The AArch64 virtual memory architecture supports the so-called WXN attribute, which is a global attribute that can be set to make all writable mappings implicitly non-exec. Currently, we cannot enable this in the kernel, as the early mapping code does not separate code and data regions properly, so enabling it today would break the boot.
Unfortunately, this control applies to both the kernel (EL1) and user space (EL0) privilege levels at the same time, which means that once we fix the kernel part, we can still only enable it on systems where user space is not relying on being able to execute from writable mappings. However, in the context of confidential computing, or other restricted user spaces such as Chrome OS (?), this may be solvable.
Fix for kernel part proposed as part of this series
The AArch64 virtual memory architecture supports the so-called WXN attribute, which is a global attribute that can be set to make all writable mappings implicitly non-exec. Currently, we cannot enable this in the kernel, as the early mapping code does not separate code and data regions properly, so enabling it today would break the boot.
Unfortunately, this control applies to both the kernel (EL1) and user space (EL0) privilege levels at the same time, which means that once we fix the kernel part, we can still only enable it on systems where user space is not relying on being able to execute from writable mappings. However, in the context of confidential computing, or other restricted user spaces such as Chrome OS (?), this may be solvable.
Fix for kernel part proposed as part of this series