Re: [PATCH] x86/boot: Restrict directmap permissions for .text/.rodata

2023-03-28 Thread Jan Beulich
On 28.03.2023 12:27, Andrew Cooper wrote: > On 27/03/2023 4:43 pm, Jan Beulich wrote: >> On 24.03.2023 23:08, Andrew Cooper wrote: >>> * For backporting, this patch depends on c/s e7f147bf4ac7 ("x86/crash: Drop >>>manual hooking of exception_table[]") and c/s e7db635f4428 ("x86/pv-shim: >>>

Re: [PATCH] x86/boot: Restrict directmap permissions for .text/.rodata

2023-03-28 Thread Andrew Cooper
On 27/03/2023 4:43 pm, Jan Beulich wrote: > On 24.03.2023 23:08, Andrew Cooper wrote: >> While we've been diligent to ensure that the main text/data/rodata mappings >> have suitable restrictions, their aliases via the directmap were left fully >> read/write. Worse, we even had pieces of code makin

Re: [PATCH] x86/boot: Restrict directmap permissions for .text/.rodata

2023-03-27 Thread Jan Beulich
On 24.03.2023 23:08, Andrew Cooper wrote: > While we've been diligent to ensure that the main text/data/rodata mappings > have suitable restrictions, their aliases via the directmap were left fully > read/write. Worse, we even had pieces of code making use of this as a > feature. > > Restrict the

[PATCH] x86/boot: Restrict directmap permissions for .text/.rodata

2023-03-24 Thread Andrew Cooper
While we've been diligent to ensure that the main text/data/rodata mappings have suitable restrictions, their aliases via the directmap were left fully read/write. Worse, we even had pieces of code making use of this as a feature. Restrict the permissions for .text/rodata, as we have no legitimat

Re: [PATCH] x86/boot: Restrict directmap permissions for .text/.rodata

2023-03-24 Thread Andrew Cooper
On 06/12/2021 3:21 pm, Jan Beulich wrote: > On 06.12.2021 16:11, Andrew Cooper wrote: >> On 06/12/2021 13:58, Jan Beulich wrote: >>> On 06.12.2021 14:08, Andrew Cooper wrote: While we've been diligent to ensure that the main text/data/rodata mappings have suitable restrictions, their

Re: [PATCH] x86/boot: Restrict directmap permissions for .text/.rodata

2021-12-06 Thread Jan Beulich
On 06.12.2021 16:11, Andrew Cooper wrote: > On 06/12/2021 13:58, Jan Beulich wrote: >> On 06.12.2021 14:08, Andrew Cooper wrote: >>> While we've been diligent to ensure that the main text/data/rodata mappings >>> have suitable restrictions, their aliases via the directmap were left fully >>> RW. W

Re: [PATCH] x86/boot: Restrict directmap permissions for .text/.rodata

2021-12-06 Thread Andrew Cooper
On 06/12/2021 13:58, Jan Beulich wrote: > On 06.12.2021 14:08, Andrew Cooper wrote: >> While we've been diligent to ensure that the main text/data/rodata mappings >> have suitable restrictions, their aliases via the directmap were left fully >> RW. Worse, we even had pieces of code making use of t

Re: [PATCH] x86/boot: Restrict directmap permissions for .text/.rodata

2021-12-06 Thread Jan Beulich
On 06.12.2021 14:08, Andrew Cooper wrote: > While we've been diligent to ensure that the main text/data/rodata mappings > have suitable restrictions, their aliases via the directmap were left fully > RW. Worse, we even had pieces of code making use of this as a feature. > > Restrict the permissio

[PATCH] x86/boot: Restrict directmap permissions for .text/.rodata

2021-12-06 Thread Andrew Cooper
While we've been diligent to ensure that the main text/data/rodata mappings have suitable restrictions, their aliases via the directmap were left fully RW. Worse, we even had pieces of code making use of this as a feature. Restrict the permissions, as we have no legitimate need for writeability o
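Added example, not code from the patch or from the Xen tree: a user-space analogue of the problem the patch description states. One page of backing memory is mapped twice, once read-only (standing in for the properly restricted .rodata mapping) and once read/write (standing in for the directmap alias that was left RW). A store through the alias silently changes what the read-only view sees; after the alias is restricted to read-only as well, the same store faults. It assumes a POSIX system with mmap/mprotect, a writable /tmp (or current directory) for the temporary backing file, and that a write to a read-only mapping raises SIGSEGV or SIGBUS.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Constructed user-space analogy, not Xen code.  "ro" plays the part of
 * the correctly restricted .rodata mapping; "alias" plays the part of the
 * directmap alias of the same memory. */

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Attempt one byte store through p.  Returns 1 if the store faulted. */
static int store_faults(volatile char *p)
{
    struct sigaction sa, old_segv, old_bus;
    int faulted;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0) {
        *p = 'X';          /* faults if p is mapped read-only */
        faulted = 0;
    } else {
        faulted = 1;       /* reached via siglongjmp from on_fault() */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/*
 * Returns a bitmask: bit 0 set if a write through the RW alias became
 * visible through the read-only mapping (the problem), bit 1 set if the
 * same write faults once the alias is restricted to read-only (the fix).
 * Returns -1 if the mappings could not be set up.
 */
int directmap_alias_demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    char tmp_path[] = "/tmp/alias-demo-XXXXXX";
    char cwd_path[] = "alias-demo-XXXXXX";
    int fd = mkstemp(tmp_path);
    int result = 0;

    if (fd >= 0) {
        unlink(tmp_path);
    } else {
        fd = mkstemp(cwd_path);          /* fall back to the current directory */
        if (fd < 0)
            return -1;
        unlink(cwd_path);
    }
    if (ftruncate(fd, page) != 0) {
        close(fd);
        return -1;
    }

    /* Two mappings of the same page with different permissions. */
    char *ro    = mmap(NULL, page, PROT_READ,              MAP_SHARED, fd, 0);
    char *alias = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (ro == MAP_FAILED || alias == MAP_FAILED)
        return -1;

    /* 1. The RO mapping is protected, but the RW alias undermines it:
     *    a store through the alias changes what ro reads back. */
    strcpy(alias, "patched");
    if (strcmp(ro, "patched") == 0)
        result |= 1;

    /* 2. Restrict the alias too.  The same store now faults. */
    if (mprotect(alias, page, PROT_READ) != 0)
        return -1;
    if (store_faults(alias))
        result |= 2;

    munmap(alias, page);
    munmap(ro, page);
    return result;
}

int main(void)
{
    int r = directmap_alias_demo();
    printf("store via RW alias visible through RO view: %s\n", (r & 1) ? "yes" : "no");
    printf("store via restricted alias faults:          %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The point the two steps make is the one the patch description makes: permissions on the primary mapping are only as strong as the permissions on every other mapping of the same memory, so any writable alias has to be restricted as well (or code that relied on it, as the description says some did, must stop doing so).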