Avoiding RWX segments in XEN3_DOM0/XEN3_DOMU kernels

To: port-xen%NetBSD.org@localhost
Subject: Avoiding RWX segments in XEN3_DOM0/XEN3_DOMU kernels
From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Date: Sun, 16 Jul 2023 10:24:35 +0000

The linker script for NetBSD/xen kernels, used to set up the right
notes for the Xen bootloader or something, currently has the side
effect of putting both .text and .rodata and .data into a single
segment with read/write/execute permissions.

This is bad for security, and currently causes the following warning
during build time, which should really be a fatal error (but I'm not
sure offhand how to make it so):

           link  XEN3_DOMU/netbsd
    /home/riastradh/netbsd/current/src/../obj.amd64/tooldir/bin/x86_64--netbsd-ld: warning: netbsd has a LOAD segment with RWX permissions


The attached patch tries to fix it by splitting the linker script into
three different segments -- one with read/execute (for .text), one
read-only (for .rodata and various others), and one with read/write
(for .data and everything else), along with the note.

Can someone try this and report back, or take a look and tell me if
I'm barking up the wrong tree to fix the problem?  (Not a linker
script expert here.)

From 92591120bb7797850fe14b9feea189a57881039d Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Date: Thu, 13 Jul 2023 13:34:37 +0000
Subject: [PATCH] xen: Split segments into read/exec, read-only, and
 read/write.

Attempts to fix:

       link  XEN3_DOMU/netbsd
/home/riastradh/netbsd/current/src/../obj.amd64/tooldir/bin/x86_64--netbsd-ld: warning: netbsd has a LOAD segment with RWX permissions

This was broken in the change to fix the .note.Xen program header
required by some versions of the Xen kernel, which set some explicit
program headers, overriding defaults.
---
 sys/arch/amd64/conf/kern.ldscript.Xen | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/sys/arch/amd64/conf/kern.ldscript.Xen b/sys/arch/amd64/conf/kern.ldscript.Xen
index b03bd4666a2f..2babb037b9c0 100644
--- a/sys/arch/amd64/conf/kern.ldscript.Xen
+++ b/sys/arch/amd64/conf/kern.ldscript.Xen
@@ -13,7 +13,7 @@ SECTIONS
 		*(.text.*)
 		*(.stub)
 		. = ALIGN(__PAGE_SIZE);
-	} :main =0xCC
+	} :rxmain =0xCC
 	_etext = . ;
 	PROVIDE (etext = .) ;
 
@@ -26,7 +26,7 @@ SECTIONS
 		__rodata_hotpatch_start = . ;
 		*(.rodata.hotpatch)
 		__rodata_hotpatch_end = . ;
-	}
+	} :romain
 
 	.rodata :
 	{
@@ -36,7 +36,7 @@ SECTIONS
 		__CTOR_LIST__ = .;
 		*(.ctors)
 		__CTOR_END__ = .;
-	}
+	} :romain
 
 	. = ALIGN(__PAGE_SIZE);
 
@@ -44,18 +44,18 @@ SECTIONS
 	.data :
 	{
 		*(.data)
-	}
+	} :rwmain
 
 	. = ALIGN(COHERENCY_UNIT);
 	.data.cacheline_aligned :
 	{
 		*(.data.cacheline_aligned)
-	}
+	} :rwmain
 	. = ALIGN(COHERENCY_UNIT);
 	.data.read_mostly :
 	{
 		*(.data.read_mostly)
-	}
+	} :rwmain
 	. = ALIGN(COHERENCY_UNIT);
 
 	_edata = . ;
@@ -67,7 +67,7 @@ SECTIONS
 		*(.bss.*)
 		*(COMMON)
 		. = ALIGN(__PAGE_SIZE);
-	}
+	} :rwmain
 
 	. = ALIGN(__PAGE_SIZE);
 
@@ -79,7 +79,7 @@ SECTIONS
 	.note.netbsd.ident :
 	{
 		KEEP(*(.note.netbsd.ident));
-	}
+	} /* no section */
 	.note.Xen :
 	{
 		KEEP(*(.note.Xen));
@@ -88,6 +88,8 @@ SECTIONS
 
 PHDRS
 {
-	main PT_LOAD;
+	rxmain PT_LOAD;
+	romain PT_LOAD;
+	rwmain PT_LOAD;
 	notes PT_NOTE;
 }

Follow-Ups:
- Re: Avoiding RWX segments in XEN3_DOM0/XEN3_DOMU kernels
  - From: Martin Husemann

Prev by Date: Re: does i386 still work?
Next by Date: xbd and large sectors
Previous by Thread: does i386 still work?
Next by Thread: Re: Avoiding RWX segments in XEN3_DOM0/XEN3_DOMU kernels
Indexes:

Home | Main Index | Thread Index | Old Index