On Tue, Feb 16, 2021 at 2:19 AM Preeti Nagar <pnagar@xxxxxxxxxxxxxx> wrote: > > The changes introduce a new security feature, RunTime Integrity Check > (RTIC), designed to protect Linux Kernel at runtime. The motivation > behind these changes is: > 1. The system protection offered by Security Enhancements(SE) for > Android relies on the assumption of kernel integrity. If the kernel > itself is compromised (by a perhaps as yet unknown future vulnerability), > SE for Android security mechanisms could potentially be disabled and > rendered ineffective. > 2. Qualcomm Snapdragon devices use Secure Boot, which adds cryptographic > checks to each stage of the boot-up process, to assert the authenticity > of all secure software images that the device executes. However, due to > various vulnerabilities in SW modules, the integrity of the system can be > compromised at any time after device boot-up, leading to un-authorized > SW executing. > > The feature's idea is to move some sensitive kernel structures to a > separate page and monitor further any unauthorized changes to these, > from higher Exception Levels using stage 2 MMU. Moving these to a > different page will help avoid getting page faults from un-related data. > The mechanism we have been working on removes the write permissions for > HLOS in the stage 2 page tables for the regions to be monitored, such > that any modification attempts to these will lead to faults being > generated and handled by handlers. If the protected assets are moved to > a separate page, faults will be generated corresponding to change attempts > to these assets only. If not moved to a separate page, write attempts to > un-related data present on the monitored pages will also be generated. > > Using this feature, some sensitive variables of the kernel which are > initialized after init or are updated rarely can also be protected from > simple overwrites and attacks trying to modify these. > > Currently, the change moves selinux_state structure to a separate page. > The page is 2MB aligned not 4K to avoid TLB related performance impact as, > for some CPU core designs, the TLB does not cache 4K stage 2 (IPA to PA) > mappings if the IPA comes from a stage 1 mapping. In future, we plan to > move more security-related kernel assets to this page to enhance > protection. > > Signed-off-by: Preeti Nagar <pnagar@xxxxxxxxxxxxxx> This addresses my feedback from the RFC regarding the section symbols. No comment on whether there is a better approach, or the 2MB vs page alignment, but perhaps other folks cc'ed can please take a look. Acked-by: Nick Desaulniers <ndesaulniers@xxxxxxxxxx> > --- > The RFC patch reviewed available at: > https://lore.kernel.org/linux-security-module/1610099389-28329-1-git-send-email-pnagar@xxxxxxxxxxxxxx/ > --- > include/asm-generic/vmlinux.lds.h | 10 ++++++++++ > include/linux/init.h | 6 ++++++ > security/Kconfig | 11 +++++++++++ > security/selinux/hooks.c | 2 +- > 4 files changed, 28 insertions(+), 1 deletion(-) > > diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h > index b97c628..d1a5434 100644 > --- a/include/asm-generic/vmlinux.lds.h > +++ b/include/asm-generic/vmlinux.lds.h > @@ -770,6 +770,15 @@ > *(.scommon) \ > } > > +#ifdef CONFIG_SECURITY_RTIC > +#define RTIC_BSS \ > + . = ALIGN(SZ_2M); \ > + KEEP(*(.bss.rtic)) \ > + . = ALIGN(SZ_2M); > +#else > +#define RTIC_BSS > +#endif > + > /* > * Allow archectures to redefine BSS_FIRST_SECTIONS to add extra > * sections to the front of bss. > @@ -782,6 +791,7 @@ > . = ALIGN(bss_align); \ > .bss : AT(ADDR(.bss) - LOAD_OFFSET) { \ > BSS_FIRST_SECTIONS \ > + RTIC_BSS \ > . = ALIGN(PAGE_SIZE); \ > *(.bss..page_aligned) \ > . = ALIGN(PAGE_SIZE); \ > diff --git a/include/linux/init.h b/include/linux/init.h > index e668832..e6d452a 100644 > --- a/include/linux/init.h > +++ b/include/linux/init.h > @@ -300,6 +300,12 @@ void __init parse_early_options(char *cmdline); > /* Data marked not to be saved by software suspend */ > #define __nosavedata __section(".data..nosave") > > +#ifdef CONFIG_SECURITY_RTIC > +#define __rticdata __section(".bss.rtic") > +#else > +#define __rticdata > +#endif > + > #ifdef MODULE > #define __exit_p(x) x > #else > diff --git a/security/Kconfig b/security/Kconfig > index 7561f6f..1af913a 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -291,5 +291,16 @@ config LSM > > source "security/Kconfig.hardening" > > +config SECURITY_RTIC > + bool "RunTime Integrity Check feature" > + depends on ARM64 > + help > + RTIC(RunTime Integrity Check) feature is to protect Linux kernel > + at runtime. This relocates some of the security sensitive kernel > + structures to a separate RTIC specific page. > + > + This is to enable monitoring and protection of these kernel assets > + from a higher exception level(EL) against any unauthorized changes. > + > endmenu > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 644b17e..59d7eee 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -104,7 +104,7 @@ > #include "audit.h" > #include "avc_ss.h" > > -struct selinux_state selinux_state; > +struct selinux_state selinux_state __rticdata; > > /* SECMARK reference count */ > static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); > -- > QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member > of Code Aurora Forum, hosted by The Linux Foundation > -- Thanks, ~Nick Desaulniers