On Tue, Jul 25, 2017 at 05:44:08PM -0700, Ricardo Neri wrote:
On Fri, 2017-06-09 at 18:10 +0200, Borislav Petkov wrote:
On Fri, May 05, 2017 at 11:17:22AM -0700, Ricardo Neri wrote:
User-Mode Instruction Prevention (UMIP) is enabled by setting/clearing a bit in %cr4.
It makes sense to enable UMIP at some point while booting, before user space comes up. Like SMAP and SMEP, it is not critical to have it enabled very early during boot. This is because UMIP is relevant only when there is a user space to be protected from. Given the similarities in relevance, it makes sense to enable UMIP along with SMAP and SMEP.
UMIP is enabled by default. It can be disabled by adding clearcpuid=514 to the kernel parameters.
...
So would this become a y when more machines have UMIP?
I guess. Stuff which proves reliable and widespread gets automatically enabled with time, in most cases. IMHO, of course.
Why would static_cpu_has() reply wrong if alternatives are not in place? Because it uses the boot CPU data? When it calls _static_cpu_has() it would do something equivalent to
Nevermind - I forgot that static_cpu_has() now drops to dynamic check before alternatives application.