forked from Minki/linux
e1a58320a3
Warn on any residual W+X mappings after setting NX if DEBUG_WX is enabled. Introduce a separate X86_PTDUMP_CORE config that enables the code for dumping the page tables without enabling the debugfs interface, so that DEBUG_WX can be enabled without exposing the debugfs interface. Switch EFI_PGT_DUMP to using X86_PTDUMP_CORE so that it also does not require enabling the debugfs interface. On success it prints this to the kernel log: x86/mm: Checked W+X mappings: passed, no W+X pages found. On failure it prints a warning and a count of the failed pages: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1 at arch/x86/mm/dump_pagetables.c:226 note_page+0x610/0x7b0() x86/mm: Found insecure W+X mapping at address ffffffff81755000/__stop___ex_table+0xfa8/0xabfa8 [...] Call Trace: [<ffffffff81380a5f>] dump_stack+0x44/0x55 [<ffffffff8109d3f2>] warn_slowpath_common+0x82/0xc0 [<ffffffff8109d48c>] warn_slowpath_fmt+0x5c/0x80 [<ffffffff8106cfc9>] ? note_page+0x5c9/0x7b0 [<ffffffff8106d010>] note_page+0x610/0x7b0 [<ffffffff8106d409>] ptdump_walk_pgd_level_core+0x259/0x3c0 [<ffffffff8106d5a7>] ptdump_walk_pgd_level_checkwx+0x17/0x20 [<ffffffff81063905>] mark_rodata_ro+0xf5/0x100 [<ffffffff817415a0>] ? rest_init+0x80/0x80 [<ffffffff817415bd>] kernel_init+0x1d/0xe0 [<ffffffff8174cd1f>] ret_from_fork+0x3f/0x70 [<ffffffff817415a0>] ? rest_init+0x80/0x80 ---[ end trace a1f23a1e42a2ac76 ]--- x86/mm: Checked W+X mappings: FAILED, 171 W+X pages found. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Arjan van de Ven <arjan@linux.intel.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mike Galbraith <efault@gmx.de> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-kernel@vger.kernel.org Link: http://lkml.kernel.org/r/1444064120-11450-1-git-send-email-sds@tycho.nsa.gov [ Improved the Kconfig help text and made the new option default-y if CONFIG_DEBUG_RODATA=y, because it already found buggy mappings, so we really want people to have this on by default. ] Signed-off-by: Ingo Molnar <mingo@kernel.org>
405 lines
12 KiB
Plaintext
405 lines
12 KiB
Plaintext
menu "Kernel hacking"
|
|
|
|
config TRACE_IRQFLAGS_SUPPORT
|
|
def_bool y
|
|
|
|
source "lib/Kconfig.debug"
|
|
|
|
config STRICT_DEVMEM
|
|
bool "Filter access to /dev/mem"
|
|
---help---
|
|
If this option is disabled, you allow userspace (root) access to all
|
|
of memory, including kernel and userspace memory. Accidental
|
|
access to this is obviously disastrous, but specific access can
|
|
be used by people debugging the kernel. Note that with PAT support
|
|
enabled, even in this case there are restrictions on /dev/mem
|
|
use due to the cache aliasing requirements.
|
|
|
|
If this option is switched on, the /dev/mem file only allows
|
|
userspace access to PCI space and the BIOS code and data regions.
|
|
This is sufficient for dosemu and X and all common users of
|
|
/dev/mem.
|
|
|
|
If in doubt, say Y.
|
|
|
|
config X86_VERBOSE_BOOTUP
|
|
bool "Enable verbose x86 bootup info messages"
|
|
default y
|
|
---help---
|
|
Enables the informational output from the decompression stage
|
|
(e.g. bzImage) of the boot. If you disable this you will still
|
|
see errors. Disable this if you want silent bootup.
|
|
|
|
config EARLY_PRINTK
|
|
bool "Early printk" if EXPERT
|
|
default y
|
|
---help---
|
|
Write kernel log output directly into the VGA buffer or to a serial
|
|
port.
|
|
|
|
This is useful for kernel debugging when your machine crashes very
|
|
early before the console code is initialized. For normal operation
|
|
it is not recommended because it looks ugly and doesn't cooperate
|
|
with klogd/syslogd or the X server. You should normally N here,
|
|
unless you want to debug such a crash.
|
|
|
|
config EARLY_PRINTK_DBGP
|
|
bool "Early printk via EHCI debug port"
|
|
depends on EARLY_PRINTK && PCI
|
|
---help---
|
|
Write kernel log output directly into the EHCI debug port.
