[PATCH 0/3] Enable SMEP CPU Feature

[PATCH 0/3] Enable SMEP CPU Feature

[Fenghua Yu]

From: Fenghua Yu <fenghua.yu@intel.com>

Intel new CPU supports SMEP (Supervisor Mode Execution Protection). SMEP
prevents kernel from executing code in application. Updated Intel SDM describes
this CPU feature. The document will be published soon.

Fenghua Yu (3):
  x86, cpu: Add CPU flags for SMEP
  x86, cpu: Add SMEP CPU feature in CR4
  x86, cpu: Enable/disable SMEP

 Documentation/kernel-parameters.txt    |    4 ++++
 arch/x86/include/asm/cpufeature.h      |    1 +
 arch/x86/include/asm/processor-flags.h |    1 +
 arch/x86/kernel/cpu/common.c           |   21 +++++++++++++++++++++
 arch/x86/kernel/cpu/scattered.c        |    1 +
 5 files changed, 28 insertions(+), 0 deletions(-)

-- 
1.7.2

[PATCH 1/3] x86, cpu: Add CPU flags for SMEP

[Fenghua Yu]

From: Fenghua Yu <fenghua.yu@intel.com>

Add support for newly documented SMEP (Supervisor Mode Execution Protection) CPU
feature flags.

Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
---
 arch/x86/include/asm/cpufeature.h |    1 +
 arch/x86/kernel/cpu/scattered.c   |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
index 50c0d30..e773f13 100644
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -174,6 +174,7 @@
 #define X86_FEATURE_PLN		(7*32+ 5) /* Intel Power Limit Notification */
 #define X86_FEATURE_PTS		(7*32+ 6) /* Intel Package Thermal Status */
 #define X86_FEATURE_DTS		(7*32+ 7) /* Digital Thermal Sensor */
+#define X86_FEATURE_SMEP	(7*32+ 8) /* Supervisor Mode Execution Protection*/
 
 /* Virtualization flags: Linux defined, word 8 */
 #define X86_FEATURE_TPR_SHADOW  (8*32+ 0) /* Intel TPR Shadow */
diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c
index c7f64e6..2de3aea 100644
--- a/arch/x86/kernel/cpu/scattered.c
+++ b/arch/x86/kernel/cpu/scattered.c
@@ -38,6 +38,7 @@ void __cpuinit init_scattered_cpuid_features(struct cpuinfo_x86 *c)
 		{ X86_FEATURE_PTS,		CR_EAX, 6, 0x00000006, 0 },
 		{ X86_FEATURE_APERFMPERF,	CR_ECX, 0, 0x00000006, 0 },
 		{ X86_FEATURE_EPB,		CR_ECX, 3, 0x00000006, 0 },
+		{ X86_FEATURE_SMEP,		CR_EBX, 7, 0x00000007, 0 },
 		{ X86_FEATURE_XSAVEOPT,		CR_EAX,	0, 0x0000000d, 1 },
 		{ X86_FEATURE_CPB,		CR_EDX, 9, 0x80000007, 0 },
 		{ X86_FEATURE_NPT,		CR_EDX, 0, 0x8000000a, 0 },
-- 
1.7.2

[PATCH 2/3] x86, cpu: Add SMEP CPU feature in CR4

[Fenghua Yu]

From: Fenghua Yu <fenghua.yu@intel.com>

Add support for newly documented SMEP (Supervisor Mode Execution Protection)
CPU feature in CR4.

Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
---
 arch/x86/include/asm/processor-flags.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/arch/x86/include/asm/processor-flags.h b/arch/x86/include/asm/processor-flags.h
index a898a2b..59ab4df 100644
--- a/arch/x86/include/asm/processor-flags.h
+++ b/arch/x86/include/asm/processor-flags.h
@@ -60,6 +60,7 @@
 #define X86_CR4_OSXMMEXCPT 0x00000400 /* enable unmasked SSE exceptions */
 #define X86_CR4_VMXE	0x00002000 /* enable VMX virtualization */
 #define X86_CR4_OSXSAVE 0x00040000 /* enable xsave and xrestore */
+#define X86_CR4_SMEP	0x00100000 /* enable SMEP support */
 
 /*
  * x86-64 Task Priority Register, CR8
-- 
1.7.2

[PATCH 3/3] x86, cpu: Enable/disable SMEP

[Fenghua Yu]

From: Fenghua Yu <fenghua.yu@intel.com>

Enable/disable newly documented SMEP (Supervisor Mode Execution Protection) CPU
feature in kernel. CR4.SMEP (bit 20) is 0 at power-on. If the feature is
supported by CPU (X86_FEATURE_SMEP), enable SMEP by setting CR4.SMEP. New kernel
option nosmep disables the feature even if the feature is supported by CPU.

Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
---
 Documentation/kernel-parameters.txt |    4 ++++
 arch/x86/kernel/cpu/common.c        |   21 +++++++++++++++++++++
 2 files changed, 25 insertions(+), 0 deletions(-)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index cc85a92..56fb8c1 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1664,6 +1664,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			noexec=on: enable non-executable mappings (default)
 			noexec=off: disable non-executable mappings
 
+	nosmep		[X86]
+			Disable SMEP (Supervisor Mode Execution Protection)
+			even if it is supported by processor.
+
 	noexec32	[X86-64]
 			This affects only 32-bit executables.
 			noexec32=on: enable non-executable mappings (default)
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index e2ced00..f06b2d5 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -254,6 +254,25 @@ static inline void squash_the_stupid_serial_number(struct cpuinfo_x86 *c)
 }
 #endif
 
+static int disable_smep;
+static __init int setup_disable_smep(char *arg)
+{
+	disable_smep = 1;
+	return 1;
+}
+__setup("nosmep", setup_disable_smep);
+
+static __init void setup_smep(struct cpuinfo_x86 *c)
+{
+	if (cpu_has(c, X86_FEATURE_SMEP)) {
+		if (unlikely(disable_smep)) {
+			setup_clear_cpu_cap(X86_FEATURE_SMEP);
+			clear_in_cr4(X86_CR4_SMEP);
+		} else
+			set_in_cr4(X86_CR4_SMEP);
+	}
+}
+
 /*
  * Some CPU features depend on higher CPUID levels, which may not always
  * be available due to CPUID level capping or broken virtualization
@@ -867,6 +886,8 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
 	/* Init Machine Check Exception if available. */
 	mcheck_cpu_init(c);
 
+	setup_smep(c);
+
 	select_idle_routine(c);
 
 #ifdef CONFIG_NUMA
-- 
1.7.2

Re: [PATCH 3/3] x86, cpu: Enable/disable SMEP

[Andi Kleen]

"Fenghua Yu" <fenghua.yu@intel.com> writes:
  
> +static int disable_smep;

If you add a __initdata here the whole thing will completely disappear
after boot.

> @@ -867,6 +886,8 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
>  	/* Init Machine Check Exception if available. */
>  	mcheck_cpu_init(c);
>  
> +	setup_smep(c);

My feeling is you're setting this too late. In theory there could be
early overflows. Better use a early_param and set it as early
as possible, directly after the cpuid flags are set up in early
initialization.

-Andi
-- 
ak@linux.intel.com -- Speaking for myself only

Re: [PATCH 3/3] x86, cpu: Enable/disable SMEP

[H. Peter Anvin]

On 05/11/2011 03:36 PM, Andi Kleen wrote:
> "Fenghua Yu"<fenghua.yu@intel.com>  writes:
>
>> +static int disable_smep;
>
> If you add a __initdata here the whole thing will completely disappear
> after boot.
>
>> @@ -867,6 +886,8 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
>>   	/* Init Machine Check Exception if available. */
>>   	mcheck_cpu_init(c);
>>
>> +	setup_smep(c);
>
> My feeling is you're setting this too late. In theory there could be
> early overflows. Better use a early_param and set it as early
> as possible, directly after the cpuid flags are set up in early
> initialization.
>
> -Andi

SMEP only matters if we can into userspace code, so I *think* the above 
should be okay.  However, the most logical place would be to enable it 
in the same place(s) where we enable NX.

