From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752129AbbJCHuu (ORCPT ); Sat, 3 Oct 2015 03:50:50 -0400
Received: from mail-wi0-f181.google.com ([209.85.212.181]:37036 "EHLO mail-wi0-f181.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751712AbbJCHut (ORCPT ); Sat, 3 Oct 2015 03:50:49 -0400
Date: Sat, 3 Oct 2015 09:50:45 +0200
From: Ingo Molnar
To: Borislav Petkov
Cc: Kees Cook, Stephen Smalley, "x86@kernel.org", LKML
Subject: Re: [RFC][PATCH] x86/mm: warn on W+x mappings
Message-ID: <20151003075045.GC25143@gmail.com>
References: <1443716923-6072-1-git-send-email-sds@tycho.nsa.gov> <20151001194121.GC3764@pd.tnic> <20151002072643.GA5035@gmail.com> <20151002080239.GC16538@pd.tnic>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20151002080239.GC16538@pd.tnic>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

* Borislav Petkov wrote:

> On Fri, Oct 02, 2015 at 09:26:44AM +0200, Ingo Molnar wrote:
> > It's better to generate a WARN()ing programmatically if the W+X condition occurs,
> > that gets noticed by tools and people alike. I'd like to start treating that
> > condition as a hard kernel bug.
> >
> > A dump in dmesg is subject to random noise by printk crusaders and is also subject
> > to general bitrot, nor does it provide any ready warning to act upon.
>
> You're not going to enable this option in production anyway. [...]

Why not?

I'd suggest distros do it too, it's not too much code to run during bootup. That way
if we on some weird configuration forget about a W+X mapping, the distro is warned
that there's a security problem.

> > I'd even add this debug check as default-enabled in the x86 defconfigs, so
> > that my own continuous kernel testing kit picks up any new warnings from it.
>
> There's the problem with exposing sensitive info in debugfs if you do that. And
> nowadays we're trying hard not to leak any of that.

Ah, I think you missed the following detail: the patch I suggested would separate the
debugfs bits from the checking bits and would thus allow a 'security check only'
.config setting.

Distros would normally not want to enable the debugfs file, agreed about that.

Thanks,

	Ingo
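The point argued above is that a W+X check should emit a warning programmatically and hand back a result tools can act on, instead of relying on someone reading a dump. As an added example (not the RFC patch, not kernel code, and not part of this thread), the program below applies the same split to a userspace analogue: a checking routine that scans mappings in /proc/<pid>/maps format, warns once per W+X range and returns a count, kept separate from any dumping. The maps lines embedded in it are constructed, and a 4 KiB page size is assumed; the kernel patch itself walks page tables, which this does not reproduce.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lines in /proc/<pid>/maps format (not captured from a
 * real system). The third entry is both writable and executable. */
static const char *const sample_maps[] = {
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/example",
    "00600000-00601000 rw-p 00001000 08:01 1234 /usr/bin/example",
    "7f0000000000-7f0000021000 rwxp 00000000 00:00 0 [jit-heap]",
    "7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]",
    NULL,
};

#define PAGE_SIZE 4096ULL /* assumption: 4 KiB pages */

/* Parse "start-end perms ..." from one maps line. Returns false on a
 * malformed line so the caller can skip it instead of misjudging it. */
static bool parse_maps_line(const char *line, unsigned long long *start,
                            unsigned long long *end, char perms[5])
{
    return sscanf(line, "%llx-%llx %4s", start, end, perms) == 3;
}

/* The W+X condition: the range is writable and executable at once. */
static bool is_wx(const char perms[5])
{
    return perms[1] == 'w' && perms[2] == 'x';
}

/* The checking half: walk a NULL-terminated list of maps lines, warn on
 * stderr for every W+X range, and return the number of W+X pages found.
 * A non-zero return is the machine-readable signal; the warnings are
 * for humans. Nothing here dumps the full table. */
unsigned long long count_wx_pages(const char *const lines[])
{
    unsigned long long wx_pages = 0;

    for (size_t i = 0; lines[i] != NULL; i++) {
        unsigned long long start, end;
        char perms[5];

        if (!parse_maps_line(lines[i], &start, &end, perms))
            continue;
        if (!is_wx(perms))
            continue;

        unsigned long long pages = (end - start) / PAGE_SIZE;
        fprintf(stderr, "WARNING: W+X mapping %llx-%llx (%llu pages)\n",
                start, end, pages);
        wx_pages += pages;
    }
    return wx_pages;
}

/* Same check over a live maps file, e.g. "/proc/self/maps". Returns the
 * W+X page count, or -1 if the file cannot be opened. */
long long count_wx_pages_in_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;

    char line[512];
    unsigned long long total = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        const char *const one[] = { line, NULL };
        total += count_wx_pages(one);
    }
    fclose(f);
    return (long long)total;
}

int main(void)
{
    unsigned long long n = count_wx_pages(sample_maps);
    printf("constructed sample: %llu W+X pages\n", n);

    long long live = count_wx_pages_in_file("/proc/self/maps");
    if (live >= 0)
        printf("this process: %lld W+X pages\n", live);

    /* Treat any W+X page as a failure, the way a WARN() would be
     * treated as a bug rather than as informational output. */
    return n == 0 ? 0 : 1;
}
```

The exit status and the returned count are what a test rig or a distro boot check would consume; the stderr line is the part a person notices. Keeping the check free of any dumping is what lets it be enabled on its own without exposing the mapping layout.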