Re: [PATCH v3] x86: use a read-only IDT alias on all CPUs

2013-04-11 Thread Ingo Molnar
* Kees Cook keesc...@chromium.org wrote:
> Make a copy of the IDT (as seen via the sidt instruction) read-only. This primarily removes the IDT from being a target for arbitrary memory write attacks, and has the added benefit of also not leaking the kernel base offset, if it has been relocated.

Re: [PATCH v3] x86: use a read-only IDT alias on all CPUs

2013-04-11 Thread Andi Kleen
Ingo Molnar mi...@kernel.org writes:
> This looks very nice to me now. Peter, any objections?

it seems pointless without randomized main kernel text location, because the IDT will be still at a known per kernel fixed writable location in the direct mapping. As long as such randomization is not

Re: [PATCH v3] x86: use a read-only IDT alias on all CPUs

2013-04-11 Thread H. Peter Anvin
Kees posted that one too.

Andi Kleen a...@firstfloor.org wrote:
> Ingo Molnar mi...@kernel.org writes:
>> This looks very nice to me now. Peter, any objections?
>
> it seems pointless without randomized main kernel text location, because the IDT will be still at a known per kernel fixed writable

[PATCH v3] x86: use a read-only IDT alias on all CPUs

2013-04-10 Thread Kees Cook
Make a copy of the IDT (as seen via the sidt instruction) read-only. This primarily removes the IDT from being a target for arbitrary memory write attacks, and has the added benefit of also not leaking the kernel base offset, if it has been relocated. We already did this on vendor == Intel and