| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 19 Jun 2010 10:54:26 -0700 From: Kees Cook <kees.cook@...onical.com> To: Arjan van de Ven <arjan@...radead.org> Cc: Andi Kleen <andi@...stfloor.org>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Alexander Potashev <aspotashev@...il.com>, Tim Abbott <tabbott@...lice.com>, Sam Ravnborg <sam@...nborg.org>, Jan Beulich <jbeulich@...ell.com>, Jeremy Fitzhardinge <jeremy.fitzhardinge@...rix.com>, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2 0/4] x86: clear XD_DISABLED flag on Intel to regain NX Hi, On Sat, Jun 19, 2010 at 08:16:42AM -0700, Arjan van de Ven wrote: > On Sat, 19 Jun 2010 10:21:29 +0200 > Andi Kleen <andi@...stfloor.org> wrote: > > > Kees Cook <kees.cook@...onical.com> writes: > > > > > This will clear the MSR_IA32_MISC_ENABLE_XD_DISABLE bit so that NX > > > cannot be inappropriately controlled by the BIOS on Intel CPUs. If > > > NX actually needs to be disabled, "noexec=off" can be used. > > > > The patch still seems like a bad idea to me. What happens if > > the NX bit is broken for some reason and the BIOS is right > > to disable it? > > > overriding the bios like this is almost always a bad idea. > (you're doing a blanket override, not a specific, verified override) I've seen other things in the BIOS ignored (IDE bus settings jumps to mind), so I figured it wasn't strictly bad. From what I've been able to gather, this setting is never correct. If there are situations where it must be left alone, we could add those as exceptions. > you have no idea if the SMM code can deal with NX, etc etc. The pages don't get marked as actually NX until setup_nx() is called, at which point "noexec=off" would have already been handled, so if that happens, a system can still boot with that cmdline option. > the real answer is "fix your bios setting". Well, the "best" answer is "fix the bios", which is why I got Dell to fix their BIOSes. Unfortunately, there are still systems with this misconfigured. > Don't as owner of the machine turn something off in the bios that you > actually want. Most people don't know/care, so if they do and it's a problem, I thought using "noexec=off" would be sufficient while still allowing the bulk of systems to end up with NX correctly enabled. -Kees -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists