Commit 76ea0025 authored by Borislav Petkov's avatar Borislav Petkov

x86/cpu: Remove "noexec"



It doesn't make any sense to disable non-executable mappings -
security-wise or else.

So rip out that switch and move the remaining code into setup.c and
delete setup_nx.c

Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
Reviewed-by: default avatarLai Jiangshan <jiangshanlai@gmail.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220127115626.14179-6-bp@alien8.de
parent 385d2ae0
+0 −5
@@ -3456,11 +3456,6 @@

	noexec		[IA-64]

	noexec		[X86]
			On X86-32 available only on PAE configured kernels.
			noexec=on: enable non-executable mappings (default)
			noexec=off: disable non-executable mappings

	nosmap		[PPC]
			Disable SMAP (Supervisor Mode Access Prevention)
			even if it is supported by processor.
+0 −9
@@ -157,15 +157,6 @@ Rebooting
     newer BIOS, or newer board) using this option will ignore the built-in
     quirk table, and use the generic default reboot actions.

Non Executable Mappings
=======================

  noexec=on|off
    on
      Enable(default)
    off
      Disable

NUMA
====

+0 −1
@@ -35,7 +35,6 @@ void xen_entry_INT80_compat(void);
#endif

void x86_configure_nx(void);
void x86_report_nx(void);

extern int reboot_force;

+25 −3
@@ -756,6 +756,30 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p)
	return 0;
}

void x86_configure_nx(void)
{
	if (boot_cpu_has(X86_FEATURE_NX))
		__supported_pte_mask |= _PAGE_NX;
	else
		__supported_pte_mask &= ~_PAGE_NX;
}

static void __init x86_report_nx(void)
{
	if (!boot_cpu_has(X86_FEATURE_NX)) {
		printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
		       "missing in CPU!\n");
	} else {
#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
		printk(KERN_INFO "NX (Execute Disable) protection: active\n");
#else
		/* 32bit non-PAE kernel, NX cannot be used */
		printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
		       "cannot be enabled: non-PAE kernel!\n");
#endif
	}
}

/*
 * Determine if we were loaded by an EFI loader.  If so, then we have also been
 * passed the efi memmap, systab, etc., so we should use these data structures
@@ -896,9 +920,7 @@ void __init setup_arch(char **cmdline_p)
	/*
	 * x86_configure_nx() is called before parse_early_param() to detect
	 * whether hardware doesn't support NX (so that the early EHCI debug
	 * console setup can safely call set_fixmap()). It may then be called
	 * again from within noexec_setup() during parsing early parameters
	 * to honor the respective command line option.
	 * console setup can safely call set_fixmap()).
	 */
	x86_configure_nx();
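Review bot: x86_configure_nx() arrives in this file without a comment, although in the body shown here the CPU feature bit alone decides whether `_PAGE_NX` stays in `__supported_pte_mask`. Since the commit removes the command-line switch, a one-line comment above the function would record that invariant for anyone later tempted to add another override: `/* NX follows boot_cpu_has(X86_FEATURE_NX) alone; there is no command-line override. */`. Separately, the two KERN_NOTICE messages in x86_report_nx() are each split across two string literals, which makes them harder to grep for when triaging a boot log; joining each into one literal, e.g. `printk(KERN_NOTICE "Notice: NX (Execute Disable) protection missing in CPU!\n");`, leaves the emitted text unchanged. Both functions sit entirely inside the first hunk, while setup_arch() in the second hunk starts and ends outside it.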

+1 −2
@@ -20,13 +20,12 @@ CFLAGS_REMOVE_mem_encrypt_identity.o = -pg
endif

obj-y				:=  init.o init_$(BITS).o fault.o ioremap.o extable.o mmap.o \
				    pgtable.o physaddr.o setup_nx.o tlb.o cpu_entry_area.o maccess.o
				    pgtable.o physaddr.o tlb.o cpu_entry_area.o maccess.o

obj-y				+= pat/

# Make sure __phys_addr has no stackprotector
CFLAGS_physaddr.o		:= -fno-stack-protector
CFLAGS_setup_nx.o		:= -fno-stack-protector
CFLAGS_mem_encrypt_identity.o	:= -fno-stack-protector

CFLAGS_fault.o := -I $(srctree)/$(src)/../include/asm/trace