git: 72ece341b427 - main - mitigations.7: mention supervisor mode memory access protections
Date: Fri, 31 May 2024 19:36:25 UTC
The branch main has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=72ece341b42707af7837357dbb1f2c2fe17507fa
commit 72ece341b42707af7837357dbb1f2c2fe17507fa
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-05-31 14:13:11 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-05-31 19:35:56 +0000
mitigations.7: mention supervisor mode memory access protections
Reviewed by: imp (earlier), olce (earlier), kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45420
---
share/man/man7/mitigations.7 | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/share/man/man7/mitigations.7 b/share/man/man7/mitigations.7
index 1cea86e352c5..f97ba50320f2 100644
--- a/share/man/man7/mitigations.7
+++ b/share/man/man7/mitigations.7
@@ -25,7 +25,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd October 6, 2023
+.Dd May 31, 2024
.Dt MITIGATIONS 7
.Os
.Sh NAME
@@ -234,8 +234,26 @@ and it is possible that some applications may not function correctly.
.\"
.\".Ss Stack Smashing Protection (SSP)
.\"
-.\".Ss Supervisor mode memory protection
-.\"
+.Ss Supervisor mode memory protection
+Certain processors include features that prevent unintended access to memory
+pages accessible to userspace (non-privileged) code, while in a privileged
+mode.
+One feature prevents execution, intended to mitigate exploitation of kernel
+vulnerabilities from userland.
+Another feature prevents unintended reads from or writes to user space memory
+from the kernel.
+This also provides effective protection against NULL pointer dereferences from
+kernel.
+.Bl -column -offset indent "Architecture" "Feature" "Access Type Prevented"
+.It Sy Architecture Ta Sy Feature Ta Sy Access Type Prevented
+.It amd64 Ta SMAP Ta Read / Write
+.It amd64 Ta SMEP Ta Execute
+.It arm64 Ta PAN Ta Read / Write
+.It arm64 Ta PXN Ta Execute
+.El
+.Pp
+These features are automatically used by the kernel.
+There is no user-facing configuration.
.Ss Hardware vulnerability controls
See
.Xr security 7
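Review bot: in the new "Supervisor mode memory protection" text, the sentence ".\" This also provides effective protection against NULL pointer dereferences from kernel." is ambiguous about which feature "This" refers to and is missing an article; since the NULL pointer benefit follows from the read/write restriction described in the preceding sentence (SMAP and PAN in the table), not from the execute restriction, suggest rewording it to "The latter also provides effective protection against NULL pointer dereferences from the kernel." so it reads unambiguously next to the table that follows.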