⚠️ VeridianOS Kernel Documentation - This is low-level kernel code. All functions are unsafe unless explicitly marked otherwise. no_std

Module smep_smap


SMEP/SMAP Enforcement

Supervisor Mode Execution Prevention (SMEP) prevents the kernel from executing code mapped in user-space pages. Supervisor Mode Access Prevention (SMAP) prevents the kernel from reading or writing user-space memory unless explicitly permitted.

§Architecture Support

  • x86_64: CR4.SMEP (bit 20) and CR4.SMAP (bit 21). Temporary SMAP bypass via STAC/CLAC instructions.
  • AArch64: Privileged Access Never (PAN) via SCTLR_EL1 bit 22.
  • RISC-V: Supervisor User Memory (SUM) bit in sstatus register.

§Usage

Call init() during boot to detect and enable available protections. When the kernel must copy data to/from user-space buffers, bracket the access with disable_smap_temporarily() and restore_smap().
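
A user-space model of the bracketing described above, as an added example that is not VeridianOS code. A thread-local flag stands in for the x86_64 AC flag that STAC/CLAC toggle, and UserAccessWindow, copy_from_user, CopyError and USER_END are hypothetical names and values chosen for illustration, assuming a 64-bit target.

```rust
use std::cell::Cell;

// Stand-in for RFLAGS.AC on the current CPU: true means SMAP is suspended
// (after STAC), false means it is enforced (after CLAC). Model only.
thread_local! { static AC: Cell<bool> = Cell::new(false); }

/// Constructed limit: first address above the user half of the address space.
pub const USER_END: usize = 0x0000_8000_0000_0000;

pub fn smap_enforced() -> bool { AC.with(|f| !f.get()) }

/// Hypothetical guard: suspends SMAP on creation and puts back the *previous*
/// state on drop, so dropping an inner guard cannot re-arm SMAP under an outer one.
pub struct UserAccessWindow { prev: bool }

impl UserAccessWindow {
    pub fn open() -> Self { Self { prev: AC.with(|f| f.replace(true)) } }
}

impl Drop for UserAccessWindow {
    fn drop(&mut self) { AC.with(|f| f.set(self.prev)); }
}

#[derive(Debug, PartialEq)]
pub enum CopyError { BadRange, Fault }

/// Copies dst.len() bytes from `addr` in `user_mem` (a slice modelling the
/// mapped user pages, starting at address 0).
pub fn copy_from_user(dst: &mut [u8], user_mem: &[u8], addr: usize) -> Result<(), CopyError> {
    // Validate before touching SMAP: the window must never open for a range
    // that wraps around or reaches kernel addresses.
    let end = addr.checked_add(dst.len()).ok_or(CopyError::BadRange)?;
    if end > USER_END { return Err(CopyError::BadRange); }
    let _window = UserAccessWindow::open();
    // An unmapped page is modelled as Fault; `?` returns early and Drop still
    // restores enforcement, which a manual disable/restore pair can miss.
    let src = user_mem.get(addr..end).ok_or(CopyError::Fault)?;
    dst.copy_from_slice(src);
    Ok(())
}

fn main() {
    let user_mem = *b"hello from user space"; // constructed sample "user" memory
    let mut buf = [0u8; 5];
    println!("{:?} {:?}", copy_from_user(&mut buf, &user_mem, 0), buf);
    println!("{:?}", copy_from_user(&mut buf, &user_mem, 4096));
    println!("SMAP enforced afterwards: {}", smap_enforced());
}
```

The guard form keeps the window scoped to the access itself: every return path, including the faulting one, leaves enforcement in the state it had before the window opened.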

Structs§

  • SmapGuard: RAII guard that disables SMAP on creation and restores it on drop.

Functions§

  • disable_smap_temporarily: Temporarily disable SMAP to allow kernel access to user-space memory.
  • enable_smap: Enable SMAP. Returns Ok(()) if enabled or already enabled, or Err if the feature is not supported.
  • enable_smep: Enable SMEP. Returns Ok(()) if enabled or already enabled, or Err if the feature is not supported.
  • init: Detect and enable SMEP/SMAP (or platform equivalents).
  • is_smap_enabled: Returns true if SMAP is currently enabled.
  • is_smap_supported: Returns true if the CPU supports SMAP (or the arch-specific equivalent).
  • is_smep_enabled: Returns true if SMEP is currently enabled.
  • is_smep_supported: Returns true if the CPU supports SMEP (or the arch-specific equivalent).
  • restore_smap: Restore SMAP after a temporary user-memory access.