pc64: map kernel text readonly and everything else no-execute

the idea is to catch bugs and make kernel exploitation harder by mapping the kernel text section readonly and everything else no-execute. l.s maps the KZERO address space using 2MB pages so to get the 4K granularity for the text section we use the new ptesplit() function to split that mapping up. we need to set EFER no-execute enable bit early in apbootstrap so secondary application processors will understand the NX bit in our shared kernel page tables. also APBOOTSTRAP needs to be kept executable. rebootjump() needs to mark REBOOTADDR page executable.
author: cinap_lenrek <cinap_lenrek@felloff.net> 2019-08-29 07:35:22 +0200
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2019-08-29 07:35:22 +0200
commit: 7bb1a9a18566ea9c8ae7f6c2fa99e448026521d2 (patch)
tree: af707e1d04c8211dd6ac2e191ebd659c442ef25b /sys/src/9/pc64/squidboy.c
parent: e988d56a2f6b87531a12559a336b5de4471605b4 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/src/9/pc64/squidboy.c b/sys/src/9/pc64/squidboy.c
index e920c413b..dda4f257f 100644
--- a/sys/src/9/pc64/squidboy.c
+++ b/sys/src/9/pc64/squidboy.c
@@ -79,6 +79,7 @@ mpstartap(Apic* apic)
 	apbootp[1] = (uintptr)PADDR(pml4);
 	apbootp[2] = (uintptr)apic;
 	apbootp[3] = (uintptr)mach;
+	apbootp[4] |= (uintptr)m->havenx<<11;	/* EFER */
 
 	/*
 	 * Universal Startup Algorithm.
author	cinap_lenrek <cinap_lenrek@felloff.net>	2019-08-29 07:35:22 +0200
committer	cinap_lenrek <cinap_lenrek@felloff.net>	2019-08-29 07:35:22 +0200
commit	7bb1a9a18566ea9c8ae7f6c2fa99e448026521d2 (patch)
tree	af707e1d04c8211dd6ac2e191ebd659c442ef25b /sys/src/9/pc64/squidboy.c
parent	e988d56a2f6b87531a12559a336b5de4471605b4 (diff)