Intel SMAP Comes To Try To Better Secure Linux
Intel SMAP support has landed in the mainline Linux kernel, which is a Supervisor Mode Access Prevention found on newer Intel CPUs.
The Supervisor Mode Access Prevention feature is an instruction set extension whereby the kernel cannot access pages that are user-space. However, when the need comes about for the kernel to access a user-space page, an override is available. This work from Intel was originally published last month and has now been merged into the mainline kernel for Linux 3.7.
Basically SMAP comes down to a hardware feature preventing unintended user-space data access from kernel code. SMAP works alongside SMEP (Supervisor Mode Execution Protection) to try to prevent kernel bugs from being exploited. Intel SMAP is turned on by default for supported hardware. The kernel config option for SMAP does mention though, "There is a small performance cost if this enabled and turned on; there is also a small increase in the kernel size if this is enabled."
The merge of SMAP for Linux 3.7 happened with this commit.
The Supervisor Mode Access Prevention feature is an instruction set extension whereby the kernel cannot access pages that are user-space. However, when the need comes about for the kernel to access a user-space page, an override is available. This work from Intel was originally published last month and has now been merged into the mainline kernel for Linux 3.7.
Basically SMAP comes down to a hardware feature preventing unintended user-space data access from kernel code. SMAP works alongside SMEP (Supervisor Mode Execution Protection) to try to prevent kernel bugs from being exploited. Intel SMAP is turned on by default for supported hardware. The kernel config option for SMAP does mention though, "There is a small performance cost if this enabled and turned on; there is also a small increase in the kernel size if this is enabled."
The merge of SMAP for Linux 3.7 happened with this commit.
11 Comments