On Mon, Nov 7, 2016 at 10:12 PM, Ricardo Neri <ricardo.neri-calderon@xxxxxxxxxxxxxxx> wrote:
> User-Mode Instruction Prevention (UMIP) is a security feature present in
> new Intel Processors. If enabled, it prevents the execution of certain
> instructions if the Current Privilege Level (CPL) is greater than 0. If
> these instructions were executed while in CPL > 0, user space applications
> could have access to system-wide settings such as the global and local
> descriptor tables, the task register and the interrupt descriptor table.
>
> These are the instructions covered by UMIP:
> * SGDT - Store Global Descriptor Table
> * SIDT - Store Interrupt Descriptor Table
> * SLDT - Store Local Descriptor Table
> * SMSW - Store Machine Status Word
> * STR - Store Task Register
>
> If any of these instructions is executed with CPL > 0, a general protection
> exception is issued when UMIP is enabled.
>
> Cc: Andy Lutomirski <luto@xxxxxxxxxx>
> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Cc: Borislav Petkov <bp@xxxxxxx>
> Cc: Brian Gerst <brgerst@xxxxxxxxx>
> Cc: Chen Yucong <slaoub@xxxxxxxxx>
> Cc: Chris Metcalf <cmetcalf@xxxxxxxxxxxx>
> Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
> Cc: Fenghua Yu <fenghua.yu@xxxxxxxxx>
> Cc: Huang Rui <ray.huang@xxxxxxx>
> Cc: Jiri Slaby <jslaby@xxxxxxx>
> Cc: Jonathan Corbet <corbet@xxxxxxx>
> Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
> Cc: Paul Gortmaker <paul.gortmaker@xxxxxxxxxxxxx>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Ravi V. Shankar <ravi.v.shankar@xxxxxxxxx>
> Cc: Shuah Khan <shuah@xxxxxxxxxx>
> Cc: Vlastimil Babka <vbabka@xxxxxxx>
> Signed-off-by: Ricardo Neri <ricardo.neri-calderon@xxxxxxxxxxxxxxx>
> ---
> arch/x86/include/asm/cpufeatures.h | 1 +
> arch/x86/include/asm/disabled-features.h | 8 +++++++-
> arch/x86/include/uapi/asm/processor-flags.h | 2 ++
> 3 files changed, 10 insertions(+), 1 deletion(-)
> > diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h > index 5f0931b..81ef3bbe 100644 > --- a/arch/x86/include/asm/cpufeatures.h > +++ b/arch/x86/include/asm/cpufeatures.h > @@ -282,6 +282,7 @@ > #define X86_FEATURE_AVIC (15*32+13) /* Virtual Interrupt Controller */ > > /* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx), word 16 */ > +#define X86_FEATURE_UMIP (16*32+ 2) /* User Mode Instruction Protection */ > #define X86_FEATURE_PKU (16*32+ 3) /* Protection Keys for Userspace */ > #define X86_FEATURE_OSPKE (16*32+ 4) /* OS Protection Keys Enable */ > > diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h > index 85599ad..4707445 100644 > --- a/arch/x86/include/asm/disabled-features.h > +++ b/arch/x86/include/asm/disabled-features.h > @@ -16,6 +16,12 @@ > # define DISABLE_MPX (1<<(X86_FEATURE_MPX & 31)) > #endif > > +#ifdef CONFIG_X86_INTEL_UMIP
^^^^^ What's this? Let's try to do this with a minimum of configuration.
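Review bot: the comment on the new `X86_FEATURE_UMIP` define in the cpufeatures.h hunk reads "User Mode Instruction Protection", while the commit message names the feature User-Mode Instruction Prevention; the two should agree, so change the comment to `/* User Mode Instruction Prevention */` to match the name used everywhere else in the series.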
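Review bot: the `+#ifdef CONFIG_X86_INTEL_UMIP` added in the disabled-features.h hunk tests a Kconfig symbol that this patch never defines: the diffstat lists only cpufeatures.h, disabled-features.h and processor-flags.h, with no Kconfig change, so whatever the block guards is selected by a symbol that does not exist at this point in the series. Either add the Kconfig entry in the same patch or, as the reply above suggests, drop the option entirely and let the feature be governed by the CPUID bit alone, which also avoids a configuration knob that can silently leave the mitigation off.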