[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2 2/2] x86: Add Kconfig option to require NX bit support
- To: Alejandro Vallejo <alejandro.vallejo@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Date: Fri, 16 Jun 2023 20:48:02 +0100
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Knkz+CuR2h5Nt8wHBfN9Yw57QXJvqyi0hdeSsJZ5oZ4=; b=YrL0Nkx/+FKFlXXHnO0xiiNtzX5xB9NWsn+VB1OxQDSvSWpqUUXnISfo0u6r0G12Uc24N2jgDeMH6o9AyUXFP7D75vYBkuuHTaS9uj4nJA9CFRRkTM0LCPJzd3fiu+L7CdcBKHcst1jPe4lSYNkQUzTmCyxRmbCNDS6V+EWiXs/9r7rTN8/smHl1OkEcnS6FOAU0rbVN1EAn6e2ucvbjWg+n98clmKk1Jwu+KtbALhOu5JWsnKiHnc4r+w5hEKorrXpulgf0xwQOAXi0EHFxYZvoqRn+3KTE2E+RDKgj5v2rEnTFub4+UkhZ1wMM1jidcIMWOKMP36k4lsWvZw5KfQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JbarzkuIYentWXTU61sIKCPBMnrQLTyvhgfnEGakTSX/pzyf1mw8Hzpi2EsQbxdNRDVBrJksyJ1Dum3E7b4Y72I+rS7Tu0WNzcDKt7iGlh+CEM95u98W5aPLc7mC+osKURmYwbO2K6hkqt2paruWLV6P9v95k8LNz8lZb9lvFhz6mwFrz0IOwnp2MmeZs8NQae3t1dzxA4JGByzKHwObcMp2EB5j9p7uAM7iLP3IrJClinJl2H6c2uQPrFvQMC185Yr2f6/tz89+8Vm/Awf4n3j7mZEluUzRABzwXbZz1ALG2i6KgH3ZUASIcwJ7Rwvx5RvdIRWKNrQ6GveJ2/zfhA==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
- Delivery-date: Fri, 16 Jun 2023 19:48:32 +0000
- Ironport-data: A9a23:/5rVr6yjVQXzPtVSXUt6t+f2xyrEfRIJ4+MujC+fZmUNrF6WrkVUn 2sWXjyHPqrfM2v2edAjborkoxgP78SAmIc2SVM5ryAxQypGp/SeCIXCJC8cHc8wwu7rFxs7s ppEOrEsCOhuExcwcz/0auCJQUFUjP3OHfykTrafYEidfCc8IA85kxVvhuUltYBhhNm9Emult Mj75sbSIzdJ4RYtWo4vw/zF8EsHUMja4mtC5QRgPK4T5zcyqlFOZH4hDfDpR5fHatE88t6SH 47r0Ly/92XFyBYhYvvNfmHTKxBirhb6ZGBiu1IOM0SQqkEqSh8ai87XAME0e0ZP4whlqvgqo Dl7WT5cfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQq2pYjqhljJBheAGEWxgp4KTlR6 MA6EisUUhGSoO2v0OuhTu9Thtt2eaEHPKtH0p1h5RfwKK58BLrlGuDN79Ie2yosjMdTG/qYf 9AedTdkcBXHZVtIJ0sTD5U92uyvgxETcRUB8A7T+fVxvjGVkFIZPLvFabI5fvSjQ8lPk1nej WXB52njWTkRNcCFyCrD+XWp7gPKtXqiA99LRe3mrpaGhnWI+zY4BhYvSWepmtOJsn6ARO9FM 0k9r39GQa8asRbDosPGdxS8rXyNuBIGXJxOGuk+5QOK4qHQ5BuVQGMDS1ZpeNEg8cM7WzEu/ luIhM/yQyxitqWPTnCQ/avSqim9UQAXJ2IfYS4PTSMe/sLu5oo0i3rnUdJLAKOzyNrvFlnNL yuiqSE/g/AZi5cN3qDjp1Tf2Wrw+N7OUxI/4RjRUiS99ARlaYW5Zouur1/G8fJHK4XfRV6E1 JQZp/WjACk1JcnlvESwrC8lRtlFO97t3OXgvGNS
