40982fd6b9
Follow the example set by x86 in commit 9ccaf77cf0
("x86/mm:
Always enable CONFIG_DEBUG_RODATA and remove the Kconfig option"), and
make these protections a fundamental security feature rather than an
opt-in. This also results in a minor code simplification.
For those rare cases when users wish to disable this protection (e.g.
for debugging), this can be done by passing 'rodata=off' on the command
line.
As DEBUG_RODATA_ALIGN is only intended to address a performance/memory
tradeoff, and does not affect correctness, this is left user-selectable.
DEBUG_MODULE_RONX is also left user-selectable until the core code
provides a boot-time option to disable the protection for debugging
use-cases.
Cc: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
67 lines
2.4 KiB
Text
67 lines
2.4 KiB
Text
menu "Kernel hacking"
|
|
|
|
source "lib/Kconfig.debug"
|
|
|
|
config ARM64_PTDUMP
|
|
bool "Export kernel pagetable layout to userspace via debugfs"
|
|
depends on DEBUG_KERNEL
|
|
select DEBUG_FS
|
|
help
|
|
Say Y here if you want to show the kernel pagetable layout in a
|
|
debugfs file. This information is only useful for kernel developers
|
|
who are working in architecture specific areas of the kernel.
|
|
It is probably not a good idea to enable this feature in a production
|
|
kernel.
|
|
|
|
If in doubt, say N.
|
|
|
|
config PID_IN_CONTEXTIDR
|
|
bool "Write the current PID to the CONTEXTIDR register"
|
|
help
|
|
Enabling this option causes the kernel to write the current PID to
|
|
the CONTEXTIDR register, at the expense of some additional
|
|
instructions during context switch. Say Y here only if you are
|
|
planning to use hardware trace tools with this kernel.
|
|
|
|
config ARM64_RANDOMIZE_TEXT_OFFSET
|
|
bool "Randomize TEXT_OFFSET at build time"
|
|
help
|
|
Say Y here if you want the image load offset (AKA TEXT_OFFSET)
|
|
of the kernel to be randomized at build-time. When selected,
|
|
this option will cause TEXT_OFFSET to be randomized upon any
|
|
build of the kernel, and the offset will be reflected in the
|
|
text_offset field of the resulting Image. This can be used to
|
|
fuzz-test bootloaders which respect text_offset.
|
|
|
|
This option is intended for bootloader and/or kernel testing
|
|
only. Bootloaders must make no assumptions regarding the value
|
|
of TEXT_OFFSET and platforms must not require a specific
|
|
value.
|
|
|
|
config DEBUG_SET_MODULE_RONX
|
|
bool "Set loadable kernel module data as NX and text as RO"
|
|
depends on MODULES
|
|
default y
|
|
help
|
|
Is this is set, kernel module text and rodata will be made read-only.
|
|
This is to help catch accidental or malicious attempts to change the
|
|
kernel's executable code.
|
|
|
|
If in doubt, say Y.
|
|
|
|
config DEBUG_ALIGN_RODATA
|
|
depends on DEBUG_RODATA
|
|
bool "Align linker sections up to SECTION_SIZE"
|
|
help
|
|
If this option is enabled, sections that may potentially be marked as
|
|
read only or non-executable will be aligned up to the section size of
|
|
the kernel. This prevents sections from being split into pages and
|
|
avoids a potential TLB penalty. The downside is an increase in
|
|
alignment and potentially wasted space. Turn on this option if
|
|
performance is more important than memory pressure.
|
|
|
|
If in doubt, say N.
|
|
|
|
source "drivers/hwtracing/coresight/Kconfig"
|
|
|
|
endmenu
|