On 2017/05/16 10:56AM, Anshuman Khandual wrote:
> On 05/16/2017 09:19 AM, Balbir Singh wrote:
> > patch_instruction is enhanced in this RFC to support
> > patching via a different virtual address (text_poke_area).
>
> Why is writing the instruction directly into the address not
> sufficient, and why does it need to go through this virtual address?

To enable KERNEL_STRICT_RWX and map all of kernel text to be read-only?

> > The mapping of text_poke_area->addr is RW and not RWX.
> > This way the mapping allows write for patching and then we tear
> > down the mapping. The downside is that we introduce a spinlock
> > which serializes our patching to one patch at a time.
>
> So what are the benefits we get otherwise in this approach when
> we are adding a new lock into the equation?

Instruction patching isn't performance critical, so the slowdown is
likely not noticeable. Marking kernel text read-only helps harden the
kernel by catching unintended code modifications, whether through
exploits or through bugs.

- Naveen
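A userspace model of the text_poke_area approach discussed above, as an added example that is not code from the patch series or from anyone in this thread: the text view stays R-X, and the store goes through a short-lived RW alias of the same page, taken under a lock and torn down afterwards. Assumptions: Linux; a tmpfile-backed MAP_SHARED object stands in for the kernel's page tables; the 0x60000000 value used below is a constructed sample instruction word.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define TEXT_LEN 4096                 /* one page standing in for kernel text */
static uint8_t *text;                 /* the R-X view; never made writable */
static int text_fd = -1;              /* backing object both views alias (assumed model) */
static pthread_mutex_t patch_lock = PTHREAD_MUTEX_INITIALIZER;

/* Map the text view R-X (R-- if the sandbox forbids PROT_EXEC). */
int setup_text(void) {
    FILE *f = tmpfile();
    if (!f || ftruncate((text_fd = fileno(f)), TEXT_LEN) != 0) return -1;
    text = mmap(NULL, TEXT_LEN, PROT_READ | PROT_EXEC, MAP_SHARED, text_fd, 0);
    if (text == MAP_FAILED)
        text = mmap(NULL, TEXT_LEN, PROT_READ, MAP_SHARED, text_fd, 0);
    return text == MAP_FAILED ? -1 : 0;
}

/* text_poke_area model: under the lock, map a short-lived RW alias of the
 * page, store through it, tear it down. No mapping is ever RWX. */
int patch_instruction(size_t off, uint32_t insn) {
    if (off + sizeof insn > TEXT_LEN) return -1;
    pthread_mutex_lock(&patch_lock);             /* serializes patchers */
    uint8_t *poke = mmap(NULL, TEXT_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, text_fd, 0);
    if (poke != MAP_FAILED) {
        memcpy(poke + off, &insn, sizeof insn);
        munmap(poke, TEXT_LEN);                  /* close the write window */
    }
    pthread_mutex_unlock(&patch_lock);
    return poke == MAP_FAILED ? -1 : 0;
}
uint32_t read_insn(size_t off) { uint32_t v; memcpy(&v, text + off, sizeof v); return v; }
/* Why the alias is needed: a direct store into the R-X view faults. */
static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }
int direct_write_faults(void) {
    struct sigaction sa = { .sa_handler = on_fault }, old;
    sigaction(SIGSEGV, &sa, &old);
    volatile int faulted = 0;
    if (sigsetjmp(fault_jmp, 1) == 0) ((volatile uint8_t *)text)[0] = 0xff;
    else faulted = 1;
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}
```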