	-hpa

Re: [PATCH 3/3] x86, cpu: Enable/disable SMEP

[Ingo Molnar]

* Fenghua Yu <fenghua.yu@intel.com> wrote:

> From: Fenghua Yu <fenghua.yu@intel.com>
> 
> Enable/disable newly documented SMEP (Supervisor Mode Execution Protection) CPU
> feature in kernel. CR4.SMEP (bit 20) is 0 at power-on. If the feature is
> supported by CPU (X86_FEATURE_SMEP), enable SMEP by setting CR4.SMEP. New kernel
> option nosmep disables the feature even if the feature is supported by CPU.

Please add a clearer explanation to the changelog and the code as well, 
something like:

   SMEP prevents the CPU in kernel-mode to jump to an executable page that does
   not have the kernel/system flag set in the pte. This prevents the kernel
   from executing user-space code accidentally or maliciously, so it for 
   example prevents kernel exploits from jumping to specially prepared 
   user-mode shell code.

> Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
> ---
>  Documentation/kernel-parameters.txt |    4 ++++
>  arch/x86/kernel/cpu/common.c        |   21 +++++++++++++++++++++
>  2 files changed, 25 insertions(+), 0 deletions(-)
> 
> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
> index cc85a92..56fb8c1 100644
> --- a/Documentation/kernel-parameters.txt
> +++ b/Documentation/kernel-parameters.txt
> @@ -1664,6 +1664,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>  			noexec=on: enable non-executable mappings (default)
>  			noexec=off: disable non-executable mappings
>  
> +	nosmep		[X86]
> +			Disable SMEP (Supervisor Mode Execution Protection)
> +			even if it is supported by processor.

Typo: s/by processor/by the processor

> +
>  	noexec32	[X86-64]
>  			This affects only 32-bit executables.
>  			noexec32=on: enable non-executable mappings (default)
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index e2ced00..f06b2d5 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -254,6 +254,25 @@ static inline void squash_the_stupid_serial_number(struct cpuinfo_x86 *c)
>  }
>  #endif
>  
> +static int disable_smep;
> +static __init int setup_disable_smep(char *arg)

Nit: please put a newline between variables and the next function.

Also, since setup_smep() is __init this could be __initdata.

> +{
> +	disable_smep = 1;
> +	return 1;
> +}
> +__setup("nosmep", setup_disable_smep);

Naming nit: s/setup_disable_smep/setup_nosmep

> +static __init void setup_smep(struct cpuinfo_x86 *c)
> +{
> +	if (cpu_has(c, X86_FEATURE_SMEP)) {
> +		if (unlikely(disable_smep)) {
> +			setup_clear_cpu_cap(X86_FEATURE_SMEP);
> +			clear_in_cr4(X86_CR4_SMEP);
> +		} else
> +			set_in_cr4(X86_CR4_SMEP);

Nit: Please use symmetric curly braces.

> +	}
> +}
> +
>  /*
>   * Some CPU features depend on higher CPUID levels, which may not always
>   * be available due to CPUID level capping or broken virtualization
> @@ -867,6 +886,8 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
>  	/* Init Machine Check Exception if available. */
>  	mcheck_cpu_init(c);
>  
> +	setup_smep(c);
> +
>  	select_idle_routine(c);

The other option would be to enable SMEP in arch/x86/kernel/head_32/64.S where 
we twiddle the cr4 anyway and enable PAE and PGE, and where we do a cpuid to 
check whether the CPU supports NX.

This means we enable SMEP unconditionally on all CPUs that support it, the 
nosmep boot option would turn it off shortly afterwards.

Also, is there some KVM impact of this CPU feature? If the hypervisor can pass 
this to the guest kernel as well then we want to add support there as well, and 
probably want to turn it on by default. (unless it breaks something in a bad 
way)

Thanks,

	Ingo