Ard Biesheuvel | f80fb3a | 2016-01-26 14:12:01 +0100 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2016 Linaro Ltd <ard.biesheuvel@linaro.org> |
| 3 | * |
| 4 | * This program is free software; you can redistribute it and/or modify |
| 5 | * it under the terms of the GNU General Public License version 2 as |
| 6 | * published by the Free Software Foundation. |
| 7 | */ |
| 8 | |
| 9 | #include <linux/crc32.h> |
| 10 | #include <linux/init.h> |
| 11 | #include <linux/libfdt.h> |
| 12 | #include <linux/mm_types.h> |
| 13 | #include <linux/sched.h> |
| 14 | #include <linux/types.h> |
| 15 | |
| 16 | #include <asm/fixmap.h> |
| 17 | #include <asm/kernel-pgtable.h> |
| 18 | #include <asm/memory.h> |
| 19 | #include <asm/mmu.h> |
| 20 | #include <asm/pgtable.h> |
| 21 | #include <asm/sections.h> |
| 22 | |
| 23 | u64 __read_mostly module_alloc_base; |
Ard Biesheuvel | c031a42 | 2016-01-29 11:59:03 +0100 | [diff] [blame] | 24 | u16 __initdata memstart_offset_seed; |
Ard Biesheuvel | f80fb3a | 2016-01-26 14:12:01 +0100 | [diff] [blame] | 25 | |
| 26 | static __init u64 get_kaslr_seed(void *fdt) |
| 27 | { |
| 28 | int node, len; |
| 29 | u64 *prop; |
| 30 | u64 ret; |
| 31 | |
| 32 | node = fdt_path_offset(fdt, "/chosen"); |
| 33 | if (node < 0) |
| 34 | return 0; |
| 35 | |
| 36 | prop = fdt_getprop_w(fdt, node, "kaslr-seed", &len); |
| 37 | if (!prop || len != sizeof(u64)) |
| 38 | return 0; |
| 39 | |
| 40 | ret = fdt64_to_cpu(*prop); |
| 41 | *prop = 0; |
| 42 | return ret; |
| 43 | } |
| 44 | |
| 45 | static __init const u8 *get_cmdline(void *fdt) |
| 46 | { |
| 47 | static __initconst const u8 default_cmdline[] = CONFIG_CMDLINE; |
| 48 | |
| 49 | if (!IS_ENABLED(CONFIG_CMDLINE_FORCE)) { |
| 50 | int node; |
| 51 | const u8 *prop; |
| 52 | |
| 53 | node = fdt_path_offset(fdt, "/chosen"); |
| 54 | if (node < 0) |
| 55 | goto out; |
| 56 | |
| 57 | prop = fdt_getprop(fdt, node, "bootargs", NULL); |
| 58 | if (!prop) |
| 59 | goto out; |
| 60 | return prop; |
| 61 | } |
| 62 | out: |
| 63 | return default_cmdline; |
| 64 | } |
| 65 | |
| 66 | extern void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, |
| 67 | pgprot_t prot); |
| 68 | |
| 69 | /* |
| 70 | * This routine will be executed with the kernel mapped at its default virtual |
| 71 | * address, and if it returns successfully, the kernel will be remapped, and |
| 72 | * start_kernel() will be executed from a randomized virtual offset. The |
| 73 | * relocation will result in all absolute references (e.g., static variables |
| 74 | * containing function pointers) to be reinitialized, and zero-initialized |
| 75 | * .bss variables will be reset to 0. |
| 76 | */ |
Ard Biesheuvel | 08cdac6 | 2016-04-18 17:09:47 +0200 | [diff] [blame] | 77 | u64 __init kaslr_early_init(u64 dt_phys, u64 modulo_offset) |
Ard Biesheuvel | f80fb3a | 2016-01-26 14:12:01 +0100 | [diff] [blame] | 78 | { |
| 79 | void *fdt; |
| 80 | u64 seed, offset, mask, module_range; |
| 81 | const u8 *cmdline, *str; |
| 82 | int size; |
| 83 | |
| 84 | /* |
| 85 | * Set a reasonable default for module_alloc_base in case |
| 86 | * we end up running with module randomization disabled. |
| 87 | */ |
| 88 | module_alloc_base = (u64)_etext - MODULES_VSIZE; |
| 89 | |
| 90 | /* |
| 91 | * Try to map the FDT early. If this fails, we simply bail, |
| 92 | * and proceed with KASLR disabled. We will make another |
| 93 | * attempt at mapping the FDT in setup_machine() |
| 94 | */ |
| 95 | early_fixmap_init(); |
| 96 | fdt = __fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL); |
| 97 | if (!fdt) |
| 98 | return 0; |
| 99 | |
| 100 | /* |
