CONFIG_IO_STRICT_DEVMEM should be enabled

Bug #1855338 reported by Tyler Hicks
This bug affects 3 people
Affects: linux (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

We should enable CONFIG_IO_STRICT_DEVMEM to restrict userspace access to active io-memory ranges.

This could impact kernel debuggability. In that case, you may reboot with
iomem=relaxed on the kernel command line to override this setting.

This config option is recommended by the Kernel Self Protection Project[1] and a 2019 study performed by Capsule 8 shows that it is enabled in many other major distro kernels[2].

[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
[2] https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/

Tags: focal
Tyler Hicks (tyhicks)
description: updated
Seth Forshee (sforshee)
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Laurent Bonnaud (laurent-bonnaud) wrote :

The problem is still there in Ubuntu 20.04/focal:

$ grep CONFIG_IO_STRICT_DEVMEM /boot/config-5.*
/boot/config-5.4.0-21-generic:# CONFIG_IO_STRICT_DEVMEM is not set
/boot/config-5.4.0-21-lowlatency:# CONFIG_IO_STRICT_DEVMEM is not set
/boot/config-5.6.3-050603-generic:# CONFIG_IO_STRICT_DEVMEM is not set

Committing a fix is good, but releasing it is even better :>.

tags: added: focal
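A small defender-side check that extends the grep above: it reports whether CONFIG_IO_STRICT_DEVMEM is built in and whether the iomem=relaxed override from the description is present on the command line. This is an added example, not code from the bug report or the Ubuntu kernel packaging; the function names devmem_state and live_check and the sample config/cmdline strings are constructed for illustration.

```shell
#!/bin/sh
# Classify the effective /dev/mem I/O-memory restriction from kernel config
# text and the kernel command line. Inputs are passed as strings so the same
# function runs against /boot/config-$(uname -r) on a live system or against
# the constructed samples below.
#
# Prints one of:
#   strict   - CONFIG_IO_STRICT_DEVMEM=y and no iomem=relaxed override
#   relaxed  - option built in, but iomem=relaxed given on the command line
#   disabled - option not built in (the state this bug report describes)
devmem_state() {
    config="$1"
    cmdline="$2"
    # Anchored match so CONFIG_STRICT_DEVMEM=y (a different option) does
    # not count, and the "# ... is not set" form is treated as disabled.
    if ! printf '%s\n' "$config" | grep -q '^CONFIG_IO_STRICT_DEVMEM=y$'; then
        echo disabled
        return 0
    fi
    # Pad with spaces so the override matches only as a whole parameter.
    case " $cmdline " in
        *" iomem=relaxed "*) echo relaxed ;;
        *) echo strict ;;
    esac
}

# Constructed sample inputs (not taken from a real system).
SAMPLE_OFF='CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set'
SAMPLE_ON='CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y'
CMDLINE_DEFAULT='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet'
CMDLINE_RELAXED='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro iomem=relaxed'

# Live check for the running kernel, when its config file is readable.
live_check() {
    cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] || { echo "no config at $cfg"; return 0; }
    devmem_state "$(cat "$cfg")" "$(cat /proc/cmdline)"
}
```

Run live_check on a 5.4 focal kernel from the comment above and it prints "disabled"; a kernel that enables the option prints "strict" unless iomem=relaxed was passed at boot.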
Tyler Hicks (tyhicks) wrote :

This change was applied during the Focal development cycle but then reverted pending performance testing results. That performance testing work was never finished and I'm no longer working on this bug.

Changed in linux (Ubuntu):
assignee: Tyler Hicks (tyhicks) → nobody
status: Fix Committed → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.8.0-16.17

---------------
linux (5.8.0-16.17) groovy; urgency=medium

  * groovy/linux: 5.8.0-16.17 -proposed tracker (LP: #1891233)

  * Miscellaneous Ubuntu changes
    - hio -- Update to use bio_{start,end}_io_acct with 5.8+
    - Enable hio driver
    - [Packaging] Temporarily disable building doc package contents

linux (5.8.0-15.16) groovy; urgency=medium

  * groovy/linux: 5.8.0-15.16 -proposed tracker (LP: #1891177)

  * Miscellaneous Ubuntu changes
    - SAUCE: Documentation: import error c_funcptr_sig_re, c_sig_re (sphinx-
      doc/sphinx@0f49e30c)

linux (5.8.0-14.15) groovy; urgency=medium

  * groovy/linux: 5.8.0-14.15 -proposed tracker (LP: #1891085)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * msg_zerocopy.sh in net from ubuntu_kernel_selftests failed (LP: #1812620)
    - selftests/net: relax cpu affinity requirement in msg_zerocopy test

  * Fix missing HDMI/DP Audio on an HP Desktop (LP: #1890441)
    - ALSA: hda/hdmi: Add quirk to force connectivity

  * Add initial audio support for Lenovo ThinkStation P620 (LP: #1890317)
    - ALSA: usb-audio: Add support for Lenovo ThinkStation P620

  * Fix IOMMU error on AMD Radeon Pro W5700 (LP: #1890306)
    - PCI: Mark AMD Navi10 GPU rev 0x00 ATS as broken

  * Enlarge hisi_sec2 capability (LP: #1890222)
    - crypto: hisilicon - update SEC driver module parameter

  * Miscellaneous Ubuntu changes
    - [Config] Re-enable signing for ppc64el

 -- Seth Forshee <email address hidden> Tue, 11 Aug 2020 15:32:58 -0500

Changed in linux (Ubuntu):
status: Triaged → Fix Released