UBUNTU: SAUCE: nx-emu: further clarify dmesg reporting

03-30-2011, 11:06 PM

When booting a 32bit non-PAE kernel on a CPU that supports hardware NX,
dmesg did not indicate that NX emulation was being used. This changes
the dmesg reporting to be more clear. Warnings about lacking hardware
NX remain, and the state of NX-emulation is reported when enabled.

(Backported from Natty patch.)

BugLink: https://launchpad.net/bugs/745181

Signed-off-by: Kees Cook <kees.cook@canonical.com>
---
arch/x86/mm/setup_nx.c | 28 +++++++++++++++++-----------
1 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
index f068676..64f2d6a 100644
--- a/arch/x86/mm/setup_nx.c
+++ b/arch/x86/mm/setup_nx.c
@@ -43,19 +43,12 @@ void __cpuinit x86_configure_nx(void)

void __init x86_report_nx(void)
{
+ int nx_emulation = 0;
+
if (!cpu_has_nx) {
-#ifdef CONFIG_X86_32
- if (exec_shield)
- printk(KERN_INFO "NX (Execute Disable) protection: "
- "approximated by x86 segment limits
");
- else
- printk(KERN_INFO "NX (Execute Disable) protection: "
- "approximation disabled by kernel command "
- "line option
");
-#else
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
"missing in CPU or disabled in BIOS!
");
-#endif
+ nx_emulation = 1;
} else {
#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
if (disable_nx) {
@@ -68,7 +61,20 @@ void __init x86_report_nx(void)
#else
/* 32bit non-PAE kernel, NX cannot be used */
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
- "cannot be enabled: non-PAE kernel!
");
+ "cannot be enabled in hardware: non-PAE kernel!
");
+ nx_emulation = 1;
+#endif
+ }
+
+ if (nx_emulation) {
+#ifdef CONFIG_X86_32
+ if (exec_shield)
+ printk(KERN_INFO "NX (Execute Disable) protection: "
+ "approximated by x86 segment limits
");
+ else
+ printk(KERN_INFO "NX (Execute Disable) protection: "
+ "approximation disabled by kernel command "
+ "line option
");
#endif
}
}
--
1.7.4.1

--
Kees Cook
Ubuntu Security Team

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

03-31-2011, 01:09 PM

On 03/30/2011 04:06 PM, Kees Cook wrote:

When booting a 32bit non-PAE kernel on a CPU that supports hardware NX,
dmesg did not indicate that NX emulation was being used. This changes
the dmesg reporting to be more clear. Warnings about lacking hardware
NX remain, and the state of NX-emulation is reported when enabled.

BugLink: https://launchpad.net/bugs/745181

Signed-off-by: Kees Cook<kees.cook@canonical.com>
---
arch/x86/mm/setup_nx.c | 28 +++++++++++++++++-----------
1 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
index 4323de4..90c9eff 100644
--- a/arch/x86/mm/setup_nx.c
+++ b/arch/x86/mm/setup_nx.c
@@ -40,19 +40,12 @@ void __cpuinit x86_configure_nx(void)

void __init x86_report_nx(void)
{
+ int nx_emulation = 0;
+
if (!cpu_has_nx) {
-#ifdef CONFIG_X86_32
- if (!disable_nx)
- printk(KERN_INFO "NX (Execute Disable) protection: "
- "approximated by x86 segment limits
");
- else
- printk(KERN_INFO "NX (Execute Disable) protection: "
- "approximation disabled by kernel command "
- "line option
");
-#else
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
"missing in CPU!
");
-#endif
+ nx_emulation = 1;
} else {
#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
if (disable_nx) {
@@ -65,7 +58,20 @@ void __init x86_report_nx(void)
#else
/* 32bit non-PAE kernel, NX cannot be used */
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
- "cannot be enabled: non-PAE kernel!
");
+ "cannot be enabled in hardware: non-PAE kernel!
");
+ nx_emulation = 1;
+#endif
+ }
+
+ if (nx_emulation) {
+#ifdef CONFIG_X86_32
+ if (!disable_nx)
+ printk(KERN_INFO "NX (Execute Disable) protection: "
+ "approximated by x86 segment limits
");
+ else
+ printk(KERN_INFO "NX (Execute Disable) protection: "
+ "approximation disabled by kernel command "
+ "line option
");
#endif
}
}

Possible strings before patch:

Notice: NX (Execute Disable) protection missing in CPU!
NX (Execute Disable) protection: disabled by kernel command line option
NX (Execute Disable) protection: active
Notice: NX (Execute Disable) protection cannot be enabled: non-PAE kernel!

Possible strings after patch:

Notice: NX (Execute Disable) protection missing in CPU!
NX (Execute Disable) protection: disabled by kernel command line option
NX (Execute Disable) protection: active
Notice: NX (Execute Disable) protection cannot be enabled in hardware:
non-PAE kernel!

NX (Execute Disable) protection: approximated by x86 segment limits
NX (Execute Disable) protection: approximation disabled by kernel
command line option

This is simple enough stuff. I assume this patch is in the merge window
pipeline? 'Cause its churny enough that it'll be a pain to resolve if it
doesn't make it upstream intact.

applied to Natty

rtg
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

03-31-2011, 01:11 PM

On 03/30/2011 05:06 PM, Kees Cook wrote:

When booting a 32bit non-PAE kernel on a CPU that supports hardware NX,
dmesg did not indicate that NX emulation was being used. This changes
the dmesg reporting to be more clear. Warnings about lacking hardware
NX remain, and the state of NX-emulation is reported when enabled.

(Backported from Natty patch.)

