From patchwork Thu Jun 14 00:29:03 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ram Pai X-Patchwork-Id: 929146 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 415lHJ52hrz9ry1 for ; Thu, 14 Jun 2018 10:43:56 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=us.ibm.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="khYu0LZi"; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 415lHJ34VlzF0dd for ; Thu, 14 Jun 2018 10:43:56 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=us.ibm.com Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="khYu0LZi"; dkim-atps=neutral X-Original-To: linuxppc-dev@lists.ozlabs.org Delivered-To: linuxppc-dev@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=gmail.com (client-ip=2607:f8b0:400d:c0d::241; helo=mail-qt0-x241.google.com; envelope-from=ram.n.pai@gmail.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=us.ibm.com Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="khYu0LZi"; dkim-atps=neutral Received: from mail-qt0-x241.google.com (mail-qt0-x241.google.com [IPv6:2607:f8b0:400d:c0d::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 415kyd5127zF0Vt for ; Thu, 14 Jun 2018 10:29:29 +1000 (AEST) Received: by mail-qt0-x241.google.com with SMTP id h5-v6so4221988qtm.13 for ; Wed, 13 Jun 2018 17:29:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Idw23ar7CQpGGLe7Ly0cT7tDNJZAGYdPYjg625IxnAo=; b=khYu0LZirJcH1zcD9SsZGA1rQsExF2o9jwKs/WOJ1Z75cPZoL+ZyOPcaWbF9Sqeyau YA4Mo/ZX86DsKqZf25anTCc/YIfy3EVcxePOtZKfSbgV2voW2gsSNDMBnYAvjVcOAUT/ 5c3+pRdoANs0x++eeBgv0V9tDcr8JdEIezdUtfWkcLaJ0yZ6yOyWD+TVOgQUHeQmV4j5 meEP3QbG4IsLvPdhhXxtA6Tm2H2In2hnD47D6qDuRDTCH1FxWvhYgJTfQbfcpPXAz4rc Ds/4buEVJvK5elxroqrEs3PBvKImmvGqBuEZ9EQmqqGlREWONs6ERaEGOoikiM5JOPui FZjw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=Idw23ar7CQpGGLe7Ly0cT7tDNJZAGYdPYjg625IxnAo=; b=fy+St7/9X0MCKDsmvymeRxZKIWZ7aMeg/QhMcRoT5s8hbXXL9G7qH3/lzr8FC8bnhO SW0gTOawkEFBDny1/Dk4T3CK2V3+MeMXx4RUshyI7+KDmYDOm2zhIRwetUvmgtfzZnN/ mzeBil6zynH+Nzxtu0dS4UdLlYprzf4bEU+nnLsfjjYEqvSUmxyGJ098TlEMcgh1jeBU arxkfa6kMh41ALex0dhMzMg9k18ro64Arnz8xN6YRSwBP5XX7X31vxMXlBuCmX4TgN+6 /IsWKRUhrJDt67BwYRrVx7Pg44nSsCgHPSvBiVpoI5tPxBZeeqVluQVgIv8ahROO17Co cErA== X-Gm-Message-State: APt69E1MHLnGlEtEron2mDPNrtMiJ4qTpyLgSWAJGGqchFjdYfAMTIFA +dZKIRcRPNZkJxOHzlRJk6M= X-Google-Smtp-Source: ADUXVKIqXdKkEqWIBFA4GgV+iMYSQcPSPQNM+JNPxPCG3dogsXlZ5PV1C6jTMhGIG6iBJMNiXFi+Sw== X-Received: by 2002:ac8:2825:: with SMTP id 34-v6mr323584qtq.377.1528936167276; Wed, 13 Jun 2018 17:29:27 -0700 (PDT) Received: from localhost.localdomain (50-39-100-161.bvtn.or.frontiernet.net. [50.39.100.161]) by smtp.gmail.com with ESMTPSA id s12-v6sm3159581qkl.65.2018.06.13.17.29.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 13 Jun 2018 17:29:26 -0700 (PDT) From: Ram Pai To: mpe@ellerman.id.au Subject: [PATCH v2 5/6] powerpc/pkeys: make protection key 0 less special Date: Wed, 13 Jun 2018 17:29:03 -0700 Message-Id: <1528936144-6696-6-git-send-email-linuxram@us.ibm.com> X-Mailer: git-send-email 1.7.1 In-Reply-To: <1528936144-6696-1-git-send-email-linuxram@us.ibm.com> References: <1528936144-6696-1-git-send-email-linuxram@us.ibm.com> MIME-Version: 1.0 X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: fweimer@redhat.com, Ulrich.Weigand@de.ibm.com, linuxram@us.ibm.com, mhocko@kernel.org, dave.hansen@intel.com, aneesh.kumar@linux.vnet.ibm.com, luto@kernel.org, bauerman@linux.vnet.ibm.com, msuchanek@suse.de, linuxppc-dev@lists.ozlabs.org Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" Applications need the ability to associate an address-range with some key and latter revert to its initial default key. Pkey-0 comes close to providing this function but falls short, because the current implementation disallows applications to explicitly associate pkey-0 to the address range. Lets make pkey-0 less special and treat it almost like any other key. Thus it can be explicitly associated with any address range, and can be freed. This gives the application more flexibility and power. The ability to free pkey-0 must be used responsibily, since pkey-0 is associated with almost all address-range by default. Even with this change pkey-0 continues to be slightly more special from the following point of view. (a) it is implicitly allocated. (b) it is the default key assigned to any address-range. (c) its permissions cannot be modified by userspace. NOTE: (c) is specific to powerpc only. pkey-0 is associated by default with all pages including kernel pages, and pkeys are also active in