Re: [PATCH] x86: Configure NX support earlier in setup_arch

[Thomas Gleixner]

On Thu, 13 Nov 2014, Borislav Petkov wrote:
> Revisit this patch how? I'm not sure I understand...

X86_64 starts with:

pteval_t __supported_pte_mask __read_mostly = ~0;

while i386 starts with:

pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL);

Now if the stupid BIOS disabled NX via setting bit 34 in
IA32_MISC_ENABLE, then X86_FEATURE_NX is off, but at the point where
we call x86_configure_nx() we already used the supported_pte_mask with
the NX bit set in the early remap code and accessed the mappings.

On 32bit we are safe because the early maps exclude NX at startup and
only enable it in x86_configure_nx().

That's one part of the issue. The other is that grub2 does not call in
via the trampoline, so we don't call verify_cpu. verify_cpu clears bit
34 in IA32_MISC_ENABLE depending on the cpu family/model, which is
true for 64bit machines.

So I think moving x86_configure_nx() to a point before we actually
create mappings is a sane thing to do in any case.

But of course we should also clear the stupid disable bit
unconditionally independent of the entry path for all cpus which
support it.

Thanks,

	tglx




--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/