Contributed by rueda on from the harder-and-harder dept.
Support for execute-only (xonly) code
(on which we
has been committed to -current by Theo de Raadt (
The commits were:
CVSROOT: /cvs Module name: src Changes by: firstname.lastname@example.org 2023/01/20 09:01:04 Modified files: sys/arch/amd64/amd64: cpu.c locore.S pmap.c trap.c vector.S sys/arch/amd64/include: cpufunc.h pte.h Log message: On cpu with the PKU feature, prot=PROT_EXEC pages now create pte which contain PG_XO, which is PKU key1. On every exit from kernel to userland, force the PKU register to inhibit data read against key1 memory. On (some) traps into the kernel if the PKU register is changed, abort the process (processes have no reason to change the PKU register). This provides us with viable xonly functionality on most modern intel & AMD cpus. I started with a xsave-based diff from dv@, but discovered the fpu save/restore logic wasn't a good fit and went to direct register management. Disabled on HV (vm) systems until we know they handle PKU correctly. ok kettenis, dv, guenther, etc
CVSROOT: /cvs Module name: src Changes by: email@example.com 2023/01/20 09:03:14 Modified files: libexec/ld.so/amd64: ld.script Log message: amd64 now has xonly support via the PKU feature. Marking ld.so exec-only is no longer a NOP on those systems, let's do it.
As usual, testing creatively for potential breakage between now and the upcoming release will be much appreciated by the developers.