Commit 4b0f3b81 authored by Kees Cook's avatar Kees Cook Committed by H. Peter Anvin

x86, mm: Report state of NX protections during boot

It is possible for x86_64 systems to lack the NX bit either due to the
hardware lacking support or the BIOS having turned off the CPU capability,
so NX status should be reported.  Additionally, anyone booting NX-capable
CPUs in 32bit mode without PAE will lack NX functionality, so this change
provides feedback for that case as well.
Signed-off-by: default avatarKees Cook <kees.cook@canonical.com>
Signed-off-by: default avatarH. Peter Anvin <hpa@zytor.com>
LKML-Reference: <1258154897-6770-6-git-send-email-hpa@zytor.com>
parent 4763ed4d
...@@ -17,6 +17,7 @@ extern void ia32_sysenter_target(void); ...@@ -17,6 +17,7 @@ extern void ia32_sysenter_target(void);
extern void syscall32_cpu_init(void); extern void syscall32_cpu_init(void);
extern void x86_configure_nx(void); extern void x86_configure_nx(void);
extern void x86_report_nx(void);
extern int reboot_force; extern int reboot_force;
......
...@@ -788,16 +788,17 @@ void __init setup_arch(char **cmdline_p) ...@@ -788,16 +788,17 @@ void __init setup_arch(char **cmdline_p)
*cmdline_p = command_line; *cmdline_p = command_line;
/* /*
* Must call this twice: Once just to detect whether hardware doesn't * x86_configure_nx() is called before parse_early_param() to detect
* support NX (so that the early EHCI debug console setup can safely * whether hardware doesn't support NX (so that the early EHCI debug
* call set_fixmap(), and then again after parsing early parameters to * console setup can safely call set_fixmap()). It may then be called
* honor the respective command line option. * again from within noexec_setup() during parsing early parameters
* to honor the respective command line option.
*/ */
x86_configure_nx(); x86_configure_nx();
parse_early_param(); parse_early_param();
x86_configure_nx(); x86_report_nx();
/* Must be before kernel pagetables are setup */ /* Must be before kernel pagetables are setup */
vmi_activate(); vmi_activate();
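Review bot: With the second unconditional `x86_configure_nx()` call removed from setup_arch(), honouring the "noexec=" option depends entirely on noexec_setup() calling x86_configure_nx() itself, and that handler is not part of this page, so this should be confirmed against the rest of the series. The rewritten comment also leaves out the ordering constraint on the new call: x86_report_nx() has to stay after parse_early_param(), or the log will describe the state from before the command line was applied. I would add a line to the comment such as `* x86_report_nx() must run after parse_early_param() so the reported state reflects "noexec=".` The body of setup_arch() continues outside this hunk.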
......
...@@ -146,10 +146,6 @@ unsigned long __init_refok init_memory_mapping(unsigned long start, ...@@ -146,10 +146,6 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
use_gbpages = direct_gbpages; use_gbpages = direct_gbpages;
#endif #endif
/* XXX: replace this with Kees' improved messages */
if (__supported_pte_mask & _PAGE_NX)
printk(KERN_INFO "NX (Execute Disable) protection: active\n");
/* Enable PSE if available */ /* Enable PSE if available */
if (cpu_has_pse) if (cpu_has_pse)
set_in_cr4(X86_CR4_PSE); set_in_cr4(X86_CR4_PSE);
......
...@@ -36,3 +36,25 @@ void __cpuinit x86_configure_nx(void) ...@@ -36,3 +36,25 @@ void __cpuinit x86_configure_nx(void)
else else
__supported_pte_mask &= ~_PAGE_NX; __supported_pte_mask &= ~_PAGE_NX;
} }
void __init x86_report_nx(void)
{
if (!cpu_has_nx) {
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
"missing in CPU or disabled in BIOS!\n");
} else {
#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
if (disable_nx) {
printk(KERN_INFO "NX (Execute Disable) protection: "
"disabled by kernel command line option\n");
} else {
printk(KERN_INFO "NX (Execute Disable) protection: "
"active\n");
}
#else
/* 32bit non-PAE kernel, NX cannot be used */
printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
"cannot be enabled: non-PAE kernel!\n");
#endif
}
}
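Review bot: The "active" message in x86_report_nx() is derived from `cpu_has_nx` and `disable_nx`, not from the mask that actually governs page permissions, whereas the check removed from init_memory_mapping() tested `__supported_pte_mask & _PAGE_NX`. If some other path clears _PAGE_NX from the mask (none is visible here, so this is a hedge), the boot log would still claim the protection is active, and this line is what someone verifying the system's hardening will read. Consider gating the final branch on the effective state, e.g. `} else if (__supported_pte_mask & _PAGE_NX) {`, with a distinct message for the remaining case. The new function also has no header comment; a one-line `/* Log the NX state chosen by x86_configure_nx(); call once, after early params are parsed. */` would document its contract.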