On 2021-02-17 02:02, Miguel Ojeda wrote:
On Tue, Feb 16, 2021 at 11:22 AM Preeti Nagar <pnagar@xxxxxxxxxxxxxx>
wrote:
The changes introduce a new security feature, RunTime Integrity Check
(RTIC), designed to protect Linux Kernel at runtime. The motivation
behind these changes is:
1. The system protection offered by Security Enhancements(SE) for
Android relies on the assumption of kernel integrity. If the kernel
itself is compromised (by a perhaps as yet unknown future
vulnerability),
SE for Android security mechanisms could potentially be disabled and
rendered ineffective.
2. Qualcomm Snapdragon devices use Secure Boot, which adds
cryptographic
checks to each stage of the boot-up process, to assert the
authenticity
of all secure software images that the device executes. However, due
to
various vulnerabilities in SW modules, the integrity of the system can
be
compromised at any time after device boot-up, leading to un-authorized
SW executing.
The feature's idea is to move some sensitive kernel structures to a
separate page and monitor further any unauthorized changes to these,
from higher Exception Levels using stage 2 MMU. Moving these to a
different page will help avoid getting page faults from un-related
data.
The mechanism we have been working on removes the write permissions
for
HLOS in the stage 2 page tables for the regions to be monitored, such
that any modification attempts to these will lead to faults being
generated and handled by handlers. If the protected assets are moved
to
a separate page, faults will be generated corresponding to change
attempts
to these assets only. If not moved to a separate page, write attempts
to
un-related data present on the monitored pages will also be generated.
Using this feature, some sensitive variables of the kernel which are
initialized after init or are updated rarely can also be protected
from
simple overwrites and attacks trying to modify these.
Currently, the change moves selinux_state structure to a separate
page.
The page is 2MB aligned not 4K to avoid TLB related performance impact
as,
for some CPU core designs, the TLB does not cache 4K stage 2 (IPA to
PA)
mappings if the IPA comes from a stage 1 mapping. In future, we plan
to
move more security-related kernel assets to this page to enhance
protection.
Part of this commit message should likely be added as a new file under
Documentation/ somewhere.
Yes, that will be helpful, will put it in Documentation/security in the
next update. Thank you!
diff --git a/security/Kconfig b/security/Kconfig
index 7561f6f..1af913a 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -291,5 +291,16 @@ config LSM
source "security/Kconfig.hardening"
+config SECURITY_RTIC
+ bool "RunTime Integrity Check feature"
+ depends on ARM64
+ help
+ RTIC(RunTime Integrity Check) feature is to protect Linux
kernel
+ at runtime. This relocates some of the security sensitive
kernel
+ structures to a separate RTIC specific page.
+
+ This is to enable monitoring and protection of these kernel
assets
+ from a higher exception level(EL) against any unauthorized
changes.
Rewording suggestion:
The RTIC (RunTime Integrity Check) feature protects the kernel
at runtime by relocating some of its security-sensitive
structures
to a separate RTIC-specific page. This enables monitoring and
and protecting them from a higher exception level against
unauthorized changes.
Thanks :)
Cheers,
Miguel