Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933088AbbLHOUB (ORCPT ); Tue, 8 Dec 2015 09:20:01 -0500
Received: from mail.skyhub.de ([78.46.96.112]:42987 "EHLO mail.skyhub.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S932693AbbLHOT6 (ORCPT ); Tue, 8 Dec 2015 09:19:58 -0500
Date: Tue, 8 Dec 2015 15:19:46 +0100
From: Borislav Petkov
To: Matt Fleming , Kees Cook
Cc: Kosuke Tatsukawa , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" ,
        "x86@kernel.org" , "linux-efi@vger.kernel.org" ,
        "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH 1/2] x86: Fix kernel panic when booting with XD disabled in uEFI firmware
Message-ID: <20151208141946.GD27180@pd.tnic>
References: <20151204164057.GE2514@codeblueprint.co.uk>
        <17EC94B0A072C34B8DCF0D30AD16044A0288EFC7@BPXM09GP.gisp.nec.co.jp>
        <20151208122557.GA2518@codeblueprint.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20151208122557.GA2518@codeblueprint.co.uk>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1483
Lines: 42

On Tue, Dec 08, 2015 at 12:25:57PM +0000, Matt Fleming wrote:
> On Mon, 07 Dec, at 11:10:43PM, Kosuke Tatsukawa wrote:
> >
> > Thank you for pointing that out.
> >
> > linux-4.4-rc3 booted without a problem on a real server even with XD
> > turned off by the firmware. I didn't notice this before because I was

The aforementioned patch reenables NX.

> Borislav, what do you think about stripping PAGE_NX from 'page_flags'
> in kernel_map_pages_in_pgd() if NX isn't supported, rather than
> returning EINVAL? At least that way EFI runtime services would still
> work.

I guess we can - I mean, I don't see what can go wrong more when
allowing the kernel to execute even NX UEFI regions. Maybe easier
generation of "gadgets" in the ROP sense ...

On a related note, I'm very sceptical of the existence of this "noexec"
chicken bit, if you ask me. It is a really bad idea, security-wise, to
disable NX. Is there even a valid use case to disable NX? Because if
not, I'd vote for removing that chicken bit or at least tainting the
kernel with add_taint(TAINT_USER_MORON, ... );

Kees, has this NX disabling practice come up in the past, per chance... ?

Thanks.

-- 
Regards/Gruss,
    Boris.

ECO tip #101: Trim your mails when you reply.
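
The two options weighed in the message above (return EINVAL versus strip PAGE_NX when NX is unavailable), as a user-space C model added here for illustration; it is not code from the thread or from the kernel. The struct and function names are hypothetical, the mask is modelled on the kernel's `__supported_pte_mask`, and the model relies on the architectural rule that PTE bit 63 is reserved while EFER.NXE is clear.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_PRESENT (1ULL << 0)
#define PAGE_RW      (1ULL << 1)
#define PAGE_NX      (1ULL << 63)  /* x86-64 PTE bit 63: execute-disable */

/* Hypothetical model of CPU state: nxe_enabled == 0 means firmware left
 * XD off, so EFER.NXE is clear and PTE bit 63 is a reserved bit. */
struct cpu_model { int nxe_enabled; };

/* PTE bits this CPU accepts (same idea as __supported_pte_mask). */
static uint64_t supported_mask(const struct cpu_model *cpu)
{
    return cpu->nxe_enabled ? ~0ULL : ~PAGE_NX;
}

/* Option 1: reject a mapping that asks for an unsupported bit. */
static int map_strict(const struct cpu_model *cpu, uint64_t flags, uint64_t *pte)
{
    if (flags & ~supported_mask(cpu))
        return -EINVAL;
    *pte = flags;
    return 0;
}

/* Option 2: silently drop unsupported bits, so the mapping succeeds. */
static int map_strip_nx(const struct cpu_model *cpu, uint64_t flags, uint64_t *pte)
{
    *pte = flags & supported_mask(cpu);
    return 0;
}

/* Nonzero if walking this PTE would raise a reserved-bit page fault. */
static int pte_faults(const struct cpu_model *cpu, uint64_t pte)
{
    return (pte & ~supported_mask(cpu)) != 0;
}

/* Nonzero if code can run from the page: NX only applies when NXE is on. */
static int pte_executable(const struct cpu_model *cpu, uint64_t pte)
{
    return !(cpu->nxe_enabled && (pte & PAGE_NX));
}

int main(void)
{
    struct cpu_model xd_off = { 0 };
    uint64_t want = PAGE_PRESENT | PAGE_RW | PAGE_NX, pte = 0;

    printf("raw PTE faults: %d\n", pte_faults(&xd_off, want));
    printf("strict rc: %d\n", map_strict(&xd_off, want, &pte));
    map_strip_nx(&xd_off, want, &pte);
    printf("stripped: faults=%d executable=%d\n",
           pte_faults(&xd_off, pte), pte_executable(&xd_off, pte));
    return 0;
}
```

With XD off, the stripped mapping loads without faulting but the data region becomes executable, which is the trade-off the reply raises.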