git: f8c73ba5981c - stable/14 - mitigations.7: mention supervisor mode memory access protections
Date: Thu, 01 Aug 2024 14:47:15 UTC
The branch stable/14 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=f8c73ba5981c6d66384d5c173b650906b9741ae8
commit f8c73ba5981c6d66384d5c173b650906b9741ae8
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-05-31 14:13:11 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-08-01 14:46:46 +0000
mitigations.7: mention supervisor mode memory access protections
Reviewed by: imp (earlier), olce (earlier), kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45420
(cherry picked from commit 72ece341b42707af7837357dbb1f2c2fe17507fa)
---
share/man/man7/mitigations.7 | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/share/man/man7/mitigations.7 b/share/man/man7/mitigations.7
index 950d84042c71..f68e3041c88f 100644
--- a/share/man/man7/mitigations.7
+++ b/share/man/man7/mitigations.7
@@ -25,7 +25,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd October 6, 2023
+.Dd May 31, 2024
.Dt MITIGATIONS 7
.Os
.Sh NAME
@@ -234,8 +234,26 @@ and it is possible that some applications may not function correctly.
.\"
.\".Ss Stack Smashing Protection (SSP)
.\"
-.\".Ss Supervisor mode memory protection
-.\"
+.Ss Supervisor mode memory protection
+Certain processors include features that prevent unintended access to memory
+pages accessible to userspace (non-privileged) code, while in a privileged
+mode.
+One feature prevents execution, intended to mitigate exploitation of kernel
+vulnerabilities from userland.
+Another feature prevents unintended reads from or writes to user space memory
+from the kernel.
+This also provides effective protection against NULL pointer dereferences from
+kernel.
+.Bl -column -offset indent "Architecture" "Feature" "Access Type Prevented"
+.It Sy Architecture Ta Sy Feature Ta Sy Access Type Prevented
+.It amd64 Ta SMAP Ta Read / Write
+.It amd64 Ta SMEP Ta Execute
+.It arm64 Ta PAN Ta Read / Write
+.It arm64 Ta PXN Ta Execute
+.El
+.Pp
+These features are automatically used by the kernel.
+There is no user-facing configuration.
.Ss Hardware vulnerability controls
See
.Xr security 7