|
|
|
|
This is useful for kernel debugging when your machine crashes very
|
|
early before the console code is initialized. For normal operation
|
|
it is not recommended because it looks ugly and doesn't cooperate
|
|
with klogd/syslogd or the X server. You should normally N here,
|
|
unless you want to debug such a crash. You need usb debug device.
|
|
|
|
config EARLY_PRINTK_EFI
|
|
bool "Early printk via the EFI framebuffer"
|
|
depends on EFI && EARLY_PRINTK
|
|
select FONT_SUPPORT
|
|
---help---
|
|
Write kernel log output directly into the EFI framebuffer.
|
|
|
|
This is useful for kernel debugging when your machine crashes very
|
|
early before the console code is initialized.
|
|
|
|
config X86_PTDUMP_CORE
|
|
def_bool n
|
|
|
|
config X86_PTDUMP
|
|
bool "Export kernel pagetable layout to userspace via debugfs"
|
|
depends on DEBUG_KERNEL
|
|
select DEBUG_FS
|
|
select X86_PTDUMP_CORE
|
|
---help---
|
|
Say Y here if you want to show the kernel pagetable layout in a
|
|
debugfs file. This information is only useful for kernel developers
|
|
who are working in architecture specific areas of the kernel.
|
|
It is probably not a good idea to enable this feature in a production
|
|
kernel.
|
|
If in doubt, say "N"
|
|
|
|
config EFI_PGT_DUMP
|
|
bool "Dump the EFI pagetable"
|
|
depends on EFI
|
|
select X86_PTDUMP_CORE
|
|
---help---
|
|
Enable this if you want to dump the EFI page table before
|
|
enabling virtual mode. This can be used to debug miscellaneous
|
|
issues with the mapping of the EFI runtime regions into that
|
|
table.
|
|
|
|
config DEBUG_RODATA
|
|
bool "Write protect kernel read-only data structures"
|
|
default y
|
|
depends on DEBUG_KERNEL
|
|
---help---
|
|
Mark the kernel read-only data as write-protected in the pagetables,
|
|
in order to catch accidental (and incorrect) writes to such const
|
|
data. This is recommended so that we can catch kernel bugs sooner.
|
|
If in doubt, say "Y".
|
|
|
|
config DEBUG_RODATA_TEST
|
|
bool "Testcase for the DEBUG_RODATA feature"
|
|
depends on DEBUG_RODATA
|
|
default y
|
|
---help---
|
|
This option enables a testcase for the DEBUG_RODATA
|
|
feature as well as for the change_page_attr() infrastructure.
|
|
If in doubt, say "N"
|
|
|
|
config DEBUG_WX
|
|
bool "Warn on W+X mappings at boot"
|
|
depends on DEBUG_RODATA
|
|
default y
|
|
select X86_PTDUMP_CORE
|
|
---help---
|
|
Generate a warning if any W+X mappings are found at boot.
|
|
|
|
This is useful for discovering cases where the kernel is leaving
|
|
W+X mappings after applying NX, as such mappings are a security risk.
|
|
|
|
Look for a message in dmesg output like this:
|
|
|
|
x86/mm: Checked W+X mappings: passed, no W+X pages found.
|
|
|
|
or like this, if the check failed:
|
|
|
|
x86/mm: Checked W+X mappings: FAILED, <N> W+X pages found.
|
|
|
|
Note that even if the check fails, your kernel is possibly
|
|
still fine, as W+X mappings are not a security hole in
|
|
themselves, what they do is that they make the exploitation
|
|
of other unfixed kernel bugs easier.
|
|
|
|
There is no runtime or memory usage effect of this option
|
|
once the kernel has booted up - it's a one time check.
|
|
|
|
If in doubt, say "Y".
|
|
|
|
config DEBUG_SET_MODULE_RONX
|
|
bool "Set loadable kernel module data as NX and text as RO"
|
|
depends on MODULES
|
|
---help---
|
|
This option helps catch unintended modifications to loadable
|
|
kernel module's text and read-only data. It also prevents execution
|
|
of module data. Such protection may interfere with run-time code
|
|
patching and dynamic kernel tracing - and they might also protect
|
|
against certain classes of kernel exploits.
|
|
If in doubt, say "N".
|
|
|
|
config DEBUG_NX_TEST
|
|
tristate "Testcase for the NX non-executable stack feature"
|
|
depends on DEBUG_KERNEL && m
|
|
---help---
|
|
This option enables a testcase for the CPU NX capability
|
|
and the software setup of this feature.
|
|
If in doubt, say "N"
|
|
|
|
config DOUBLEFAULT
|
|
default y
|
|
bool "Enable doublefault exception handler" if EXPERT
|
|
---help---
|
|
This option allows trapping of rare doublefault exceptions that
|
|
would otherwise cause a system to silently reboot. Disabling this
|
|
option saves about 4k and might cause you much additional grey
|
|
hair.
