Commit dbae0a93 authored by Borislav Petkov's avatar Borislav Petkov

x86/cpu: Remove CONFIG_X86_SMAP and "nosmap"

Those were added as part of the SMAP enablement but SMAP is currently
an integral part of kernel proper and there's no need to disable it
anymore.

Rip out that functionality. Leave --uaccess default on for objtool as
this is what objtool should do by default anyway.

If still needed - clearcpuid=smap.
Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
Reviewed-by: default avatarLai Jiangshan <jiangshanlai@gmail.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220127115626.14179-4-bp@alien8.de
parent c949110e
...@@ -3461,7 +3461,7 @@ ...@@ -3461,7 +3461,7 @@
noexec=on: enable non-executable mappings (default) noexec=on: enable non-executable mappings (default)
noexec=off: disable non-executable mappings noexec=off: disable non-executable mappings
nosmap [X86,PPC] nosmap [PPC]
Disable SMAP (Supervisor Mode Access Prevention) Disable SMAP (Supervisor Mode Access Prevention)
even if it is supported by processor. even if it is supported by processor.
......
...@@ -140,9 +140,8 @@ from #define X86_FEATURE_UMIP (16*32 + 2). ...@@ -140,9 +140,8 @@ from #define X86_FEATURE_UMIP (16*32 + 2).
In addition, there exists a variety of custom command-line parameters that In addition, there exists a variety of custom command-line parameters that
disable specific features. The list of parameters includes, but is not limited disable specific features. The list of parameters includes, but is not limited
to, nofsgsbase, nosmap, and nosmep. 5-level paging can also be disabled using to, nofsgsbase, and nosmep. 5-level paging can also be disabled using
"no5lvl". SMAP and SMEP are disabled with the aforementioned parameters, "no5lvl". SMEP is disabled with the aforementioned parameter.
respectively.
e: The feature was known to be non-functional. e: The feature was known to be non-functional.
---------------------------------------------- ----------------------------------------------
......
...@@ -1816,17 +1816,6 @@ config ARCH_RANDOM ...@@ -1816,17 +1816,6 @@ config ARCH_RANDOM
If supported, this is a high bandwidth, cryptographically If supported, this is a high bandwidth, cryptographically
secure hardware random number generator. secure hardware random number generator.
config X86_SMAP
def_bool y
prompt "Supervisor Mode Access Prevention" if EXPERT
help
Supervisor Mode Access Prevention (SMAP) is a security
feature in newer Intel processors. There is a small
performance cost if this enabled and turned on; there is
also a small increase in the kernel size if this is enabled.
If unsure, say Y.
config X86_UMIP config X86_UMIP
def_bool y def_bool y
prompt "User Mode Instruction Prevention" if EXPERT prompt "User Mode Instruction Prevention" if EXPERT
......
...@@ -10,12 +10,6 @@ ...@@ -10,12 +10,6 @@
* cpu_feature_enabled(). * cpu_feature_enabled().
*/ */
#ifdef CONFIG_X86_SMAP
# define DISABLE_SMAP 0
#else
# define DISABLE_SMAP (1<<(X86_FEATURE_SMAP & 31))
#endif
#ifdef CONFIG_X86_UMIP #ifdef CONFIG_X86_UMIP
# define DISABLE_UMIP 0 # define DISABLE_UMIP 0
#else #else
...@@ -80,7 +74,7 @@ ...@@ -80,7 +74,7 @@
#define DISABLED_MASK6 0 #define DISABLED_MASK6 0
#define DISABLED_MASK7 (DISABLE_PTI) #define DISABLED_MASK7 (DISABLE_PTI)
#define DISABLED_MASK8 0 #define DISABLED_MASK8 0
#define DISABLED_MASK9 (DISABLE_SMAP|DISABLE_SGX) #define DISABLED_MASK9 (DISABLE_SGX)
#define DISABLED_MASK10 0 #define DISABLED_MASK10 0
#define DISABLED_MASK11 0 #define DISABLED_MASK11 0
#define DISABLED_MASK12 0 #define DISABLED_MASK12 0
......
...@@ -19,25 +19,14 @@ ...@@ -19,25 +19,14 @@
#ifdef __ASSEMBLY__ #ifdef __ASSEMBLY__
#ifdef CONFIG_X86_SMAP
#define ASM_CLAC \ #define ASM_CLAC \
ALTERNATIVE "", __ASM_CLAC, X86_FEATURE_SMAP ALTERNATIVE "", __ASM_CLAC, X86_FEATURE_SMAP
#define ASM_STAC \ #define ASM_STAC \
ALTERNATIVE "", __ASM_STAC, X86_FEATURE_SMAP ALTERNATIVE "", __ASM_STAC, X86_FEATURE_SMAP
#else /* CONFIG_X86_SMAP */
#define ASM_CLAC
#define ASM_STAC
#endif /* CONFIG_X86_SMAP */
#else /* __ASSEMBLY__ */ #else /* __ASSEMBLY__ */
