
Thread: Intel SMAP Comes To Try To Better Secure Linux

  1. #1
    Join Date
    Jan 2007
    Posts
    14,294

    Default Intel SMAP Comes To Try To Better Secure Linux

    Phoronix: Intel SMAP Comes To Try To Better Secure Linux

    Intel SMAP support has landed in the mainline Linux kernel, which is a Supervisor Mode Access Prevention found on newer Intel CPUs...

    http://www.phoronix.com/vr.php?view=MTE5NzI

  2. #2
    Join Date
    Dec 2010
    Location
    MA, USA
    Posts
    1,202

    Default

    sounds interesting, but also a little pointless for Linux. I'd rather Intel focus on implementing ACPI, Thunderbolt, and better USB 3.0 support

  3. #3
    Join Date
    Jan 2009
    Location
    Italy
    Posts
    82

    Default

    Quote Originally Posted by schmidtbag View Post
    sounds interesting, but also a little pointless for Linux.
    Er, kernel-level buffer overflow attacks make the kernel jump to a location of memory controlled by the attacker which contains the malicious code. SMAP prevents the kernel from reading user space memory (with a few controlled exceptions, like copy_{to,from*}_user) and it blocks this kind of attack. It also prevents spurious (possibly malicious) reads (feeding untrusted data to the kernel) and writes (leak of private data).
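
The access rule discussed in the post above, as a small C model. This is an added example, not part of the thread and not kernel code: the struct, enum and function names are hypothetical, and only the user/supervisor check is modelled (no R/W, NX or implicit supervisor accesses). It covers SMEP, which governs instruction fetches, next to SMAP, which governs data reads and writes.

```c
#include <stdbool.h>
#include <stdio.h>

enum access_kind { ACC_READ, ACC_WRITE, ACC_FETCH };

struct cpu_state {
    int  cpl;        /* current privilege level: 0 = kernel, 3 = user */
    bool cr4_smep;   /* CR4.SMEP (bit 20) enabled */
    bool cr4_smap;   /* CR4.SMAP (bit 21) enabled */
    bool eflags_ac;  /* EFLAGS.AC: set by STAC, cleared by CLAC */
};

/* Returns true when the access is allowed, false when it would page-fault. */
static bool access_allowed(const struct cpu_state *cpu, enum access_kind kind,
                           bool page_is_user)
{
    if (cpu->cpl == 3)          /* user mode may only touch user pages */
        return page_is_user;
    if (!page_is_user)          /* supervisor touching a supervisor page */
        return true;
    if (kind == ACC_FETCH)      /* supervisor executing from a user page */
        return !cpu->cr4_smep;  /* EFLAGS.AC does not override SMEP */
    /* supervisor reading or writing a user page */
    return !cpu->cr4_smap || cpu->eflags_ac;
}

/* Models the STAC ... CLAC window opened by copy_{to,from}_user-style helpers. */
static bool user_copy_read_allowed(struct cpu_state cpu)
{
    cpu.eflags_ac = true;                           /* STAC */
    bool ok = access_allowed(&cpu, ACC_READ, true);
    cpu.eflags_ac = false;                          /* CLAC */
    return ok;
}

int main(void)
{
    /* Constructed state: kernel mode, SMEP and SMAP on, AC clear. */
    struct cpu_state k = { 0, true, true, false };
    printf("kernel read  of user page: %d\n", access_allowed(&k, ACC_READ, true));
    printf("kernel write to user page: %d\n", access_allowed(&k, ACC_WRITE, true));
    printf("kernel fetch from user page: %d\n", access_allowed(&k, ACC_FETCH, true));
    printf("read inside STAC/CLAC window: %d\n", user_copy_read_allowed(k));
    return 0;
}
```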

  4. #4
    Join Date
    Dec 2010
    Location
    MA, USA
    Posts
    1,202

    Default

    Quote Originally Posted by tettamanti View Post
    Er, kernel-level buffer overflow attacks make the kernel jump to a location of memory controlled by the attacker which contains the malicious code. SMAP prevents the kernel from reading user space memory (with a few controlled exceptions, like copy_{to,from*}_user) and it blocks this kind of attack. It also prevents spurious (possibly malicious) reads (feeding untrusted data to the kernel) and writes (leak of private data).
    I said a LITTLE pointless, not completely. I understand why it's there and how it works, I just don't see it as an important priority for Linux compared to things like ACPI.

  5. #5
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    4,984

    Default

    Eh, Michael, you forgot to mention the most important thing: on what hardware these are supported :P

    To save others' googling: http://forums.grsecurity.net/viewtopic.php?f=7&t=3046

    tl;dr SMEP came in Ivy and SMAP will come in Haswell.

  6. #6
    Join Date
    Nov 2007
    Posts
    1,024

    Default

    Quote Originally Posted by schmidtbag View Post
    I said a LITTLE pointless, not completely. I understand why it's there and how it works, I just don't see it as an important priority for Linux compared to things like ACPI.
    Linux is primarily used as a secure service and appliance kernel, not a desktop. That makes this far more important to Linux than improving support for hardware features primarily useful on the desktop.

    If you disagree, of course, you're free to start contributing to the kernel. Get a few thousand desktop kernel developers together and maybe you'll start to outnumber the server-oriented kernel developers.

  7. #7
    Join Date
    Dec 2010
    Location
    MA, USA
    Posts
    1,202

    Default

    Quote Originally Posted by elanthis View Post
    Linux is primarily used as a secure service and appliance kernel, not a desktop. That makes this far more important to Linux than improving support for hardware features primarily useful on the desktop.

    If you disagree, of course, you're free to start contributing to the kernel. Get a few thousand desktop kernel developers together and maybe you'll start to outnumber the server-oriented kernel developers.
    I understand that but I didn't get the impression Linux was struggling in this category. I know it's more secure than Windows in some ways, and less so in others. But considering that this is specifically an Intel hardware feature, this shouldn't be a major priority. If you're going to bring up non-desktop Linux machines, well, not all of them are Intel based, or x86 for that matter. For the ones that are Intel based, not all of them support this specific instruction set. For the systems that actually do support it, only a handful of them would actually care to use it. For the few who care to use it, even fewer will have a bleeding edge setup that will support the 3.7 kernel in the near future. It wouldn't surprise me if as few as 500 computers would take advantage of this. Many, possibly most companies would much rather get a more power efficient or reliable system than a CONDITIONALLY more secure one. Focus on stuff like ACPI and everyone, desktop or not (maybe even AMD) users will benefit.
    Last edited by schmidtbag; 10-02-2012 at 02:42 PM.

  8. #8
    Join Date
    Dec 2011
    Posts
    2,000

    Default What is this for?

    We already have virtual machines, chroot, AppArmor, SELinux, containers, and system call filters.

    What is this for?
    Is it actually for improving security for the end-user, or is this to protect DRM and proprietary software from the user and reverse engineering and debuggers?

  9. #9
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    94

    Default

    How about avoiding all the FUD and pointless trolling for once? Intel is one of the biggest contributors to the Linux kernel, and obviously they're going to work on enabling features in their hardware. Not spending time implementing something doesn't mean there would be any extra time spent on your own pet features.

    Companies and individuals are going to put in the time/money required to get things implemented that they need. If you want more work done on working around bugs in ACPI implementations, put forward that development time yourself or hire a team to do it in your place - Intel is doing exactly that.

    Improved isolation of kernel code is a good thing, no one loses out by having this nice security improvement available.

  10. #10
    Join Date
    Dec 2010
    Location
    MA, USA
    Posts
    1,202

    Default

    Quote Originally Posted by strcat View Post
    How about avoiding all the FUD and pointless trolling for once? Intel is one of the biggest contributors to the Linux kernel, and obviously they're going to work on enabling features in their hardware. Not spending time implementing something doesn't mean there would be any extra time spent on your own pet features.

    Companies and individuals are going to put in the time/money required to get things implemented that they need. If you want more work done on working around bugs in ACPI implementations, put forward that development time yourself or hire a team to do it in your place - Intel is doing exactly that.

    Improved isolation of kernel code is a good thing, no one loses out by having this nice security improvement available.
    You call the previous discussions FUD and trolling but then you say stuff like "your own pet features" and "put forward that development time yourself". I'm not even an Intel user, and I think they need to get into ACPI. I have NO REASON to care about anything they do right now, but I feel them working on a relatively unimportant feature like this is not a good priority. I'm not saying it shouldn't be worked on and that it is worthless, I'm just saying that they have more important things to worry about - again, not important to me, but it is to other people. I don't understand why so many of you find this concept hard to grasp.
    SMAP pros:
    * Can increase security for systems that have it
    * Might increase reliability
    * It's simple enough that it's an entire feature that can be knocked off the "todo" list
    SMAP cons (compared to ACPI):
    * Probably less than 1% of all Linux users will intentionally use it, whereas nearly everyone, including those SMAP users, would care about other things like ACPI
    * There are probably software alternatives to SMAP, maybe just not as efficient
    * SMAP doesn't save companies as much money as ACPI
    * To my knowledge, SMAP doesn't benefit any other platform. It doesn't even benefit most Intel processors in the wild

    ACPI seems to be complicated and hard to implement to the point that it STILL is broken and largely unsupported. How do you expect the average community member to pitch in? Nouveau managed to accomplish a lot without any assistance, but if it weren't for reverse engineering the NVIDIA blob driver, they probably wouldn't have accomplished any form of GPU acceleration. Even if Intel only got Intel-based ACPI standards to work, that still benefits the majority of all x86 Linux users in a way that everyone, including server owners, cares about.

    I just don't see why all of you are acting like my idea of priorities is basically unrealistic or stupid. It feels like I'm arguing against a cure to cure rabies when cancer is something that nearly everyone has a chance to be worried about. Sure it sucks if you find out you have rabies when it's too late, but how many people actually die of that lately? And yeah I'm sure you'll say "well they're both under different research groups" but who pays for all of them in the end? I'm sure there's only a handful of head corporations that pay for all researchers, minus the independent ones.

    Anyways, I understand why people are defending Intel saying that they don't HAVE to do anything, but the point is they are doing something, and many of you are defending their choice of priority as though A) you'll personally benefit from it, B) you think it's actually a (more) important feature to work on, and C) that my ideas are simply wrong just because I'm trying to focus on everyone as a whole. Linux is a community, if you want proprietary features, go to Mac.
    Last edited by schmidtbag; 10-07-2012 at 10:24 AM.
