| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Dec 2015 12:30:06 -0800 From: Kees Cook <keescook@...omium.org> To: Borislav Petkov <bp@...en8.de> Cc: Matt Fleming <matt@...eblueprint.co.uk>, Kosuke Tatsukawa <tatsu@...jp.nec.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, "x86@...nel.org" <x86@...nel.org>, "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: [PATCH 1/2] x86: Fix kernel panic when booting with XD disabled in uEFI firmware On Tue, Dec 8, 2015 at 6:19 AM, Borislav Petkov <bp@...en8.de> wrote: > On Tue, Dec 08, 2015 at 12:25:57PM +0000, Matt Fleming wrote: >> On Mon, 07 Dec, at 11:10:43PM, Kosuke Tatsukawa wrote: >> > >> > Thank you pointing that out. >> > >> > linux-4.4-rc3 booted without a problem on a real server even with XD >> > turned off by the firmware. I didn't notice this before because I was > > The aforementioned patch reenables NX. > >> Borislav, what do you think about stripping PAGE_NX from 'page_flags' >> in kernel_map_pages_in_pgd() if NX isn't supported, rather than >> returning EINVAL? At least that way EFI runtime services would still >> work. > > I guess we can - I mean, I don't see what can go wrong more when > allowing the kernel to execute even NX UEFI regions. Maybe easier > generation of "gadgets" in the ROP sense ... > > On a related node, I'm very sceptical of the existence of this "noexec" > chicken bit, if you ask me. It is a really bad idea, security-wise, to > disable NX. Is there even a valid use case to disable NX? > > Because if not, I'd vote for removing that chicken bit or at least > taining the kernel with > > add_taint(TAINT_USER_MORON, ... ); If we add this for not-nx, I would like to add it for not-rodata too. > Kees, has this NX disabling practice come up in the past, per chance... ? I've never seen anyone actually use it. I was asked to include it out of fear of some kind of rogue imagined CPU configuration that mixed NX and non-NX capable CPUs in a single machine where the forced NX re-enablement code would cause problems. As you might imagine, I'm not aware of this case ever being an issue. ;) -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists