Kees Cook <[email protected]> writes: > On Thu, Feb 21, 2019 at 4:09 PM Russell Currey <[email protected]> wrote: >> On Thu, 2019-02-21 at 08:07 -0800, Kees Cook wrote: >> > On Thu, Feb 21, 2019 at 1:36 AM Russell Currey <[email protected]> >> > wrote: >> > > The first three patches of these series are from Christophe's work >> > > and are >> > > the bare minimum framework needed to implement the support for >> > > radix. >> > > >> > > In patch 3, I have removed from Christophe's patch my >> > > implementation of >> > > the 64-bit exception handling code, since we don't have an answer >> > > for >> > > making nested exceptions work yet. This is mentioned in the final >> > > KUAP >> > > patch. Regardless, this is still a significant security >> > > improvement >> > > and greatly narrows the attack surface. >> > >> > Nice! Am I understanding correctly that with this series powerpc9 and >> > later, using radix, will pass the lkdtm tests for KUAP and KUEP (i.e. >> > EXEC_USERSPACE and ACCESS_USERSPACE)? >> >> Yes! We've had execution prevention for a while on radix (which is >> default on POWER9) since 3b10d0095a1e, the only functional thing this >> series does is allow disabling it with nosmep. This series adds access >> prevention. > > Ah-ha; excellent. And CONFIG_PPC_RADIX_MMU is "default y" already. :)
Though on real hardware it doesn't really work yet, at least if there are any idle states enabled. Patch under discussion to fix it: https://patchwork.ozlabs.org/patch/1038568/ cheers
