On Sun, 26 Nov 2017, Borislav Petkov wrote: > On Fri, Nov 24, 2017 at 06:23:53PM +0100, Ingo Molnar wrote: > > + * Take a PGD location (pgdp) and a pgd value that needs > > + * to be set there. Populates the shadow and returns > > + * the resulting PGD that must be set in the kernel copy > > + * of the page tables. > > + */ > > +static inline pgd_t kaiser_set_shadow_pgd(pgd_t *pgdp, pgd_t pgd) > > +{ > > +#ifdef CONFIG_KAISER > > + if (pgd_userspace_access(pgd)) { > > + if (pgdp_maps_userspace(pgdp)) { > > + /* > > + * The user/shadow page tables get the full > > + * PGD, accessible from userspace: > > + */ > > + kernel_to_shadow_pgdp(pgdp)->pgd = pgd.pgd; > > + /* > > + * For the copy of the pgd that the kernel > > + * uses, make it unusable to userspace. This > > + * ensures if we get out to userspace with the > > + * wrong CR3 value, userspace will crash > > + * instead of running. > > + */ > > + pgd.pgd |= _PAGE_NX; > > Lemme hold this down here so that we don't forget (and tglx is working on it > already... ):
A worse problem exists vs. PAGE_GLOBAL. Its enforced by KAISER unconditionally... Fixes are posted soon as an update to the series I sent earlier today. > So we need to handle the case where we boot with "noexec=off" and thus > clear _PAGE_NX from __supported_pte_mask. I'd vouch for a conservative > solution where we warn if _PAGE_NX is not set in __supported_pte_mask > and thus at least tell the user that she shouldn't do noexec kernels and > expect kaiser protection... Let me add that. Thanks, tglx