x86 ASM Changes For Linux 5.1 Pin Sensitive Bits To Help Fend Off Recent Exploits

Written by Michael Larabel in Hardware on 10 March 2019 at 08:55 AM EDT.
Linux 5.1 is bringing another change to help bolster the security of Linux systems in light of recent exploits.

Covered recently was the work by Google's security engineers to better fend off exploits that end up disabling SMAP / SMEP / UMIP protections.

Some exploits have used the kernel's native_write_cr4 function to disable the Supervisor Mode Access Prevention (SMAP) / Supervisor Mode Execution Protection (SMEP) / User-Mode Instruction Prevention (UMIP) features as part of their exploit path. In addition to the CR4 SMAP/SMEP/UMIP bits, the CR0 WP (Write Protect) bit is receiving similar treatment in the native_write_cr0 function, given the trajectory of recent exploits.

With Linux 5.1, these sensitive CR0/CR4 bits are being pinned so they can't be so easily disabled by rogue software.

That pinning code was queued into the x86/asm tree and is now on its way to the mainline Linux kernel for the ongoing 5.1 merge window.
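
The pinning behaviour described above, as an added example that is not code from the article or from the kernel: a simplified user-space C model in which a write that drops a pinned bit has the bit put back and the attempt counted. The struct and function names are hypothetical and the register contents are constructed; the bit positions are the architectural ones for CR0.WP and CR4.UMIP/SMEP/SMAP.

```c
#include <stdio.h>

/* Architectural bit positions of the flags named in the article. */
#define CR0_WP   (1UL << 16)  /* Write Protect */
#define CR4_UMIP (1UL << 11)  /* User-Mode Instruction Prevention */
#define CR4_SMEP (1UL << 20)  /* Supervisor Mode Execution Protection */
#define CR4_SMAP (1UL << 21)  /* Supervisor Mode Access Prevention */

/* Hypothetical model of one control register; not a kernel structure. */
struct ctrl_reg {
    unsigned long value;   /* stands in for the hardware register */
    unsigned long pinned;  /* bits that must stay set once pinned */
    unsigned violations;   /* writes that tried to clear a pinned bit */
};

/* Latch whichever of the sensitive bits are enabled right now. */
void pin_bits(struct ctrl_reg *r, unsigned long sensitive)
{
    r->pinned = r->value & sensitive;
}

/*
 * Write first, then verify: any pinned bit missing from the written value
 * is restored and the attempt is counted, so it can be logged or alerted on.
 * Returns the mask of bits that had to be restored (0 for a clean write).
 */
unsigned long pinned_write(struct ctrl_reg *r, unsigned long val)
{
    r->value = val;                            /* the register write */
    unsigned long missing = ~r->value & r->pinned;
    if (missing) {
        r->value |= missing;                   /* re-assert pinned bits */
        r->violations++;
    }
    return missing;
}

int main(void)
{
    /* Constructed sample state: PAE (bit 5) plus the three protections. */
    struct ctrl_reg cr4 = { .value = (1UL << 5) | CR4_UMIP | CR4_SMEP | CR4_SMAP };
    struct ctrl_reg cr0 = { .value = CR0_WP | 1UL };  /* WP plus PE (bit 0) */
    pin_bits(&cr4, CR4_UMIP | CR4_SMEP | CR4_SMAP);
    pin_bits(&cr0, CR0_WP);

    unsigned long lost4 = pinned_write(&cr4, cr4.value & ~(CR4_SMEP | CR4_SMAP));
    unsigned long lost0 = pinned_write(&cr0, cr0.value & ~CR0_WP);
    printf("cr4 restored=%#lx value=%#lx\n", lost4, cr4.value);
    printf("cr0 restored=%#lx value=%#lx\n", lost0, cr0.value);
    return 0;
}
```

Bits outside the pinned mask can still be changed freely; only the latched protections are forced back on.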