As far as I've understood it raises an exception (a page fault perhaps?) if the kernel (running in ring 0) tries to access a page having the user bit set.
I found this article while browsing the web and tried to search the forum but didn't find anything.
It seems that flipping a bit in CR4 on newer processors is all you need to do to enable this.
Article: http://vulnfactory.org/blog/2011/06/05/ ... -on-linux/
Anyone here had any experience implementing this?
Supervisor Mode Execution Protection (SMEP)
Fudge - Simplicity, clarity and speed.
http://github.com/Jezze/fudge/
Re: Supervisor Mode Execution Protection (SMEP)
The article is dated June 5th, 2011 at 4:40 pm.
"It may take awhile for the hardware to catch up – it doesn’t seem any existing CPUs actually implement SMEP..."
Jezze wrote: Anyone here had any experience implementing this?
So I guess no. For those (i.e. CPU makers) who might actually have had experience, however, it would be trade secrets to talk about.
Re: Supervisor Mode Execution Protection (SMEP)
My mistake, I somehow interpreted that sentence as "only newer cpus" instead of "no cpus".
Fudge - Simplicity, clarity and speed.
http://github.com/Jezze/fudge/
Re: Supervisor Mode Execution Protection (SMEP)
Jezze wrote: As far as I've understood it raises an exception (a page fault perhaps?) if the kernel (running in ring 0) tries to access a page having the user bit set.
Not any access, it's still allowed to read/write to user pages. It only prevents execution from them.
https://lkml.org/lkml/2011/5/16/500
That's a link to the patchset to the Linux kernel to add support for it that could be used as a reference if you want to implement it. There's not much to it at all except flipping a CR4 bit, as you said, but you just wouldn't be able to actually test it. I wonder how straightforward it would be to add support to QEMU for it, I may have a look at doing so sometime.