|
|
|
|
config DEBUG_TLBFLUSH
|
|
bool "Set upper limit of TLB entries to flush one-by-one"
|
|
depends on DEBUG_KERNEL
|
|
---help---
|
|
|
|
X86-only for now.
|
|
|
|
This option allows the user to tune the amount of TLB entries the
|
|
kernel flushes one-by-one instead of doing a full TLB flush. In
|
|
certain situations, the former is cheaper. This is controlled by the
|
|
tlb_flushall_shift knob under /sys/kernel/debug/x86. If you set it
|
|
to -1, the code flushes the whole TLB unconditionally. Otherwise,
|
|
for positive values of it, the kernel will use single TLB entry
|
|
invalidating instructions according to the following formula:
|
|
|
|
flush_entries <= active_tlb_entries / 2^tlb_flushall_shift
|
|
|
|
If in doubt, say "N".
|
|
|
|
config IOMMU_DEBUG
|
|
bool "Enable IOMMU debugging"
|
|
depends on GART_IOMMU && DEBUG_KERNEL
|
|
depends on X86_64
|
|
---help---
|
|
Force the IOMMU to on even when you have less than 4GB of
|
|
memory and add debugging code. On overflow always panic. And
|
|
allow to enable IOMMU leak tracing. Can be disabled at boot
|
|
time with iommu=noforce. This will also enable scatter gather
|
|
list merging. Currently not recommended for production
|
|
code. When you use it make sure you have a big enough
|
|
IOMMU/AGP aperture. Most of the options enabled by this can
|
|
be set more finegrained using the iommu= command line
|
|
options. See Documentation/x86/x86_64/boot-options.txt for more
|
|
details.
|
|
|
|
config IOMMU_STRESS
|
|
bool "Enable IOMMU stress-test mode"
|
|
---help---
|
|
This option disables various optimizations in IOMMU related
|
|
code to do real stress testing of the IOMMU code. This option
|
|
will cause a performance drop and should only be enabled for
|
|
testing.
|
|
|
|
config IOMMU_LEAK
|
|
bool "IOMMU leak tracing"
|
|
depends on IOMMU_DEBUG && DMA_API_DEBUG
|
|
---help---
|
|
Add a simple leak tracer to the IOMMU code. This is useful when you
|
|
are debugging a buggy device driver that leaks IOMMU mappings.
|
|
|
|
config HAVE_MMIOTRACE_SUPPORT
|
|
def_bool y
|
|
|
|
config X86_DECODER_SELFTEST
|
|
bool "x86 instruction decoder selftest"
|
|
depends on DEBUG_KERNEL && KPROBES
|
|
depends on !COMPILE_TEST
|
|
---help---
|
|
Perform x86 instruction decoder selftests at build time.
|
|
This option is useful for checking the sanity of x86 instruction
|
|
decoder code.
|
|
If unsure, say "N".
|
|
|
|
#
|
|
# IO delay types:
|
|
#
|
|
|
|
config IO_DELAY_TYPE_0X80
|
|
int
|
|
default "0"
|
|
|
|
config IO_DELAY_TYPE_0XED
|
|
int
|
|
default "1"
|
|
|
|
config IO_DELAY_TYPE_UDELAY
|
|
int
|
|
default "2"
|
|
|
|
config IO_DELAY_TYPE_NONE
|
|
int
|
|
default "3"
|
|
|
|
choice
|
|
prompt "IO delay type"
|
|
default IO_DELAY_0X80
|
|
|
|
config IO_DELAY_0X80
|
|
bool "port 0x80 based port-IO delay [recommended]"
|
|
---help---
|
|
This is the traditional Linux IO delay used for in/out_p.
|
|
It is the most tested hence safest selection here.
|
|
|
|
config IO_DELAY_0XED
|
|
bool "port 0xed based port-IO delay"
|
|
---help---
|
|
Use port 0xed as the IO delay. This frees up port 0x80 which is
|
|
often used as a hardware-debug port.
|
|
|
|
config IO_DELAY_UDELAY
|
|
bool "udelay based port-IO delay"
|
|
---help---
|
|
Use udelay(2) as the IO delay method. This provides the delay
|
|
while not having any side-effect on the IO port space.
|
|
|
|
config IO_DELAY_NONE
|
|
bool "no port-IO delay"
|
|
---help---
|
|
No port-IO delay. Will break on old boxes that require port-IO
|
|
delay for certain operations. Should work on most new machines.
