lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 13 Nov 2014 16:48:31 +0100 (CET)
From:	Thomas Gleixner <tglx@...utronix.de>
To:	Borislav Petkov <bp@...e.de>
cc:	B_B_Singh@...L.com, stuart.w.hayes@...il.com, hpa@...or.com,
	mingo@...hat.com, x86@...nel.org, linux-kernel@...r.kernel.org,
	matt.fleming@...el.com, Jiri Kosina <jkosina@...e.cz>
Subject: Re: [PATCH] x86: Configure NX support earlier in setup_arch

On Thu, 13 Nov 2014, Borislav Petkov wrote:
> Revisit this patch how? I'm not sure I understand...

X86_64 starts with:

pteval_t __supported_pte_mask __read_mostly = ~0;

while i386 starts with:

pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL);

Now if the stupid BIOS disabled NX via setting bit 34 in
IA32_MISC_ENABLE, then X86_FEATURE_NX is off, but at the point where
we call x86_configure_nx() we already used the supported_pte_mask with
the NX bit set in the early remap code and accessed the mappings.

On 32bit we are safe because the early maps exclude NX at startup and
only enable it in x86_configure_nx().

That's one part of the issue. The other is that grub2 does not call in
via the trampoline, so we don't call verify_cpu. verify_cpu clears bit
34 in IA32_MISC_ENABLE depending on the cpu family/model, which is
true for 64bit machines.

So I think moving x86_configure_nx() to a point before we actually
create mappings is a sane thing to do in any case.

But of course we should also clear the stupid disable bit
unconditionally independent of the entry path for all cpus which
support it.

Thanks,

	tglx




--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