Current-Users archive
Enabling NX bit on Xen ports?
Dear list,
As some of you have noticed, I spent some hours going through x86 code
around the NXE feature (which makes it possible to mark specific memory
pages as not being executable).
I propose to enable the feature under Xen, by removing the mask
regarding CPUID_NOX (see patch attached).
Currently, the feature is disabled, for unknown reasons (at least by
me). I quickly tested it under i386 and amd64.
The explanations for the patch:
- under non-PAE kernels, PG_NX is a dummy variable set to 0, so I don't
expect much breakage, even if cpu_feature reports CPUID_NOX as available.
- for i386 PAE and amd64 kernels, the patch activates the NX feature when
the kernel detects support for it.
- add the PGEX_X code for the trap associated with an execution fetch on a
page with the NX bit set (i386 only, as amd64 already has it).
Opinions? Am I missing something?
--
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost
Index: arch/amd64/amd64/machdep.c
===================================================================
RCS file: /cvsroot/src/sys/arch/amd64/amd64/machdep.c,v
retrieving revision 1.144
diff -u -u -r1.144 machdep.c
--- arch/amd64/amd64/machdep.c 18 Apr 2010 23:47:50 -0000 1.144
+++ arch/amd64/amd64/machdep.c 20 Apr 2010 23:18:02 -0000
@@ -1253,7 +1253,6 @@
#endif /* XEN */
cpu_feature[0] &= ~CPUID_FEAT_BLACKLIST;
- cpu_feature[2] &= ~CPUID_EXT_FEAT_BLACKLIST;
cpu_init_msrs(&cpu_info_primary, true);
Index: arch/i386/i386/machdep.c
===================================================================
RCS file: /cvsroot/src/sys/arch/i386/i386/machdep.c,v
retrieving revision 1.685
diff -u -u -r1.685 machdep.c
--- arch/i386/i386/machdep.c 18 Apr 2010 23:47:51 -0000 1.685
+++ arch/i386/i386/machdep.c 20 Apr 2010 23:18:04 -0000
@@ -1299,7 +1299,6 @@
pcb = lwp_getpcb(&lwp0);
cpu_feature[0] &= ~CPUID_FEAT_BLACKLIST;
- cpu_feature[2] &= ~CPUID_EXT_FEAT_BLACKLIST;
cpu_init_msrs(&cpu_info_primary, true);
Index: arch/i386/i386/trap.c
===================================================================
RCS file: /cvsroot/src/sys/arch/i386/i386/trap.c,v
retrieving revision 1.255
diff -u -u -r1.255 trap.c
--- arch/i386/i386/trap.c 22 Feb 2010 06:42:14 -0000 1.255
+++ arch/i386/i386/trap.c 20 Apr 2010 23:18:04 -0000
@@ -671,6 +671,8 @@
map = &vm->vm_map;
if (frame->tf_err & PGEX_W)
ftype = VM_PROT_WRITE;
+ else if (frame->tf_err & PGEX_X)
+ ftype = VM_PROT_EXECUTE;
else
ftype = VM_PROT_READ;
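Review bot: the new `else if (frame->tf_err & PGEX_X)` test has no comment saying when that bit can be set. The description says PG_NX is 0 on non-PAE kernels, so the branch should be dead there; a one-line comment next to the test would make clear this is not a behaviour change for those kernels. It is also worth confirming that instruction-fetch faults which used to be passed on as VM_PROT_READ, and are now passed as VM_PROT_EXECUTE, still resolve for mappings that are meant to be executable.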
Index: arch/i386/include/pte.h
===================================================================
RCS file: /cvsroot/src/sys/arch/i386/include/pte.h,v
retrieving revision 1.22
diff -u -u -r1.22 pte.h
--- arch/i386/include/pte.h 6 Apr 2010 20:43:57 -0000 1.22
+++ arch/i386/include/pte.h 20 Apr 2010 23:18:05 -0000
@@ -274,5 +274,6 @@
#define PGEX_P 0x01 /* protection violation (vs. no mapping) */
#define PGEX_W 0x02 /* exception during a write cycle */
#define PGEX_U 0x04 /* exception while in user mode (upl) */
+#define PGEX_X 0x10 /* exception during instruction fetch */
#endif /* _I386_PTE_H_ */
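Review bot: `PGEX_X 0x10` follows `PGEX_U 0x04` directly, leaving 0x08 undefined, which reads like a typo to anyone who does not know the error-code layout. Either define the 0x08 bit as well or add a comment that the gap is intentional, and say in the PGEX_X comment that the bit is only meaningful when NX is in use.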
Index: arch/x86/include/specialreg.h
===================================================================
RCS file: /cvsroot/src/sys/arch/x86/include/specialreg.h,v
retrieving revision 1.40
diff -u -u -r1.40 specialreg.h
--- arch/x86/include/specialreg.h 18 Apr 2010 23:47:51 -0000 1.40
+++ arch/x86/include/specialreg.h 20 Apr 2010 23:18:08 -0000
@@ -262,10 +262,8 @@
#ifdef XEN
/* Not on Xen */
#define CPUID_FEAT_BLACKLIST (CPUID_PGE|CPUID_PSE|CPUID_MTRR|CPUID_FXSR)
-#define CPUID_EXT_FEAT_BLACKLIST (CPUID_NOX)
#else
#define CPUID_FEAT_BLACKLIST 0
-#define CPUID_EXT_FEAT_BLACKLIST 0
#endif /* XEN */
/*
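Review bot: removing `CPUID_EXT_FEAT_BLACKLIST` from both branches of the `#ifdef XEN` block will break the build for any remaining user of the macro, and the patch only shows the two machdep.c uses being dropped. Grep the tree for other references before committing. Alternatively, keep the macro defined as 0 in both branches and leave the masking lines in place, so an extended-feature blacklist for Xen can be reintroduced later without touching machdep.c again.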
Index: arch/x86/x86/pmap.c
===================================================================
RCS file: /cvsroot/src/sys/arch/x86/x86/pmap.c,v
retrieving revision 1.107
diff -u -u -r1.107 pmap.c
--- arch/x86/x86/pmap.c 18 Apr 2010 23:47:51 -0000 1.107
+++ arch/x86/x86/pmap.c 20 Apr 2010 23:18:09 -0000
@@ -1146,10 +1146,9 @@
if (flags & PMAP_NOCACHE)
npte |= PG_N;
-#ifndef XEN
if ((cpu_feature[2] & CPUID_NOX) && !(prot & VM_PROT_EXECUTE))
- npte |= PG_NX;
-#endif
+ npte |= protection_codes[VM_PROT_EXECUTE];
+
opte = pmap_pte_testset (pte, npte); /* zap! */
if (pmap_valid_entry(opte)) {
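Review bot: the replacement line looks inverted. The condition is `!(prot & VM_PROT_EXECUTE)`, i.e. the mapping is not executable, yet the body now ORs in `protection_codes[VM_PROT_EXECUTE]`, the table entry indexed by the execute protection, where the removed line set `PG_NX`. The table's contents are not visible in this hunk, so please confirm that this entry really carries the NX bit; if it does not, non-executable mappings created through this path lose NX protection on all kernels, not only Xen. Since the description says PG_NX is already 0 on non-PAE kernels, dropping the `#ifndef XEN` / `#endif` pair and keeping `npte |= PG_NX;` should be enough.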
@@ -1268,13 +1267,11 @@
struct pcb *pcb;
int i;
vaddr_t kva;
-#ifdef XEN
- pt_entry_t pg_nx = 0;
-#else
+#ifndef XEN
unsigned long p1i;
vaddr_t kva_end;
- pt_entry_t pg_nx = (cpu_feature[2] & CPUID_NOX ? PG_NX : 0);
#endif
+ pt_entry_t pg_nx = (cpu_feature[2] & CPUID_NOX ? PG_NX : 0);
/*
* set up our local static global vars that keep track of the
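Review bot: under XEN, `pg_nx` was hard-wired to 0 and now follows `cpu_feature[2] & CPUID_NOX`, so every later use of `pg_nx` in this function changes behaviour on Xen, including uses this hunk does not show. Please check the ones that sit in Xen-only code paths. As a style point, the declaration now sits after the `#endif`, separated from the other unconditional declarations; moving it above the `#ifndef XEN` block would keep the conditional declarations grouped.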