From patchwork Fri Sep 23 22:17:30 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dave Hansen X-Patchwork-Id: 609017 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 30D62C6FA83 for ; Fri, 23 Sep 2022 22:17:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231315AbiIWWRg (ORCPT ); Fri, 23 Sep 2022 18:17:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51546 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229511AbiIWWRd (ORCPT ); Fri, 23 Sep 2022 18:17:33 -0400 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BC8EC11E97D; Fri, 23 Sep 2022 15:17:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1663971452; x=1695507452; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=8tE/QBR6Q/gediWIXN96SP8n9NX5gdozFhDqCtkEAms=; b=TAAo2GnTWOpEr9PzjxlZtNnsmGcudY2xkDMoZxtefQ23ujLxlN3x6Jlr af8/S2hMWxauyr4lHmCuLxiHwSrLKbc1yZooktCiIxZQF5mvNmROz6SzF qcb6Ufh/ODWl4iuiXd1dUEJvtMsE2yasJlw2VE24d6cv7aUbPN8mngk+8 9yl3v/f0fczuQXDYCnZ/bNgv2dr1t8gJqgUg87FUgjJkLyMQxQNWD6isA K70jvoiNq8gooiI/3GE1gB5q+iqrH92VXgb4DPAkfyo6IDCR2mC2tLZkC nSc0IID/lk1V+KIbhsvwsZotb210PnGMihByL8yz4oMmdn71oEUjf+fjA g==; X-IronPort-AV: E=McAfee;i="6500,9779,10479"; a="301599009" X-IronPort-AV: E=Sophos;i="5.93,340,1654585200"; d="scan'208";a="301599009" Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2022 15:17:32 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.93,340,1654585200"; d="scan'208";a="745954546" Received: from viggo.jf.intel.com (HELO ray2.amr.corp.intel.com) ([10.54.77.144]) by orsmga004.jf.intel.com with ESMTP; 23 Sep 2022 15:17:31 -0700 From: Dave Hansen To: linux-kernel@vger.kernel.org Cc: Dave Hansen , Guenter Roeck , Ard Biesheuvel , Darren Hart , Andy Shevchenko , Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org, linux-efi@vger.kernel.org, "H. Peter Anvin" , Kees Cook Subject: [PATCH] x86/mm: Disable W^X detection and enforcement on 32-bit Date: Fri, 23 Sep 2022 15:17:30 -0700 Message-Id: <20220923221730.1860518-1-dave.hansen@linux.intel.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-efi@vger.kernel.org The 32-bit code is in a weird spot. Some 32-bit builds (non-PAE) do not even have NX support. Even PAE builds that support NX have to contend with things like EFI data and code mixed in the same pages where W+X is unavoidable. The folks still running X86_32=y kernels are unlikely to care much about NX. That combined with the fundamental inability fix _all_ of the W+X things means this code had little value on X86_32=y. Disable the checks. Reported-by: Guenter Roeck Signed-off-by: Dave Hansen Cc: Ard Biesheuvel Cc: Darren Hart Cc: Andy Shevchenko Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: x86@kernel.org Cc: linux-efi@vger.kernel.org Cc: "H. Peter Anvin" Cc: Kees Cook Link: https://lore.kernel.org/all/CAMj1kXHcF_iK_g0OZSkSv56Wmr=eQGQwNstcNjLEfS=mm7a06w@mail.gmail.com/ Acked-by: Ard Biesheuvel --- arch/x86/mm/pat/set_memory.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c index 20b1e24baa85..efe882c753ca 100644 --- a/arch/x86/mm/pat/set_memory.c +++ b/arch/x86/mm/pat/set_memory.c @@ -587,6 +587,14 @@ static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long star { unsigned long end; + /* + * 32-bit has some unfixable W+X issues, like EFI code + * and writeable data being in the same page. Disable + * detection and enforcement there. + */ + if (IS_ENABLED(CONFIG_X86_32)) + return new; + /* Only enforce when NX is supported: */ if (!(__supported_pte_mask & _PAGE_NX)) return new;