
Re: [PATCH 7/8] x86/boot: Support __ro_after_init


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 2 Dec 2021 14:10:38 +0100
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 02 Dec 2021 13:10:54 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 30.11.2021 11:04, Andrew Cooper wrote:
> For security hardening reasons, it is advantageous to make setup-once data
> immutable after boot.  Borrow __ro_after_init from Linux.
> 
> On x86, place .data.ro_after_init at the start of .rodata, excluding it from
> the early permission restrictions.  Re-apply RO restrictions to the whole of
> .rodata in init_done(), attempting to reform the superpage if possible.
> 
> For architectures which don't implement __ro_after_init explicitly, variables
> merge into .data.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
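
A userspace analogue of the mechanism the commit message describes, added here as an illustration and not taken from the patch or the Xen code base: setup-once data lives in its own page-aligned region, stays writable during initialisation, and is sealed read-only afterwards. The names `boot_cfg`, `early_init`, `seal_ro_after_init`, `write_faults` and `REGION` are hypothetical, and `mprotect()` stands in for the hypervisor's page-table update.

```c
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define REGION 65536 /* assumption: system page size is at most 64 KiB */

struct boot_cfg { unsigned int max_cpus; int hardening_on; }; /* hypothetical */

/* The data gets a region of its own, as a dedicated linker section would
 * give it, so sealing it cannot catch unrelated writable variables. */
static union { struct boot_cfg cfg; char pad[REGION]; }
    ro_after_init __attribute__((aligned(REGION)));

/* Setup-once phase: the region is still writable. */
void early_init(void)
{
    ro_after_init.cfg.max_cpus = 8;
    ro_after_init.cfg.hardening_on = 1;
}

/* Analogue of the init_done() step: drop write permission on the region. */
int seal_ro_after_init(void)
{
    return mprotect(&ro_after_init, REGION, PROT_READ);
}

/* Attempt a write in a child process so a fault cannot kill the caller.
 * Returns 1 if the write faulted, 0 if it went through, -1 on error. */
int write_faults(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        *(volatile unsigned int *)&ro_after_init.cfg.max_cpus = 9999;
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? 1 : 0;
}

unsigned int cfg_max_cpus(void) { return ro_after_init.cfg.max_cpus; }

int main(void)
{
    early_init();
    printf("write faults before seal: %d\n", write_faults());
    if (seal_ro_after_init() != 0) { perror("mprotect"); return 1; }
    printf("write faults after seal:  %d\n", write_faults());
    printf("max_cpus still readable:  %u\n", cfg_max_cpus());
    return 0;
}
```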
