kernel: Enable CONFIG_ARM64_PAN to restrict kernel access to user space memory

Enable the CONFIG_ARM64_PAN kernel security option, which leverages the
ARMv8.1 Privileged Access Never (PAN) extension to prevent the kernel
from directly accessing user space memory.

Instead, copy_to_user and similar functions must be used for data
transfer between kernel and user space. This feature is automatically
disabled at runtime on CPUs without PAN support, making it a no-op in
those cases.

Link: https://github.com/openwrt/openwrt/pull/16189
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

diff --git a/target/linux/armsr/armv8/config-6.6 b/target/linux/armsr/armv8/config-6.6
index 3ce25c60d82c1fc350b138bf09dc01f3fbdbe0d0..64356e27f4ba53ee52ed0377e7517c3ac28353c2 100644 (file)
--- a/target/linux/armsr/armv8/config-6.6
+++ b/target/linux/armsr/armv8/config-6.6
@@ -93,7 +93,6 @@ CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_MTE=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

diff --git a/target/linux/bcm27xx/bcm2710/config-6.6 b/target/linux/bcm27xx/bcm2710/config-6.6
index 4ab0e03ee271a5c0a1c485494e5c0c090cfa63f2..961fd2c71eeaff8eab76859892b50a55939bed3e 100644 (file)
--- a/target/linux/bcm27xx/bcm2710/config-6.6
+++ b/target/linux/bcm27xx/bcm2710/config-6.6
@@ -34,7 +34,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

diff --git a/target/linux/bcm27xx/bcm2711/config-6.6 b/target/linux/bcm27xx/bcm2711/config-6.6
index 915fe29cae8f7730d9ed397a6a2ffedbfe7e7ddf..6aeedc1c3129baacf25e4e41cb693121f9a09034 100644 (file)
--- a/target/linux/bcm27xx/bcm2711/config-6.6
+++ b/target/linux/bcm27xx/bcm2711/config-6.6
@@ -29,7 +29,6 @@ CONFIG_ARM64_ERRATUM_1319367=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

diff --git a/target/linux/bcm27xx/bcm2712/config-6.6 b/target/linux/bcm27xx/bcm2712/config-6.6
index d61796fb24f6cf537b9f02abe323461fa9bd27d9..81cc66e9c47d954d9677d90edab898d05e9fb045 100644 (file)
--- a/target/linux/bcm27xx/bcm2712/config-6.6
+++ b/target/linux/bcm27xx/bcm2712/config-6.6
@@ -33,7 +33,6 @@ CONFIG_ARM64_ERRATUM_3194386=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

diff --git a/target/linux/generic/config-5.15 b/target/linux/generic/config-5.15
index 90650ac7dd2773f1288879d1c4274a4bd814ebe2..1b8ad1cf42c593fa830ae566f23c2d22de7dd453 100644 (file)
--- a/target/linux/generic/config-5.15
+++ b/target/linux/generic/config-5.15
@@ -349,7 +349,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_LSE_ATOMICS is not set
 CONFIG_ARM64_MODULE_PLTS=y
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTDUMP_DEBUGFS is not set

diff --git a/target/linux/generic/config-6.1 b/target/linux/generic/config-6.1
index 3460be73b116857392f7db873a0172e7cbca82cd..81c66f41df9b8d267acdd8abff6426dc7c25646d 100644 (file)
--- a/target/linux/generic/config-6.1
+++ b/target/linux/generic/config-6.1
@@ -383,7 +383,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_LSE_ATOMICS is not set
 CONFIG_ARM64_MODULE_PLTS=y
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTDUMP_DEBUGFS is not set

diff --git a/target/linux/generic/config-6.6 b/target/linux/generic/config-6.6
index c169e107dfda2ffd16436b003b89b3c4020443d1..4fcb93fd25c93356c3c00a88e8b7f0d5cbe960a3 100644 (file)
--- a/target/linux/generic/config-6.6
+++ b/target/linux/generic/config-6.6
@@ -358,7 +358,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_HW_AFDBM is not set
 # CONFIG_ARM64_LSE_ATOMICS is not set
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTR_AUTH is not set

diff --git a/target/linux/layerscape/armv8_64b/config-6.1 b/target/linux/layerscape/armv8_64b/config-6.1
index 2ebe59c7ccf2c6f97b2c07610a723687bb42565a..8693370c197b0e89bc6ebe20da97b1953abddce2 100644 (file)
--- a/target/linux/layerscape/armv8_64b/config-6.1
+++ b/target/linux/layerscape/armv8_64b/config-6.1
@@ -40,7 +40,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

diff --git a/target/linux/layerscape/armv8_64b/config-6.6 b/target/linux/layerscape/armv8_64b/config-6.6
index 6d9d2ba2d56882c681efe23d728eb62e2f429c6d..133b75addb1ee44642ad9349bddaf81650a76342 100644 (file)
--- a/target/linux/layerscape/armv8_64b/config-6.6
+++ b/target/linux/layerscape/armv8_64b/config-6.6
@@ -41,7 +41,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

diff --git a/target/linux/rockchip/armv8/config-6.6 b/target/linux/rockchip/armv8/config-6.6
index dd9908869fa88e85df803943945ecbfef159d04e..bdb7d2b4936d783098431c7a0a90061d6d705140 100644 (file)
--- a/target/linux/rockchip/armv8/config-6.6
+++ b/target/linux/rockchip/armv8/config-6.6
@@ -48,7 +48,6 @@ CONFIG_ARM64_ERRATUM_858921=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y