x86, smap: Turn on Supervisor Mode Access Prevention

If Supervisor Mode Access Prevention is available and not disabled by the user, turn it on. Also fix the expansion of SMEP (Supervisor Mode Execution Prevention.) Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> Link: http://lkml.kernel.org/r/1348256595-29119-10-git-send-email-hpa@linux.intel.com

x86, smap: Turn on Supervisor Mode Access Prevention
If Supervisor Mode Access Prevention is available and not disabled by the user, turn it on. Also fix the expansion of SMEP (Supervisor Mode Execution Prevention.) Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> Link: http://lkml.kernel.org/r/1348256595-29119-10-git-send-email-hpa@linux.intel.com
H. Peter Anvin
1 parent 63bcff2a30
Showing 2 changed files with 31 additions and 1 deletions Side-by-side Diff
Documentation/kernel-parameters.txt
arch/x86/kernel/cpu/common.c
@@ -1812,8 +1812,12 @@
 			noexec=on: enable non-executable mappings (default)
 			noexec=off: disable non-executable mappings
  
+	nosmap		[X86]
+			Disable SMAP (Supervisor Mode Access Prevention)
+			even if it is supported by processor.
+
 	nosmep		[X86]
-			Disable SMEP (Supervisor Mode Execution Protection)
+			Disable SMEP (Supervisor Mode Execution Prevention)
 			even if it is supported by processor.
  
 	noexec32	[X86-64]
@@ -278,6 +278,31 @@
 	}
 }
  
+static int disable_smap __cpuinitdata;
+static __init int setup_disable_smap(char *arg)
+{
+	disable_smap = 1;
+	return 1;
+}
+__setup("nosmap", setup_disable_smap);
+
+static __cpuinit void setup_smap(struct cpuinfo_x86 *c)
+{
+	if (cpu_has(c, X86_FEATURE_SMAP)) {
+		if (unlikely(disable_smap)) {
+			setup_clear_cpu_cap(X86_FEATURE_SMAP);
+			clear_in_cr4(X86_CR4_SMAP);
+		} else {
+			set_in_cr4(X86_CR4_SMAP);
+			/*
+			 * Don't use clac() here since alternatives
+			 * haven't run yet...
+			 */
+			asm volatile(__stringify(__ASM_CLAC) ::: "memory");
+		}
+	}
+}
+
 /*
  * Some CPU features depend on higher CPUID levels, which may not always
  * be available due to CPUID level capping or broken virtualization
@@ -713,6 +738,7 @@
 	filter_cpuid_features(c, false);
  
 	setup_smep(c);
+	setup_smap(c);
  
 	if (this_cpu->c_bsp_init)
 		this_cpu->c_bsp_init(c);
...	...	@@ -1812,8 +1812,12 @@
1812	1812	noexec=on: enable non-executable mappings (default)
1813	1813	noexec=off: disable non-executable mappings
1814	1814
	1815	+ nosmap [X86]
	1816	+ Disable SMAP (Supervisor Mode Access Prevention)
	1817	+ even if it is supported by processor.
	1818	+
1815	1819	nosmep [X86]
1816		- Disable SMEP (Supervisor Mode Execution Protection)
	1820	+ Disable SMEP (Supervisor Mode Execution Prevention)
1817	1821	even if it is supported by processor.
1818	1822
1819	1823	noexec32 [X86-64]
...	...	@@ -278,6 +278,31 @@
278	278	}
279	279	}
280	280
	281	+static int disable_smap __cpuinitdata;
	282	+static __init int setup_disable_smap(char *arg)
	283	+{
	284	+ disable_smap = 1;
	285	+ return 1;
	286	+}
	287	+__setup("nosmap", setup_disable_smap);
	288	+
	289	+static __cpuinit void setup_smap(struct cpuinfo_x86 *c)
	290	+{
	291	+ if (cpu_has(c, X86_FEATURE_SMAP)) {
	292	+ if (unlikely(disable_smap)) {
	293	+ setup_clear_cpu_cap(X86_FEATURE_SMAP);
	294	+ clear_in_cr4(X86_CR4_SMAP);
	295	+ } else {
	296	+ set_in_cr4(X86_CR4_SMAP);
	297	+ /*
	298	+ * Don't use clac() here since alternatives
	299	+ * haven't run yet...
	300	+ */
	301	+ asm volatile(__stringify(__ASM_CLAC) ::: "memory");
	302	+ }
	303	+ }
	304	+}
	305	+
281	306	/*
282	307	* Some CPU features depend on higher CPUID levels, which may not always
283	308	* be available due to CPUID level capping or broken virtualization
...	...	@@ -713,6 +738,7 @@
713	738	filter_cpuid_features(c, false);
714	739
715	740	setup_smep(c);
	741	+ setup_smap(c);
716	742
717	743	if (this_cpu->c_bsp_init)
718	744	this_cpu->c_bsp_init(c);