Re: [PATCH 00/11] x86: Supervisor Mode Access Prevention

[Kees Cook]

On Mon, Sep 24, 2012 at 1:31 PM, H. Peter Anvin <hpa@xxxxxxxxx> wrote:
> On 09/22/2012 04:32 AM, Ingo Molnar wrote:
>>
>> * H. Peter Anvin <hpa@xxxxxxxxxxxxxxx> wrote:
>>
>>> On 09/21/2012 03:08 PM, Dave Jones wrote:
>>>>
>>>> Perhaps add a printk somewhere to show that it's actually been enabled maybe ?
>>>>
>>>> Also, would it be feasible to add something like we have for test_nx ?
>>>> If this feature regresses in some way in the future, I suspect we'd like
>>>> to know about it sooner rather than later.
>>>
>>> Good idea... should add this both for SMEP and SMAP.
>>
>> Very much agreed - these exploit preventation hardware features
>> are really useful, and it's good to inform the user that they
>> are active.
>>
>
> I was thinking about this, do you think a printk would be better, or a
> new field in /proc/cpuinfo?

We use printk for displaying the possible states of NX, however, this
is rather ephemeral and scrolls away, making its harder for an admin
to find later. It might make sense for a new field in cpuinfo for all
three, however, unlike NX, the status of SMEP/SMAP isn't (normally)
discoverable from userspace. That said, their CPU feature flags are
already right there, and the cases where it would be disabled are very
small.

How about this...

mem protection  : nx smap smep

Maybe the "why" of a cpu feature being missing from the "mem
protection" line can stay in printk?

-Kees

-- 
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/