Re: [PATCH v2 0/4] x86: clear XD_DISABLED flag on Intel to regain NX

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Kees Cook

Subject: Re: [PATCH v2 0/4] x86: clear XD_DISABLED flag on Intel to regain NX

Date: Saturday, June 19, 2010 - 10:54 am

Hi,

On Sat, Jun 19, 2010 at 08:16:42AM -0700, Arjan van de Ven wrote:
quoted text> On Sat, 19 Jun 2010 10:21:29 +0200
> Andi Kleen <andi@firstfloor.org> wrote:
> 
> > Kees Cook <kees.cook@canonical.com> writes:
> > 
> > > This will clear the MSR_IA32_MISC_ENABLE_XD_DISABLE bit so that NX
> > > cannot be inappropriately controlled by the BIOS on Intel CPUs.  If
> > > NX actually needs to be disabled, "noexec=off" can be used.
> > 
> > The patch still seems like a bad idea to me. What happens if 
> > the NX bit is broken for some reason and the BIOS is right
> > to disable it?
> 
> 
> overriding the bios like this is almost always a bad idea.
> (you're doing a blanket override, not a specific, verified override)

I've seen other things in the BIOS ignored (IDE bus settings jumps to
mind), so I figured it wasn't strictly bad.  From what I've been able to
gather, this setting is never correct.  If there are situations where it
must be left alone, we could add those as exceptions.

quoted text> you have no idea if the SMM code can deal with NX, etc etc.

The pages don't get marked as actually NX until setup_nx() is called, at
which point "noexec=off" would have already been handled, so if that
happens, a system can still boot with that cmdline option.

quoted text> the real answer is "fix your bios setting".

Well, the "best" answer is "fix the bios", which is why I got Dell to
fix their BIOSes.  Unfortunately, there are still systems with this
misconfigured.

quoted text> Don't as owner of the machine turn something off in the bios that you
> actually want.

Most people don't know/care, so if they do and it's a problem, I thought
using "noexec=off" would be sufficient while still allowing the bulk of
systems to end up with NX correctly enabled.

-Kees

-- 
Kees Cook
Ubuntu Security Team
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH v2 0/4] x86: clear XD_DISABLED flag on Intel to reg ..., Kees Cook, (Fri Jun 18, 10:50 pm)

[PATCH 1/4] x86: rename verify_cpu_64.S to verify_cpu.S, Kees Cook, (Fri Jun 18, 10:51 pm)

[PATCH 2/4] x86: clear XD_DISABLED flag on Intel to regain NX, Kees Cook, (Fri Jun 18, 10:52 pm)

[PATCH 3/4] x86: call verify_cpu during 32bit CPU startup, Kees Cook, (Fri Jun 18, 10:52 pm)

[PATCH 4/4] x86: only CPU features determine NX capabilities, Kees Cook, (Fri Jun 18, 10:53 pm)

Re: [PATCH v2 0/4] x86: clear XD_DISABLED flag on Intel to ..., Andi Kleen, (Sat Jun 19, 1:21 am)

Re: [PATCH v2 0/4] x86: clear XD_DISABLED flag on Intel to ..., Arjan van de Ven, (Sat Jun 19, 8:16 am)

Re: [PATCH v2 0/4] x86: clear XD_DISABLED flag on Intel to ..., Kees Cook, (Sat Jun 19, 9:21 am)

Re: [PATCH v2 0/4] x86: clear XD_DISABLED flag on Intel to ..., Kees Cook, (Sat Jun 19, 10:54 am)

Re: [PATCH v2 0/4] x86: clear XD_DISABLED flag on Intel to ..., H. Peter Anvin, (Sat Jun 19, 11:08 am)

Navigation

Popular discussions


linux-kernel:
Greg Kroah-Hartman	[PATCH 041/196] kobject: add kobject_init_and_add function
Lukas Hejtmanek	Re: Another libata error related to OCZ SSD
Greg Kroah-Hartman	[PATCH 023/196] MCP_UCB1200: Convert from class_device to device
Florian Fainelli	Re: System clock runs too fast after 2.6.27 -> 2.6.28.1 upgrade
Christoph Lameter	[patch 1/4] mmu_notifier: Core code
git:
Johannes Schindelin	Re: [PATCH 1/2] Add strbuf_initf()
John Bito	[EGIT] Push to GitHub caused corruption
Jakub Narebski	Re: [PATCH 0/2] gitweb: patch view
Junio C Hamano	Re: [PATCH] When a remote is added but not fetched, tell the user.
Andy Parkins	Re: [RFC] Submodules in GIT
git-commits-head:
Linux Kernel Mailing List	ahci: Workaround HW bug for SB600/700 SATA controller PMP support
Linux Kernel Mailing List	V4L/DVB (11086): au0828: rename macro for currently non-function VBI support
Linux Kernel Mailing List	ceph: client types
Linux Kernel Mailing List	ceph: on-wire types
Linux Kernel Mailing List	crypto: chainiv - Use kcrypto_wq instead of keventd_wq
linux-netdev:
Andrew Morton	Re: [Bugme-new] [Bug 14969] New: b44: WOL does not work in suspended state
Giuseppe CAVALLARO	Re: [PATCH 03/13] stmmac: add the new Header file for stmmac platform data
Taku Izumi	[PATCH 3/3] ixgbe: add registers etc. printout code just before resetting adapters
Eric Dumazet	rps: some comments
Thomas Gleixner	Re: [RFC PATCH 02/12] On Tue, 23 Sep 2008, David Miller wrote:
openbsd-misc:
Stephan Andreas	problems with login after xlock in OpenBSD release 4.7
pmc	Make A Change. Alcoholism and Drug Addiction Treatment
ropers	Re: what exactly is enc0?
Fuad NAHDI	Re: What does your environment look like?
Matthew Szudzik	Typo on OpenBSD 4.4 CD Set

Colocation donated by:

Syndicate