|
|
|
|
endchoice
|
|
|
|
if IO_DELAY_0X80
|
|
config DEFAULT_IO_DELAY_TYPE
|
|
int
|
|
default IO_DELAY_TYPE_0X80
|
|
endif
|
|
|
|
if IO_DELAY_0XED
|
|
config DEFAULT_IO_DELAY_TYPE
|
|
int
|
|
default IO_DELAY_TYPE_0XED
|
|
endif
|
|
|
|
if IO_DELAY_UDELAY
|
|
config DEFAULT_IO_DELAY_TYPE
|
|
int
|
|
default IO_DELAY_TYPE_UDELAY
|
|
endif
|
|
|
|
if IO_DELAY_NONE
|
|
config DEFAULT_IO_DELAY_TYPE
|
|
int
|
|
default IO_DELAY_TYPE_NONE
|
|
endif
|
|
|
|
config DEBUG_BOOT_PARAMS
|
|
bool "Debug boot parameters"
|
|
depends on DEBUG_KERNEL
|
|
depends on DEBUG_FS
|
|
---help---
|
|
This option will cause struct boot_params to be exported via debugfs.
|
|
|
|
config CPA_DEBUG
|
|
bool "CPA self-test code"
|
|
depends on DEBUG_KERNEL
|
|
---help---
|
|
Do change_page_attr() self-tests every 30 seconds.
|
|
|
|
config OPTIMIZE_INLINING
|
|
bool "Allow gcc to uninline functions marked 'inline'"
|
|
---help---
|
|
This option determines if the kernel forces gcc to inline the functions
|
|
developers have marked 'inline'. Doing so takes away freedom from gcc to
|
|
do what it thinks is best, which is desirable for the gcc 3.x series of
|
|
compilers. The gcc 4.x series have a rewritten inlining algorithm and
|
|
enabling this option will generate a smaller kernel there. Hopefully
|
|
this algorithm is so good that allowing gcc 4.x and above to make the
|
|
decision will become the default in the future. Until then this option
|
|
is there to test gcc for this.
|
|
|
|
If unsure, say N.
|
|
|
|
config DEBUG_ENTRY
|
|
bool "Debug low-level entry code"
|
|
depends on DEBUG_KERNEL
|
|
---help---
|
|
This option enables sanity checks in x86's low-level entry code.
|
|
Some of these sanity checks may slow down kernel entries and
|
|
exits or otherwise impact performance.
|
|
|
|
This is currently used to help test NMI code.
|
|
|
|
If unsure, say N.
|
|
|
|
config DEBUG_NMI_SELFTEST
|
|
bool "NMI Selftest"
|
|
depends on DEBUG_KERNEL && X86_LOCAL_APIC
|
|
---help---
|
|
Enabling this option turns on a quick NMI selftest to verify
|
|
that the NMI behaves correctly.
|
|
|
|
This might help diagnose strange hangs that rely on NMI to
|
|
function properly.
|
|
|
|
If unsure, say N.
|
|
|
|
config DEBUG_IMR_SELFTEST
|
|
bool "Isolated Memory Region self test"
|
|
default n
|
|
depends on INTEL_IMR
|
|
---help---
|
|
This option enables automated sanity testing of the IMR code.
|
|
Some simple tests are run to verify IMR bounds checking, alignment
|
|
and overlapping. This option is really only useful if you are
|
|
debugging an IMR memory map or are modifying the IMR code and want to
|
|
test your changes.
|
|
|
|
If unsure say N here.
|
|
|
|
config X86_DEBUG_STATIC_CPU_HAS
|
|
bool "Debug alternatives"
|
|
depends on DEBUG_KERNEL
|
|
---help---
|
|
This option causes additional code to be generated which
|
|
fails if static_cpu_has() is used before alternatives have
|
|
run.
|
|
|
|
If unsure, say N.
|
|
|
|
config X86_DEBUG_FPU
|
|
bool "Debug the x86 FPU code"
|
|
depends on DEBUG_KERNEL
|
|
default y
|
|
---help---
|
|
If this option is enabled then there will be extra sanity
|
|
checks and (boot time) debug printouts added to the kernel.
|
|
This debugging adds some small amount of runtime overhead
|
|
to the kernel.
|
|
|
|
If unsure, say N.
|
|
|
|
config PUNIT_ATOM_DEBUG
|
|
tristate "ATOM Punit debug driver"
|
|
select DEBUG_FS
|
|
select IOSF_MBI
|
|
---help---
|
|
This is a debug driver, which gets the power states
|
|
of all Punit North Complex devices. The power states of
|
|
each device is exposed as part of the debugfs interface.
|
|
The current power state can be read from
|
|
/sys/kernel/debug/punit_atom/dev_power_state
|
|
|
|
endmenu
|