    x86/umip: Enable User-Mode Instruction Prevention at runtime · aa35f896
    Ricardo Neri authored
    User-Mode Instruction Prevention (UMIP) is enabled by setting/clearing a
    bit in %cr4.
    
    It makes sense to enable UMIP at some point while booting, before user
    spaces come up. Like SMAP and SMEP, it is not critical to have it enabled
    very early during boot. This is because UMIP is relevant only when there is
    a user space to be protected from. Given these similarities, UMIP can be
    enabled along with SMAP and SMEP.
    
    At the moment, UMIP is disabled by default at build time. It can be enabled
    at build time by selecting CONFIG_X86_INTEL_UMIP. If enabled at build time,
    it can be disabled at run time by adding clearcpuid=514 to the kernel
    parameters.
    
    Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Chen Yucong <slaoub@gmail.com>
    Cc: Chris Metcalf <cmetcalf@mellanox.com>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: Fenghua Yu <fenghua.yu@intel.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Huang Rui <ray.huang@amd.com>
    Cc: Jiri Slaby <jslaby@suse.cz>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: Michael S. Tsirkin <mst@redhat.com>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Ravi V. Shankar <ravi.v.shankar@intel.com>
    Cc: Shuah Khan <shuah@kernel.org>
    Cc: Tony Luck <tony.luck@intel.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: ricardo.neri@intel.com
    Link: http://lkml.kernel.org/r/1509935277-22138-10-git-send-email-ricardo.neri-calderon@linux.intel.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
common.c 41 KB
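A user-space check for the state the commit message describes, as an added example that is not part of the commit or the kernel source. The function names are hypothetical; it assumes a Linux host, that feature word 16 corresponds to CPUID leaf 7 (subleaf 0) ECX, and that an active UMIP appears as `umip` in the `flags` line of `/proc/cpuinfo`.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
struct feature { unsigned word, bit; }; /* clearcpuid= number = word * 32 + bit */
struct feature decode_feature(unsigned n) { return (struct feature){ n / 32, n % 32 }; }

/* Whole-token match on a /proc/cpuinfo "flags" line, so "umipx" is not "umip". */
int flags_has(const char *flags, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = flags; (p = strstr(p, name)) != NULL; p += n) {
        int start_ok = p == flags || p[-1] == ' ' || p[-1] == '\t';
        if (start_ok && (p[n] == '\0' || p[n] == ' ' || p[n] == '\n')) return 1;
    }
    return 0;
}

/* CPUID.(EAX=7,ECX=0):ECX bit 2. Returns 1 or 0, or -1 on a non-x86 build. */
int cpu_has_umip(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    return __get_cpuid_count(7, 0, &a, &b, &c, &d) ? (int)((c >> 2) & 1) : 0;
#else
    return -1;
#endif
}

/* 1 if the running kernel lists "umip", 0 if not, -1 if /proc/cpuinfo is unreadable. */
int kernel_reports_umip(void)
{
    char line[8192];
    int found = 0;
    FILE *fp = fopen("/proc/cpuinfo", "r");
    if (!fp) return -1;
    while (!found && fgets(line, sizeof line, fp))
        found = !strncmp(line, "flags", 5) && flags_has(line, "umip");
    fclose(fp);
    return found;
}

int main(void)
{
    struct feature f = decode_feature(514); /* number from the commit message */
    printf("514 -> word %u bit %u; cpuid=%d kernel=%d\n", f.word, f.bit,
           cpu_has_umip(), kernel_reports_umip());
    return 0;
}
```

A CPU result of 1 with a kernel result of 0 is consistent with a kernel built without `CONFIG_X86_INTEL_UMIP` or booted with `clearcpuid=514`.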