#ifdef CONFIG_X86_SMAP
static __always_inline void clac(void) static __always_inline void clac(void)
{ {
/* Note: a barrier is implicit in alternative() */ /* Note: a barrier is implicit in alternative() */
...@@ -76,19 +65,6 @@ static __always_inline void smap_restore(unsigned long flags) ...@@ -76,19 +65,6 @@ static __always_inline void smap_restore(unsigned long flags)
#define ASM_STAC \ #define ASM_STAC \
ALTERNATIVE("", __ASM_STAC, X86_FEATURE_SMAP) ALTERNATIVE("", __ASM_STAC, X86_FEATURE_SMAP)
#else /* CONFIG_X86_SMAP */
static inline void clac(void) { }
static inline void stac(void) { }
static inline unsigned long smap_save(void) { return 0; }
static inline void smap_restore(unsigned long flags) { }
#define ASM_CLAC
#define ASM_STAC
#endif /* CONFIG_X86_SMAP */
#endif /* __ASSEMBLY__ */ #endif /* __ASSEMBLY__ */
#endif /* _ASM_X86_SMAP_H */ #endif /* _ASM_X86_SMAP_H */
...@@ -382,13 +382,6 @@ static __always_inline void setup_smep(struct cpuinfo_x86 *c) ...@@ -382,13 +382,6 @@ static __always_inline void setup_smep(struct cpuinfo_x86 *c)
cr4_set_bits(X86_CR4_SMEP); cr4_set_bits(X86_CR4_SMEP);
} }
static __init int setup_disable_smap(char *arg)
{
setup_clear_cpu_cap(X86_FEATURE_SMAP);
return 1;
}
__setup("nosmap", setup_disable_smap);
static __always_inline void setup_smap(struct cpuinfo_x86 *c) static __always_inline void setup_smap(struct cpuinfo_x86 *c)
{ {
unsigned long eflags = native_save_fl(); unsigned long eflags = native_save_fl();
...@@ -396,14 +389,8 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c) ...@@ -396,14 +389,8 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
/* This should have been cleared long ago */ /* This should have been cleared long ago */
BUG_ON(eflags & X86_EFLAGS_AC); BUG_ON(eflags & X86_EFLAGS_AC);
if (cpu_has(c, X86_FEATURE_SMAP)) { if (cpu_has(c, X86_FEATURE_SMAP))
#ifdef CONFIG_X86_SMAP
cr4_set_bits(X86_CR4_SMAP); cr4_set_bits(X86_CR4_SMAP);
#else
clear_cpu_cap(c, X86_FEATURE_SMAP);
cr4_clear_bits(X86_CR4_SMAP);
#endif
}
} }
static __always_inline void setup_umip(struct cpuinfo_x86 *c) static __always_inline void setup_umip(struct cpuinfo_x86 *c)
......
...@@ -233,7 +233,7 @@ objtool_args = \ ...@@ -233,7 +233,7 @@ objtool_args = \
$(if $(CONFIG_FRAME_POINTER),, --no-fp) \ $(if $(CONFIG_FRAME_POINTER),, --no-fp) \
$(if $(CONFIG_GCOV_KERNEL)$(CONFIG_LTO_CLANG), --no-unreachable)\ $(if $(CONFIG_GCOV_KERNEL)$(CONFIG_LTO_CLANG), --no-unreachable)\
$(if $(CONFIG_RETPOLINE), --retpoline) \ $(if $(CONFIG_RETPOLINE), --retpoline) \
$(if $(CONFIG_X86_SMAP), --uaccess) \ --uaccess \
$(if $(CONFIG_FTRACE_MCOUNT_USE_OBJTOOL), --mcount) \ $(if $(CONFIG_FTRACE_MCOUNT_USE_OBJTOOL), --mcount) \
$(if $(CONFIG_SLS), --sls) $(if $(CONFIG_SLS), --sls)
......
...@@ -146,9 +146,9 @@ objtool_link() ...@@ -146,9 +146,9 @@ objtool_link()
if is_enabled CONFIG_RETPOLINE; then if is_enabled CONFIG_RETPOLINE; then
objtoolopt="${objtoolopt} --retpoline" objtoolopt="${objtoolopt} --retpoline"
fi fi
if is_enabled CONFIG_X86_SMAP; then
objtoolopt="${objtoolopt} --uaccess" objtoolopt="${objtoolopt} --uaccess"
fi
if is_enabled CONFIG_SLS; then if is_enabled CONFIG_SLS; then
objtoolopt="${objtoolopt} --sls" objtoolopt="${objtoolopt} --sls"
fi fi
......
...@@ -10,12 +10,6 @@ ...@@ -10,12 +10,6 @@
* cpu_feature_enabled(). * cpu_feature_enabled().
*/ */
#ifdef CONFIG_X86_SMAP
# define DISABLE_SMAP 0
#else
# define DISABLE_SMAP (1<<(X86_FEATURE_SMAP & 31))
#endif
#ifdef CONFIG_X86_UMIP #ifdef CONFIG_X86_UMIP
# define DISABLE_UMIP 0 # define DISABLE_UMIP 0
#else #else
...@@ -80,7 +74,7 @@ ...@@ -80,7 +74,7 @@
#define DISABLED_MASK6 0 #define DISABLED_MASK6 0
#define DISABLED_MASK7 (DISABLE_PTI) #define DISABLED_MASK7 (DISABLE_PTI)
#define DISABLED_MASK8 0 #define DISABLED_MASK8 0
#define DISABLED_MASK9 (DISABLE_SMAP|DISABLE_SGX) #define DISABLED_MASK9 (DISABLE_SGX)
#define DISABLED_MASK10 0 #define DISABLED_MASK10 0
#define DISABLED_MASK11 0 #define DISABLED_MASK11 0
#define DISABLED_MASK12 0 #define DISABLED_MASK12 0
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment