From patchwork Mon Nov 6 08:57:23 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ram Pai X-Patchwork-Id: 834598 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3yVpnv3Qm0z9s7c for ; Mon, 6 Nov 2017 21:34:11 +1100 (AEDT) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="CPlXMLaK"; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 3yVpnv23D5zDrK6 for ; Mon, 6 Nov 2017 21:34:11 +1100 (AEDT) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="CPlXMLaK"; dkim-atps=neutral X-Original-To: linuxppc-dev@lists.ozlabs.org Delivered-To: linuxppc-dev@lists.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=gmail.com (client-ip=2607:f8b0:400d:c0d::241; helo=mail-qt0-x241.google.com; envelope-from=ram.n.pai@gmail.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="CPlXMLaK"; dkim-atps=neutral Received: from mail-qt0-x241.google.com (mail-qt0-x241.google.com [IPv6:2607:f8b0:400d:c0d::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 3yVmhz5gC0zDrJq for ; Mon, 6 Nov 2017 19:59:47 +1100 (AEDT) Received: by mail-qt0-x241.google.com with SMTP id 31so9995594qtz.9 for ; Mon, 06 Nov 2017 00:59:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references; bh=jG6nWNf90ng39o8gSSHz/p+XZnkDFbms8gzY0Ev/xBI=; b=CPlXMLaKrDtJzAN1bujvXo7mM9/uEcmRqxmSKsHw8Ut+sT0QcHLL3ReuiODYz1nna0 UUvpJCjkPZBes4wZdmomi0GH+bBNjU+Gcu/AI76TkrpMZyWjpPGaFx/DKhPFRsjU7/2T GU76Rrq+Yz9FSg5SFHL0MhLemWA50XwFt2suDoN0gLXq94lZTe+CxS9lVeFCu/QGxx57 EBVvmDL9aFHobTQmj/q0b5+fs1vba7VnPqyhduetp6e/KZOzMPlbu6y11jnLgXfN7ETH dGO4AxpWW5mJc2Owo7peHJE4RXN7L6O1uEpvS+MQKwrS6BqWD/K5SinCLNCBbuqpNs4N e8nw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references; bh=jG6nWNf90ng39o8gSSHz/p+XZnkDFbms8gzY0Ev/xBI=; b=EGbkH8xbPqil7zF8XaYzjCKLE18kQyHbXyrL+b38/N1gR4ykkyayeARBPh9WVujgv4 OhitoB29wWxVnWViyGuaxIend+uU1fJJ5XbyO24zwCIpzuhBRGWOfCgRTEjzeYkuyBZV bXX0fWAXPcKwiPn8hYkxFihezXRiEOCi3QhmZr35Or00MVOnAmKDd0TFAITyxs/6yF1K 9XJvxKxspVYxTQkju6NX1V4aKaZeYomjXpzzrxA49eCcLA8yzzKFj2xQAwk1UL5epJHt LnsFbm4vEkSQcQxUdiY84EvdVB6zskam8Qujx2K+VA8ptWt28rCvI40oSS/45TCcIbZe A+sg== X-Gm-Message-State: AJaThX6SZmLz6CuE5R5sMFIIDEnvZ7gR1HGWvcFeM5trP/621uQu/kEa GoBeEMve2EPTAweF8pwz1AY= X-Google-Smtp-Source: ABhQp+SlbavPtGlQB2UEtAN6+vvM5PZHFyNY2yydRAyyPhlikpJ0nMqxYjyDCLuaoEujfuA/T3ao4w== X-Received: by 10.237.61.49 with SMTP id g46mr4971422qtf.239.1509958785786; Mon, 06 Nov 2017 00:59:45 -0800 (PST) Received: from localhost.localdomain (50-39-103-96.bvtn.or.frontiernet.net. [50.39.103.96]) by smtp.gmail.com with ESMTPSA id r26sm8001094qki.42.2017.11.06.00.59.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 06 Nov 2017 00:59:45 -0800 (PST) From: Ram Pai To: mpe@ellerman.id.au, mingo@redhat.com, akpm@linux-foundation.org, corbet@lwn.net, arnd@arndb.de Subject: [PATCH v9 31/51] Documentation/vm: PowerPC specific updates to memory protection keys Date: Mon, 6 Nov 2017 00:57:23 -0800 Message-Id: <1509958663-18737-32-git-send-email-linuxram@us.ibm.com> X-Mailer: git-send-email 1.7.1 In-Reply-To: <1509958663-18737-1-git-send-email-linuxram@us.ibm.com> References: <1509958663-18737-1-git-send-email-linuxram@us.ibm.com> X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.24 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-arch@vger.kernel.org, ebiederm@xmission.com, linux-doc@vger.kernel.org, x86@kernel.org, dave.hansen@intel.com, linux-kernel@vger.kernel.org, linuxram@us.ibm.com, mhocko@kernel.org, linux-mm@kvack.org, paulus@samba.org, aneesh.kumar@linux.vnet.ibm.com, linux-kselftest@vger.kernel.org, bauerman@linux.vnet.ibm.com, linuxppc-dev@lists.ozlabs.org, khandual@linux.vnet.ibm.com Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" Add documentation updates that capture PowerPC specific changes. Signed-off-by: Thiago Jung Bauermann Signed-off-by: Ram Pai --- Documentation/vm/protection-keys.txt | 126 +++++++++++++++++++++++++++------- 1 files changed, 101 insertions(+), 25 deletions(-) diff --git a/Documentation/vm/protection-keys.txt b/Documentation/vm/protection-keys.txt index fa46dcb..bc079b3 100644 --- a/Documentation/vm/protection-keys.txt +++ b/Documentation/vm/protection-keys.txt @@ -1,22 +1,46 @@ -Memory Protection Keys for Userspace (PKU aka PKEYs) is a CPU feature -which will be found on future Intel CPUs. - -Memory Protection Keys provides a mechanism for enforcing page-based -protections, but without requiring modification of the page tables -when an application changes protection domains. It works by -dedicating 4 previously ignored bits in each page table entry to a -"protection key", giving 16 possible keys. - -There is also a new user-accessible register (PKRU) with two separate -bits (Access Disable and Write Disable) for each key. Being a CPU -register, PKRU is inherently thread-local, potentially giving each -thread a different set of protections from every other thread. - -There are two new instructions (RDPKRU/WRPKRU) for reading and writing -to the new register. The feature is only available in 64-bit mode, -even though there is theoretically space in the PAE PTEs. These -permissions are enforced on data access only and have no effect on -instruction fetches. +Memory Protection Keys for Userspace (PKU aka PKEYs) is a CPU feature found on +future Intel CPUs and on PowerPC 5 and higher CPUs. + +Memory Protection Keys provide a mechanism for enforcing page-based +protections, but without requiring modification of the page tables when an +application changes protection domains. + +It works by dedicating bits in each page table entry to a "protection key". +There is also a user-accessible register with two separate bits for each +key. Being a CPU register, the user-accessible register is inherently +thread-local, potentially giving each thread a different set of protections +from every other thread. + +On Intel: + + Four previously bits are used the page table entry giving 16 possible keys. + + The user accessible register(PKRU) has a bit each per key to disable + access and to disable write. + + The feature is only available in 64-bit mode, even though there is + theoretically space in the PAE PTEs. These permissions are enforced on + data access only and have no effect on instruction fetches. + +On PowerPC: + + Five bits in the page table entry are used giving 32 possible keys. + This support is currently for Hash Page Table mode only. + + The user accessible register(AMR) has a bit each per key to disable + read and write. Access disable can be achieved by disabling + read and write. + + 'mtspr 0xd, mem' reads the AMR register + 'mfspr mem, 0xd' writes into the AMR register. + + Execution can be disabled by allocating a key with execute-disabled + permission. The execute-permissions on the key; however, cannot be + changed through a user accessible register. Instead; a powerpc specific + system call sys_pkey_modify() must be used. The CPU will not allow + execution of instruction in pages that are associated with + execute-disabled key. + =========================== Syscalls =========================== @@ -28,9 +52,9 @@ There are 3 system calls which directly interact with pkeys: unsigned long prot, int pkey); Before a pkey can be used, it must first be allocated with -pkey_alloc(). An application calls the WRPKRU instruction +pkey_alloc(). An application calls the WRPKRU/AMR instruction directly in order to