Re: [PATCH] RTIC: selinux: ARM64: Move selinux_state to a separate page

[pnagar]

On 2021-02-17 02:02, Miguel Ojeda wrote:
> On Tue, Feb 16, 2021 at 11:22 AM Preeti Nagar <pnagar@xxxxxxxxxxxxxx> 
> wrote:
> > The changes introduce a new security feature, RunTime Integrity Check
> > (RTIC), designed to protect Linux Kernel at runtime. The motivation
> > behind these changes is:
> > 1. The system protection offered by Security Enhancements(SE) for
> > Android relies on the assumption of kernel integrity. If the kernel
> > itself is compromised (by a perhaps as yet unknown future 
> > vulnerability),
> > SE for Android security mechanisms could potentially be disabled and
> > rendered ineffective.
> > 2. Qualcomm Snapdragon devices use Secure Boot, which adds 
> > cryptographic
> > checks to each stage of the boot-up process, to assert the 
> > authenticity
> > of all secure software images that the device executes.  However, due 
> > to
> > various vulnerabilities in SW modules, the integrity of the system can 
> > be
> > compromised at any time after device boot-up, leading to un-authorized
> > SW executing.
> >
> > The feature's idea is to move some sensitive kernel structures to a
> > separate page and monitor further any unauthorized changes to these,
> > from higher Exception Levels using stage 2 MMU. Moving these to a
> > different page will help avoid getting page faults from un-related 
> > data.
> > The mechanism we have been working on removes the write permissions 
> > for
> > HLOS in the stage 2 page tables for the regions to be monitored, such
> > that any modification attempts to these will lead to faults being
> > generated and handled by handlers. If the protected assets are moved 
> > to
> > a separate page, faults will be generated corresponding to change 
> > attempts
> > to these assets only. If not moved to a separate page, write attempts 
> > to
> > un-related data present on the monitored pages will also be generated.
> >
> > Using this feature, some sensitive variables of the kernel which are
> > initialized after init or are updated rarely can also be protected 
> > from
> > simple overwrites and attacks trying to modify these.
> >
> > Currently, the change moves selinux_state structure to a separate 
> > page.
> > The page is 2MB aligned not 4K to avoid TLB related performance impact 
> > as,
> > for some CPU core designs, the TLB does not cache 4K stage 2 (IPA to 
> > PA)
> > mappings if the IPA comes from a stage 1 mapping. In future, we plan 
> > to
> > move more security-related kernel assets to this page to enhance
> > protection.
>
> Part of this commit message should likely be added as a new file under
> Documentation/ somewhere.
Yes, that will be helpful, will put it in Documentation/security in the
next update. Thank you!

> > diff --git a/security/Kconfig b/security/Kconfig
> > index 7561f6f..1af913a 100644
> > --- a/security/Kconfig
> > +++ b/security/Kconfig
> > @@ -291,5 +291,16 @@ config LSM
> >
> >  source "security/Kconfig.hardening"
> >
> > +config SECURITY_RTIC
> > +       bool "RunTime Integrity Check feature"
> > +       depends on ARM64
> > +       help
> > +         RTIC(RunTime Integrity Check) feature is to protect Linux 
> > kernel
> > +         at runtime. This relocates some of the security sensitive 
> > kernel
> > +         structures to a separate RTIC specific page.
> > +
> > +         This is to enable monitoring and protection of these kernel 
> > assets
> > +         from a higher exception level(EL) against any unauthorized 
> > changes.
>
> Rewording suggestion:
>
>          The RTIC (RunTime Integrity Check) feature protects the kernel
>          at runtime by relocating some of its security-sensitive 
> structures
>          to a separate RTIC-specific page. This enables monitoring and
>          and protecting them from a higher exception level against
>          unauthorized changes.
Thanks :)

> Cheers,
> Miguel