lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5jJraZJc2nYZUEDeroa9qwy_sN9kvFYAJvdubQ_wky25zw@mail.gmail.com>
Date:	Mon, 24 Sep 2012 13:43:07 -0700
From:	Kees Cook <keescook@...omium.org>
To:	"H. Peter Anvin" <hpa@...or.com>
Cc:	Ingo Molnar <mingo@...nel.org>,
	"H. Peter Anvin" <hpa@...ux.intel.com>,
	Dave Jones <davej@...hat.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Linda Wang <lwang@...hat.com>,
	Matt Fleming <matt.fleming@...el.com>
Subject: Re: [PATCH 00/11] x86: Supervisor Mode Access Prevention

On Mon, Sep 24, 2012 at 1:31 PM, H. Peter Anvin <hpa@...or.com> wrote:
> On 09/22/2012 04:32 AM, Ingo Molnar wrote:
>>
>> * H. Peter Anvin <hpa@...ux.intel.com> wrote:
>>
>>> On 09/21/2012 03:08 PM, Dave Jones wrote:
>>>>
>>>> Perhaps add a printk somewhere to show that it's actually been enabled maybe ?
>>>>
>>>> Also, would it be feasible to add something like we have for test_nx ?
>>>> If this feature regresses in some way in the future, I suspect we'd like
>>>> to know about it sooner rather than later.
>>>
>>> Good idea... should add this both for SMEP and SMAP.
>>
>> Very much agreed - these exploit preventation hardware features
>> are really useful, and it's good to inform the user that they
>> are active.
>>
>
> I was thinking about this, do you think a printk would be better, or a
> new field in /proc/cpuinfo?

We use printk for displaying the possible states of NX, however, this
is rather ephemeral and scrolls away, making its harder for an admin
to find later. It might make sense for a new field in cpuinfo for all
three, however, unlike NX, the status of SMEP/SMAP isn't (normally)
discoverable from userspace. That said, their CPU feature flags are
already right there, and the cases where it would be disabled are very
small.

How about this...

mem protection  : nx smap smep

Maybe the "why" of a cpu feature being missing from the "mem
protection" line can stay in printk?

-Kees

-- 
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