Re: [PATCH 31/31] x86, pkeys: execute-only support

From: Dave Hansen
Date: Thu Jan 07 2016 - 17:26:11 EST

Next message: Aaro Koskinen: "[PATCH] mfd: tps65010: fix init when the driver is built-in"
Previous message: Tushar Dave: "[PATCH v2 net-next] ixgbe: Fix for RAR0 not being set to default MAC addr"
In reply to: Kees Cook: "Re: [PATCH 31/31] x86, pkeys: execute-only support"
Next in thread: Andy Lutomirski: "Re: [PATCH 31/31] x86, pkeys: execute-only support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 01/07/2016 01:02 PM, Kees Cook wrote:
>> > I haven't found any userspace that does this today. With this
>> > facility in place, we expect userspace to move to use it
>> > eventually.
> And the magic benefit here is that linker/loaders can switch to just
> PROT_EXEC without PROT_READ, and everything that doesn't support this
> protection will silently include PROT_READ, so no runtime detection by
> the loader is needed.

Yep, completely agree.

I'll update the description.

>> > The security provided by this approach is not comprehensive. The
> Perhaps specifically mention what it does provide, which would be
> protection against leaking executable memory contents, as generally
> done by attackers who are attempting to find ROP gadgets on the fly.

Good point.

Next message: Aaro Koskinen: "[PATCH] mfd: tps65010: fix init when the driver is built-in"
Previous message: Tushar Dave: "[PATCH v2 net-next] ixgbe: Fix for RAR0 not being set to default MAC addr"
In reply to: Kees Cook: "Re: [PATCH 31/31] x86, pkeys: execute-only support"
Next in thread: Andy Lutomirski: "Re: [PATCH 31/31] x86, pkeys: execute-only support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]