x86/cpu: Remove "noexec"

It doesn't make any sense to disable non-executable mappings - security-wise or else. So rip out that switch and move the remaining code into setup.c and delete setup_nx.c Signed-off-by: Borislav Petkov <bp@suse.de> Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20220127115626.14179-6-bp@alien8.de
2025-03-06 20:59:54 +01:00 · 2022-01-27 12:56:25 +01:00 · 2022-01-27 12:56:25 +01:00 · 76ea0025a2
commit 76ea0025a2
parent 385d2ae0a1
7 changed files with 26 additions and 83 deletions
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@ -3456,11 +3456,6 @@
 	noexec		[IA-64]
 	noexec		[X86]
 			On X86-32 available only on PAE configured kernels.
 			noexec=on: enable non-executable mappings (default)
 			noexec=off: disable non-executable mappings
 	nosmap		[PPC]
 			Disable SMAP (Supervisor Mode Access Prevention)
 			even if it is supported by processor.
--- a/Documentation/x86/x86_64/boot-options.rst
+++ b/Documentation/x86/x86_64/boot-options.rst
@ -157,15 +157,6 @@ Rebooting
     newer BIOS, or newer board) using this option will ignore the built-in
     quirk table, and use the generic default reboot actions.
 Non Executable Mappings
 =======================
  noexec=on|off
    on
      Enable(default)
    off
      Disable
 NUMA
 ====
--- a/arch/x86/include/asm/proto.h
+++ b/arch/x86/include/asm/proto.h
@ -35,7 +35,6 @@ void xen_entry_INT80_compat(void);
 #endif
 void x86_configure_nx(void);
 void x86_report_nx(void);
 extern int reboot_force;
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@ -756,6 +756,30 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p)
 	return 0;
 }
 void x86_configure_nx(void)
 {
 	if (boot_cpu_has(X86_FEATURE_NX))
 		__supported_pte_mask |= _PAGE_NX;
 	else
 		__supported_pte_mask &= ~_PAGE_NX;
 }
 static void __init x86_report_nx(void)
 {
 	if (!boot_cpu_has(X86_FEATURE_NX)) {
 		printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
 		       "missing in CPU!\n");
 	} else {
 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
 		printk(KERN_INFO "NX (Execute Disable) protection: active\n");
 #else
 		/* 32bit non-PAE kernel, NX cannot be used */
 		printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
 		       "cannot be enabled: non-PAE kernel!\n");
 #endif
 	}
 }
 /*
 * Determine if we were loaded by an EFI loader.  If so, then we have also been
 * passed the efi memmap, systab, etc., so we should use these data structures
@ -896,9 +920,7 @@ void __init setup_arch(char **cmdline_p)
 	/*
 	 * x86_configure_nx() is called before parse_early_param() to detect
 	 * whether hardware doesn't support NX (so that the early EHCI debug
-	 * console setup can safely call set_fixmap()). It may then be called
+	 * console setup can safely call set_fixmap()).
 	 * again from within noexec_setup() during parsing early parameters
 	 * to honor the respective command line option.
 	 */
 	x86_configure_nx();
--- a/arch/x86/mm/Makefile
+++ b/arch/x86/mm/Makefile
@ -20,13 +20,12 @@ CFLAGS_REMOVE_mem_encrypt_identity.o	= -pg
 endif
 obj-y				:=  init.o init_$(BITS).o fault.o ioremap.o extable.o mmap.o \
-				    pgtable.o physaddr.o setup_nx.o tlb.o cpu_entry_area.o maccess.o
+				    pgtable.o physaddr.o tlb.o cpu_entry_area.o maccess.o
 obj-y				+= pat/
 # Make sure __phys_addr has no stackprotector
 CFLAGS_physaddr.o		:= -fno-stack-protector
 CFLAGS_setup_nx.o		:= -fno-stack-protector
 CFLAGS_mem_encrypt_identity.o	:= -fno-stack-protector
 CFLAGS_fault.o := -I $(srctree)/$(src)/../include/asm/trace
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@ -110,7 +110,6 @@ int force_personality32;
 /*
 * noexec32=on|off
 * Control non executable heap for 32bit processes.
 * To control the stack too use noexec=off
 *
 * on	PROT_READ does not imply PROT_EXEC for 32-bit processes (default)
 * off	PROT_READ implies PROT_EXEC
--- a/arch/x86/mm/setup_nx.c
+++ b/arch/x86/mm/setup_nx.c
@ -1,62 +0,0 @@
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/spinlock.h>
 #include <linux/errno.h>
 #include <linux/init.h>
 #include <linux/pgtable.h>
 #include <asm/proto.h>
 #include <asm/cpufeature.h>
 static int disable_nx;
 /*
 * noexec = on|off
 *
 * Control non-executable mappings for processes.
 *
 * on      Enable
 * off     Disable
 */
 static int __init noexec_setup(char *str)
 {
 	if (!str)
 		return -EINVAL;
 	if (!strncmp(str, "on", 2)) {
 		disable_nx = 0;
 	} else if (!strncmp(str, "off", 3)) {
 		disable_nx = 1;
 	}
 	x86_configure_nx();
 	return 0;
 }
 early_param("noexec", noexec_setup);
 void x86_configure_nx(void)
 {
 	if (boot_cpu_has(X86_FEATURE_NX) && !disable_nx)
 		__supported_pte_mask |= _PAGE_NX;
 	else
 		__supported_pte_mask &= ~_PAGE_NX;
 }
 void __init x86_report_nx(void)
 {
 	if (!boot_cpu_has(X86_FEATURE_NX)) {
 		printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
 		       "missing in CPU!\n");
 	} else {
 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
 		if (disable_nx) {
 			printk(KERN_INFO "NX (Execute Disable) protection: "
 			       "disabled by kernel command line option\n");
 		} else {
 			printk(KERN_INFO "NX (Execute Disable) protection: "
 			       "active\n");
 		}
 #else
 		/* 32bit non-PAE kernel, NX cannot be used */
 		printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
 		       "cannot be enabled: non-PAE kernel!\n");
 #endif
 	}
 }