From patchwork Mon Nov  6 08:57:03 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ram Pai <linuxram@us.ibm.com>
X-Patchwork-Id: 834539
Return-Path: 
 <linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3yVnkW4flTz9sPt
	for <patchwork-incoming@ozlabs.org>;
	Mon,  6 Nov 2017 20:46:11 +1100 (AEDT)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="htl8PzzH"; dkim-atps=neutral
Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])
	by lists.ozlabs.org (Postfix) with ESMTP id 3yVnkW2hdzzDrJn
	for <patchwork-incoming@ozlabs.org>;
	Mon,  6 Nov 2017 20:46:11 +1100 (AEDT)
Authentication-Results: lists.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="htl8PzzH"; dkim-atps=neutral
X-Original-To: linuxppc-dev@lists.ozlabs.org
Delivered-To: linuxppc-dev@lists.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=gmail.com
	(client-ip=2607:f8b0:400d:c0d::242; helo=mail-qt0-x242.google.com;
	envelope-from=ram.n.pai@gmail.com; receiver=<UNKNOWN>)
Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="htl8PzzH"; dkim-atps=neutral
Received: from mail-qt0-x242.google.com (mail-qt0-x242.google.com
	[IPv6:2607:f8b0:400d:c0d::242])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128
	bits)) (No client certificate requested)
	by lists.ozlabs.org (Postfix) with ESMTPS id 3yVmgw2VvdzDrJr
	for <linuxppc-dev@lists.ozlabs.org>;
	Mon,  6 Nov 2017 19:58:52 +1100 (AEDT)
Received: by mail-qt0-x242.google.com with SMTP id 8so10014677qtv.1
	for <linuxppc-dev@lists.ozlabs.org>;
	Mon, 06 Nov 2017 00:58:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=sender:from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=4wGT81IyHrl/Fru34JWsTzC/02R+E/sRN0EOjwOfmvk=;
	b=htl8PzzHnWd5EL/tim9Vrs57xXyXLqsqJCQMjdDsXkhCbt5aMf5JmR1SKEu3F9uzAT
	op51hY+myPQv2fEVQVzrOFZbYUQYZoxPxciZWJ9ZZE6lMYg3pH+Bg7VemzVB502EK1rM
	+xnqsmcO/CY9dMwpJLx2kD9vccgfyJoQ702kZoRaIPfIL8HCpg2SuzS2ah3Fm1zRxP/Q
	KRrC45/jKtyEVdTaMqlZsL1mGPMmErLdZBIxT/Y2o3tFI3KrlPktBcbiG4DyhU+ehzrG
	mlQsW3icgPRZ8+NDCSAuMnTBsh5c0mUmcvP24pVFdOkkIQY4aiNHnsGjirdPnERnoBiE
	h9aA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
	:in-reply-to:references;
	bh=4wGT81IyHrl/Fru34JWsTzC/02R+E/sRN0EOjwOfmvk=;
	b=t4FcUmaROacuZD/SQj35NmpqqZsVpkfi80gHdAfdMPmrhuvf9p6ZxJs/P6oGvsL2kh
	zoBbTonW0SLTwzu5WOqtVuDsIXgupt5K/An78d1qrVQOVwtWIHrrZ3amqGnj0ohDfqbh
	z+NQxjH+HqNBel3/pnJfoPupIrnf2S84PMLBoWam/t8WSXEh/aPW4+VMHCs8VybZ50nb
