Enabling NX bit on Xen ports?

To: port-xen <port-xen%NetBSD.org@localhost>, NetBSD-current Users's Discussion List <current-users%netbsd.org@localhost>
Subject: Enabling NX bit on Xen ports?
From: Jean-Yves Migeon <jeanyves.migeon%free.fr@localhost>
Date: Wed, 21 Apr 2010 01:31:53 +0200

Dear list,

As some of you have noticed, I passed some hours through x86 code aroundthe NXE feature (makes possible to mark specific memory pages as notbeing executable).

I propose to enable the feature under Xen, by removing the maskregarding CPUID_NOX (see patch attached).

Currently, the feature is disabled, for unknown reasons (at least byme). I quickly tested it under i386 and amd64.


The explanations for the patch:

- under non-PAE kernels, PG_NX is a dummy variable set to 0, so I don'texpect much breakage, even if cpu_feature reports CPUID_NOX as available.- for i386 PAE and amd64 kernels, the patch activate the NX feature whenthe kernel detects support for it.- add the PGEX_X code for the trap associated to an execution fetch on apage with the NX bit set (i386 only, as amd64 already has it).


Opinions? Am I missing something?

--
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost

Index: arch/amd64/amd64/machdep.c
===================================================================
RCS file: /cvsroot/src/sys/arch/amd64/amd64/machdep.c,v
retrieving revision 1.144
diff -u -u -r1.144 machdep.c
--- arch/amd64/amd64/machdep.c  18 Apr 2010 23:47:50 -0000      1.144
+++ arch/amd64/amd64/machdep.c  20 Apr 2010 23:18:02 -0000
@@ -1253,7 +1253,6 @@
 #endif /* XEN */
 
        cpu_feature[0] &= ~CPUID_FEAT_BLACKLIST;
-       cpu_feature[2] &= ~CPUID_EXT_FEAT_BLACKLIST;
 
        cpu_init_msrs(&cpu_info_primary, true);
 
Index: arch/i386/i386/machdep.c
===================================================================
RCS file: /cvsroot/src/sys/arch/i386/i386/machdep.c,v
retrieving revision 1.685
diff -u -u -r1.685 machdep.c
--- arch/i386/i386/machdep.c    18 Apr 2010 23:47:51 -0000      1.685
+++ arch/i386/i386/machdep.c    20 Apr 2010 23:18:04 -0000
@@ -1299,7 +1299,6 @@
        pcb = lwp_getpcb(&lwp0);
 
        cpu_feature[0] &= ~CPUID_FEAT_BLACKLIST;
-       cpu_feature[2] &= ~CPUID_EXT_FEAT_BLACKLIST;
 
        cpu_init_msrs(&cpu_info_primary, true);
 
Index: arch/i386/i386/trap.c
===================================================================
RCS file: /cvsroot/src/sys/arch/i386/i386/trap.c,v
retrieving revision 1.255
diff -u -u -r1.255 trap.c
--- arch/i386/i386/trap.c       22 Feb 2010 06:42:14 -0000      1.255
+++ arch/i386/i386/trap.c       20 Apr 2010 23:18:04 -0000
@@ -671,6 +671,8 @@
                        map = &vm->vm_map;
                if (frame->tf_err & PGEX_W)
                        ftype = VM_PROT_WRITE;
+               else if (frame->tf_err & PGEX_X)
+                       ftype = VM_PROT_EXECUTE;
                else
                        ftype = VM_PROT_READ;
 
Index: arch/i386/include/pte.h
===================================================================
RCS file: /cvsroot/src/sys/arch/i386/include/pte.h,v
retrieving revision 1.22
diff -u -u -r1.22 pte.h
--- arch/i386/include/pte.h     6 Apr 2010 20:43:57 -0000       1.22
+++ arch/i386/include/pte.h     20 Apr 2010 23:18:05 -0000
@@ -274,5 +274,6 @@
 #define PGEX_P         0x01    /* protection violation (vs. no mapping) */
 #define PGEX_W         0x02    /* exception during a write cycle */
 #define PGEX_U         0x04    /* exception while in user mode (upl) */
+#define PGEX_X         0x10    /* exception during instruction fetch */
 
 #endif /* _I386_PTE_H_ */
Index: arch/x86/include/specialreg.h
===================================================================
RCS file: /cvsroot/src/sys/arch/x86/include/specialreg.h,v
retrieving revision 1.40
diff -u -u -r1.40 specialreg.h
--- arch/x86/include/specialreg.h       18 Apr 2010 23:47:51 -0000      1.40
+++ arch/x86/include/specialreg.h       20 Apr 2010 23:18:08 -0000
@@ -262,10 +262,8 @@
 #ifdef XEN
 /* Not on Xen */
 #define CPUID_FEAT_BLACKLIST    (CPUID_PGE|CPUID_PSE|CPUID_MTRR|CPUID_FXSR)
-#define CPUID_EXT_FEAT_BLACKLIST (CPUID_NOX)
 #else
 #define CPUID_FEAT_BLACKLIST    0
-#define CPUID_EXT_FEAT_BLACKLIST 0
 #endif /* XEN */
 
 /*
Index: arch/x86/x86/pmap.c
===================================================================
RCS file: /cvsroot/src/sys/arch/x86/x86/pmap.c,v
retrieving revision 1.107
diff -u -u -r1.107 pmap.c
--- arch/x86/x86/pmap.c 18 Apr 2010 23:47:51 -0000      1.107
+++ arch/x86/x86/pmap.c 20 Apr 2010 23:18:09 -0000
@@ -1146,10 +1146,9 @@
        if (flags & PMAP_NOCACHE)
                npte |= PG_N;
 
-#ifndef XEN
        if ((cpu_feature[2] & CPUID_NOX) && !(prot & VM_PROT_EXECUTE))
-               npte |= PG_NX;
-#endif
+               npte |= protection_codes[VM_PROT_EXECUTE];
+
        opte = pmap_pte_testset (pte, npte); /* zap! */
 
        if (pmap_valid_entry(opte)) {
@@ -1268,13 +1267,11 @@
        struct pcb *pcb;
        int i;
        vaddr_t kva;
-#ifdef XEN
-       pt_entry_t pg_nx = 0;
-#else
+#ifndef XEN
        unsigned long p1i;
        vaddr_t kva_end;
-       pt_entry_t pg_nx = (cpu_feature[2] & CPUID_NOX ? PG_NX : 0);
 #endif
+       pt_entry_t pg_nx = (cpu_feature[2] & CPUID_NOX ? PG_NX : 0);
 
        /*
         * set up our local static global vars that keep track of the

Follow-Ups:
- Re: Enabling NX bit on Xen ports?
  - From: Matthias Drochner
- Re: Enabling NX bit on Xen ports?
  - From: Manuel Bouyer

Prev by Date: Re: no joy building i386 ALL or MONOLITHIC "options DIAGNOSTIC" over the past 24 hours or so....
Next by Date: daily CVS update output
Previous by Thread: no joy building i386 ALL or MONOLITHIC "options DIAGNOSTIC" over the past 24 hours or so....
Next by Thread: Re: Enabling NX bit on Xen ports?
Indexes:

Home | Main Index | Thread Index | Old Index