Re: [PATCH 33/33] x86, pkeys: execute-only support
From: Kees Cook
Date: Wed Feb 17 2016 - 16:36:20 EST
On Wed, Feb 17, 2016 at 1:33 PM, Dave Hansen <dave@xxxxxxxx> wrote:
> On 02/17/2016 01:27 PM, Kees Cook wrote:
>> Is there a way to detect this feature's availability without userspace
>> having to set up a segv handler and attempting to read a
>> PROT_EXEC-only region? (i.e. cpu flag for protection keys, or a way to
>> check the protection to see if PROT_READ got added automatically,
>> etc?)
>
> You can kinda do it with /proc/$pid/(s)maps. Here's smaps, for instance:
>
>> 00401000-00402000 --xp 00001000 08:14 4897479 /root/pkeys/pkey-xonly
>> Size: 4 kB
>> Rss: 4 kB
> ...
>> KernelPageSize: 4 kB
>> MMUPageSize: 4 kB
>> Locked: 0 kB
>> ProtectionKey: 15
>> VmFlags: ex mr mw me dw
Ah-ha, perfect. Thanks!
> You can see "--x" and the ProtectionKey itself being nonzero. That's a
> reasonable indication. There's also the "OSPKE" cpuid bit which only
> shows up when the kernel has enabled protection keys. This is
> _separate_ from the bit that says whether the processor support pkeys.
>
> I check them in test code like this:
>
>> static inline void __cpuid(unsigned int *eax, unsigned int *ebx,
>> unsigned int *ecx, unsigned int *edx)
>> {
>> /* ecx is often an input as well as an output. */
>> asm volatile(
>> "cpuid;"
>> : "=a" (*eax),
>> "=b" (*ebx),
>> "=c" (*ecx),
>> "=d" (*edx)
>> : "0" (*eax), "2" (*ecx));
>> }
>>
>> /* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx) */
>> #define X86_FEATURE_PKU (1<<3) /* Protection Keys for Userspace */
>> #define X86_FEATURE_OSPKE (1<<4) /* OS Protection Keys Enable */
>>
>> static inline int cpu_has_pku(void)
>> {
>> unsigned int eax;
>> unsigned int ebx;
>> unsigned int ecx;
>> unsigned int edx;
>> eax = 0x7;
>> ecx = 0x0;
>> __cpuid(&eax, &ebx, &ecx, &edx);
>>
>> if (!(ecx & X86_FEATURE_PKU)) {
>> dprintf2("cpu does not have PKU\n");
>> return 0;
>> }
>> if (!(ecx & X86_FEATURE_OSPKE)) {
>> dprintf2("cpu does not have OSPKE\n");
>> return 0;
>> }
>> return 1;
>> }
>
Great, thanks for the example!
-Kees
--
Kees Cook
Chrome OS & Brillo Security