEL && m
	---help---
	  This option enables a testcase for the CPU NX capability
	  and the software setup of this feature.
	  If in doubt, say "N"

config DOUBLEFAULT
	default y
	bool "Enable doublefault exception handler" if EMBEDDED
	depends on X86_32
	---help---
	  This option allows trapping of rare doublefault exceptions that
	  would otherwise cause a system to silently reboot. Disabling this
	  option saves about 4k and might cause you much additional grey
	  hair.

config IOMMU_DEBUG
	bool "Enable IOMMU debugging"
	depends on GART_IOMMU && DEBUG_KERNEL
	depends on X86_64
	---help---
	  Force the IOMMU to on even when you have less than 4GB of
	  memory and add debugging code. On overflow always panic. And
	  allow to enable IOMMU leak tracing. Can be disabled at boot
	  time with iommu=noforce. This will also enable scatter gather
	  list merging. Currently not recommended for production
	  code. When you use it make sure you have a big enough
	  IOMMU/AGP aperture. Most of the options enabled by this can
	  be set more finegrained using the iommu= command line
	  options. See Documentation/x86_64/boot-options.txt for more
	  details.

config IOMMU_STRESS
	bool "Enable IOMMU stress-test mode"
	---help---
	  This option disables various optimizations in IOMMU related
	  code to do real stress testing of the IOMMU code. This option
	  will cause a performance drop and should only be enabled for
	  testing.

config IOMMU_LEAK
	bool "IOMMU leak tracing"
	depends on IOMMU_DEBUG && DMA_API_DEBUG
	---help---
	  Add a simple leak tracer to the IOMMU code. This is useful when you
	  are debugging a buggy device driver that leaks IOMMU mappings.

config HAVE_MMIOTRACE_SUPPORT
	def_bool y

config X86_DECODER_SELFTEST
	bool "x86 instruction decoder selftest"
	depends on DEBUG_KERNEL && KPROBES
	---help---
	  Perform x86 instruction decoder selftests at build time.
	  This option is useful for checking the sanity of x86 instruction
	  decoder code.
	  If unsure, say "N".

#
# IO delay types:
#

config IO_DELAY_TYPE_0X80
	int
	default "0"

config IO_DELAY_TYPE_0XED
	int
	default "1"

config IO_DELAY_TYPE_UDELAY
	int
	default "2"

config IO_DELAY_TYPE_NONE
	int
	default "3"

choice
	prompt "IO delay type"
	default IO_DELAY_0X80

config IO_DELAY_0X80
	bool "port 0x80 based port-IO delay [recommended]"
	---help---
	  This is the traditional Linux IO delay used for in/out_p.
	  It is the most tested hence safest selection here.

config IO_DELAY_0XED
	bool "port 0xed based port-IO delay"
	---help---
	  Use port 0xed as the IO delay. This frees up port 0x80 which is
	  often used as a hardware-debug port.

config IO_DELAY_UDELAY
	bool "udelay based port-IO delay"
	---help---
	  Use udelay(2) as the IO delay method. This provides the delay
	  while not having any side-effect on the IO port space.

config IO_DELAY_NONE
	bool "no port-IO delay"
	---help---
	  No port-IO delay. Will break on old boxes that require port-IO
	  delay for certain operations. Should work on most new machines.

endchoice

if IO_DELAY_0X80
config DEFAULT_IO_DELAY_TYPE
	int
	default IO_DELAY_TYPE_0X80
endif

if IO_DELAY_0XED
config DEFAULT_IO_DELAY_TYPE
	int
	default IO_DELAY_TYPE_0XED
endif

if IO_DELAY_UDELAY
config DEFAULT_IO_DELAY_TYPE
	int
	default IO_DELAY_TYPE_UDELAY
endif

if IO_DELAY_NONE
config DEFAULT_IO_DELAY_TYPE
	int
	default IO_DELAY_TYPE_NONE
endif

config DEBUG_BOOT_PARAMS
	bool "Debug boot parameters"
	depends on DEBUG_KERNEL
	depends on DEBUG_FS
	---help---
	  This option will cause struct boot_params to be exported via debugfs.

config CPA_DEBUG
	bool "CPA self-test code"
	depends on DEBUG_KERNEL
	---help---
	  Do change_page_attr() self-tests every 30 seconds.

config OPTIMIZE_INLINING
	bool "Allow gcc to uninline functions marked 'inline'"
	---help---
	  This option determines if the kernel forces gcc to inline the functions
	  developers have marked 'inline'. Doing so takes away freedom from gcc to
	  do what it thinks is best, which is desirable for the gcc 3.x series of
	  compilers. The gcc 4.x series have a rewritten inlining algorithm and
	  enabling this option will generate a smaller kernel there. Hopefully
	  this algorithm is so good that allowing gcc 4.x and above to make the
	  decision will become the default in the future. Until then this option
	  is there to test gcc for this.

	  If unsure, say N.

config DEBUG_STRICT_USER_COPY_CHECKS
	bool "Strict copy size checks"
	depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING
	---help---
	  Enabling this option turns a certain set of sanity checks for user
	  copy operations into compile time failures.

	  The copy_from_user() etc checks are there to help test if there
	  are sufficient security checks on the length argument of
	  the copy operation, by having gcc prove that the argument is
	  within bounds.

	  If unsure, or if you run an older (pre 4.4) gcc, say N.

endmenu