[PATCH 0/7] Kernel Userspace Protection for radix
Kees Cook
keescook at chromium.org
Fri Feb 22 11:16:12 AEDT 2019
On Thu, Feb 21, 2019 at 4:09 PM Russell Currey <ruscur at russell.cc> wrote:
> On Thu, 2019-02-21 at 08:07 -0800, Kees Cook wrote:
> > On Thu, Feb 21, 2019 at 1:36 AM Russell Currey <ruscur at russell.cc>
> > wrote:
> > > The first three patches of these series are from Christophe's work
> > > and are
> > > the bare minimum framework needed to implement the support for
> > > radix.
> > >
> > > In patch 3, I have removed from Christophe's patch my
> > > implementation of
> > > the 64-bit exception handling code, since we don't have an answer
> > > for
> > > making nested exceptions work yet. This is mentioned in the final
> > > KUAP
> > > patch. Regardless, this is still a significant security
> > > improvement
> > > and greatly narrows the attack surface.
> >
> > Nice! Am I understanding correctly that with this series powerpc9 and
> > later, using radix, will pass the lkdtm tests for KUAP and KUEP (i.e.
> > EXEC_USERSPACE and ACCESS_USERSPACE)?
>
> Yes! We've had execution prevention for a while on radix (which is
> default on POWER9) since 3b10d0095a1e, the only functional thing this
> series does is allow disabling it with nosmep. This series adds access
> prevention.
Ah-ha; excellent. And CONFIG_PPC_RADIX_MMU is "default y" already. :)
--
Kees Cook
More information about the Linuxppc-dev
mailing list