kernel mode. If any permission is denied on pkey-0, the kernel running in the context of the application will be unable to operate. Tested on powerpc. cc: Thomas Gleixner cc: Dave Hansen cc: Michael Ellermen cc: Ingo Molnar cc: Andrew Morton cc: Thiago Jung Bauermann cc: Michal Suchè°©nek ----------------------------------------------------------------------- History: v5: . no changes since version. v4: . introduced PKEY_0 macro. No bug fixes. Code re-arrangement to save a few cycles. v3: . Corrected a comment in arch_set_user_pkey_access(). . Clarified the header, to capture the notion that pkey-0 permissions cannot be modified by userspace on powerpc. -- comment from Thiago v2: . mm_pkey_is_allocated() continued to treat pkey-0 special. fixed it. --- arch/powerpc/include/asm/pkeys.h | 29 +++++++++++++++++++++++------ arch/powerpc/mm/pkeys.c | 13 ++++++------- 2 files changed, 29 insertions(+), 13 deletions(-) diff --git a/arch/powerpc/include/asm/pkeys.h b/arch/powerpc/include/asm/pkeys.h index 5ba80cf..c824528 100644 --- a/arch/powerpc/include/asm/pkeys.h +++ b/arch/powerpc/include/asm/pkeys.h @@ -13,7 +13,10 @@ DECLARE_STATIC_KEY_TRUE(pkey_disabled); extern int pkeys_total; /* total pkeys as per device tree */ -extern u32 initial_allocation_mask; /* bits set for reserved keys */ +extern u32 initial_allocation_mask; /* bits set for the initially allocated keys */ +extern u32 reserved_allocation_mask; /* bits set for reserved keys */ + +#define PKEY_0 0 #define ARCH_VM_PKEY_FLAGS (VM_PKEY_BIT0 | VM_PKEY_BIT1 | VM_PKEY_BIT2 | \ VM_PKEY_BIT3 | VM_PKEY_BIT4) @@ -83,15 +86,19 @@ static inline u16 pte_to_pkey_bits(u64 pteflags) #define __mm_pkey_is_allocated(mm, pkey) \ (mm_pkey_allocation_map(mm) & pkey_alloc_mask(pkey)) -#define __mm_pkey_is_reserved(pkey) (initial_allocation_mask & \ +#define __mm_pkey_is_reserved(pkey) (reserved_allocation_mask & \ pkey_alloc_mask(pkey)) static inline bool mm_pkey_is_allocated(struct mm_struct *mm, int pkey) { - /* A reserved key is never considered as 'explicitly allocated' */ - return ((pkey < arch_max_pkey()) && - !__mm_pkey_is_reserved(pkey) && - __mm_pkey_is_allocated(mm, pkey)); + if (pkey < 0 || pkey >= arch_max_pkey()) + return false; + + /* Reserved keys are never allocated. */ + if (__mm_pkey_is_reserved(pkey)) + return false; + + return __mm_pkey_is_allocated(mm, pkey); } extern void __arch_activate_pkey(int pkey); @@ -187,6 +194,16 @@ static inline int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, { if (static_branch_likely(&pkey_disabled)) return -EINVAL; + + /* + * userspace should not change pkey-0 permissions. + * pkey-0 is associated with every page in the kernel. + * If userspace denies any permission on pkey-0, the + * kernel cannot operate. + */ + if (pkey == PKEY_0) + return init_val ? -EINVAL : 0; + return __arch_set_user_pkey_access(tsk, pkey, init_val); } diff --git a/arch/powerpc/mm/pkeys.c b/arch/powerpc/mm/pkeys.c index 1f2389f..9098605 100644 --- a/arch/powerpc/mm/pkeys.c +++ b/arch/powerpc/mm/pkeys.c @@ -14,7 +14,8 @@ bool pkey_execute_disable_supported; int pkeys_total; /* Total pkeys as per device tree */ bool pkeys_devtree_defined; /* pkey property exported by device tree */ -u32 initial_allocation_mask; /* Bits set for reserved keys */ +u32 initial_allocation_mask; /* Bits set for the initially allocated keys */ +u32 reserved_allocation_mask; /* Bits set for reserved keys */ u64 pkey_amr_mask; /* Bits in AMR not to be touched */ u64 pkey_iamr_mask; /* Bits in AMR not to be touched */ u64 pkey_uamor_mask; /* Bits in UMOR not to be touched */ @@ -121,8 +122,9 @@ int pkey_initialize(void) #else os_reserved = 0; #endif - initial_allocation_mask = (0x1 << 0) | (0x1 << 1) | - (0x1 << EXECUTE_ONLY_KEY); + /* Bits are in LE format. */ + reserved_allocation_mask = (0x1 << 1) | (0x1 << EXECUTE_ONLY_KEY); + initial_allocation_mask = reserved_allocation_mask | (0x1 << PKEY_0); /* register mask is in BE format */ pkey_amr_mask = ~0x0ul; @@ -135,7 +137,7 @@ int pkey_initialize(void) pkey_amr_mask |= (AMR_RD_BIT|AMR_WR_BIT) << pkeyshift(EXECUTE_ONLY_KEY); pkey_uamor_mask = ~0x0ul; - pkey_uamor_mask &= ~(0x3ul << pkeyshift(0)); + pkey_uamor_mask &= ~(0x3ul << pkeyshift(PKEY_0)); pkey_uamor_mask &= ~(0x3ul << pkeyshift(EXECUTE_ONLY_KEY)); for (i = (pkeys_total - os_reserved); i < pkeys_total; i++) @@ -374,9 +376,6 @@ static bool pkey_access_permitted(int pkey, bool write, bool execute) int pkey_shift; u64 amr; - if (!pkey) - return true; - if (!is_pkey_enabled(pkey)) return true;