Linux 6.1 Default Kernel Config To Warn At Boot Of W+X Mappings
Going back to 2015 has been the "CONFIG_DEBUG_WX" kernel option to warn of mappings at kernel boot time that are set to writable and executable, since they pose a security risk. The intention of this "debug" option is to warn of W+X mappings left by the kernel after applying NX. Any mappings will be dumped to the kernel log for uncovering potential kernel problems.
CONFIG_DEBUG_WX has been happily working on Linux kernel releases for the past seven years albeit not part of the x86/x86_64 default kernel configuration. But with this week's TIP x86/mm changes of material queuing ahead of the Linux 6.1 merge window, CONFIG_DEBUG_WX would be enabled by default.
This commit adds the CONFIG_DEBUG_WX option by default for the i386 and x86_64 defconfigs. Non-x86 architectures are currently unchanged in their DEBUG_WX default configuration. Of course, this is all just about the default configuration and users/distributions are free to ship with their own customizations -- most distribution kernels are likely already shipping with this option enabled, as far as I know. This W+X checking only happens at boot time with no run-time or memory performance impact from this change, so it should be a safe default kernel configuration change for users moving forward.