| 101 | * Retrieve (and wipe) the seed from the FDT |
| 102 | */ |
| 103 | seed = get_kaslr_seed(fdt); |
| 104 | if (!seed) |
| 105 | return 0; |
| 106 | |
| 107 | /* |
| 108 | * Check if 'nokaslr' appears on the command line, and |
| 109 | * return 0 if that is the case. |
| 110 | */ |
| 111 | cmdline = get_cmdline(fdt); |
| 112 | str = strstr(cmdline, "nokaslr"); |
| 113 | if (str == cmdline || (str > cmdline && *(str - 1) == ' ')) |
| 114 | return 0; |
| 115 | |
| 116 | /* |
| 117 | * OK, so we are proceeding with KASLR enabled. Calculate a suitable |
| 118 | * kernel image offset from the seed. Let's place the kernel in the |
| 119 | * lower half of the VMALLOC area (VA_BITS - 2). |
| 120 | * Even if we could randomize at page granularity for 16k and 64k pages, |
| 121 | * let's always round to 2 MB so we don't interfere with the ability to |
| 122 | * map using contiguous PTEs |
| 123 | */ |
| 124 | mask = ((1UL << (VA_BITS - 2)) - 1) & ~(SZ_2M - 1); |
| 125 | offset = seed & mask; |
| 126 | |
Ard Biesheuvel | c031a42 | 2016-01-29 11:59:03 +0100 | [diff] [blame] | 127 | /* use the top 16 bits to randomize the linear region */ |
| 128 | memstart_offset_seed = seed >> 48; |
| 129 | |
Ard Biesheuvel | f80fb3a | 2016-01-26 14:12:01 +0100 | [diff] [blame] | 130 | /* |
| 131 | * The kernel Image should not extend across a 1GB/32MB/512MB alignment |
| 132 | * boundary (for 4KB/16KB/64KB granule kernels, respectively). If this |
| 133 | * happens, increase the KASLR offset by the size of the kernel image. |
| 134 | */ |
Ard Biesheuvel | 08cdac6 | 2016-04-18 17:09:47 +0200 | [diff] [blame] | 135 | if ((((u64)_text + offset + modulo_offset) >> SWAPPER_TABLE_SHIFT) != |
| 136 | (((u64)_end + offset + modulo_offset) >> SWAPPER_TABLE_SHIFT)) |
Ard Biesheuvel | f80fb3a | 2016-01-26 14:12:01 +0100 | [diff] [blame] | 137 | offset = (offset + (u64)(_end - _text)) & mask; |
| 138 | |
| 139 | if (IS_ENABLED(CONFIG_KASAN)) |
| 140 | /* |
| 141 | * KASAN does not expect the module region to intersect the |
| 142 | * vmalloc region, since shadow memory is allocated for each |
| 143 | * module at load time, whereas the vmalloc region is shadowed |
| 144 | * by KASAN zero pages. So keep modules out of the vmalloc |
| 145 | * region if KASAN is enabled. |
| 146 | */ |
| 147 | return offset; |
| 148 | |
| 149 | if (IS_ENABLED(CONFIG_RANDOMIZE_MODULE_REGION_FULL)) { |
| 150 | /* |
| 151 | * Randomize the module region independently from the core |
| 152 | * kernel. This prevents modules from leaking any information |
| 153 | * about the address of the kernel itself, but results in |
| 154 | * branches between modules and the core kernel that are |
| 155 | * resolved via PLTs. (Branches between modules will be |
| 156 | * resolved normally.) |
| 157 | */ |
| 158 | module_range = VMALLOC_END - VMALLOC_START - MODULES_VSIZE; |
| 159 | module_alloc_base = VMALLOC_START; |
| 160 | } else { |
| 161 | /* |
| 162 | * Randomize the module region by setting module_alloc_base to |
| 163 | * a PAGE_SIZE multiple in the range [_etext - MODULES_VSIZE, |
| 164 | * _stext) . This guarantees that the resulting region still |
| 165 | * covers [_stext, _etext], and that all relative branches can |
| 166 | * be resolved without veneers. |
| 167 | */ |
| 168 | module_range = MODULES_VSIZE - (u64)(_etext - _stext); |
| 169 | module_alloc_base = (u64)_etext + offset - MODULES_VSIZE; |
| 170 | } |
| 171 | |
| 172 | /* use the lower 21 bits to randomize the base of the module region */ |
| 173 | module_alloc_base += (module_range * (seed & ((1 << 21) - 1))) >> 21; |
| 174 | module_alloc_base &= PAGE_MASK; |
| 175 | |
| 176 | return offset; |
| 177 | } |