On Mon, Sep 24, 2012 at 1:31 PM, H. Peter Anvin <h...@zytor.com> wrote: > On 09/22/2012 04:32 AM, Ingo Molnar wrote: >> >> * H. Peter Anvin <h...@linux.intel.com> wrote: >> >>> On 09/21/2012 03:08 PM, Dave Jones wrote: >>>> >>>> Perhaps add a printk somewhere to show that it's actually been enabled >>>> maybe ? >>>> >>>> Also, would it be feasible to add something like we have for test_nx ? >>>> If this feature regresses in some way in the future, I suspect we'd like >>>> to know about it sooner rather than later. >>> >>> Good idea... should add this both for SMEP and SMAP. >> >> Very much agreed - these exploit preventation hardware features >> are really useful, and it's good to inform the user that they >> are active. >> > > I was thinking about this, do you think a printk would be better, or a > new field in /proc/cpuinfo?
We use printk for displaying the possible states of NX, however, this is rather ephemeral and scrolls away, making its harder for an admin to find later. It might make sense for a new field in cpuinfo for all three, however, unlike NX, the status of SMEP/SMAP isn't (normally) discoverable from userspace. That said, their CPU feature flags are already right there, and the cases where it would be disabled are very small. How about this... mem protection : nx smap smep Maybe the "why" of a cpu feature being missing from the "mem protection" line can stay in printk? -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/