ARMSecurityFeatures
Launchpad Entry: https://blueprints.launchpad.net/ubuntu/+spec/arm-m-missing-security-features/
Created: DaveMartin
Contributors: KeesCook, AmitKucheria, NicolasPitre
Packages affected: linux-fsl-imx51, linux-mvl-dove (+ any other ARM kernel trees)
Summary
A few generic Linux kernel security features are not currently implemented for ARM, such as SECCOMP, CONFIG_CC_STACKPROTECTOR, Address Space Layout Randomisation and /dev/mem protection.
The work carried out under this spec will investigate feasibility and implement support for these features, where appropriate.
Features to which this Spec Applies
* Security features on ARM (https://wiki.ubuntu.com/SecurityTeam/Roadmap/ARM)
  - PR_SET_SECCOMP (LP #375183, https://wiki.ubuntu.com/Security/Features#PR_SET_SECCOMP)
    - [kees] May be used by Google, potentially Chromium, in the future.
  - Address Space Layout Randomization (https://wiki.ubuntu.com/Security/Features#ASLR)
    - [dmart] no vdso for ARM yet, so we don't need to worry about relocating it
    - mmap/libs, executable, stack and brk areas will need relocation
  - /dev/mem protection (https://wiki.ubuntu.com/Security/Features#/dev/mem%20protection)
  - CC_STACKPROTECTOR (https://wiki.ubuntu.com/Security/Features#CONFIG_CC_STACKPROTECTOR)
    - Security updates
Release Note
Note: This section is a placeholder for the text which will go into the release note at release time.
On ARM platforms, a full set of Linux kernel security features are now supported, including: *** TODO: determine final list based on what is implemented ***
Rationale
This should cover the _why_: why is this change being proposed, what justifies it, where we see this justified.
Assumptions
It is assumed that there are no significant blocking issues preventing the implementation of the features for ARM. This will be determined further by investigative work done under this specification.
Implementation
Assignees and tasks are documented in the blueprint whiteboard area. See the top of this page for a link.
Code Changes
Only the Linux kernel trees for ARM are affected. It is expected that the proposed changes will be non-invasive and non-platform-specific; because of this, we should definitely mainline the changes at the earliest opportunity.
Migration
There should be no migration impact. This specification simply proposes to enable some features already supported by Ubuntu but not yet supported on ARM targets in particular.
Test/Demo Plan
It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release. Please add an entry to http://testcases.qa.ubuntu.com/Coverage/NewFeatures for tracking test coverage.
Kees already has testcases for these features: it should be a straightforward matter of removing the XFAIL checks for ARM.
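As an added example (not from the spec and not one of Kees's testcases), a demo of the ASLR relocation check described above: it parses /proc/<pid>/maps dumps from several fresh processes and reports whether the executable, brk/heap, mmap'd libraries and stack move between runs. The region classification, the /proc maps line format and the use of the Python interpreter as the sampled process are assumptions made for this example.

```python
import os
import re
import subprocess
import sys

# Regions the spec says must be relocated on ARM: mmap/libs, exe, stack, brk.
REGIONS = ("exec", "heap", "libs", "stack", "vdso")  # vdso: none on ARM
# /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+ \S+ \S+ \S+ \S+\s*(.*)$")

def classify(maps_text, exe_path):
    """Map one maps dump to {region: lowest start address of that region}."""
    found = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, path = int(m.group(1), 16), m.group(2)
        if path in ("[stack]", "[heap]", "[vdso]"):
            region = path[1:-1]
        elif path == exe_path:
            region = "exec"
        elif path.startswith("/"):
            region = "libs"   # any file-backed mapping other than the exe
        else:
            continue          # anonymous mappings and other special entries
        found[region] = min(found.get(region, start), start)
    return found

def randomized_regions(runs):
    """From several classify() results, report {region: moved_between_runs}.
    Regions missing from some run are skipped; True means the base address
    differed between at least two runs, i.e. the region was relocated."""
    result = {}
    for region in REGIONS:
        addrs = [r[region] for r in runs if region in r]
        if addrs and len(addrs) == len(runs):
            result[region] = len(set(addrs)) > 1
    return result

def sample_live(n=5):
    """Start n fresh interpreters and collect their own maps (Linux only)."""
    exe = os.path.realpath(sys.executable)
    cmd = [exe, "-c", "print(open('/proc/self/maps').read(), end='')"]
    return [classify(subprocess.check_output(cmd, text=True), exe)
            for _ in range(n)]

if __name__ == "__main__":
    for region, moved in randomized_regions(sample_live()).items():
        print(f"{region:6s} {'randomized' if moved else 'NOT randomized'}")
```

A region that stays fixed across runs (with randomize_va_space enabled) is one the ARM port still needs to relocate.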
Unresolved issues
TBD
BoF agenda and discussion
Kernel Security Features Missing from the ARM Trees
Agenda
- identify specific security features to implement for M
- assign feature development tasks
- discuss any exceptional issues relating to security updates for ARM
Features Under Discussion
- PR_SET_SECCOMP
  - Amitk has a SoC patch, will post to bug lp #375183 for testing
- Address Space Layout Randomisation
  - ARM VM layout similar to x86, but ARM has configurable user/kernel split
  - potentially useful existing implementation for ASLR exists in grsecurity:
- /dev/mem protection
  - SoC-specific drivers may poke device regs and mem from userspace, but not typically through /dev/mem directly (?)
  - We should turn it off and see if someone uses it
- VDSO
  - Not relevant for ARM
  - vector page exists, but does not appear to be security sensitive
- CONFIG_CC_STACKPROTECTOR
  - GCC/userspace implements this, but the kernel glue is not there yet
  - Kees has tests to see whether gcc stack protector is working:
- Might be nice to have a generic driver for accessing the TrustZone areas
  - not really a sane stable API from device to device
Action Items from BoF
- [dave-martin-arm] follow up with tools guys about how the GCC stack protector works for ARM
- [dave-martin-arm] follow up with Catalin Marinas and Nicolas Pitre on kernel details relating to ASLR
- [npitre] investigate CC_STACKPROTECTOR and ASLR
- [amitk] test SECCOMP patch and push upstream
- [kees] turn off /dev/mem
(See the launchpad blueprint page for the authoritative, current list and status.)
Specs/M/ARMSecurityFeatures (last edited 2010-05-28 13:15:12 by fw-tnat)