kernel_ConfigVerify: expect SET_MODULE_RONX on ARM

CONFIG_SET_MODULE_RONX is available on ARM for 3.8 now. Update the
expected configuration logic.

BUG=chromium:342951,chromium:341583
TEST=daisy_spring passes
CQ-DEPEND=Ia6a675fa8ffdbceaef5ebe9eb8c706b4dc9cd7d2

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/185967
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Aviv Keshet <akeshet@chromium.org>

Change-Id: I2a1d2ac0eab486d8ca305ce98696ef57742f88af
(cherry picked from commit 17dfff506c7d7cda134f7c7ba4af88dab451c7c1)
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/188372
Reviewed-by: Will Drewry <wad@chromium.org>
diff --git a/client/site_tests/kernel_ConfigVerify/kernel_ConfigVerify.py b/client/site_tests/kernel_ConfigVerify/kernel_ConfigVerify.py
index 1a8c335..d5e6d9c 100644
--- a/client/site_tests/kernel_ConfigVerify/kernel_ConfigVerify.py
+++ b/client/site_tests/kernel_ConfigVerify/kernel_ConfigVerify.py
@@ -266,6 +266,9 @@
         # Locate and load the list of kernel config variables.
         self._config = self._load_configs()
 
+        # Adjust for kernel-version-specific changes
+        kernel_ver = os.uname()[2]
+
         # Run the static checks.
         map(self.has_builtin, self.IS_BUILTIN)
         map(self.has_module, self.IS_MODULE)
@@ -294,11 +297,18 @@
 
         # Security; marks data segments as RO/NX.
         if self._arch.startswith('arm'):
-            # TODO(kees): ARM kernel needs the module RO/NX logic added.
+            # On ARM RODATA is not a config option, it is hardcoded.
             self.is_missing('DEBUG_RODATA')
-            self.is_missing('DEBUG_SET_MODULE_RONX')
         else:
             self.has_builtin('DEBUG_RODATA')
+        # DEBUG_SET_MODULE_RONX exists on all x86 and on ARM in 3.4.
+        if self._arch.startswith('arm'):
+            if utils.compare_versions(kernel_ver, "3.4") >= 0 and \
+               utils.compare_versions(kernel_ver, "3.8") < 0:
+                self.has_builtin('DEBUG_SET_MODULE_RONX')
+            else:
+                self.is_missing('DEBUG_SET_MODULE_RONX')
+        else:
             self.has_builtin('DEBUG_SET_MODULE_RONX')
 
         # Kernel: make sure port 0xED is the one used for I/O delay