Number: 179282
Category: amd64
Synopsis: [PATCH] Intel SMAP for FreeBSD-CURRENT
Confidential: no
Severity: non-critical
Priority: low
Responsible:freebsd-amd64
State: open
Quarter:
Keywords:
Date-Required:
Class: change-request
Submitter-Id: current-users
Arrival-Date: Mon Jun 03 23:10:01 UTC 2013
Closed-Date:
Last-Modified:
Originator: Oliver Pinter
Release:FreeBSD 10-CURRENT
Organization:
Environment:
Description:
As subpart of my thesis, I implemented Intel SMAP[1] support for FreeBSD.
The current stable version of patch (attached) have compile time
option to enable SMAP.*
A feature complete dynamic version is expected by the end of the
month, which patched the kernel on boot time, when the feautre
presented in CPU.
[1] http://lwn.net/Articles/517475/
patches: https://github.com/opntr/freebsd-patches-2013-tavasz
smap-test: https://github.com/opntr/freebsd-smap-tester
How-To-Repeat:
Fix:
Patch attached with submission follows:
From ae18b374b38401f736e4e13a8ab5fab82985df2b Mon Sep 17 00:00:00 2001
From: Oliver Pinter oliver.p...@gmail.com
Date: Tue, 16 Apr 2013 01:32:25 +0200
Subject: [PATCH] added SMAP support for FreeBSD against r250423
This patch implemented support for Intel's new protection technology.
Supervisor Mode Access Prevention (SMAP) is newest security feature from
Intel, which first appears in the Haswell Line of processors.
When SMAP enabled, the kernel cannot access pages that are in userspace.
In some cases the kernel does have to access user pages, for this reason
the technology provided two instruction, to temporarily disable this
protection.
When SMAP detect protection violation, the kernel must call panic().
Intel's SMAP documentation:
http://software.intel.com/sites/default/files/319433-014.pdf
Test case:
https://github.com/opntr/freebsd-smap-tester
some parts of this patch discussed with kib freebsd org and Hunger
Signed-off-by: Oliver Pinter oliver.p...@gmail.com
--
* added void clac(void) and void stac(void) to cpufunc.h
* added STAC/CLAC instruction and added config options
* added basic support for SMAP
* added stac/clac in support.S around userspace memory access
* added RFLAGS.AC clearing to exception.S related to SMAP
* added RFLAGS.AC clearing to ia32_exception.S related to SMAP
* added RFLAGS.AC clearing to asmacros.h related to SMAP
* clac and stac functions depend on INTEL_SMAP
* added trap handler to SMAP
For security reason, when PF occured by SMAP, the kernel should paniced.
[...]
The above items imply that the error code delivered by a page-fault
exception due to SMAP is either 1 (for reads) or 3 (for writes).
Note that the only page-fault exceptions that deliver an error code
of 1 are those induced by SMAP. (If CR0.WP = 1, some page-fault
exceptions may deliver an error code of 3 even if CR4.SMAP = 0.)
[...] - intel 319433-014.pdf 9.3.3
* Clear the RFLAGS.AC on the start of nmi handler
suggested by kib@:
I think that NMI handler should have CLAC executed unconditionally and
much earlier then it is done in your patch. Since NMI could interrupt
the copy*() functions, you would get some kernel code unneccessary
executing with SMAP off.
* added note to fault handlers related to SMAP
suggested by kib@:
I believe that exception labels in the support.S, like copyout_fault
etc
deserve a comment describing that EFLAGS.AC bit gets cleared by the
exception entry point before the control reaches the label.
* added AC flag checking and factor out SMAP checking in trap_pfault() to make
it more readable and
partially suggested by kib:
The trap_pfault() fragment should check for the error code equal to 1 or
3, as described in the 9.3.3, instead of only checking for the present
bit set. More, I suggest you to explicitely check that the #PF exception
came from the kernel mode and that EFLAGS.AC was also set, before
decidingto panic due to SMAP-detected failure.
* build fix, when INTEL_SMAP has not set in kernel config
/usr/home/op/git/freebsd-base.git.http/sys/amd64/amd64/trap.c:889:1: error:
unused function 'smap_access_violation' [-Werror,-Wunused-function]
smap_access_violation(struct trapframe *frame, int usermode)
^
1 error generated.
*** [trap.o] Error code 1
1 error
*** [buildkernel] Error code 2
1 error
*** [buildkernel] Error code 2
1 error
* fixed smap_access_violation(...), spotted by Hunger
* fix smap_access_violatrion() when the CPU does not support SMAP
* use the CLAC and STAC macro, instead of the .byte sequence
* added memory clobber to clac and stac inline assembly
clac and stac are sensitive instructions,
to prevent instruction reordering added memory clobber
spotted by Hunger, PaXTeam
Signed-off-by: Oliver Pinter oliver.p...@gmail.com
---
sys/amd64/amd64/exception.S | 6 ++
sys/amd64/amd64/identcpu.c | 28
