Re: [PATCH 4/4] arm64: Unmap kernel data/bss entirely from the linear map

[PATCH 0/4] arm64: Unmap linear alias of kernel data/bss · Ard Biesheuvel <hidden> · 2026-01-19
[PATCH 1/4] arm64: Move fixmap page tables to end of kernel image · Ard Biesheuvel <hidden> · 2026-01-19
Re: [PATCH 1/4] arm64: Move fixmap page tables to end of kernel image · Anshuman Khandual <hidden> · 2026-01-23
Re: [PATCH 1/4] arm64: Move fixmap page tables to end of kernel image · Ard Biesheuvel <ardb@kernel.org> · 2026-01-23
[PATCH 2/4] arm64: Map the kernel data/bss read-only in the linear map · Ard Biesheuvel <hidden> · 2026-01-19
Re: [PATCH 2/4] arm64: Map the kernel data/bss read-only in the linear map · Anshuman Khandual <hidden> · 2026-01-23
[PATCH 3/4] arm64: Move the zero page to rodata · Ard Biesheuvel <hidden> · 2026-01-19
Re: [PATCH 3/4] arm64: Move the zero page to rodata · Anshuman Khandual <hidden> · 2026-01-23
Re: [PATCH 3/4] arm64: Move the zero page to rodata · Ard Biesheuvel <ardb@kernel.org> · 2026-01-23
[PATCH 4/4] arm64: Unmap kernel data/bss entirely from the linear map · Ard Biesheuvel <hidden> · 2026-01-19
Re: [PATCH 4/4] arm64: Unmap kernel data/bss entirely from the linear map · Anshuman Khandual <hidden> · 2026-01-23
Re: [PATCH 4/4] arm64: Unmap kernel data/bss entirely from the linear map · Ard Biesheuvel <ardb@kernel.org> · 2026-01-23

From: Ard Biesheuvel <ardb@kernel.org>
Date: 2026-01-23 07:27:52
Also in: linux-hardening, lkml

On Fri, 23 Jan 2026 at 07:52, Anshuman Khandual
[off-list ref] wrote:



On 19/01/26 10:17 PM, Ard Biesheuvel wrote:

quoted

From: Ard Biesheuvel <ardb@kernel.org>

The linear aliases of the kernel text and rodata are mapped read-only as
well. Given that the contents of these regions are mostly identical to
the version in the loadable image, mapping them read-only is a
reasonable hardening measure.

Data and bss, however, are now also mapped read-only but the contents of
these regions are more likely to contain data that we'd rather not leak.
So let's unmap these entirely in the linear map when the kernel is
running normally.

Only when going into hibernation or waking up from it do these regions
need to be mapped, so take care of this using a PM notifier.

Just curious - why do we need them mapped while going into or coming back
from the hibernation ?

Because the kernel image is preserved/restored via the linear map. For
some reason, it appears to be sufficient for this mapping to be
read-only but unmapping it entirely results in failures to resume from
hibernation.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help