Date: Fri, 31 May 2024 19:36:25 GMT
Message-Id: <202405311936.44VJaPJU068229@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ed Maste
Subject: git: 72ece341b427 - main - mitigations.7: mention supervisor mode memory access protections
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 72ece341b42707af7837357dbb1f2c2fe17507fa

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=72ece341b42707af7837357dbb1f2c2fe17507fa

commit 72ece341b42707af7837357dbb1f2c2fe17507fa
Author:     Ed Maste
AuthorDate: 2024-05-31 14:13:11 +0000
Commit:     Ed Maste
CommitDate: 2024-05-31 19:35:56 +0000

    mitigations.7: mention supervisor mode memory access protections

    Reviewed by:    imp (earlier), olce (earlier), kib
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D45420

--- share/man/man7/mitigations.7 | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/share/man/man7/mitigations.7 b/share/man/man7/mitigations.7 index 1cea86e352c5..f97ba50320f2 100644 --- a/share/man/man7/mitigations.7 +++ b/share/man/man7/mitigations.7 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd October 6, 2023 +.Dd May 31, 2024 .Dt MITIGATIONS 7 .Os .Sh NAME 
@@ -234,8 +234,26 @@ and it is possible that some applications may not function correctly. .\" .\".Ss Stack Smashing Protection (SSP) .\" -.\".Ss Supervisor mode memory protection -.\" +.Ss Supervisor mode memory protection +Certain processors include features that prevent unintended access to memory +pages accessible to userspace (non-privileged) code, while in a privileged +mode. +One feature prevents execution, intended to mitigate exploitation of kernel +vulnerabilities from userland. +Another feature prevents unintended reads from or writes to user space memory +from the kernel. +This also provides effective protection against NULL pointer dereferences from +kernel. +.Bl -column -offset indent "Architecture" "Feature" "Access Type Prevented" +.It Sy Architecture Ta Sy Feature Ta Sy Access Type Prevented +.It amd64 Ta SMAP Ta Read / Write +.It amd64 Ta SMEP Ta Execute +.It arm64 Ta PAN Ta Read / Write +.It arm64 Ta PXN Ta Execute +.El +.Pp +These features are automatically used by the kernel. +There is no user-facing configuration. .Ss Hardware vulnerability controls See .Xr security 7
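
Review bot: In the second hunk, "This also provides effective protection against NULL pointer dereferences from kernel." has an unclear antecedent: it directly follows the read/write sentence, so it reads as a claim about SMAP/PAN only, and the text should say whether the execute-prevention feature is meant as well; the phrase also needs an article ("from the kernel"). The same paragraph uses "userspace", "userland" and "user space" for one concept, so pick one spelling and use it throughout. The table introduces SMAP, SMEP, PAN and PXN without expanding them; spelling each out once (Supervisor Mode Access Prevention, Supervisor Mode Execution Prevention, Privileged Access Never, Privileged Execute Never) would make the section self-explanatory and easier to search. Finally, "Certain processors include features" followed by "These features are automatically used by the kernel." leaves open what happens on hardware that lacks them; suggest "are automatically used by the kernel when the processor supports them".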