x86, vmlinux.lds.S: Page align RO data for xo text

RO data starts right after the kernel text. If the kernel text doesn’t end
exactly on a 2MB page boundary, then the last page of text will share a page
with the RO data. This prevents all of the text being set as execute-only,
since it would make the RO data not readable.

So page align the start of the RO data when CONFIG_XO_TEXT so this does not
happen. This usually results in the last page of kernel text being a 4k page
instead of a 2MB one. The RO data could be 2MB aligned to avoid this, but at
the cost of extra memory usage. So have it be a 4k page, as it is the
compromise PTI used when setting some pages non-global.

Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>

Author: rpedgeco

arch/Kconfig

@@ -872,6 +872,9 @@ config STRICT_MODULE_RWX
 	  and non-text memory will be made non-executable. This provides
 	  protection against certain security exploits (e.g. writing to text)
 
+config STRICT_KERNEL_NR
+	bool "Align kernel rodata so all kernel text can be set not readable"
+
 # select if the architecture provides an asm/dma-direct.h header
 config ARCH_HAS_PHYS_TO_DMA
 	bool

arch/x86/kernel/vmlinux.lds.S

@@ -143,6 +143,14 @@ SECTIONS
 #endif
 	} :text = 0x9090
 
+	/*
+	 * If the kernel text is XO, make sure no data shares the page with the
+	 * kernel text.
+	 */
+#ifdef CONFIG_XO_TEXT
+ 	. = ALIGN(PAGE_SIZE);
+#endif
+
 	/* End of text section */
 	_etext = .;