Intel SMAP Comes To Try To Better Secure Linux

Posted by Michael Larabel on October 02, 2012

Support for Intel SMAP (Supervisor Mode Access Prevention), a feature found on newer Intel CPUs, has landed in the mainline Linux kernel.

Supervisor Mode Access Prevention is an instruction set extension under which the kernel cannot access user-space pages. When the kernel does need to access a user-space page, an override is available. This work from Intel was originally published last month and has now been merged into the mainline kernel for Linux 3.7.

Basically, SMAP comes down to a hardware feature that prevents unintended user-space data access from kernel code. SMAP works alongside SMEP (Supervisor Mode Execution Protection) to try to prevent kernel bugs from being exploited. Intel SMAP is turned on by default for supported hardware. The kernel config option for SMAP does mention, though, "There is a small performance cost if this enabled and turned on; there is also a small increase in the kernel size if this is enabled."

The merge of SMAP for Linux 3.7 happened with this commit.
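
Since SMAP is on by default only where the hardware supports it, a quick audit is to read the CPU flags the kernel exposes and look for a boot-time opt-out. The script below is an added example, not code from the article or the kernel; the function names and status strings are hypothetical, and the `nosmap`/`nosmep` boot parameters are an assumption taken from kernels of this era rather than from the article.

```shell
#!/bin/sh
# Added example: report whether SMAP/SMEP show up in the kernel's CPU flags
# and whether they were switched off on the kernel command line.
# Paths default to the live /proc files and can be overridden for testing.

# cpu_has_flag FLAG [CPUINFO]: succeed if FLAG is in the first "flags" line.
cpu_has_flag() {
    grep -m1 '^flags' "${2:-/proc/cpuinfo}" 2>/dev/null \
        | tr ' \t' '\n\n' | grep -qx -- "$1"
}

# cmdline_has WORD [CMDLINE]: succeed if WORD is a whole boot parameter.
cmdline_has() {
    cat "${2:-/proc/cmdline}" 2>/dev/null \
        | tr ' \t' '\n\n' | grep -qx -- "$1"
}

# feature_status FEATURE [CPUINFO] [CMDLINE]
# Prints one of: disabled-by-cmdline, advertised, not-advertised.
# "advertised" means the flag is listed in cpuinfo; it does not prove the
# running kernel was built with the corresponding config option.
feature_status() {
    feature=$1
    cpuinfo=${2:-/proc/cpuinfo}
    cmdline=${3:-/proc/cmdline}
    if cmdline_has "no${feature}" "$cmdline"; then
        echo "disabled-by-cmdline"
    elif cpu_has_flag "$feature" "$cpuinfo"; then
        echo "advertised"
    else
        echo "not-advertised"
    fi
}

# Report for the running system.
for f in smap smep; do
    echo "$f: $(feature_status "$f")"
done
```

A result of `not-advertised` on hardware that should support the feature is worth following up, for example by checking whether a hypervisor is masking the CPU flag.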
