Commit 76ea0025 authored by Borislav Petkov's avatar Borislav Petkov

x86/cpu: Remove "noexec"

It doesn't make any sense to disable non-executable mappings -
security-wise or else.

So rip out that switch and move the remaining code into setup.c and
delete setup_nx.c
Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
Reviewed-by: default avatarLai Jiangshan <jiangshanlai@gmail.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220127115626.14179-6-bp@alien8.de
parent 385d2ae0
...@@ -3456,11 +3456,6 @@ ...@@ -3456,11 +3456,6 @@
noexec [IA-64] noexec [IA-64]
noexec [X86]
On X86-32 available only on PAE configured kernels.
noexec=on: enable non-executable mappings (default)
noexec=off: disable non-executable mappings
nosmap [PPC] nosmap [PPC]
Disable SMAP (Supervisor Mode Access Prevention) Disable SMAP (Supervisor Mode Access Prevention)
even if it is supported by processor. even if it is supported by processor.
......
...@@ -157,15 +157,6 @@ Rebooting ...@@ -157,15 +157,6 @@ Rebooting
newer BIOS, or newer board) using this option will ignore the built-in newer BIOS, or newer board) using this option will ignore the built-in
quirk table, and use the generic default reboot actions. quirk table, and use the generic default reboot actions.
Non Executable Mappings
=======================
noexec=on|off
on
Enable(default)
off
Disable
NUMA NUMA
==== ====
......
...@@ -35,7 +35,6 @@ void xen_entry_INT80_compat(void); ...@@ -35,7 +35,6 @@ void xen_entry_INT80_compat(void);
#endif #endif
void x86_configure_nx(void); void x86_configure_nx(void);
void x86_report_nx(void);
extern int reboot_force; extern int reboot_force;
......
...@@ -756,6 +756,30 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p) ...@@ -756,6 +756,30 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p)
return 0; return 0;
} }
void x86_configure_nx(void)
{
if (boot_cpu_has(X86_FEATURE_NX))
__supported_pte_mask |= _PAGE_NX;
else
__supported_pte_mask &= ~_PAGE_NX;
}
static void __init x86_report_nx(void)
{
if (!boot_cpu_has(X86_FEATURE_NX)) {
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
"missing in CPU!\n");
} else {
#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
printk(KERN_INFO "NX (Execute Disable) protection: active\n");
#else
/* 32bit non-PAE kernel, NX cannot be used */
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
"cannot be enabled: non-PAE kernel!\n");
#endif
}
}
/* /*
* Determine if we were loaded by an EFI loader. If so, then we have also been * Determine if we were loaded by an EFI loader. If so, then we have also been
* passed the efi memmap, systab, etc., so we should use these data structures * passed the efi memmap, systab, etc., so we should use these data structures
...@@ -896,9 +920,7 @@ void __init setup_arch(char **cmdline_p) ...@@ -896,9 +920,7 @@ void __init setup_arch(char **cmdline_p)
/* /*
* x86_configure_nx() is called before parse_early_param() to detect * x86_configure_nx() is called before parse_early_param() to detect
* whether hardware doesn't support NX (so that the early EHCI debug * whether hardware doesn't support NX (so that the early EHCI debug
* console setup can safely call set_fixmap()). It may then be called * console setup can safely call set_fixmap()).
* again from within noexec_setup() during parsing early parameters
* to honor the respective command line option.
*/ */
x86_configure_nx(); x86_configure_nx();
......
...@@ -20,13 +20,12 @@ CFLAGS_REMOVE_mem_encrypt_identity.o = -pg ...@@ -20,13 +20,12 @@ CFLAGS_REMOVE_mem_encrypt_identity.o = -pg
endif endif
obj-y := init.o init_$(BITS).o fault.o ioremap.o extable.o mmap.o \ obj-y := init.o init_$(BITS).o fault.o ioremap.o extable.o mmap.o \
pgtable.o physaddr.o setup_nx.o tlb.o cpu_entry_area.o maccess.o pgtable.o physaddr.o tlb.o cpu_entry_area.o maccess.o
obj-y += pat/ obj-y += pat/
# Make sure __phys_addr has no stackprotector # Make sure __phys_addr has no stackprotector
CFLAGS_physaddr.o := -fno-stack-protector CFLAGS_physaddr.o := -fno-stack-protector
CFLAGS_setup_nx.o := -fno-stack-protector
CFLAGS_mem_encrypt_identity.o := -fno-stack-protector CFLAGS_mem_encrypt_identity.o := -fno-stack-protector
CFLAGS_fault.o := -I $(srctree)/$(src)/../include/asm/trace CFLAGS_fault.o := -I $(srctree)/$(src)/../include/asm/trace
......
...@@ -110,7 +110,6 @@ int force_personality32; ...@@ -110,7 +110,6 @@ int force_personality32;
/* /*
* noexec32=on|off * noexec32=on|off
* Control non executable heap for 32bit processes. * Control non executable heap for 32bit processes.
* To control the stack too use noexec=off
* *
* on PROT_READ does not imply PROT_EXEC for 32-bit processes (default) * on PROT_READ does not imply PROT_EXEC for 32-bit processes (default)
* off PROT_READ implies PROT_EXEC * off PROT_READ implies PROT_EXEC
......
// SPDX-License-Identifier: GPL-2.0
#include <linux/spinlock.h>
#include <linux/errno.h>
#include <linux/init.h>
#include <linux/pgtable.h>
#include <asm/proto.h>
#include <asm/cpufeature.h>
static int disable_nx;
/*
* noexec = on|off
*
* Control non-executable mappings for processes.
*
* on Enable
* off Disable
*/
static int __init noexec_setup(char *str)
{
if (!str)
return -EINVAL;
if (!strncmp(str, "on", 2)) {
disable_nx = 0;
} else if (!strncmp(str, "off", 3)) {
disable_nx = 1;
}
x86_configure_nx();
return 0;
}
early_param("noexec", noexec_setup);
void x86_configure_nx(void)
{
if (boot_cpu_has(X86_FEATURE_NX) && !disable_nx)
__supported_pte_mask |= _PAGE_NX;
else
__supported_pte_mask &= ~_PAGE_NX;
}
void __init x86_report_nx(void)
{
if (!boot_cpu_has(X86_FEATURE_NX)) {
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
"missing in CPU!\n");
} else {
#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
if (disable_nx) {
printk(KERN_INFO "NX (Execute Disable) protection: "
"disabled by kernel command line option\n");
} else {
printk(KERN_INFO "NX (Execute Disable) protection: "
"active\n");
}
#else
/* 32bit non-PAE kernel, NX cannot be used */
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
"cannot be enabled: non-PAE kernel!\n");
#endif
}
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment