Message ID | 20110330220632.GA4050@outflux.net |
---|---|
State | New |
On 03/30/2011 04:06 PM, Kees Cook wrote: > When booting a 32bit non-PAE kernel on a CPU that supports hardware NX, > dmesg did not indicate that NX emulation was being used. This changes > the dmesg reporting to be more clear. Warnings about lacking hardware > NX remain, and the state of NX-emulation is reported when enabled. > > BugLink: https://launchpad.net/bugs/745181 > > Signed-off-by: Kees Cook<kees.cook@canonical.com> > --- > arch/x86/mm/setup_nx.c | 28 +++++++++++++++++----------- > 1 files changed, 17 insertions(+), 11 deletions(-) > > diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c > index 4323de4..90c9eff 100644 > --- a/arch/x86/mm/setup_nx.c > +++ b/arch/x86/mm/setup_nx.c > @@ -40,19 +40,12 @@ void __cpuinit x86_configure_nx(void) > > void __init x86_report_nx(void) > { > + int nx_emulation = 0; > + > if (!cpu_has_nx) { > -#ifdef CONFIG_X86_32 > - if (!disable_nx) > - printk(KERN_INFO "NX (Execute Disable) protection: " > - "approximated by x86 segment limits\n"); > - else > - printk(KERN_INFO "NX (Execute Disable) protection: " > - "approximation disabled by kernel command " > - "line option\n"); > -#else > printk(KERN_NOTICE "Notice: NX (Execute Disable) protection " > "missing in CPU!\n"); > -#endif > + nx_emulation = 1; > } else { > #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE) > if (disable_nx) { 
> @@ -65,7 +58,20 @@ void __init x86_report_nx(void) > #else > /* 32bit non-PAE kernel, NX cannot be used */ > printk(KERN_NOTICE "Notice: NX (Execute Disable) protection " > - "cannot be enabled: non-PAE kernel!\n"); > + "cannot be enabled in hardware: non-PAE kernel!\n"); > + nx_emulation = 1; > +#endif > + } > + > + if (nx_emulation) { > +#ifdef CONFIG_X86_32 > + if (!disable_nx) > + printk(KERN_INFO "NX (Execute Disable) protection: " > + "approximated by x86 segment limits\n"); > + else > + printk(KERN_INFO "NX (Execute Disable) protection: " > + "approximation disabled by kernel command " > + "line option\n"); > #endif > } > } Possible strings before patch: Notice: NX (Execute Disable) protection missing in CPU! NX (Execute Disable) protection: disabled by kernel command line option NX (Execute Disable) protection: active Notice: NX (Execute Disable) protection cannot be enabled: non-PAE kernel! Possible strings after patch: Notice: NX (Execute Disable) protection missing in CPU! NX (Execute Disable) protection: disabled by kernel command line option NX (Execute Disable) protection: active Notice: NX (Execute Disable) protection cannot be enabled in hardware: non-PAE kernel! NX (Execute Disable) protection: approximated by x86 segment limits NX (Execute Disable) protection: approximation disabled by kernel command line option This is simple enough stuff. I assume this patch is in the merge window pipeline? 'Cause its churny enough that it'll be a pain to resolve if it doesn't make it upstream intact. applied to Natty rtg
Hi Tim,

On Thu, Mar 31, 2011 at 07:09:40AM -0600, Tim Gardner wrote:
> This is simple enough stuff. I assume this patch is in the merge
> window pipeline? 'Cause it's churny enough that it'll be a pain to
> resolve if it doesn't make it upstream intact.

I'm waiting for the nx-emu upstream[1] to rebase to 2.6.38 before sending this patch (since 2.6.38 changes these strings slightly), but I expect it to be accepted.

> applied to Natty

Thanks!

-Kees

[1] http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation
diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c index 4323de4..90c9eff 100644 --- a/arch/x86/mm/setup_nx.c +++ b/arch/x86/mm/setup_nx.c @@ -40,19 +40,12 @@ void __cpuinit x86_configure_nx(void) void __init x86_report_nx(void) { + int nx_emulation = 0; + if (!cpu_has_nx) { -#ifdef CONFIG_X86_32 - if (!disable_nx) - printk(KERN_INFO "NX (Execute Disable) protection: " - "approximated by x86 segment limits\n"); - else - printk(KERN_INFO "NX (Execute Disable) protection: " - "approximation disabled by kernel command " - "line option\n"); -#else printk(KERN_NOTICE "Notice: NX (Execute Disable) protection " "missing in CPU!\n"); -#endif + nx_emulation = 1; } else { #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE) if (disable_nx) { @@ -65,7 +58,20 @@ void __init x86_report_nx(void) #else /* 32bit non-PAE kernel, NX cannot be used */ printk(KERN_NOTICE "Notice: NX (Execute Disable) protection " - "cannot be enabled: non-PAE kernel!\n"); + "cannot be enabled in hardware: non-PAE kernel!\n"); + nx_emulation = 1; +#endif + } + + if (nx_emulation) { +#ifdef CONFIG_X86_32 + if (!disable_nx) + printk(KERN_INFO "NX (Execute Disable) protection: " + "approximated by x86 segment limits\n"); + else + printk(KERN_INFO "NX (Execute Disable) protection: " + "approximation disabled by kernel command " + "line option\n"); #endif } }
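Review bot: In the first hunk (`x86_report_nx`, the `!cpu_has_nx` branch), dropping the `#ifdef CONFIG_X86_32` / `#else` around the "missing in CPU!" printk means a 32-bit kernel on a CPU without NX now logs that KERN_NOTICE line as well as the approximation line, where before it logged only the approximation line. The commit message says the warnings "remain", so it should state that this line is new on 32-bit. Separately, `nx_emulation` is set to 1 here even when `disable_nx` later turns the approximation off, so the flag really records that hardware NX is not in use; a name or a one-line comment saying so would avoid misreading it as "emulation is active".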
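Review bot: In the second hunk, the new `if (nx_emulation) {` block places `#ifdef CONFIG_X86_32` inside the `if`, so on a 64-bit build the body is empty and the flag is set and tested for nothing. Moving the `#ifdef CONFIG_X86_32` outside the `if` keeps the 64-bit path free of dead code; if that makes the compiler warn about a variable that is set but unused, guard the declaration and the two `nx_emulation = 1;` assignments the same way. Because the flag is assigned in two distant branches, a short comment on this block stating that the approximation status is reported whenever hardware NX is not in use would help the next reader.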
When booting a 32bit non-PAE kernel on a CPU that supports hardware NX, dmesg did not indicate that NX emulation was being used. This changes the dmesg reporting to be more clear. Warnings about lacking hardware NX remain, and the state of NX-emulation is reported when enabled.

BugLink: https://launchpad.net/bugs/745181

Signed-off-by: Kees Cook <kees.cook@canonical.com>

---

arch/x86/mm/setup_nx.c | 28 +++++++++++++++++-----------

1 files changed, 17 insertions(+), 11 deletions(-)
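For auditing hosts, the dmesg strings listed in the review reply above can be turned into an NX verdict. The following is an added example, not code from the patch or the kernel: the function name, state labels and sample log lines (including their timestamps) are constructed here, and the verdict rules are an assumption derived from the visible hunks.

```python
# Added example: classify NX state from dmesg text using the strings in this thread.
PREFIX = "NX (Execute Disable) "

# Hardware-NX lines, keyed by the text that follows PREFIX.
HW = {
    "protection: active": "active",
    "protection: disabled by kernel command line option": "disabled-cmdline",
    "protection missing in CPU!": "missing-in-cpu",
    # Prefix only, so both the pre-patch and post-patch wording match.
    "protection cannot be enabled": "non-pae-kernel",
}
# NX-emulation lines (32-bit kernels carrying the nx-emu patch).
EMU = {
    "protection: approximated by x86 segment limits": "active",
    "protection: approximation disabled by kernel command": "disabled-cmdline",
}


def nx_state(dmesg_text):
    """Return (hardware, emulation, verdict) for one boot's dmesg text."""
    hw = emu = "not-reported"
    for line in dmesg_text.splitlines():
        pos = line.find(PREFIX)          # skips timestamps and "Notice: "
        if pos < 0:
            continue
        msg = line[pos + len(PREFIX):]
        for frag, state in HW.items():
            if msg.startswith(frag):
                hw = state
        for frag, state in EMU.items():
            if msg.startswith(frag):
                emu = state
    if hw == "active":
        verdict = "hardware-nx"
    elif emu == "active":
        verdict = "emulated-nx"
    elif emu == "disabled-cmdline" or hw in ("disabled-cmdline", "missing-in-cpu"):
        verdict = "no-nx"
    else:
        # e.g. pre-patch non-PAE kernel: the log never says whether emulation runs
        verdict = "indeterminate"
    return hw, emu, verdict


# Constructed sample: post-patch 32-bit non-PAE kernel on an NX-capable CPU.
SAMPLE = (
    "[    0.000000] Notice: NX (Execute Disable) protection cannot be enabled"
    " in hardware: non-PAE kernel!\n"
    "[    0.000000] NX (Execute Disable) protection: approximated by x86 segment limits\n"
)

if __name__ == "__main__":
    print(nx_state(SAMPLE))
```

A pre-patch non-PAE boot log yields `indeterminate`, which is the reporting gap the patch closes.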