Thread: Intel SMAP Comes To Try To Better Secure Linux

  1. #1
    Join Date: Jan 2007 | Posts: 14,658

    Phoronix: Intel SMAP Comes To Try To Better Secure Linux

    Intel SMAP (Supervisor Mode Access Prevention) support, a feature found on newer Intel CPUs, has landed in the mainline Linux kernel...

    http://www.phoronix.com/vr.php?view=MTE5NzI

  2. #2
    Join Date: Dec 2010 | Location: MA, USA | Posts: 1,277

    Sounds interesting, but also a little pointless for Linux. I'd rather Intel focus on implementing ACPI, Thunderbolt, and better USB 3.0 support.

  3. #3
    Join Date: Jan 2009 | Location: Italy | Posts: 82

    Quote Originally Posted by schmidtbag:
        Sounds interesting, but also a little pointless for Linux.
    Er, kernel-level buffer overflow attacks make the kernel jump to a location of memory controlled by the attacker which contains the malicious code. SMAP prevents the kernel from reading user space memory (with a few controlled exceptions, like copy_{to,from*}_user) and it blocks this kind of attack. It also prevents spurious (possibly malicious) reads (feeding untrusted data to the kernel) and writes (leak of private data).

  4. #4
    Join Date: Dec 2010 | Location: MA, USA | Posts: 1,277

    Quote Originally Posted by tettamanti:
        Er, kernel-level buffer overflow attacks make the kernel jump to a location of memory controlled by the attacker which contains the malicious code. SMAP prevents the kernel from reading user space memory (with a few controlled exceptions, like copy_{to,from*}_user) and it blocks this kind of attack. It also prevents spurious (possibly malicious) reads (feeding untrusted data to the kernel) and writes (leak of private data).
    I said a LITTLE pointless, not completely. I understand why it's there and how it works, I just don't see it as an important priority for Linux compared to things like ACPI.

  5. #5
    Join Date: Feb 2008 | Location: Linuxland | Posts: 5,072

    Eh, Michael, you forgot to mention the most important thing: what hardware these are supported on :P

    To save others' googling: http://forums.grsecurity.net/viewtopic.php?f=7&t=3046

    tl;dr SMEP came in Ivy and SMAP will come in Haswell.

  6. #6
    Join Date: Jan 2012 | Posts: 29

    Quote Originally Posted by curaga:
        Eh, Michael, you forgot to mention the most important thing: what hardware these are supported on :P

        To save others' googling: http://forums.grsecurity.net/viewtopic.php?f=7&t=3046

        tl;dr SMEP came in Ivy and SMAP will come in Haswell.
    Thanks for doing Michael's work and saving my time at that.

  7. #7
    Join Date: Nov 2007 | Posts: 1,024

    Quote Originally Posted by schmidtbag:
        I said a LITTLE pointless, not completely. I understand why it's there and how it works, I just don't see it as an important priority for Linux compared to things like ACPI.
    Linux is primarily used as a secure service and appliance kernel, not a desktop. That makes this far more important to Linux than improving support for hardware features primarily useful on the desktop.

    If you disagree, of course, you're free to start contributing to the kernel. Get a few thousand desktop kernel developers together and maybe you'll start to outnumber the server-oriented kernel developers.

  8. #8
    Join Date: Dec 2010 | Location: MA, USA | Posts: 1,277

    Quote Originally Posted by elanthis:
        Linux is primarily used as a secure service and appliance kernel, not a desktop. That makes this far more important to Linux than improving support for hardware features primarily useful on the desktop.

        If you disagree, of course, you're free to start contributing to the kernel. Get a few thousand desktop kernel developers together and maybe you'll start to outnumber the server-oriented kernel developers.
    I understand that, but I didn't get the impression Linux was struggling in this category. I know it's more secure than Windows in some ways, and less so in others. But considering that this is specifically an Intel hardware feature, this shouldn't be a major priority. If you're going to bring up non-desktop Linux machines, well, not all of them are Intel based, or x86 for that matter. For the ones that are Intel based, not all of them support this specific instruction set. For the systems that actually do support it, only a handful of them would actually care to use it. For the few who care to use it, even fewer will have a bleeding edge setup that will support the 3.7 kernel in the near future. It wouldn't surprise me if as few as 500 computers would take advantage of this. Many, possibly most companies would much rather get a more power efficient or reliable system than a CONDITIONALLY more secure one. Focus on stuff like ACPI and everyone, desktop or not (maybe even AMD users), will benefit.
    Last edited by schmidtbag; 10-02-2012 at 02:42 PM.
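Posts #5 and #8 turn on two practical questions: does the CPU actually advertise SMEP/SMAP, and is the kernel new enough (3.7) to use SMAP? The following POSIX shell script is an added example, not code from the thread or from Phoronix; it checks both, reading the CPUID feature flags the kernel exports in /proc/cpuinfo. The function names and the optional file/version arguments (so it can be exercised offline on a constructed cpuinfo) are my own.

```shell
#!/bin/sh
# Added example: report whether this machine can benefit from SMEP/SMAP.
# The kernel exposes CPUID feature bits as words on the "flags" line of
# /proc/cpuinfo; "smep" and "smap" are the flag names used by Linux.

# has_cpu_flag FLAG [CPUINFO_FILE]
# Exit 0 if FLAG appears as a whole word on the flags line.
has_cpu_flag() {
    flag=$1
    cpuinfo=${2:-/proc/cpuinfo}
    grep '^flags' "$cpuinfo" 2>/dev/null | head -n 1 | tr ' ' '\n' | grep -qx "$flag"
}

# smap_support_level [CPUINFO_FILE]
# Prints "smap" (SMEP and SMAP), "smep-only" (Ivy Bridge class) or "none".
smap_support_level() {
    cpuinfo=${1:-/proc/cpuinfo}
    if has_cpu_flag smap "$cpuinfo"; then
        echo smap
    elif has_cpu_flag smep "$cpuinfo"; then
        echo smep-only
    else
        echo none
    fi
}

# kernel_at_least MAJOR MINOR [RELEASE]
# Exit 0 if RELEASE (default: uname -r) is >= MAJOR.MINOR; handles "3.7.0-rc1".
kernel_at_least() {
    want_major=$1
    want_minor=$2
    release=${3:-$(uname -r)}
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt "$want_major" ] ||
        { [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; }
}

# Stand-alone use on a Linux host (guarded so the script still loads elsewhere).
if [ -r /proc/cpuinfo ]; then
    echo "CPU feature support: $(smap_support_level)"
    if kernel_at_least 3 7; then
        echo "Kernel >= 3.7 (SMAP-capable kernel): yes"
    else
        echo "Kernel >= 3.7 (SMAP-capable kernel): no"
    fi
fi
```

A "smap" result only means the CPU advertises the bit; whether the kernel enabled it is a separate question, answered by its boot messages on the SMAP-capable releases.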