	iqQuSVh5IOjsV6GNXE6Fl8E8ZiZrDQ0gG8tHfxhmI3lF59uTDzJ3Buc97mHsUVO0T314
	C4tLow5t/qeU3UWARhKMJhWTuuLT7VqbXaQSQ+uMuBZ1CfS7nLxooea+McD2WfqBNryy
	jG3A==
X-Gm-Message-State: AMCzsaVgC8k77U19e2ycyJPIgEODUtF1o9oy74vVxWXHfMTvH/9uLzT/
	XVzMR0C/kxXAoeBpP3tjL8g=
X-Google-Smtp-Source: 
 ABhQp+T5ys3y4+eGCDpASNpw/KWS8cuDyZaMmjgnb6ejUsV6OROj/ZMmn14J2p39miIfpxDuYdG2MQ==
X-Received: by 10.200.26.90 with SMTP id q26mr23144009qtk.109.1509958730429;
	Mon, 06 Nov 2017 00:58:50 -0800 (PST)
Received: from localhost.localdomain (50-39-103-96.bvtn.or.frontiernet.net.
	[50.39.103.96]) by smtp.gmail.com with ESMTPSA id
	r26sm8001094qki.42.2017.11.06.00.58.47
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Mon, 06 Nov 2017 00:58:50 -0800 (PST)
From: Ram Pai <linuxram@us.ibm.com>
To: mpe@ellerman.id.au, mingo@redhat.com, akpm@linux-foundation.org,
	corbet@lwn.net, arnd@arndb.de
Subject: [PATCH v9 11/51] powerpc: introduce execute-only pkey
Date: Mon,  6 Nov 2017 00:57:03 -0800
Message-Id: <1509958663-18737-12-git-send-email-linuxram@us.ibm.com>
X-Mailer: git-send-email 1.7.1
In-Reply-To: <1509958663-18737-1-git-send-email-linuxram@us.ibm.com>
References: <1509958663-18737-1-git-send-email-linuxram@us.ibm.com>
X-BeenThere: linuxppc-dev@lists.ozlabs.org
X-Mailman-Version: 2.1.24
Precedence: list
List-Id: Linux on PowerPC Developers Mail List
	<linuxppc-dev.lists.ozlabs.org>
List-Unsubscribe: <https://lists.ozlabs.org/options/linuxppc-dev>,
	<mailto:linuxppc-dev-request@lists.ozlabs.org?subject=unsubscribe>
List-Archive: <http://lists.ozlabs.org/pipermail/linuxppc-dev/>
List-Post: <mailto:linuxppc-dev@lists.ozlabs.org>
List-Help: <mailto:linuxppc-dev-request@lists.ozlabs.org?subject=help>
List-Subscribe: <https://lists.ozlabs.org/listinfo/linuxppc-dev>,
	<mailto:linuxppc-dev-request@lists.ozlabs.org?subject=subscribe>
Cc: linux-arch@vger.kernel.org, ebiederm@xmission.com,
	linux-doc@vger.kernel.org, x86@kernel.org, dave.hansen@intel.com,
	linux-kernel@vger.kernel.org, linuxram@us.ibm.com, mhocko@kernel.org,
	linux-mm@kvack.org, paulus@samba.org, aneesh.kumar@linux.vnet.ibm.com,
	linux-kselftest@vger.kernel.org, bauerman@linux.vnet.ibm.com,
	linuxppc-dev@lists.ozlabs.org, khandual@linux.vnet.ibm.com
Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org
Sender: "Linuxppc-dev"
	<linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org>