- Ironport-hdrordr: A9a23:SHFltKkeEAOKuEWu+fMX/aLTqLjpDfMxiWdD5ihNYBxZY6Wkfp +V8cjzhCWftN9OYhodcLC7V5Voj0msjKKdkrNhWotKOzOWxVdATbsSl7cKpgeNJ8SQzJ8/6U 4NSdkaNDS0NykAsS+Y2njHLz9D+rm6GcmT7I+xrkuFDzsaE52Ihz0JdTpzeXcGIDWua6BJcq Z0qvA3xQZJLh8sH7iG7zQ+LqD+T5qhruOVXTc2QzocrCWehzKh77D3VzCewxclSjtKhZsy7G TflAT9x6O799W20AXV2WP/54lf3IKJ8KoOOOW8zuwubhn8gAehY4psH5WEoTAOuemqrHo6jd XWpB8kHsJrr1fcZHu8rxfB0xTplBwu93jh41mFhmaLm721eBsKT+56wa5JeBrQ7EQt+Pl6za Jwxmqc875aFwnJkijR78XBE0gCrDv/nVMS1cooy1BPW4oXb7Fc6aQZ4UNuCZ8FWAb38pouHu VCBNzVoNxWbVSZRXbEuXQH+q3mYl0DWjO9BmQSsM2c1DZb2Fh/0ksj3cQa2kwN8ZosIqM0kN jsA+BNrvVjX8UWZaVyCKMqWs2sEFHARhrKLSa7PUnnPLtvAQOMl7fHpJEOoM26cp0By5U/3L 7bVklDiGI0c0XyTeWTwZxw9AzXSmnVZ0Wt9ihn3ek6hlTAfsuvDcXaI2pe1/dI4s9vTPEzYs zDe66/WJTYXCzT8YUg5XyLZ3AdEwhZbCQvgKdJZ7u/mLO7FmTUjJ2qTB/yHsuaLd92YBK3Pl IzGB7OGe5n0meHHlfFvTm5YQKZRqW4x+M+LJTn
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 15/06/2023 4:31 pm, Alejandro Vallejo wrote:
> diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
> index 406445a358..fa97d4cccc 100644
> --- a/xen/arch/x86/Kconfig
> +++ b/xen/arch/x86/Kconfig
> @@ -307,6 +307,22 @@ config MEM_SHARING
> bool "Xen memory sharing support (UNSUPPORTED)" if UNSUPPORTED
> depends on HVM
>
> +config REQUIRE_NX
> + bool "Require NX bit support"
"Require NX (No eXecute) support".
> + help
> + No-eXecute (also called XD "eXecute Disable" and DEP "Data
> + Execution Prevention") is a security feature designed originally
> + to combat buffer overflow attacks by marking regions of memory
> + which the CPU must not interpret as instructions.
> +
> + The NX feature exists in every 64bit CPU except for some very
> + early Pentium 4 Prescott machines.
> +
> + Enabling this option will improve Xen's security by removing
> + cases where Xen could be tricked into thinking that the feature
> + was unavailable. However, if enabled, Xen will no longer boot on
> + any CPU which is lacking NX support.
> +
> endmenu
>
> source "common/Kconfig"
> diff --git a/xen/arch/x86/boot/head.S b/xen/arch/x86/boot/head.S
> index ce62eae6f3..ec1e80ef68 100644
> --- a/xen/arch/x86/boot/head.S
> +++ b/xen/arch/x86/boot/head.S
> @@ -123,6 +123,7 @@ multiboot2_header:
> .Lbad_ldr_nih: .asciz "ERR: EFI ImageHandle is not provided by bootloader!"
> .Lbad_efi_msg: .asciz "ERR: EFI IA-32 platforms are not supported!"
> .Lbag_alg_msg: .asciz "ERR: Xen must be loaded at a 2Mb boundary!"
> +.Lno_nx_bit_msg: .asciz "ERR: Not an NX-bit capable CPU!"
Still two too many "bit"'s in this line.
With these two adjusted, Reviewed-by: Andrew Cooper
<andrew.cooper3@xxxxxxxxxx>
|
