From: Gaosheng Cui cuigaosheng1@huawei.com
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9K8D1
--------------------------------
KASLR randomizes the physical address at which the kernel image is loaded, and we check for and skip the memmap reserved memory when doing so. Add the config option CONFIG_UEFI_KASLR_SKIP_MEMMAP to isolate the memmap detection code.
Signed-off-by: Gaosheng Cui cuigaosheng1@huawei.com --- arch/arm64/Kconfig | 7 +++++++ arch/arm64/configs/openeuler_defconfig | 1 + arch/arm64/kernel/image-vars.h | 2 ++ arch/arm64/lib/strchr.S | 8 ++++++++ drivers/firmware/efi/libstub/arm64-stub.c | 2 ++ drivers/firmware/efi/libstub/efi-stub-helper.c | 2 ++ drivers/firmware/efi/libstub/efi-stub.c | 4 ++++ drivers/firmware/efi/libstub/efistub.h | 6 +----- drivers/firmware/efi/libstub/string.c | 2 ++ 9 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index eb7334370cfe..c014e4bd182a 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -2111,6 +2111,13 @@ config RANDOMIZE_MODULE_REGION_FULL
 a limited range that contains the [_stext, _etext] interval of the core kernel, so branch relocations are always in range.
+config UEFI_KASLR_SKIP_MEMMAP
+ bool "Skip the memmap address when randomize the kernel image"
+ depends on RANDOMIZE_BASE
+ default n
+ help
+ Skip the memmap reserved memory when randomize the kernel image.
+
 config CC_HAVE_STACKPROTECTOR_SYSREG
 def_bool $(cc-option,-mstack-protector-guard=sysreg -mstack-protector-guard-reg=sp_el0 -mstack-protector-guard-offset=0)
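Review bot: The help text for UEFI_KASLR_SKIP_MEMMAP only restates the prompt and does not say what is lost when the option is off. Judging by the other files in this patch, disabling it compiles out the `memmap` command-line handling in the EFI stub, so the randomized image placement would no longer avoid those regions; the help should say so, e.g. `When disabled, the EFI stub ignores memmap= regions while choosing the randomized load address.` The efistub.h hunk suggests this code was previously built for every arm64 kernel, so `default n` silently drops it for configs other than openeuler_defconfig; consider `default y`, or drop the line since `n` is already the Kconfig default. The code lives in the EFI stub, so a dependency such as `depends on RANDOMIZE_BASE && EFI_STUB` may be more accurate.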
diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig
index 1233ce00c72c..1c45bb8694bc 100644
--- a/arch/arm64/configs/openeuler_defconfig
+++ b/arch/arm64/configs/openeuler_defconfig
@@ -548,6 +548,7 @@ CONFIG_ARM64_PSEUDO_NMI=y
 CONFIG_RELOCATABLE=y
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
+CONFIG_UEFI_KASLR_SKIP_MEMMAP=y
 CONFIG_NOKASLR_MEM_RANGE=y
 CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y
 CONFIG_STACKPROTECTOR_PER_TASK=y
diff --git a/arch/arm64/kernel/image-vars.h b/arch/arm64/kernel/image-vars.h
index 3a68772a63fb..dd9d65840333 100644
--- a/arch/arm64/kernel/image-vars.h
+++ b/arch/arm64/kernel/image-vars.h
@@ -32,7 +32,9 @@ __efistub_strnlen = __pi_strnlen;
 __efistub_strcmp = __pi_strcmp;
 __efistub_strncmp = __pi_strncmp;
 __efistub_strrchr = __pi_strrchr;
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 __efistub_strchr = __pi_strchr;
+#endif
 __efistub___clean_dcache_area_poc = __pi___clean_dcache_area_poc;
__efistub__text = _text;
diff --git a/arch/arm64/lib/strchr.S b/arch/arm64/lib/strchr.S
index 5893ad8d4484..8ef17a69dfe6 100644
--- a/arch/arm64/lib/strchr.S
+++ b/arch/arm64/lib/strchr.S
@@ -18,7 +18,11 @@
 * Returns:
 * x0 - address of first occurrence of 'c' or 0
 */
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 SYM_FUNC_START_WEAK_PI(strchr)
+#else
+SYM_FUNC_START_WEAK(strchr)
+#endif
 and w1, w1, #0xff
 1: ldrb w2, [x0], #1
 cmp w2, w1
@@ -28,5 +32,9 @@ SYM_FUNC_START_WEAK_PI(strchr)
 cmp w2, w1
 csel x0, x0, xzr, eq
 ret
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 SYM_FUNC_END_PI(strchr)
+#else
+SYM_FUNC_END(strchr)
+#endif
 EXPORT_SYMBOL_NOKASAN(strchr)
diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c
index d6b48ad59d94..5a8704176c4c 100644
--- a/drivers/firmware/efi/libstub/arm64-stub.c
+++ b/drivers/firmware/efi/libstub/arm64-stub.c
@@ -15,6 +15,7 @@
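Review bot: The two `#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP` pairs around the strchr entry and end macros have to be kept matched by hand, and a later edit to one side only would leave `SYM_FUNC_START_WEAK` closed by `SYM_FUNC_END_PI` or the reverse. The `_PI` form was unconditional before this change (it is a context line in both strchr.S hunks), and the alias looks harmless when nothing references it, so keeping `SYM_FUNC_START_WEAK_PI(strchr)` and `SYM_FUNC_END_PI(strchr)` unconditional and gating only the `__efistub_strchr` alias in image-vars.h would be simpler. If the split is kept, a one-line comment such as `/* the __pi_ alias is only needed by the EFI stub memmap parser */` would explain why an arch string routine depends on a KASLR option.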
#include "efistub.h"
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 #define MAX_MEMMAP_REGIONS 32
struct mem_vector {
@@ -103,6 +104,7 @@ void free_avoid_memmap(void)
 efi_free(mem_avoid[i].size, mem_avoid[i].start);
 }
 }
+#endif
#ifdef CONFIG_NOKASLR_MEM_RANGE
 #define MAX_MEM_NOKASLR_REGIONS 4
diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
index dc3fbd0914f5..cbeac12e6662 100644
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -238,8 +238,10 @@ efi_status_t efi_parse_options(char const *cmdline)
 } else if (!strcmp(param, "video") && val && strstarts(val, "efifb:")) {
 efi_parse_option_graphics(val + strlen("efifb:"));
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 } else if (!strcmp(param, "memmap") && val) {
 efi_parse_option_memmap(val);
+#endif
 } else if (!strcmp(param, "pbha")) {
 efi_pbha = true;
 }
diff --git a/drivers/firmware/efi/libstub/efi-stub.c b/drivers/firmware/efi/libstub/efi-stub.c
index 96129f0fc60e..66f1f9b93b0d 100644
--- a/drivers/firmware/efi/libstub/efi-stub.c
+++ b/drivers/firmware/efi/libstub/efi-stub.c
@@ -204,7 +204,9 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
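Review bot: The `#endif` added after free_avoid_memmap() closes a conditional opened roughly ninety lines earlier and carries no label. Kernel style asks for the condition to be repeated on the closing line of any non-trivial block, so write it as `#endif /* CONFIG_UEFI_KASLR_SKIP_MEMMAP */`. The same applies to the two nested `#endif`s at the end of libstub/string.c. The guarded code itself lies outside both arm64-stub.c hunks, so it is not reviewed here.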
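Review bot: The `#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP` placed inside the `else if` chain of efi_parse_options() is only needed because the efistub.h hunk deletes the empty `static inline` stubs. Keeping an `#else` branch in efistub.h with those three stubs, for example `static inline void mem_avoid_memmap(void) { }`, would let this call and the two calls in efi_pe_entry() (both efi-stub.c hunks) stay unconditional, which is the usual kernel pattern and keeps the preprocessor out of the control flow. As written, a `memmap=` argument is silently ignored by the stub when the option is off; if that is intended it deserves a comment here. efi_parse_options() starts and ends outside the hunk.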
si = setup_graphics();
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 mem_avoid_memmap();
+#endif
status = handle_kernel_image(&image_addr, &image_size, &reserve_addr,
@@ -323,7 +325,9 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
 efi_free(image_size, image_addr);
 efi_free(reserve_size, reserve_addr);
 fail_free_screeninfo:
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 free_avoid_memmap();
+#endif
 free_screen_info(si);
 fail_free_cmdline:
 efi_bs_call(free_pool, cmdline_ptr);
diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
index ee4c57a285e7..8dfd83427d2f 100644
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -828,14 +828,10 @@ efi_status_t efi_parse_options(char const *cmdline);
void efi_parse_option_graphics(char *option);
-#ifdef CONFIG_ARM64
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 void efi_parse_option_memmap(const char *str);
 void mem_avoid_memmap(void);
 void free_avoid_memmap(void);
-#else
-static inline void efi_parse_option_memmap(const char *str) { }
-static inline void mem_avoid_memmap(void) { }
-static inline void free_avoid_memmap(void) { }
 #endif
#if defined(CONFIG_NOKASLR_MEM_RANGE) && defined(CONFIG_ARM64)
diff --git a/drivers/firmware/efi/libstub/string.c b/drivers/firmware/efi/libstub/string.c
index 006c9f0a8e0c..43cb8ed9f300 100644
--- a/drivers/firmware/efi/libstub/string.c
+++ b/drivers/firmware/efi/libstub/string.c
@@ -114,6 +114,7 @@ long simple_strtol(const char *cp, char **endp, unsigned int base)
 return simple_strtoull(cp, endp, base);
 }
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 #ifndef __HAVE_ARCH_STRCHR
 /**
 * strchr - Find the first occurrence of a character in a string
@@ -131,3 +132,4 @@ char *strchr(const char *s, int c)
 return (char *)s;
 }
 #endif
+#endif
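Review bot: Wrapping the generic strchr() fallback in `#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP` ties a shared libstub string helper to an option that this patch adds in arch/arm64/Kconfig. Any other libstub code that calls strchr() on a build without `__HAVE_ARCH_STRCHR` would then fail to link whenever the option is off; the callers are not visible from these hunks, so this needs checking. The existing `#ifndef __HAVE_ARCH_STRCHR` guard may already be enough, in which case the outer `#ifdef` and its `#endif` can be dropped.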