Re: x86/umip: Enable User-Mode Instruction Prevention at runtime

Re: x86/umip: Enable User-Mode Instruction Prevention at runtime

[Dave Jones]

On Mon, Nov 13, 2017 at 11:44:02PM +0000, Linux Kernel wrote:
 > Web:        https://git.kernel.org/torvalds/c/aa35f896979d9610bb11df485cf7bb6ca241febb
 > Commit:     aa35f896979d9610bb11df485cf7bb6ca241febb
 > Parent:     c6a960bbf6a36572a06bde866d94a7338c7f256a
 > Refname:    refs/heads/master
 > Author:     Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
 > AuthorDate: Sun Nov 5 18:27:54 2017 -0800
 > Committer:  Ingo Molnar <mingo@kernel.org>
 > CommitDate: Wed Nov 8 11:16:23 2017 +0100
 > 
 >     x86/umip: Enable User-Mode Instruction Prevention at runtime
 

 > +config X86_INTEL_UMIP
 > +	def_bool n
 > +	depends on CPU_SUP_INTEL
 > +	prompt "Intel User Mode Instruction Prevention" if EXPERT
 > +	---help---
 > +	  The User Mode Instruction Prevention (UMIP) is a security
 > +	  feature in newer Intel processors.

Can we start defining which CPU generation features appear in in Kconfigs ?

In six months time, "newer" will mean even less than it does today.

It'd be nice to be able to answer oldconfig without having to look
things up in the SDM.

	Dave

Re: x86/umip: Enable User-Mode Instruction Prevention at runtime

[Ingo Molnar]

* Dave Jones <davej@codemonkey.org.uk> wrote:

> On Mon, Nov 13, 2017 at 11:44:02PM +0000, Linux Kernel wrote:
>  > Web:        https://git.kernel.org/torvalds/c/aa35f896979d9610bb11df485cf7bb6ca241febb
>  > Commit:     aa35f896979d9610bb11df485cf7bb6ca241febb
>  > Parent:     c6a960bbf6a36572a06bde866d94a7338c7f256a
>  > Refname:    refs/heads/master
>  > Author:     Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
>  > AuthorDate: Sun Nov 5 18:27:54 2017 -0800
>  > Committer:  Ingo Molnar <mingo@kernel.org>
>  > CommitDate: Wed Nov 8 11:16:23 2017 +0100
>  > 
>  >     x86/umip: Enable User-Mode Instruction Prevention at runtime
>  
> 
>  > +config X86_INTEL_UMIP
>  > +	def_bool n
>  > +	depends on CPU_SUP_INTEL
>  > +	prompt "Intel User Mode Instruction Prevention" if EXPERT
>  > +	---help---
>  > +	  The User Mode Instruction Prevention (UMIP) is a security
>  > +	  feature in newer Intel processors.
> 
> Can we start defining which CPU generation features appear in in Kconfigs ?
> 
> In six months time, "newer" will mean even less than it does today.
> 
> It'd be nice to be able to answer oldconfig without having to look
> things up in the SDM.

So while I agree, the 'newer Intel CPUs' phrasing here is really weasel words for 
"it's not in officially announced CPUs yet".

If I'm reading the tech rumor press correctly then I believe UMIP will be in 
Cannonlake, which will be released in 2018. Once it's definitely included in a CPU 
you can buy we can update the Kconfig to reference the real CPU microarchitecture 
it's included in.

Or is there some official info already?

Maybe the phrasing should be changed to:

 +	  The User Mode Instruction Prevention (UMIP) is a security
 +	  feature that will be included in future Intel processors.

?

Thanks,

	Ingo