lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 14 Jul 2014 10:28:43 -0700
From:	"H. Peter Anvin" <hpa@...or.com>
To:	Borislav Petkov <bp@...e.de>,
	Stuart Hayes <stuart.w.hayes@...il.com>
CC:	tglx@...utronix.de, mingo@...hat.com, x86@...nel.org,
	linux-kernel@...r.kernel.org, matt.fleming@...el.com
Subject: Re: [PATCH] x86: Configure NX support earlier in setup_arch

Oh, it is a case of Grub2 utter braindamage.  That figures.  I guess we need to invoke verify_cpu in yet another place.



On July 14, 2014 10:22:25 AM PDT, Borislav Petkov <bp@...e.de> wrote:
>On Wed, Jul 09, 2014 at 07:56:29PM -0500, Stuart Hayes wrote:
>> Well... I got this issue because a co-worker tripped over it. He had
>> NX disabled in BIOS for some reason, and found that linux wouldn't
>> boot--it hung right after grub2. I guess it took a while to figure
>out
>> that it was the fact that NX was disabled that caused linux not to
>> come up--and that could happen to other people. I don't know of any
>> real-world scenarios in which someone would actually prefer to run a
>> recent linux kernel with NX disabled, though.
>>
>> It looks like some of the other boot paths into the kernel
>> automatically clear the XD_DISABLE bit in the MISC_ENABLE MSR in the
>> CPU (in verify_cpu), but that doesn't happen when grub2 jumps to
>> startup_64 in arch/x86/boot/compressed/head_64.S. I guess instead
>> of this patch, I could try to make a patch that turns NX back on
>> (somewhere in startup_64), but since the kernel already supports NX
>> being disabled, so I thought maybe just fixing that would be better.
>I
>> didn't like seeing the kernel just die without giving any indication
>> of what the problem is.
>
>Well, hpa and I were talking about this briefly and this NX disabling
>in the BIOS is probably for some broken legacy applications/OSes. Linux
>enables NX unconditionally very early because disabling it is a very
>bad
>idea anyway, security-wise.
>
>So, if this is just a random trip over of a co-worker and doesn't have
>any sensible use case, I'd rather leave it as is an don't fix it at
>all.

-- 
Sent from my mobile phone.  Please pardon brevity and lack of formatting.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