change access permissions to memory covered -with a key. In this example WRPKRU is wrapped by a C function +with a key. In this example WRPKRU/AMR is wrapped by a C function called pkey_set(). int real_prot = PROT_READ|PROT_WRITE; @@ -52,11 +76,11 @@ is no longer in use: munmap(ptr, PAGE_SIZE); pkey_free(pkey); -(Note: pkey_set() is a wrapper for the RDPKRU and WRPKRU instructions. +(Note: pkey_set() is a wrapper for the RDPKRU,WRPKRU or AMR instructions. An example implementation can be found in - tools/testing/selftests/x86/protection_keys.c) + tools/testing/selftests/vm/protection_keys.c) -=========================== Behavior =========================== +=========================== Behavior ================================= The kernel attempts to make protection keys consistent with the behavior of a plain mprotect(). For instance if you do this: @@ -66,7 +90,7 @@ behavior of a plain mprotect(). For instance if you do this: you can expect the same effects with protection keys when doing this: - pkey = pkey_alloc(0, PKEY_DISABLE_WRITE | PKEY_DISABLE_READ); + pkey = pkey_alloc(0, PKEY_DISABLE_ACCESS); pkey_mprotect(ptr, size, PROT_READ|PROT_WRITE, pkey); something(ptr); @@ -83,3 +107,55 @@ with a read(): The kernel will send a SIGSEGV in both cases, but si_code will be set to SEGV_PKERR when violating protection keys versus SEGV_ACCERR when the plain mprotect() permissions are violated. + +========================== sysfs Interface ========================== + +Information about support of protection keys on the system can be +found in the /sys/kernel/mm/protection_keys directory, which +contains the following files: + +- total_keys: Shows the number of keys supported by the hardware. + Not all of those keys may be available for use by a process + because the platform or operating system may reserve some keys + for their own use. + +- usable_keys: Shows the minimum number of keys guaranteed to be + available for use by a process. In other words: total_keys minus + the keys reserved by the platform or operating system. This + number doesn't change to reflect keys that are already being + used by the process reading the file. + + There may be one more key available than what is advertised in + this file because the kernel may use one key for mprotect() + calls setting up memory with execute-only permissions. This file + assumes that this key is being used, but if it is not the + process will have one more key it can use for other purposes. + +- disable_access_supported: Shows 'true' if the system supports keys + which disallow reading from a given page (i.e., the + PKEY_DISABLE_ACCESS flag is supported). + +- disable_write_supported: Shows 'true' if the system supports keys + which disallow writing to a given page (i.e., the + PKEY_DISABLE_WRITE flag is supported). + +- disable_execute_supported: Shows 'true' if the system supports keys + which disallow code execution from a given page (i.e., the + PKEY_DISABLE_EXECUTE flag is supported). + +==================================================================== + Differences + +The following differences exist between x86 and power. + +a) powerpc (PowerPC8 onwards) *also* allows creation of a key with + execute-disabled. + The following is allowed + pkey = pkey_alloc(0, PKEY_DISABLE_EXECUTE); + +b) On powerpc the access/write permission on a key can be modified by + programming the AMR register from the signal handler. The changes + persist across signal boundaries. On x86, the PKRU specific fpregs + entry has to be modified to change the access/write permission on + a key. +=====================================================================