• Benjamin Gray's avatar
    powerpc/dexcr: Reset DEXCR value across exec · bbd99922
    Benjamin Gray authored
    Inheriting the DEXCR across exec can have security and usability
    concerns. If a program is compiled with hash instructions it generally
    expects to run with NPHIE enabled. But if the parent process disables
    NPHIE then if it's not careful it will be disabled for any children too
    and the protection offered by hash checks is basically worthless.
    
    This patch introduces a per-process reset value that new execs in a
    particular process tree are initialized with. This enables fine grained
    control over what DEXCR value child processes run with by default.
    For example, containers running legacy binaries that expect hash
    instructions to act as NOPs could configure the reset value of the
    container root to control the default reset value for all members of
    the container.
    Signed-off-by: default avatarBenjamin Gray <bgray@linux.ibm.com>
    [mpe: Add missing SPDX tag on dexcr.c]
    Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20240417112325.728010-4-bgray@linux.ibm.com
    bbd99922
process.c 61.7 KB