From: Ingo Molnar <mingo@kernel.org>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	linux-kernel@vger.kernel.org, "H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCH] x86_64: test that userspace stack is in fact NX
Date: Tue, 3 Oct 2023 21:06:51 +0200
Message-ID: <ZRxmS/3nr6pDa1+z@gmail.com>
In-Reply-To: <f972d59c-40dd-2a68-ff13-a2658513a25b@intel.com>


* Dave Hansen <dave.hansen@intel.com> wrote:

> On 10/3/23 06:00, Alexey Dobriyan wrote:
> > On Mon, Oct 02, 2023 at 07:23:10AM -0700, Dave Hansen wrote:
> >> Basically, could you spend a moment in the changelog to talk about:
> >>
> >> 1. 32-bit kernels on NX hardware
> >> and
> >> 2. 64-bit kernels on non-NX hardware
> > 
> > Sure. My logic was that i386 is a dead arch, but this test is easy to
> > port to i386, only 2 simple functions.
> 
> I honestly don't feel strongly about it one way or the other.  But
> whatever we do, let's explain it, please.
> 
> > I don't want to parse /proc/cpuinfo. If someone knows they're shipping
> > NX-incapable hardware, just let them disable the test.
> 
> Other than clearcpuid=nx, I don't _think_ we have any way to clear the
> X86_FEATURE_NX bit right now.  That should mean that you can use regular
> old CPUID to see if the booted kernel supports NX. [...]

I think that's probably overkill - the test should report a failure if
NX is not available for whatever reason.

Because not having NX in 2023 on any system that is threatened is a
big security vulnerability in itself, and whether the vendor or owner
intentionally did that or not doesn't really matter, and a failing
kernel testcase will be the least of their problems.

In fact I'd argue that we should fail this testcase in that situation
as a matter of principle: NX clearly doesn't work and there are very
few situations where that's acceptable.

Anyone who doesn't want or have NX can skip paying attention to this
failing testcase just fine.

Thanks,

	Ingo
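
A fail-closed check in the spirit of the policy argued in this message, as an added example (not the selftest from this thread and not code by anyone on it): it fails when CPUID does not report NX or when the [stack] line of a /proc/<pid>/maps listing is executable, without asking why. The function names and the sample maps lines are constructed for illustration, and reading the stack permissions from maps text is an assumption of this sketch, not the method of the patch under discussion.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Constructed /proc/<pid>/maps excerpts (sample data, not from the thread). */
static const char SAMPLE_NX[] =
    "7ffc1a2b0000-7ffc1a2d1000 rw-p 00000000 00:00 0 [stack]\n";
static const char SAMPLE_EXEC[] =
    "7ffc1a2b0000-7ffc1a2d1000 rwxp 00000000 00:00 0 [stack]\n";

/* CPUID leaf 0x80000001, EDX bit 20 is NX: 1 reported, 0 not, -1 not x86. */
int cpu_reports_nx(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    return __get_cpuid(0x80000001u, &a, &b, &c, &d) ? (int)((d >> 20) & 1) : 0;
#else
    return -1;
#endif
}

/* 1 if the [stack] mapping carries 'x', 0 if it does not, -1 if not found. */
int stack_mapped_exec(const char *maps)
{
    const char *tag = strstr(maps, "[stack]");
    if (!tag) return -1;
    const char *line = tag;                 /* walk back to the start of that line */
    while (line > maps && line[-1] != '\n') line--;
    char perms[5] = "";                     /* second field, e.g. "rw-p" */
    if (sscanf(line, "%*s %4s", perms) != 1) return -1;
    return perms[2] == 'x';
}

/* Fail closed: only "CPU reports NX and stack is not executable" passes (0). */
int nx_verdict(int cpu_nx, const char *maps)
{
    return (cpu_nx == 1 && stack_mapped_exec(maps) == 0) ? 0 : 1;
}

int main(void)
{
    printf("CPUID NX=%d, rw-p: %d, rwxp: %d, no NX: %d\n", cpu_reports_nx(),
           nx_verdict(1, SAMPLE_NX), nx_verdict(1, SAMPLE_EXEC), nx_verdict(0, SAMPLE_NX));
    return 0;
}
```

A verdict of 1 means failure; an unknown state (no [stack] line, non-x86 build) also fails rather than being skipped.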
