Re: [PATCH 33/33] x86, pkeys: execute-only support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Feb 17, 2016 at 1:33 PM, Dave Hansen <dave@xxxxxxxx> wrote:
> On 02/17/2016 01:27 PM, Kees Cook wrote:
>> Is there a way to detect this feature's availability without userspace
>> having to set up a segv handler and attempting to read a
>> PROT_EXEC-only region? (i.e. cpu flag for protection keys, or a way to
>> check the protection to see if PROT_READ got added automatically,
>> etc?)
>
> You can kinda do it with /proc/$pid/(s)maps.  Here's smaps, for instance:
>
>> 00401000-00402000 --xp 00001000 08:14 4897479                            /root/pkeys/pkey-xonly
>> Size:                  4 kB
>> Rss:                   4 kB
> ...
>> KernelPageSize:        4 kB
>> MMUPageSize:           4 kB
>> Locked:                0 kB
>> ProtectionKey:        15
>> VmFlags: ex mr mw me dw

Ah-ha, perfect. Thanks!

> You can see "--x" and the ProtectionKey itself being nonzero.  That's a
> reasonable indication.  There's also the "OSPKE" cpuid bit which only
> shows up when the kernel has enabled protection keys.  This is
> _separate_ from the bit that says whether the processor support pkeys.
>
> I check them in test code like this:
>
>> static inline void __cpuid(unsigned int *eax, unsigned int *ebx,
>>                                 unsigned int *ecx, unsigned int *edx)
>> {
>>         /* ecx is often an input as well as an output. */
>>         asm volatile(
>>                 "cpuid;"
>>                 : "=a" (*eax),
>>                   "=b" (*ebx),
>>                   "=c" (*ecx),
>>                   "=d" (*edx)
>>                 : "0" (*eax), "2" (*ecx));
>> }
>>
>> /* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx) */
>> #define X86_FEATURE_PKU        (1<<3) /* Protection Keys for Userspace */
>> #define X86_FEATURE_OSPKE      (1<<4) /* OS Protection Keys Enable */
>>
>> static inline int cpu_has_pku(void)
>> {
>>         unsigned int eax;
>>         unsigned int ebx;
>>         unsigned int ecx;
>>         unsigned int edx;
>>         eax = 0x7;
>>         ecx = 0x0;
>>         __cpuid(&eax, &ebx, &ecx, &edx);
>>
>>         if (!(ecx & X86_FEATURE_PKU)) {
>>                 dprintf2("cpu does not have PKU\n");
>>                 return 0;
>>         }
>>         if (!(ecx & X86_FEATURE_OSPKE)) {
>>                 dprintf2("cpu does not have OSPKE\n");
>>                 return 0;
>>         }
>>         return 1;
>> }
>

Great, thanks for the example!

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]