Date: Tue, 25 Jul 2017 10:10:52 +0300
From: Hans Liljestrand <liljestrandh@...il.com>
To: Kees Cook <keescook@...omium.org>
Cc: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
	"Reshetova, Elena" <elena.reshetova@...el.com>,
	Dave Hansen <dave.hansen@...el.com>,
	"H. Peter Anvin" <hpa@...or.com>
Subject: Re: [RFC PATCH 1/5] x86: add CONFIG_X86_INTEL_MPX_KERNEL to Kconfig

On Mon, Jul 24, 2017 at 07:51:34PM -0700, Kees Cook wrote:
>On Mon, Jul 24, 2017 at 6:38 AM, Hans Liljestrand
><liljestrandh@...il.com> wrote:
>> Add CONFIG_X86_INTEL_MPX_KERNEL for future kernel-space support for
>> Intel MPX. Currently depends on CPU_SUP_INTEL.
>>
>> Signed-off-by: Hans Liljestrand <LiljestrandH@...il.com>
>> Signed-off-by: Elena Reshetova <elena.reshetova@...el.com>
>> ---
>>  arch/x86/Kconfig | 19 +++++++++++++++++++
>>  1 file changed, 19 insertions(+)
>>
>> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
>> index 0efb4c9497bc..b740a8604705 100644
>> --- a/arch/x86/Kconfig
>> +++ b/arch/x86/Kconfig
>> @@ -1771,6 +1771,25 @@ config X86_INTEL_MPX
>>
>>           If unsure, say N.
>>
>> +config X86_INTEL_MPX_KERNEL
>> +       prompt "Intel MPX for kernel"
>> +       def_bool n
>> +       depends on CPU_SUP_INTEL
>> +       select CONSTRUCTORS
>> +       select GCC_PLUGINS
>
>GCC_PLUGINS should be a "depends" here, so that when we finally get
>compile-support-testing hooked up to Kconfig we won't get some nasty
>surprises.

Okay, sounds good. Also realized the CONSTRUCTORS thing is an old leftover, we 
don't use those anymore.

>
>> +       ---help---
>> +         MPX provides hardware features that can be used in
>> +         conjunction with compiler-instrumented code to check
>> +         memory references.  It is designed to detect buffer
>> +         overflow or underflow bugs.
>> +
>> +         This option enables MPXK, which is a slightly modified
>> +         MPX instrumentation for in-kernel code.  This
>> +         protection is modular and even when enabled covers
>> +         only code that explicitly use this feature.
>> +
>> +         If unsure, say N
>
>I think this Kconfig should live in whichever patch actually starts
>adding things (maybe patch 2?)

Ok, thanks!

-hans

>
>-Kees
>
>> +
>>  config X86_INTEL_MEMORY_PROTECTION_KEYS
>>         prompt "Intel Memory Protection Keys"
>>         def_bool y
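Review bot: the two `select` lines in the new X86_INTEL_MPX_KERNEL entry force CONSTRUCTORS and GCC_PLUGINS on without evaluating those symbols' own dependencies, because `select` bypasses `depends on`. Make GCC_PLUGINS a `depends on` next to CPU_SUP_INTEL, and drop `select CONSTRUCTORS` if nothing in the series needs it. In the help text, "only code that explicitly use this feature" should read "uses", and "If unsure, say N" is missing the trailing period that the preceding entry's "If unsure, say N." has. The help text also does not say how this option relates to the existing X86_INTEL_MPX entry just above, or how code opts in to MPXK; one sentence on each would help someone deciding whether to enable it.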
>> --
>> 2.11.0
>>
>
>
>
>-- 
>Kees Cook
>Pixel Security