This patch provides the implementation of execute-only pkey.
The architecture-independent layer expects the arch-dependent
layer, to support the ability to create and enable a special
key which has execute-only permission.

Acked-by: Balbir Singh <bsingharora@gmail.com>
Signed-off-by: Ram Pai <linuxram@us.ibm.com>
---
 arch/powerpc/include/asm/book3s/64/mmu.h |    1 +
 arch/powerpc/include/asm/pkeys.h         |    8 ++++-
 arch/powerpc/mm/pkeys.c                  |   56 ++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletions(-)

diff --git a/arch/powerpc/include/asm/book3s/64/mmu.h b/arch/powerpc/include/asm/book3s/64/mmu.h
index df17fbc..44dbc91 100644
--- a/arch/powerpc/include/asm/book3s/64/mmu.h
+++ b/arch/powerpc/include/asm/book3s/64/mmu.h
@@ -116,6 +116,7 @@ struct patb_entry {
 	 * bit unset -> key available for allocation
 	 */
 	u32 pkey_allocation_map;
+	s16 execute_only_pkey; /* key holding execute-only protection */
 #endif
 } mm_context_t;
 
diff --git a/arch/powerpc/include/asm/pkeys.h b/arch/powerpc/include/asm/pkeys.h
index 0b2d9f0..20d1f0e 100644
--- a/arch/powerpc/include/asm/pkeys.h
+++ b/arch/powerpc/include/asm/pkeys.h
@@ -128,9 +128,13 @@ static inline int mm_pkey_free(struct mm_struct *mm, int pkey)
  * Try to dedicate one of the protection keys to be used as an
  * execute-only protection key.
  */
+extern int __execute_only_pkey(struct mm_struct *mm);
 static inline int execute_only_pkey(struct mm_struct *mm)
 {
-	return 0;
+	if (static_branch_likely(&pkey_disabled))
+		return -1;
+
+	return __execute_only_pkey(mm);
 }
 
 static inline int arch_override_mprotect_pkey(struct vm_area_struct *vma,
@@ -154,6 +158,8 @@ static inline void pkey_mm_init(struct mm_struct *mm)
 	if (static_branch_likely(&pkey_disabled))
 		return;
 	mm_pkey_allocation_map(mm) = initial_allocation_mask;
+	/* -1 means unallocated or invalid */
+	mm->context.execute_only_pkey = -1;
 }
 
 extern void thread_pkey_regs_save(struct thread_struct *thread);
diff --git a/arch/powerpc/mm/pkeys.c b/arch/powerpc/mm/pkeys.c
index 469f370..5da94fe 100644
--- a/arch/powerpc/mm/pkeys.c
+++ b/arch/powerpc/mm/pkeys.c
@@ -247,3 +247,59 @@ void thread_pkey_regs_init(struct thread_struct *thread)
 	write_iamr(read_iamr() & pkey_iamr_mask);
 	write_uamor(read_uamor() & pkey_amr_uamor_mask);
 }
+
+static inline bool pkey_allows_readwrite(int pkey)
+{
+	int pkey_shift = pkeyshift(pkey);
+
+	if (!is_pkey_enabled(pkey))
+		return true;
+
+	return !(read_amr() & ((AMR_RD_BIT|AMR_WR_BIT) << pkey_shift));
+}
+
+int __execute_only_pkey(struct mm_struct *mm)
+{
+	bool need_to_set_mm_pkey = false;
+	int execute_only_pkey = mm->context.execute_only_pkey;
+	int ret;
+
+	/* Do we need to assign a pkey for mm's execute-only maps? */
+	if (execute_only_pkey == -1) {
+		/* Go allocate one to use, which might fail */
+		execute_only_pkey = mm_pkey_alloc(mm);
+		if (execute_only_pkey < 0)
+			return -1;
+		need_to_set_mm_pkey = true;
+	}
+
+	/*
+	 * We do not want to go through the relatively costly dance to set AMR
+	 * if we do not need to. Check it first and assume that if the
+	 * execute-only pkey is readwrite-disabled than we do not have to set it
+	 * ourselves.
+	 */
+	if (!need_to_set_mm_pkey && !pkey_allows_readwrite(execute_only_pkey))
+		return execute_only_pkey;
+
+	/*
+	 * Set up AMR so that it denies access for everything other than
+	 * execution.
+	 */
+	ret = __arch_set_user_pkey_access(current, execute_only_pkey,
+					  PKEY_DISABLE_ACCESS |
+					  PKEY_DISABLE_WRITE);
+	/*
+	 * If the AMR-set operation failed somehow, just return 0 and
+	 * effectively disable execute-only support.
+	 */
+	if (ret) {
+		mm_pkey_free(mm, execute_only_pkey);
+		return -1;
+	}
+
+	/* We got one, store it and use it from here on out */
+	if (need_to_set_mm_pkey)
+		mm->context.execute_only_pkey = execute_only_pkey;
+	return execute_only_pkey;
+}