Message ID | 20170724133824.27223-2-LiljestrandH@gmail.com (mailing list archive) |
---|---|
State | New, archived |
On Mon, Jul 24, 2017 at 6:38 AM, Hans Liljestrand <liljestrandh@gmail.com> wrote: > Add CONFIG_X86_INTEL_MPX_KERNEL for future kernel-space support for > Intel MPX. Currently depends on CPU_SUP_INTEL. > > Signed-off-by: Hans Liljestrand <LiljestrandH@gmail.com> > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> > --- > arch/x86/Kconfig | 19 +++++++++++++++++++ > 1 file changed, 19 insertions(+) > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index 0efb4c9497bc..b740a8604705 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -1771,6 +1771,25 @@ config X86_INTEL_MPX > > If unsure, say N. > > +config X86_INTEL_MPX_KERNEL > + prompt "Intel MPX for kernel" > + def_bool n > + depends on CPU_SUP_INTEL > + select CONSTRUCTORS > + select GCC_PLUGINS GCC_PLUGINS should be a "depends" here, so that when we finally get compile-support-testing hooked up to Kconfig we won't get some nasty surprises. > + ---help--- > + MPX provides hardware features that can be used in > + conjunction with compiler-instrumented code to check > + memory references. It is designed to detect buffer > + overflow or underflow bugs. > + > + This option enables MPXK, which is a slightly modified > + MPX instrumentation for in-kernel code. This > + protection is modular and even when enabled covers > + only code that explicitly use this feature. > + > + If unsure, say N I think this Kconfig should live in whichever patch actually starts adding things (maybe patch 2?) -Kees > + > config X86_INTEL_MEMORY_PROTECTION_KEYS > prompt "Intel Memory Protection Keys" > def_bool y > -- > 2.11.0 >
On Mon, Jul 24, 2017 at 07:51:34PM -0700, Kees Cook wrote: >On Mon, Jul 24, 2017 at 6:38 AM, Hans Liljestrand ><liljestrandh@gmail.com> wrote: >> Add CONFIG_X86_INTEL_MPX_KERNEL for future kernel-space support for >> Intel MPX. Currently depends on CPU_SUP_INTEL. >> >> Signed-off-by: Hans Liljestrand <LiljestrandH@gmail.com> >> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> >> --- >> arch/x86/Kconfig | 19 +++++++++++++++++++ >> 1 file changed, 19 insertions(+) >> >> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig >> index 0efb4c9497bc..b740a8604705 100644 >> --- a/arch/x86/Kconfig >> +++ b/arch/x86/Kconfig >> @@ -1771,6 +1771,25 @@ config X86_INTEL_MPX >> >> If unsure, say N. >> >> +config X86_INTEL_MPX_KERNEL >> + prompt "Intel MPX for kernel" >> + def_bool n >> + depends on CPU_SUP_INTEL >> + select CONSTRUCTORS >> + select GCC_PLUGINS > >GCC_PLUGINS should be a "depends" here, so that when we finally get >compile-support-testing hooked up to Kconfig we won't get some nasty >surprises. Okay, sounds good. Also realized the CONSTRUCTORS thing is an old leftover, we don't use those anymore. > >> + ---help--- >> + MPX provides hardware features that can be used in >> + conjunction with compiler-instrumented code to check >> + memory references. It is designed to detect buffer >> + overflow or underflow bugs. >> + >> + This option enables MPXK, which is a slightly modified >> + MPX instrumentation for in-kernel code. This >> + protection is modular and even when enabled covers >> + only code that explicitly use this feature. >> + >> + If unsure, say N > >I think this Kconfig should live in whichever patch actually starts >adding things (maybe patch 2?) Ok, thanks! -hans > >-Kees > >> + >> config X86_INTEL_MEMORY_PROTECTION_KEYS >> prompt "Intel Memory Protection Keys" >> def_bool y >> -- >> 2.11.0 >> > > > >-- >Kees Cook >Pixel Security
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 0efb4c9497bc..b740a8604705 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1771,6 +1771,25 @@ config X86_INTEL_MPX If unsure, say N. +config X86_INTEL_MPX_KERNEL + prompt "Intel MPX for kernel" + def_bool n + depends on CPU_SUP_INTEL + select CONSTRUCTORS + select GCC_PLUGINS + ---help--- + MPX provides hardware features that can be used in + conjunction with compiler-instrumented code to check + memory references. It is designed to detect buffer + overflow or underflow bugs. + + This option enables MPXK, which is a slightly modified + MPX instrumentation for in-kernel code. This + protection is modular and even when enabled covers + only code that explicitly use this feature. + + If unsure, say N + config X86_INTEL_MEMORY_PROTECTION_KEYS prompt "Intel Memory Protection Keys" def_bool y
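Review bot: `select GCC_PLUGINS` in the new X86_INTEL_MPX_KERNEL entry forces that symbol on without evaluating its own dependencies, so whatever GCC_PLUGINS depends on is bypassed when this option is enabled; use `depends on GCC_PLUGINS` instead. `select CONSTRUCTORS` forces a second symbol the same way, and nothing in this hunk uses it, so drop it unless a later patch in the series needs it. In the help text, "only code that explicitly use this feature" should read "uses", and the closing "If unsure, say N" is missing the full stop that the preceding entry's "If unsure, say N." has.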