Re: [PATCH 33/33] x86, pkeys: execute-only support
From: Dave Hansen
Date: Wed Feb 17 2016 - 16:33:26 EST
On 02/17/2016 01:27 PM, Kees Cook wrote:
> Is there a way to detect this feature's availability without userspace
> having to set up a segv handler and attempting to read a
> PROT_EXEC-only region? (i.e. cpu flag for protection keys, or a way to
> check the protection to see if PROT_READ got added automatically,
> etc?)
You can kinda do it with /proc/$pid/(s)maps. Here's smaps, for instance:
> 00401000-00402000 --xp 00001000 08:14 4897479 /root/pkeys/pkey-xonly
> Size: 4 kB
> Rss: 4 kB
...
> KernelPageSize: 4 kB
> MMUPageSize: 4 kB
> Locked: 0 kB
> ProtectionKey: 15
> VmFlags: ex mr mw me dw
You can see "--x" and the ProtectionKey itself being nonzero. That's a
reasonable indication. There's also the "OSPKE" cpuid bit which only
shows up when the kernel has enabled protection keys. This is
_separate_ from the bit that says whether the processor support pkeys.
I check them in test code like this:
> static inline void __cpuid(unsigned int *eax, unsigned int *ebx,
> unsigned int *ecx, unsigned int *edx)
> {
> /* ecx is often an input as well as an output. */
> asm volatile(
> "cpuid;"
> : "=a" (*eax),
> "=b" (*ebx),
> "=c" (*ecx),
> "=d" (*edx)
> : "0" (*eax), "2" (*ecx));
> }
>
> /* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx) */
> #define X86_FEATURE_PKU (1<<3) /* Protection Keys for Userspace */
> #define X86_FEATURE_OSPKE (1<<4) /* OS Protection Keys Enable */
>
> static inline int cpu_has_pku(void)
> {
> unsigned int eax;
> unsigned int ebx;
> unsigned int ecx;
> unsigned int edx;
> eax = 0x7;
> ecx = 0x0;
> __cpuid(&eax, &ebx, &ecx, &edx);
>
> if (!(ecx & X86_FEATURE_PKU)) {
> dprintf2("cpu does not have PKU\n");
> return 0;
> }
> if (!(ecx & X86_FEATURE_OSPKE)) {
> dprintf2("cpu does not have OSPKE\n");
> return 0;
> }
> return 1;
> }