BugLink: https://launchpad.net/bugs/745181

Signed-off-by: Kees Cook<kees.cook@canonical.com>
---
arch/x86/mm/setup_nx.c | 28 +++++++++++++++++-----------
1 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
index f068676..64f2d6a 100644
--- a/arch/x86/mm/setup_nx.c
+++ b/arch/x86/mm/setup_nx.c
@@ -43,19 +43,12 @@ void __cpuinit x86_configure_nx(void)

void __init x86_report_nx(void)
{
+ int nx_emulation = 0;
+
if (!cpu_has_nx) {
-#ifdef CONFIG_X86_32
- if (exec_shield)
- printk(KERN_INFO "NX (Execute Disable) protection: "
- "approximated by x86 segment limits
");
- else
- printk(KERN_INFO "NX (Execute Disable) protection: "
- "approximation disabled by kernel command "
- "line option
");
-#else
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
"missing in CPU or disabled in BIOS!
");
-#endif
+ nx_emulation = 1;
} else {
#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
if (disable_nx) {
@@ -68,7 +61,20 @@ void __init x86_report_nx(void)
#else
/* 32bit non-PAE kernel, NX cannot be used */
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
- "cannot be enabled: non-PAE kernel!
");
+ "cannot be enabled in hardware: non-PAE kernel!
");
+ nx_emulation = 1;
+#endif
+ }
+
+ if (nx_emulation) {
+#ifdef CONFIG_X86_32
+ if (exec_shield)
+ printk(KERN_INFO "NX (Execute Disable) protection: "
+ "approximated by x86 segment limits
");
+ else
+ printk(KERN_INFO "NX (Execute Disable) protection: "
+ "approximation disabled by kernel command "
+ "line option
");
#endif
}
}

Acked-by: Tim Gardner <tim.gardner@canonical.com>

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

03-31-2011, 04:08 PM

Hi Tim,

On Thu, Mar 31, 2011 at 07:09:40AM -0600, Tim Gardner wrote:
> This is simple enough stuff. I assume this patch is in the merge
> window pipeline? 'Cause its churny enough that it'll be a pain to
> resolve if it doesn't make it upstream intact.

I'm waiting for the nx-emu upstream[1] to rebase to 2.6.38 before sending this
patch (since 2.6.38 changes these strings slightly), but I expect it to be
accepted.

> applied to Natty

Thanks!

-Kees

[1] http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation

--
Kees Cook
Ubuntu Security Team

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

03-31-2011, 05:03 PM

On 03/30/2011 04:06 PM, Kees Cook wrote:

When booting a 32bit non-PAE kernel on a CPU that supports hardware NX,
dmesg did not indicate that NX emulation was being used. This changes
the dmesg reporting to be more clear. Warnings about lacking hardware
NX remain, and the state of NX-emulation is reported when enabled.

(Backported from Natty patch.)

BugLink: https://launchpad.net/bugs/745181

Signed-off-by: Kees Cook<kees.cook@canonical.com>
---
arch/x86/mm/setup_nx.c | 28 +++++++++++++++++-----------
1 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
index f068676..64f2d6a 100644
--- a/arch/x86/mm/setup_nx.c
+++ b/arch/x86/mm/setup_nx.c
@@ -43,19 +43,12 @@ void __cpuinit x86_configure_nx(void)

void __init x86_report_nx(void)
{
+ int nx_emulation = 0;
+
if (!cpu_has_nx) {
-#ifdef CONFIG_X86_32
- if (exec_shield)
- printk(KERN_INFO "NX (Execute Disable) protection: "
- "approximated by x86 segment limits
");
- else
- printk(KERN_INFO "NX (Execute Disable) protection: "
- "approximation disabled by kernel command "
- "line option
");
-#else
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
"missing in CPU or disabled in BIOS!
");
-#endif
+ nx_emulation = 1;
} else {
#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
if (disable_nx) {
@@ -68,7 +61,20 @@ void __init x86_report_nx(void)
#else
/* 32bit non-PAE kernel, NX cannot be used */
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
- "cannot be enabled: non-PAE kernel!
");
+ "cannot be enabled in hardware: non-PAE kernel!
");
+ nx_emulation = 1;
+#endif
+ }
+
+ if (nx_emulation) {
+#ifdef CONFIG_X86_32
+ if (exec_shield)
+ printk(KERN_INFO "NX (Execute Disable) protection: "
+ "approximated by x86 segment limits
");
+ else
+ printk(KERN_INFO "NX (Execute Disable) protection: "
+ "approximation disabled by kernel command "
+ "line option
");
#endif
}
}

Where's the SRU justification text?

--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

04-01-2011, 02:38 PM

On 03/30/2011 05:06 PM, Kees Cook wrote:

When booting a 32bit non-PAE kernel on a CPU that supports hardware NX,
dmesg did not indicate that NX emulation was being used. This changes
the dmesg reporting to be more clear. Warnings about lacking hardware
NX remain, and the state of NX-emulation is reported when enabled.

(Backported from Natty patch.)

BugLink: https://launchpad.net/bugs/745181

Signed-off-by: Kees Cook<kees.cook@canonical.com>
---
arch/x86/mm/setup_nx.c | 28 +++++++++++++++++-----------
1 files changed, 17 insertions(+), 11 deletions(-)

Kees - the Maverick portion of the bug still needs the SRU Justification.

applied, pushed.

rtg
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

04-05-2011, 08:26 PM

Hi Tim,

On Fri, Apr 01, 2011 at 08:38:34AM -0600, Tim Gardner wrote:
> Kees - the Maverick portion of the bug still needs the SRU Justification.
>
> applied, pushed.

Thanks! I've added justification and a testcase.

-Kees

--
Kees Cook
Ubuntu Security Team

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team