Message ID | 1500177424-13695-22-git-send-email-linuxram@us.ibm.com (mailing list archive) |
---|---|
State | RFC |
Ram Pai <linuxram@us.ibm.com> writes: > --- a/arch/powerpc/mm/pkeys.c > +++ b/arch/powerpc/mm/pkeys.c 
> @@ -97,3 +97,60 @@ int __arch_set_user_pkey_access(struct task_struct *tsk, int pkey, > init_iamr(pkey, new_iamr_bits); > return 0; > } > + > +static inline bool pkey_allows_readwrite(int pkey) > +{ > + int pkey_shift = pkeyshift(pkey); > + > + if (!(read_uamor() & (0x3UL << pkey_shift))) > + return true; > + > + return !(read_amr() & ((AMR_RD_BIT|AMR_WR_BIT) << pkey_shift)); > +} > + > +int __execute_only_pkey(struct mm_struct *mm) > +{ > + bool need_to_set_mm_pkey = false; > + int execute_only_pkey = mm->context.execute_only_pkey; > + int ret; > + > + /* Do we need to assign a pkey for mm's execute-only maps? */ > + if (execute_only_pkey == -1) { > + /* Go allocate one to use, which might fail */ > + execute_only_pkey = mm_pkey_alloc(mm); > + if (execute_only_pkey < 0) > + return -1; > + need_to_set_mm_pkey = true; > + } > + > + /* > + * We do not want to go through the relatively costly > + * dance to set AMR if we do not need to. Check it > + * first and assume that if the execute-only pkey is > + * readwrite-disabled than we do not have to set it > + * ourselves. > + */ > + if (!need_to_set_mm_pkey && > + !pkey_allows_readwrite(execute_only_pkey)) > + return execute_only_pkey; > + > + /* > + * Set up AMR so that it denies access for everything > + * other than execution. > + */ > + ret = __arch_set_user_pkey_access(current, execute_only_pkey, > + (PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE)); > + /* > + * If the AMR-set operation failed somehow, just return > + * 0 and effectively disable execute-only support. > + */ > + if (ret) { > + mm_set_pkey_free(mm, execute_only_pkey); > + return -1; > + } > + > + /* We got one, store it and use it from here on out */ > + if (need_to_set_mm_pkey) > + mm->context.execute_only_pkey = execute_only_pkey; > + return execute_only_pkey; > +} If you follow the code flow in __execute_only_pkey, the AMR and UAMOR are read 3 times in total, and AMR is written twice. IAMR is read and written twice. 
Since they are SPRs and access to them is slow (or isn't it?), is it worth it to read them once in __execute_only_pkey and pass down their values to the callees, and then write them once at the end of the function? This function is used both by the mmap syscall and the mprotect syscall (but not by pkey_mprotect) if the requested protection is execute-only.
On Fri, Jul 28, 2017 at 07:17:13PM -0300, Thiago Jung Bauermann wrote: > > Ram Pai <linuxram@us.ibm.com> writes: > > --- a/arch/powerpc/mm/pkeys.c > > +++ b/arch/powerpc/mm/pkeys.c 
> > @@ -97,3 +97,60 @@ int __arch_set_user_pkey_access(struct task_struct *tsk, int pkey, > > init_iamr(pkey, new_iamr_bits); > > return 0; > > } > > + > > +static inline bool pkey_allows_readwrite(int pkey) > > +{ > > + int pkey_shift = pkeyshift(pkey); > > + > > + if (!(read_uamor() & (0x3UL << pkey_shift))) > > + return true; > > + > > + return !(read_amr() & ((AMR_RD_BIT|AMR_WR_BIT) << pkey_shift)); > > +} > > + > > +int __execute_only_pkey(struct mm_struct *mm) > > +{ > > + bool need_to_set_mm_pkey = false; > > + int execute_only_pkey = mm->context.execute_only_pkey; > > + int ret; > > + > > + /* Do we need to assign a pkey for mm's execute-only maps? */ > > + if (execute_only_pkey == -1) { > > + /* Go allocate one to use, which might fail */ > > + execute_only_pkey = mm_pkey_alloc(mm); > > + if (execute_only_pkey < 0) > > + return -1; > > + need_to_set_mm_pkey = true; > > + } > > + > > + /* > > + * We do not want to go through the relatively costly > > + * dance to set AMR if we do not need to. Check it > > + * first and assume that if the execute-only pkey is > > + * readwrite-disabled than we do not have to set it > > + * ourselves. > > + */ > > + if (!need_to_set_mm_pkey && > > + !pkey_allows_readwrite(execute_only_pkey)) ^^^^^ Here uamor and amr is read once each. > > + return execute_only_pkey; > > + > > + /* > > + * Set up AMR so that it denies access for everything > > + * other than execution. > > + */ > > + ret = __arch_set_user_pkey_access(current, execute_only_pkey, > > + (PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE)); ^^^^^^^ here amr and iamr are written once each if the the function returns successfully. > > + /* > > + * If the AMR-set operation failed somehow, just return > > + * 0 and effectively disable execute-only support. > > + */ > > + if (ret) { > > + mm_set_pkey_free(mm, execute_only_pkey); ^^^ here only if __arch_set_user_pkey_access() fails amr and iamr and uamor will be written once each. 
> > + return -1; > > + } > > + > > + /* We got one, store it and use it from here on out */ > > + if (need_to_set_mm_pkey) > > + mm->context.execute_only_pkey = execute_only_pkey; > > + return execute_only_pkey; > > +} > > If you follow the code flow in __execute_only_pkey, the AMR and UAMOR > are read 3 times in total, and AMR is written twice. IAMR is read and > written twice. Since they are SPRs and access to them is slow (or isn't > it?), is it worth it to read them once in __execute_only_pkey and pass > down their values to the callees, and then write them once at the end of > the function? If my calculations are right: uamor may be read once and may be written once. amr may be read once and is written once. iamr is written once. So not that bad, i think. RP
Ram Pai <linuxram@us.ibm.com> writes: > On Fri, Jul 28, 2017 at 07:17:13PM -0300, Thiago Jung Bauermann wrote: >> >> Ram Pai <linuxram@us.ibm.com> writes: >> > --- a/arch/powerpc/mm/pkeys.c >> > +++ b/arch/powerpc/mm/pkeys.c 
>> > @@ -97,3 +97,60 @@ int __arch_set_user_pkey_access(struct task_struct *tsk, int pkey, >> > init_iamr(pkey, new_iamr_bits); >> > return 0; >> > } >> > + >> > +static inline bool pkey_allows_readwrite(int pkey) >> > +{ >> > + int pkey_shift = pkeyshift(pkey); >> > + >> > + if (!(read_uamor() & (0x3UL << pkey_shift))) >> > + return true; >> > + >> > + return !(read_amr() & ((AMR_RD_BIT|AMR_WR_BIT) << pkey_shift)); >> > +} >> > + >> > +int __execute_only_pkey(struct mm_struct *mm) >> > +{ >> > + bool need_to_set_mm_pkey = false; >> > + int execute_only_pkey = mm->context.execute_only_pkey; >> > + int ret; >> > + >> > + /* Do we need to assign a pkey for mm's execute-only maps? */ >> > + if (execute_only_pkey == -1) { >> > + /* Go allocate one to use, which might fail */ >> > + execute_only_pkey = mm_pkey_alloc(mm); >> > + if (execute_only_pkey < 0) >> > + return -1; >> > + need_to_set_mm_pkey = true; >> > + } >> > + >> > + /* >> > + * We do not want to go through the relatively costly >> > + * dance to set AMR if we do not need to. Check it >> > + * first and assume that if the execute-only pkey is >> > + * readwrite-disabled than we do not have to set it >> > + * ourselves. >> > + */ >> > + if (!need_to_set_mm_pkey && >> > + !pkey_allows_readwrite(execute_only_pkey)) > ^^^^^ > Here uamor and amr is read once each. You are right. What confused me was that the call to mm_pkey_alloc above also reads uamor and amr (and also iamr, and writes to all of those) but if that function is called, then need_to_set_mm_pkey is true and pkey_allows_readwrite won't be called. >> > + return execute_only_pkey; >> > + >> > + /* >> > + * Set up AMR so that it denies access for everything >> > + * other than execution. >> > + */ >> > + ret = __arch_set_user_pkey_access(current, execute_only_pkey, >> > + (PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE)); > ^^^^^^^ > here amr and iamr are written once each if the > the function returns successfully. 
__arch_set_user_pkey_access also reads uamor for the second time in its call to is_pkey_enabled, and reads amr for the second time as well in its calls to init_amr. The first reads are in either pkey_allows_readwrite or pkey_status_change (called from __arch_activate_pkey). If need_to_set_mm_pkey is true, then the iamr read in init_iamr is the 2nd one during __execute_only_pkey's execution. In this case the writes to amr and iamr will be the 2nd ones as well. The first reads and writes are in pkey_status_change. >> > + /* >> > + * If the AMR-set operation failed somehow, just return >> > + * 0 and effectively disable execute-only support. >> > + */ >> > + if (ret) { >> > + mm_set_pkey_free(mm, execute_only_pkey); > ^^^ > here only if __arch_set_user_pkey_access() fails > amr and iamr and uamor will be written once each. I assume the error case isn't perfomance sensitive and didn't account for mm_set_pkey_free in my analysis. >> > + return -1; >> > + } >> > + >> > + /* We got one, store it and use it from here on out */ >> > + if (need_to_set_mm_pkey) >> > + mm->context.execute_only_pkey = execute_only_pkey; >> > + return execute_only_pkey; >> > +} >> >> If you follow the code flow in __execute_only_pkey, the AMR and UAMOR >> are read 3 times in total, and AMR is written twice. IAMR is read and >> written twice. Since they are SPRs and access to them is slow (or isn't >> it?), is it worth it to read them once in __execute_only_pkey and pass >> down their values to the callees, and then write them once at the end of >> the function? > > If my calculations are right: > uamor may be read once and may be written once. > amr may be read once and is written once. > iamr is written once. > So not that bad, i think. If I'm following the code correctly: if need_to_set_mm_pkey = true: uamor is read twice and written once. amr is read twice and written twice. iamr is read twice and written twice. if need_to_set_mm_pkey = false: uamor is read twice. 
amr is read once or twice (depending on the value of uamor) and written once. iamr is read once and written once.
Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> writes: > Ram Pai <linuxram@us.ibm.com> writes: ... >> + >> + /* We got one, store it and use it from here on out */ >> + if (need_to_set_mm_pkey) >> + mm->context.execute_only_pkey = execute_only_pkey; >> + return execute_only_pkey; >> +} > > If you follow the code flow in __execute_only_pkey, the AMR and UAMOR > are read 3 times in total, and AMR is written twice. IAMR is read and > written twice. Since they are SPRs and access to them is slow (or isn't > it?), SPRs read/writes are slow, but they're not *that* slow in comparison to a system call (which I think is where this code is being called?). So we should try to avoid too many SPR read/writes, but at the same time we can accept more than the minimum if it makes the code much easier to follow. cheers
diff --git a/arch/powerpc/include/asm/book3s/64/mmu.h b/arch/powerpc/include/asm/book3s/64/mmu.h
index 104ad72..0c0a2a8 100644
--- a/arch/powerpc/include/asm/book3s/64/mmu.h
+++ b/arch/powerpc/include/asm/book3s/64/mmu.h
@@ -116,6 +116,7 @@ struct patb_entry {
 * bit unset -> key available for allocation
 */
 u32 pkey_allocation_map;
+ s16 execute_only_pkey; /* key holding execute-only protection */
 #endif
 } mm_context_t;
diff --git a/arch/powerpc/include/asm/pkeys.h b/arch/powerpc/include/asm/pkeys.h
index 0e744f1..1864148 100644
--- a/arch/powerpc/include/asm/pkeys.h
+++ b/arch/powerpc/include/asm/pkeys.h
@@ -118,11 +118,15 @@ static inline int mm_pkey_free(struct mm_struct *mm, int pkey)
 * Try to dedicate one of the protection keys to be used as an
 * execute-only protection key.
 */
+extern int __execute_only_pkey(struct mm_struct *mm);
 static inline int execute_only_pkey(struct mm_struct *mm)
 {
- return 0;
+ if (!pkey_inited)
+ return -1;
+ return __execute_only_pkey(mm);
 }
+
 static inline int arch_override_mprotect_pkey(struct vm_area_struct *vma, int prot, int pkey)
 {
@@ -144,6 +148,8 @@ static inline void pkey_mm_init(struct mm_struct *mm)
 if (!pkey_inited)
 return;
 mm_pkey_allocation_map(mm) = PKEY_INITIAL_ALLOCAION;
+ /* -1 means unallocated or invalid */
+ mm->context.execute_only_pkey = -1;
 }
 static inline void pkey_initialize(void)
diff --git a/arch/powerpc/mm/pkeys.c b/arch/powerpc/mm/pkeys.c
index b9ad98d..34e8557 100644
--- a/arch/powerpc/mm/pkeys.c
+++ b/arch/powerpc/mm/pkeys.c
@@ -97,3 +97,60 @@ int __arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
 init_iamr(pkey, new_iamr_bits);
 return 0;
 }
+
+static inline bool pkey_allows_readwrite(int pkey)
+{
+ int pkey_shift = pkeyshift(pkey);
+
+ if (!(read_uamor() & (0x3UL << pkey_shift)))
+ return true;
+
+ return !(read_amr() & ((AMR_RD_BIT|AMR_WR_BIT) << pkey_shift));
+}
+
+int __execute_only_pkey(struct mm_struct *mm)
+{
+ bool need_to_set_mm_pkey = false;
+ int execute_only_pkey = mm->context.execute_only_pkey;
+ int ret;
+
+ /* Do we need to assign a pkey for mm's execute-only maps? */
+ if (execute_only_pkey == -1) {
+ /* Go allocate one to use, which might fail */
+ execute_only_pkey = mm_pkey_alloc(mm);
+ if (execute_only_pkey < 0)
+ return -1;
+ need_to_set_mm_pkey = true;
+ }
+
+ /*
+ * We do not want to go through the relatively costly
+ * dance to set AMR if we do not need to. Check it
+ * first and assume that if the execute-only pkey is
+ * readwrite-disabled than we do not have to set it
+ * ourselves.
+ */
+ if (!need_to_set_mm_pkey &&
+ !pkey_allows_readwrite(execute_only_pkey))
+ return execute_only_pkey;
+
+ /*
+ * Set up AMR so that it denies access for everything
+ * other than execution.
+ */
+ ret = __arch_set_user_pkey_access(current, execute_only_pkey,
+ (PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE));
+ /*
+ * If the AMR-set operation failed somehow, just return
+ * 0 and effectively disable execute-only support.
+ */
+ if (ret) {
+ mm_set_pkey_free(mm, execute_only_pkey);
+ return -1;
+ }
+
+ /* We got one, store it and use it from here on out */
+ if (need_to_set_mm_pkey)
+ mm->context.execute_only_pkey = execute_only_pkey;
+ return execute_only_pkey;
+}
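Review bot: The failure path under `if (ret)` calls `mm_set_pkey_free()` even when the key was not allocated in this call (`need_to_set_mm_pkey` is false, i.e. the key came from `mm->context.execute_only_pkey`), and it never clears that cached value, so the mm keeps pointing at a key that has been handed back to the allocator; if `mm_pkey_alloc()` (not visible here) can later return the same key to a userspace `pkey_alloc()`, execute-only mappings would end up sharing a key whose AMR bits userspace controls. Adding `mm->context.execute_only_pkey = -1;` directly after the `mm_set_pkey_free(mm, execute_only_pkey);` line keeps the cached key consistent with the allocation map and forces a fresh allocation on the next call. The comment above that branch says the function returns `0` on failure, but the code returns `-1`, which is also what `execute_only_pkey()` in pkeys.h returns when pkeys are not initialised; the comment should say `-1` so callers checking for the sentinel are not misled.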
This patch provides the implementation of execute-only pkey. The architecture-independent code expects the ability to create and manage a special key which has execute-only permission. Signed-off-by: Ram Pai <linuxram@us.ibm.com> --- arch/powerpc/include/asm/book3s/64/mmu.h | 1 + arch/powerpc/include/asm/pkeys.h | 8 ++++- arch/powerpc/mm/pkeys.c | 57 ++++++++++++++++++++++++++++++ 3 files changed, 65 insertions(+), 1 deletions(-)