kernel: Enable CONFIG_ARM64_PAN to restrict kernel access to user spa…

…ce memory

Enable the CONFIG_ARM64_PAN kernel security option, which leverages the
ARMv8.1 Privileged Access Never (PAN) extension to prevent the kernel
from directly accessing user space memory.

Instead, copy_to_user and similar functions must be used for data
transfer between kernel and user space. This feature is automatically
disabled at runtime on CPUs without PAN support, making it a no-op in
those cases.

Link: openwrt#16189
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

target/linux/armsr/armv8/config-6.6

@@ -93,7 +93,6 @@ CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_MTE=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

target/linux/bcm27xx/bcm2710/config-6.6

@@ -34,7 +34,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

target/linux/bcm27xx/bcm2711/config-6.6

@@ -29,7 +29,6 @@ CONFIG_ARM64_ERRATUM_1319367=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

target/linux/bcm27xx/bcm2712/config-6.6

@@ -33,7 +33,6 @@ CONFIG_ARM64_ERRATUM_3194386=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

target/linux/generic/config-5.15

@@ -349,7 +349,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_LSE_ATOMICS is not set
 CONFIG_ARM64_MODULE_PLTS=y
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTDUMP_DEBUGFS is not set

target/linux/generic/config-6.1

@@ -383,7 +383,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_LSE_ATOMICS is not set
 CONFIG_ARM64_MODULE_PLTS=y
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTDUMP_DEBUGFS is not set

target/linux/generic/config-6.6

@@ -358,7 +358,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 # CONFIG_ARM64_HW_AFDBM is not set
 # CONFIG_ARM64_LSE_ATOMICS is not set
 # CONFIG_ARM64_MTE is not set
-# CONFIG_ARM64_PAN is not set
+CONFIG_ARM64_PAN=y
 # CONFIG_ARM64_PMEM is not set
 # CONFIG_ARM64_PSEUDO_NMI is not set
 # CONFIG_ARM64_PTR_AUTH is not set

target/linux/layerscape/armv8_64b/config-6.1

@@ -40,7 +40,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

target/linux/layerscape/armv8_64b/config-6.6

@@ -41,7 +41,6 @@ CONFIG_ARM64_ERRATUM_843419=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y

target/linux/rockchip/armv8/config-6.6

@@ -48,7 +48,6 @@ CONFIG_ARM64_ERRATUM_858921=y
 CONFIG_ARM64_HW_AFDBM=y
 CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y
 CONFIG_ARM64_PAGE_SHIFT=12
-CONFIG_ARM64_PAN=y
 CONFIG_ARM64_PA_BITS=48
 CONFIG_ARM64_PA_BITS_48=y
 CONFIG_ARM64_PTR_AUTH=y