Intel MPX Support Will Be Removed From Linux - Memory Protection Extensions Appear Dead
Back in April there was a discussion about dropping MPX support from the Linux kernel, but no action was taken. Now, though, an Intel developer is preparing to see this Memory Protection Extensions functionality removed from the mainline Linux kernel.
Memory Protection Extensions (MPX) have been supported since Intel Skylake CPUs for allowing the checking of pointer references at run-time to avoid buffer overflows and other potential related vulnerabilities. While it's able to increase security, it didn't end up gaining much fanfare, requires support plumbed through the compiler and operating system, and some studies found software-based alternatives like AddressSanitizer to be superior. Intel also hasn't invested too much into maintaining the Linux MPX support in recent years.
GNU developers already decided and took action with the removal of MPX in GCC 9 due out early next year. Without the upstream GCC compiler support in place and the kernel code not seeing much attention, Intel is going ahead with removing this functionality.
Intel developer Dave Hansen has crafted an mpx-remove branch that I spotted this morning in Git. This patch from yesterday hasn't been submitted as a pull request for the mainline kernel -- presumably it will not be sent until the Linux 4.20~5.0 merge window -- but does away with the MPX kernel support.
The mpx-remove comments explain:
MPX requires recompiling applications, which requires compiler support. Unfortunately, GCC 9.1 will be released without support for MPX. This means that there was only a small window where folks could have ever used MPX. It failed to gain wide adoption in the industry, and Linux was the only mainstream OS to ever support it widely.
Support for the feature may also disappear on future processors.
The benefits of keeping the feature in the tree are not worth the ongoing maintenance cost.
It was a fun run, but it's time for it to go. Adios, MPX!
With that said, it looks like MPX isn't just going away for Linux but is something Intel will be doing away with entirely in future generations of processors.