[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v3 2/3] x86/ldt: Make modify_ldt optional

To: "Andy Lutomirski" <luto@xxxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Thu, 23 Jul 2015 01:13:46 -0600
Cc: "security@xxxxxxxxxx" <security@xxxxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, X86 ML <x86@xxxxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx, Steven Rostedt <rostedt@xxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Sasha Levin <sasha.levin@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
Delivery-date: Thu, 23 Jul 2015 07:14:04 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 22.07.15 at 21:23, <luto@xxxxxxxxxx> wrote:
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -1015,6 +1015,7 @@ config VM86
>  config X86_16BIT
>       bool "Enable support for 16-bit segments" if EXPERT
>       default y
> +     depends on MODIFY_LDT_SYSCALL
>       ---help---
>         This option is required by programs like Wine to run 16-bit
>         protected mode legacy code on x86 processors.  Disabling
> @@ -2053,6 +2054,22 @@ config CMDLINE_OVERRIDE
>         This is used to work around broken boot loaders.  This should
>         be set to 'N' under normal conditions.
>  
> +config MODIFY_LDT_SYSCALL
> +       bool "Enable the LDT (local descriptor table)" if EXPERT
> +       default y
> +       ---help---
> +         Linux can allow user programs to install a per-process x86
> +      Local Descriptor Table (LDT) using the modify_ldt(2) system
> +      call.  This is required to run 16-bit or segmented code such as
> +      DOSEMU or some Wine programs.  It is also used by some very old
> +      threading libraries.
> +
> +      Enabling this feature adds a small amount of overhead to
> +      context switches and increases the low-level kernel attack
> +      surface.  Disabling it removes the modify_ldt(2) system call.
> +
> +      Saying 'N' here may make sense for embedded or server kernels.
> +

I think it would be better to place this ahead of the one being
made dependent on it, to avoid the user being prompted for
X86_16BIT despite it possibly becoming unavailable (when this
one gets set to n).

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH v3 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andy Lutomirski
- [Xen-devel] [PATCH v3 2/3] x86/ldt: Make modify_ldt optional
  - From: Andy Lutomirski

Prev by Date: Re: [Xen-devel] [PATCH] xen/HVM: atomically access pointers in bufioreq handling
Next by Date: Re: [Xen-devel] PV-vNUMA issue: topology is misinterpreted by the guest
Previous by thread: [Xen-devel] [PATCH v3 2/3] x86/ldt: Make modify_ldt optional
Next by thread: Re: [Xen-devel] [PATCH v3 2/3] x86/ldt: Make modify_ldt optional
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.