From: Hauke Mehrtens
Date: Sat, 17 Aug 2024 13:12:31 +0000 (+0200)
Subject: kernel: Enable CONFIG_ARM64_PAN to restrict kernel access to user space memory
X-Git-Tag: v24.10.0-rc1~965
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F16189%2Fhead;p=thirdparty%2Fopenwrt.git
kernel: Enable CONFIG_ARM64_PAN to restrict kernel access to user space memory
Enable the CONFIG_ARM64_PAN kernel security option, which leverages the ARMv8.1 Privileged Access Never (PAN) extension to prevent the kernel from directly accessing user space memory. Instead, copy_to_user and similar functions must be used for data transfer between kernel and user space. This feature is automatically disabled at runtime on CPUs without PAN support, making it a no-op in those cases.
Link: https://github.com/openwrt/openwrt/pull/16189
Signed-off-by: Hauke Mehrtens
---
diff --git a/target/linux/armsr/armv8/config-6.6 b/target/linux/armsr/armv8/config-6.6
index 3ce25c60d82..64356e27f4b 100644
--- a/target/linux/armsr/armv8/config-6.6
+++ b/target/linux/armsr/armv8/config-6.6
@@ -93,7 +93,6 @@ CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_MTE=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/bcm27xx/bcm2710/config-6.6 b/target/linux/bcm27xx/bcm2710/config-6.6
index 4ab0e03ee27..961fd2c71ee 100644
--- a/target/linux/bcm27xx/bcm2710/config-6.6
+++ b/target/linux/bcm27xx/bcm2710/config-6.6
@@ -34,7 +34,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/bcm27xx/bcm2711/config-6.6 b/target/linux/bcm27xx/bcm2711/config-6.6
index 915fe29cae8..6aeedc1c312 100644
--- a/target/linux/bcm27xx/bcm2711/config-6.6
+++ b/target/linux/bcm27xx/bcm2711/config-6.6
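Review bot: In `target/linux/generic/config-5.15`, `CONFIG_ARM64_PAN=y` is switched on without the hunk showing what happens on cores that lack the ARMv8.1 PAN extension, where (as the description says) the option is a runtime no-op and kernel access to user memory stays unrestricted. The kernel's software fallback, `CONFIG_ARM64_SW_TTBR0_PAN`, lies outside the visible context, so its state cannot be confirmed from here. If it is still unset, consider adding `CONFIG_ARM64_SW_TTBR0_PAN=y` after weighing its kernel entry/exit overhead, or record in the commit message that pre-v8.1 hardware gains no protection. The same point applies to the matching hunks in `target/linux/generic/config-6.1` and `target/linux/generic/config-6.6`.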
@@ -29,7 +29,6 @@ CONFIG_ARM64_ERRATUM_1319367=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/bcm27xx/bcm2712/config-6.6 b/target/linux/bcm27xx/bcm2712/config-6.6
index d61796fb24f..81cc66e9c47 100644
--- a/target/linux/bcm27xx/bcm2712/config-6.6
+++ b/target/linux/bcm27xx/bcm2712/config-6.6
@@ -33,7 +33,6 @@ CONFIG_ARM64_ERRATUM_3194386=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/generic/config-5.15 b/target/linux/generic/config-5.15
index 90650ac7dd2..1b8ad1cf42c 100644
--- a/target/linux/generic/config-5.15
+++ b/target/linux/generic/config-5.15
@@ -349,7 +349,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_LSE_ATOMICS is not set
 CONFIG_ARM64_MODULE_PLTS=y
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTDUMP_DEBUGFS is not set
diff --git a/target/linux/generic/config-6.1 b/target/linux/generic/config-6.1
index 3460be73b11..81c66f41df9 100644
--- a/target/linux/generic/config-6.1
+++ b/target/linux/generic/config-6.1
@@ -383,7 +383,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_LSE_ATOMICS is not set
 CONFIG_ARM64_MODULE_PLTS=y
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTDUMP_DEBUGFS is not set
diff --git a/target/linux/generic/config-6.6 b/target/linux/generic/config-6.6
index c169e107dfd..4fcb93fd25c 100644
--- a/target/linux/generic/config-6.6
+++ b/target/linux/generic/config-6.6
@@ -358,7 +358,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_HW_AFDBM is not set
 # CONFIG_ARM64_LSE_ATOMICS is not set
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTR_AUTH is not set
diff --git a/target/linux/layerscape/armv8_64b/config-6.1 b/target/linux/layerscape/armv8_64b/config-6.1
index 2ebe59c7ccf..8693370c197 100644
--- a/target/linux/layerscape/armv8_64b/config-6.1
+++ b/target/linux/layerscape/armv8_64b/config-6.1
@@ -40,7 +40,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/layerscape/armv8_64b/config-6.6 b/target/linux/layerscape/armv8_64b/config-6.6
index 6d9d2ba2d56..133b75addb1 100644
--- a/target/linux/layerscape/armv8_64b/config-6.6
+++ b/target/linux/layerscape/armv8_64b/config-6.6
@@ -41,7 +41,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y
diff --git a/target/linux/rockchip/armv8/config-6.6 b/target/linux/rockchip/armv8/config-6.6
index dd9908869fa..bdb7d2b4936 100644
--- a/target/linux/rockchip/armv8/config-6.6
+++ b/target/linux/rockchip/armv8/config-6.6
@@ -48,7 +48,6 @@ CONFIG_ARM64_ERRATUM_858921=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y