From ce98400f8a9ebd4e62e76b9e292b7598d0d66cc0 Mon Sep 17 00:00:00 2001
From: Marvin Borner
Date: Fri, 2 Apr 2021 23:26:28 +0200
Subject: Added kernel section clear/protect after init

This is a huge security improvement as it prevents potential exploits
of using or modifying internal kernel functions or data.
---
 kernel/link.ld | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

(limited to 'kernel/link.ld')

diff --git a/kernel/link.ld b/kernel/link.ld
index c3b59b3..3b92e82 100644
--- a/kernel/link.ld
+++ b/kernel/link.ld
@@ -8,22 +8,42 @@ SECTIONS
 	. = phys;
 
 	kernel_ro_start = .;
+
 	.text BLOCK(4K) : ALIGN(4K)
 	{
-		*(.text)
+		*(.text*)
 	}
 
 	.rodata BLOCK(4K) : ALIGN(4K)
 	{
-		*(.rodata)
+		*(.rodata*)
 	}
-	kernel_ro_end = .;
 
+	kernel_ro_end = .;
 
 	kernel_rw_start = .;
+
+	/* Clear after init */
+	.temp_clear BLOCK(4K) : ALIGN(4K)
+	{
+		kernel_temp_clear_start = .;
+		*(.temp_clear)
+		kernel_temp_clear_end = .;
+		. = ALIGN(4K);
+	}
+
+	/* Make read-only after init */
+	.temp_protect BLOCK(4K) : ALIGN(4K)
+	{
+		kernel_temp_protect_start = .;
+		*(.temp_protect)
+		kernel_temp_protect_end = .;
+		. = ALIGN(4K);
+	}
+
 	.data BLOCK(4K) : ALIGN(4K)
 	{
-		*(.data)
+		*(.data*)
 	}
 
 	.bss BLOCK(4K) : ALIGN(4K)
@@ -31,5 +51,6 @@ SECTIONS
 		*(COMMON)
 		*(.bss)
 	}
+
 	kernel_rw_end = .;
 }
-- 
cgit v1.2.3