Added kernel section clear/protect after init

This is a huge security improvement as it prevents potential exploits of using or modifying internal kernel functions or data.
author: Marvin Borner 2021-04-02 23:26:28 +0200
committer: Marvin Borner 2021-04-02 23:26:28 +0200
commit: ce98400f8a9ebd4e62e76b9e292b7598d0d66cc0 (patch)
tree: 823f06c2c325ead611863eeb3ac974c1ae562878 /kernel/link.ld
parent: fe468b476d567b6aa0695a030c408ccf46278c7d (diff)
1 files changed, 25 insertions, 4 deletions
diff --git a/kernel/link.ld b/kernel/link.ld
index c3b59b3..3b92e82 100644
--- a/kernel/link.ld
+++ b/kernel/link.ld
@@ -8,22 +8,42 @@ SECTIONS
 	. = phys;
 
 	kernel_ro_start = .;
+
 	.text BLOCK(4K) : ALIGN(4K)
 	{
-		*(.text)
+		*(.text*)
 	}
 
 	.rodata BLOCK(4K) : ALIGN(4K)
 	{
-		*(.rodata)
+		*(.rodata*)
 	}
-	kernel_ro_end = .;
 
+	kernel_ro_end = .;
 
 	kernel_rw_start = .;
+
+	/* Clear after init */
+	.temp_clear BLOCK(4K) : ALIGN(4K)
+	{
+		kernel_temp_clear_start = .;
+		*(.temp_clear)
+		kernel_temp_clear_end = .;
+		. = ALIGN(4K);
+	}
+
+	/* Make read-only after init */
+	.temp_protect BLOCK(4K) : ALIGN(4K)
+	{
+		kernel_temp_protect_start = .;
+		*(.temp_protect)
+		kernel_temp_protect_end = .;
+		. = ALIGN(4K);
+	}
+
 	.data BLOCK(4K) : ALIGN(4K)
 	{
-		*(.data)
+		*(.data*)
 	}
 
 	.bss BLOCK(4K) : ALIGN(4K)
@@ -31,5 +51,6 @@ SECTIONS
 		*(COMMON)
 		*(.bss)
 	}
+
 	kernel_rw_end = .;
 }
author	Marvin Borner	2021-04-02 23:26:28 +0200
committer	Marvin Borner	2021-04-02 23:26:28 +0200
commit	ce98400f8a9ebd4e62e76b9e292b7598d0d66cc0 (patch)
tree	823f06c2c325ead611863eeb3ac974c1ae562878 /kernel/link.ld
parent	fe468b476d567b6aa0695a030c408ccf46278c7d (diff)